---
# Certificate material that Authelia loads from certificates_directory
# (/certificates, see the ConfigMap and the Deployment's volumeMounts) when it
# opens the ldaps:// connection to the directory server.
# NOTE(review): this should hold only the public CA/server certificate chain,
# never a private key — confirm before committing a real value. The data value
# in this copy is redacted.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: authelia-certificates
  labels:
    app.kubernetes.io/name: authelia
data:
  ldaps.pem: 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
---
# Authelia's main configuration, mounted by the Deployment at
# /config/authelia-config.yml. Secret values (LDAP bind password, session and
# storage keys, SMTP password, OIDC keys) are deliberately absent from this
# file: the Deployment hands them to the process through *_FILE variables.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-config
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    # Marks this ConfigMap for Reloader, which restarts the Deployment
    # (reloader.stakater.com/search) when the content changes; a subPath
    # mount is not refreshed in place otherwise.
    reloader.stakater.com/match: "true"
# Review notes on the embedded config. They live outside the block scalar
# because anything inside it becomes part of the mounted file:
#  - access_control.rules is evaluated first-match: the group-scoped two_factor
#    rules for longhorn.k-space.ee and the /p/board- and /p/members- pads must
#    stay ahead of the matching deny rules, and the final '*.k-space.ee'
#    one_factor rule is the catch-all before default_policy: deny.
#  - members.k-space.ee ends in an unconditional bypass; only /login/authelia
#    is behind two_factor there.
#  - log.level: warn — NOTE(review): confirm that failed-login events are still
#    emitted at this level; they are the main detection signal for this service.
#  - storage.mysql carries no tls section, so the connection to host "mariadb"
#    appears to be unencrypted in-cluster — confirm that is intended.
#  - session.expiration 1M / inactivity 120h are long-lived sessions;
#    remember_me_duration "0" presumably disables remember-me — verify.
#  - notifier.disable_startup_check: true skips the SMTP connectivity check at
#    start-up, so a broken mail path only surfaces on first use.
data:
  authelia-config.yml: |
    ---
    log:
      level: warn
    certificates_directory: /certificates
    theme: light
    default_redirection_url: https://members.k-space.ee
    totp:
      issuer: K-SPACE
    authentication_backend:
      ldap:
        implementation: activedirectory
        url: ldaps://ad.k-space.ee
        base_dn: dc=ad,dc=k-space,dc=ee
        username_attribute: sAMAccountName
        additional_users_dn: ou=Membership
        users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
        additional_groups_dn: cn=Users
        groups_filter: (&(member={dn})(objectclass=group))
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        user: cn=authelia,cn=Users,dc=ad,dc=k-space,dc=ee
    session:
      domain: k-space.ee
      same_site: lax
      expiration: 1M
      inactivity: 120h
      remember_me_duration: "0"
      redis:
        host: redis
        port: 6379
    regulation:
      ban_time: 5m
      find_time: 2m
      max_retries: 3
    storage:
      mysql:
        host: mariadb
        database: authelia
        username: authelia
    notifier:
      disable_startup_check: true
      smtp:
        host: mail.k-space.ee
        port: 465
        username: authelia
        sender: authelia@k-space.ee
        subject: "[Authelia] {title}"
        startup_check_address: lauri@k-space.ee
    access_control:
      default_policy: deny
      rules:
        # Longhorn dashboard
        - domain: longhorn.k-space.ee
          policy: two_factor
          subject: group:Longhorn Admins
        - domain: longhorn.k-space.ee
          policy: deny
        # Members site
        - domain: members.k-space.ee
          policy: bypass
          resources:
            - ^/?$
        - domain: members.k-space.ee
          policy: two_factor
          resources:
            - ^/login/authelia/?$
        - domain: members.k-space.ee
          policy: bypass
        # Webmail
        - domain: webmail.k-space.ee
          policy: two_factor
        # Etherpad
        - domain: pad.k-space.ee
          policy: two_factor
          resources:
            - ^/p/board-
          subject: group:Board Members
        - domain: pad.k-space.ee
          policy: deny
          resources:
            - ^/p/board-
        - domain: pad.k-space.ee
          policy: two_factor
          resources:
            - ^/p/members-
        - domain: pad.k-space.ee
          policy: deny
          resources:
            - ^/p/members-
        - domain: pad.k-space.ee
          policy: bypass
        # phpMyAdmin
        - domain: phpmyadmin.k-space.ee
          policy: two_factor
        # Require login for everything else protected by traefik-sso middleware
        - domain: '*.k-space.ee'
          policy: one_factor
    ...
---
# ClusterIP Service in front of the Authelia pods. Both the Ingress
# (backend port 80) and the Traefik forwardAuth middleware
# (http://authelia.authelia.svc.cluster.local) reach Authelia through it.
apiVersion: v1
kind: Service
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  type: ClusterIP
  sessionAffinity: None
  selector:
    app.kubernetes.io/name: authelia
  ports:
    - name: http
      protocol: TCP
      port: 80
      # Resolved by name against the container port "http" (9091) in the Deployment.
      targetPort: http
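---
# Authelia SSO portal. Configuration comes from the authelia-config ConfigMap
# and the oidc-secrets Secret, both mounted as files; every secret value is
# handed to the process as a *_FILE path instead of an environment value, so
# no secret appears in the pod spec or in the process environment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    # Reloader restarts the pods when a referenced ConfigMap/Secret changes;
    # needed because the subPath mounts below are not refreshed in place.
    reloader.stakater.com/search: "true"
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
  replicas: 2
  # No old ReplicaSets are kept, so `kubectl rollout undo` has nothing to return to.
  revisionHistoryLimit: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
    spec:
      enableServiceLinks: false
      # Authelia does not call the Kubernetes API; keep the service-account
      # token out of the pod so a compromised process cannot use it.
      automountServiceAccountToken: false
      containers:
        - name: authelia
          # NOTE(review): ":4" is a floating major tag, so each rollout may pull
          # a different build; pin a patch tag or an image digest for a
          # reproducible deployment.
          image: authelia/authelia:4
          command:
            - authelia
            - --config=/config/authelia-config.yml
            - --config=/config/oidc-secrets.yml
          securityContext:
            # The process listens on 9091 and only reads mounted files, so it
            # needs no capabilities and no privilege escalation.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # NOTE(review): runAsNonRoot / readOnlyRootFilesystem are not set;
            # whether the image tolerates them with this command override has
            # not been verified here — test before enabling.
          resources:
            limits:
              cpu: "4.00"
              memory: 125Mi
            requests:
              cpu: "0.25"
              memory: 50Mi
          env:
            # The in-container health-check file is disabled; the Kubernetes
            # probes below cover liveness/readiness instead.
            - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
              value: "true"
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /secrets/JWT_TOKEN
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /secrets/SESSION_ENCRYPTION_KEY
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /secrets/LDAP_PASSWORD
            # Read from the redis-secrets volume like every other secret, rather
            # than through a secretKeyRef env value that is visible in the pod
            # spec (`kubectl get pod -o yaml`) and in the process environment.
            - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
              value: /redis-secrets/REDIS_PASSWORD
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /secrets/STORAGE_ENCRYPTION_KEY
            - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
              value: /mariadb-secrets/MYSQL_PASSWORD
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
              value: /secrets/OIDC_HMAC_SECRET
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
              value: /secrets/OIDC_PRIVATE_KEY
            - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
              value: /secrets/SMTP_PASSWORD
            - name: TZ
              value: Europe/Tallinn
          # All three probes hit the unauthenticated /api/health endpoint over
          # plain HTTP on the container port.
          startupProbe:
            failureThreshold: 6
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 5
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          ports:
            - name: http
              containerPort: 9091
              protocol: TCP
          # Every mount is read-only: the process has no reason to write config
          # or secret material.
          volumeMounts:
            - mountPath: /config/authelia-config.yml
              name: authelia-config
              readOnly: true
              subPath: authelia-config.yml
            - mountPath: /config/oidc-secrets.yml
              name: oidc-secrets
              readOnly: true
              subPath: oidc-secrets.yml
            - mountPath: /secrets
              name: secrets
              readOnly: true
            - mountPath: /certificates
              name: certificates
              readOnly: true
            - mountPath: /mariadb-secrets
              name: mariadb-secrets
              readOnly: true
            # Backs AUTHELIA_SESSION_REDIS_PASSWORD_FILE above.
            - mountPath: /redis-secrets
              name: redis-secrets
              readOnly: true
      volumes:
        - name: authelia-config
          configMap:
            name: authelia-config
        - name: secrets
          secret:
            secretName: application-secrets
            # Project only the keys the env block references; unused keys of the
            # shared application-secrets Secret stay out of the container.
            items:
              - key: JWT_TOKEN
                path: JWT_TOKEN
              - key: SESSION_ENCRYPTION_KEY
                path: SESSION_ENCRYPTION_KEY
              - key: STORAGE_ENCRYPTION_KEY
                path: STORAGE_ENCRYPTION_KEY
              - key: LDAP_PASSWORD
                path: LDAP_PASSWORD
              - key: OIDC_PRIVATE_KEY
                path: OIDC_PRIVATE_KEY
              - key: OIDC_HMAC_SECRET
                path: OIDC_HMAC_SECRET
              - key: SMTP_PASSWORD
                path: SMTP_PASSWORD
        - name: certificates
          secret:
            secretName: authelia-certificates
        - name: mariadb-secrets
          secret:
            secretName: mariadb-secrets
        - name: redis-secrets
          secret:
            secretName: redis-secrets
        - name: oidc-secrets
          secret:
            secretName: oidc-secrets
            items:
              - key: oidc-secrets.yml
                path: oidc-secrets.yml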
---
# Public entry point for the Authelia portal at https://auth.k-space.ee.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    # Certificate for spec.tls is issued by cert-manager into authelia-tls.
    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/tls-acme: "true"
    # Only the HTTPS entry point is listed, so no plain-HTTP router exists for this host.
    traefik.ingress.kubernetes.io/router.entryPoints: websecure
    # chain-k6-authelia (defined later in this file) wraps only the headers
    # middleware — the portal itself must not sit behind its own forwardAuth.
    traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-k6-authelia@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: auth.k-space.ee
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  number: 80
  tls:
    - hosts:
        - auth.k-space.ee
      secretName: authelia-tls
---
# Traefik forwardAuth hook into Authelia. Application Ingresses attach it via
# the chain-k6-authelia-auth middleware below; each request is first sent to
# /api/verify and only continues to the backend when Authelia answers 2xx.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forwardauth-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  forwardAuth:
    # Plain HTTP to the in-cluster Service; rd= is where unauthenticated
    # clients are redirected. NOTE(review): nothing in this file restricts who
    # can reach the authelia Service directly — a NetworkPolicy limiting it to
    # Traefik would keep the verify endpoint off the general cluster network.
    address: http://authelia.authelia.svc.cluster.local/api/verify?rd=https://auth.k-space.ee/
    # Authelia evaluates access_control rules against the X-Forwarded-* headers
    # it receives, so they must describe the original request. That is only
    # safe when the entry point does not pass client-supplied X-Forwarded-*
    # headers through — confirm Traefik's forwardedHeaders configuration.
    trustForwardHeader: true
    # Identity headers copied from Authelia's verify response into the request
    # the backend sees; backends must accept them only when reached via Traefik.
    authResponseHeaders:
      - Remote-User
      - Remote-Name
      - Remote-Email
      - Remote-Groups
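---
# Response-header hardening for the Authelia portal (applied through
# chain-k6-authelia on the auth.k-space.ee Ingress).
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  headers:
    # Legacy X-XSS-Protection header; current browsers ignore it, kept for older ones.
    browserXssFilter: true
    # X-Content-Type-Options: nosniff — stops browsers from reinterpreting a
    # response as a different content type than the one the portal served.
    contentTypeNosniff: true
    # X-Frame-Options: SAMEORIGIN — the login page cannot be framed by other origins.
    customFrameOptionsValue: "SAMEORIGIN"
    customResponseHeaders:
      # Portal responses carry session state; keep them out of any cache.
      Cache-Control: "no-store"
      Pragma: "no-cache"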
---
# Chain for application Ingresses that should require SSO: it wraps
# forwardauth-k6-authelia only, and is referenced from other namespaces as
# authelia-chain-k6-authelia-auth@kubernetescrd.
# NOTE(review): headers-k6-authelia is not part of this chain, so protected
# apps do not get the portal's response-header hardening; add it here if wanted.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: chain-k6-authelia-auth
  labels:
    app.kubernetes.io/name: authelia
spec:
  chain:
    middlewares:
      - name: forwardauth-k6-authelia
        namespace: authelia
---
# Chain used by the Authelia Ingress itself: headers only, deliberately no
# forwardAuth, since the portal must stay reachable to unauthenticated users.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: chain-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  chain:
    middlewares:
      - name: headers-k6-authelia
        namespace: authelia
---
# MySQL InnoDB cluster managed by the Oracle MySQL operator.
# NOTE(review): nothing else in this file refers to it — Authelia's config uses
# storage.mysql.host "mariadb" and the Deployment reads mariadb-secrets — so
# confirm this resource is still in use before relying on or removing it.
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mysql-cluster
spec:
  # Presumably the bootstrap (root) credentials the operator uses — verify
  # against the operator's documentation; the Secret is not in this file.
  secretName: mysql-secrets
  instances: 3
  router:
    instances: 2
  # Operator-generated self-signed certificates: clients cannot validate the
  # server against a trusted CA, only encrypt the channel.
  tlsUseSelfSigned: true
  datadirVolumeClaimTemplate:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: "1Gi"
  podSpec:
    affinity:
      podAntiAffinity:
        # Hard rule: no two operator-managed MySQL pods on the same node.
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/managed-by
                  operator: In
                  values:
                    - mysql-operator
            topologyKey: kubernetes.io/hostname
    # Pin the instances to the tainted storage nodes.
    nodeSelector:
      dedicated: storage
    tolerations:
      - key: dedicated
        operator: Equal
        value: storage
        effect: NoSchedule
---
# Redis-compatible session store for Authelia (session.redis.host: redis in
# the ConfigMap). The password the Deployment supplies to Authelia comes from
# the redis-secrets Secret, which is not defined in this file.
apiVersion: codemowers.io/v1alpha1
kind: KeyDBCluster
metadata:
  name: redis
spec:
  replicas: 3