feat(authelia): add app for evaluation

This commit is contained in:
David Landry 2024-10-09 15:32:05 -04:00
parent cd6524ee7f
commit 3a20805e29
14 changed files with 2089 additions and 1 deletions


@ -35,7 +35,7 @@ Note 2: Delete the plaintext resource after encrypting it.
sops -e secret.yaml > secret.enc.yaml
```
## 3. Create teh KSOPS kustomize generator
## 3. Create the KSOPS kustomize generator
```
# Create a local Kubernetes Secret

1
apps/authelia/TODO.md Normal file

@ -0,0 +1 @@
Adjust to support stateless containers. See https://www.authelia.com/overview/authorization/statelessness/


@ -0,0 +1,353 @@
---
# Source: authelia/templates/configMap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
data:
configuration.yaml: |
---
# yaml-language-server: $schema=https://www.authelia.com/schemas/v4.38/json-schema/configuration.json
theme: 'light'
default_2fa_method: ''
server:
address: 'tcp://0.0.0.0:9091/'
asset_path: ''
headers:
csp_template: ''
buffers:
read: 4096
write: 4096
timeouts:
read: '6 seconds'
write: '6 seconds'
idle: '30 seconds'
endpoints:
enable_pprof: false
enable_expvars: false
authz:
auth-request:
implementation: 'AuthRequest'
ext-authz:
implementation: 'ExtAuthz'
forward-auth:
implementation: 'ForwardAuth'
log:
level: 'info'
format: 'text'
file_path: ''
keep_stdout: true
telemetry:
metrics:
enabled: false
identity_validation:
elevated_session:
code_lifespan: '5 minutes'
elevation_lifespan: '10 minutes'
characters: 8
require_second_factor: false
skip_second_factor: false
reset_password:
jwt_lifespan: '5 minutes'
jwt_algorithm: 'HS256'
totp:
disable: false
issuer: 'Authelia'
skew: 1
secret_size: 32
algorithm: 'SHA1'
digits: 6
period: 30
allowed_algorithms:
- 'SHA1'
allowed_digits:
- 6
allowed_periods:
- 30
webauthn:
disable: false
display_name: 'Authelia'
attestation_conveyance_preference: 'indirect'
user_verification: 'preferred'
timeout: '60 seconds'
ntp:
address: 'udp://time.cloudflare.com:123'
version: 4
max_desync: '3 seconds'
disable_startup_check: false
disable_failure: false
authentication_backend:
password_reset:
disable: false
custom_url: ''
file:
path: '/config/users_database.yml'
watch: false
search:
email: false
case_insensitive: false
password:
algorithm: 'argon2'
argon2:
variant: 'argon2id'
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
scrypt:
iterations: 16
block_size: 8
parallelism: 1
key_length: 32
salt_length: 16
pbkdf2:
variant: 'sha512'
iterations: 310000
salt_length: 16
sha2crypt:
variant: 'sha512'
iterations: 50000
salt_length: 16
bcrypt:
variant: 'standard'
cost: 12
password_policy:
standard:
enabled: false
min_length: 8
max_length: 0
require_uppercase: false
require_lowercase: false
require_number: false
require_special: false
zxcvbn:
enabled: false
min_score: 0
session:
name: 'authelia_session'
same_site: 'lax'
inactivity: '5 minutes'
expiration: '1 hour'
remember_me: '1 month'
cookies:
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
notifier:
disable_startup_check: false
access_control:
default_policy: 'two_factor'
...
---
# Source: authelia/templates/persistentVolumeClaim.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
# Source: authelia/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
spec:
type: ClusterIP
sessionAffinity: None
selector:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
ports:
- name: http
protocol: TCP
port: 80
targetPort: http
---
# Source: authelia/templates/deployment.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
spec:
selector:
matchLabels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
revisionHistoryLimit: 5
minReadySeconds: 0
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
template:
metadata:
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
annotations:
authelia.com/checksum-config: 9c19d6aae755992be367bad3d6336c8a2932c355f96272a49539571a85af007a
spec:
hostNetwork: false
hostPID: false
hostIPC: false
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
enableServiceLinks: false
containers:
- name: authelia
image: ghcr.io/authelia/authelia:4.38.16
imagePullPolicy: IfNotPresent
command: ["authelia"]
resources:
limits:
cpu: "4.00"
memory: 2Gi
requests:
cpu: "0.25"
memory: 50Mi
env:
- name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
value: "true"
- name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
value: '/secrets/internal/identity_validation.reset_password.jwt.hmac.key'
- name: AUTHELIA_SESSION_SECRET_FILE
value: '/secrets/internal/session.encryption.key'
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
value: '/secrets/internal/storage.encryption.key'
- name: X_AUTHELIA_CONFIG
value: '/configuration.yaml'
- name: X_AUTHELIA_CONFIG_FILTERS
value: template
startupProbe:
failureThreshold: 6
httpGet:
path: /api/health
port: http
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
livenessProbe:
failureThreshold: 5
httpGet:
path: /api/health
port: http
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
readinessProbe:
failureThreshold: 5
httpGet:
path: /api/health
port: http
scheme: HTTP
initialDelaySeconds: 0
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
ports:
- name: http
containerPort: 9091
protocol: TCP
volumeMounts:
- mountPath: /config
name: authelia
readOnly: false
- mountPath: /configuration.yaml
name: config
readOnly: true
subPath: configuration.yaml
- mountPath: /secrets/internal
name: secrets
readOnly: true
volumes:
- name: authelia
persistentVolumeClaim:
claimName: authelia
- name: config
configMap:
name: authelia
items:
- key: configuration.yaml
path: configuration.yaml
- name: secrets
secret:
secretName: authelia
items:
- key: identity_validation.reset_password.jwt.hmac.key
path: identity_validation.reset_password.jwt.hmac.key
- key: session.encryption.key
path: session.encryption.key
- key: storage.encryption.key
path: storage.encryption.key
---
# Source: authelia/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: authelia
app.kubernetes.io/version: 4.38.16
app.kubernetes.io/managed-by: Helm
helm.sh/chart: authelia-0.9.9
annotations:
kubernetes.io/tls-acme: "true"
spec:
rules:
- host: 'auth.nc.landry.land'
http:
paths:
- path: '/'
pathType: Prefix
backend:
service:
name: authelia
port:
number: 80
tls:
- hosts:
- 'auth.nc.landry.land'
secretName: authelia-tls


@ -0,0 +1,38 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: authelia
spec:
template:
spec:
containers:
- name: authelia
env:
# prevents 431 request header too large
# https://www.authelia.com/reference/guides/log-messages/#request-header-too-large
- name: AUTHELIA_SERVER_BUFFERS_READ
value: 16384
- name: AUTHELIA_SERVER_BUFFERS_WRITE
value: 16384
- name: AUTHELIA_STORAGE_POSTGRES_HOST
valueFrom:
secretKeyRef:
name: pg-authelia-app
key: host
- name: AUTHELIA_STORAGE_POSTGRES_DATABASE
valueFrom:
secretKeyRef:
name: pg-authelia-app
key: dbname
- name: AUTHELIA_STORAGE_POSTGRES_USERNAME
valueFrom:
secretKeyRef:
name: pg-authelia-app
key: username
- name: AUTHELIA_STORAGE_POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: pg-authelia-app
key: password
# - name: TZ
# value: ...
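Review bot: The two buffer overrides `value: 16384` are plain YAML integers, but a container's `env[].value` is a string field, so the patched DaemonSet will be rejected at apply time with a type error; write them as `value: "16384"` for both AUTHELIA_SERVER_BUFFERS_READ and AUTHELIA_SERVER_BUFFERS_WRITE. The commented-out `TZ` entry at the end is dead scaffolding and is better dropped until a value is decided. This patch only works because strategic merge keys the env list on `name`, which is what lets it add entries to the rendered container rather than replace them; a header comment such as `# strategic merge on container name/env name: entries are added to the base env list, not replacing it` would make that contract visible to the next reader.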


@ -0,0 +1,5 @@
- op: remove
path: /metadata/labels/app.kubernetes.io~1managed-by
- op: remove
path: /metadata/labels/helm.sh~1chart
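Review bot: The two `remove` ops strip the Helm ownership labels from `/metadata/labels` only, so the DaemonSet's pod template in the rendered base, which carries the same `app.kubernetes.io/managed-by` and `helm.sh/chart` labels, keeps them; pods will still advertise Helm management while their parent object does not. If consistent non-Helm labelling is the goal, that needs a separate patch targeted at `kind: DaemonSet` with ops on `/spec/template/metadata/labels/...`, because a JSON6902 `remove` fails on any resource where the path does not exist and this file is applied to every Helm-labelled resource. A one-line header such as `# Strip Helm ownership labels from every resource rendered by helm template (target set in kustomization.yaml)` would explain why a patch file with no target of its own exists.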


@ -0,0 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./pg.yaml
- ./authelia.custom.yaml
patches:
- path: ./helm.patch.yaml
target:
labelSelector: app.kubernetes.io/managed-by=Helm
- path: daemonset.patch.yaml
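Review bot: The first patch's target selects on `app.kubernetes.io/managed-by=Helm` with no `kind` or `name`, and because a JSON6902 `remove` errors when the path is absent, every resource that carries that label must also carry `helm.sh/chart` or the build fails; a comment stating the assumption, e.g. `# helm.patch.yaml assumes every Helm-rendered resource carries both labels it removes`, would save the next person a confusing build error. The two patch paths use different styles (`./helm.patch.yaml` versus `daemonset.patch.yaml`); use `./daemonset.patch.yaml` for consistency. The rendered base leaves `session.cookies`, `storage` and `notifier` empty in the Authelia configuration, with storage presumably supplied by the env entries in daemonset.patch.yaml and the rest by values.yaml, so a short note on which settings are expected to come from patches versus the chart values would help.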


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: authelia-system


@ -0,0 +1,30 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: pg-authelia
spec:
instances: 1
storage:
size: 1Gi
# Credentials in secret pg-authelia-app
# https://cloudnative-pg.io/documentation/1.24/applications/#secrets
bootstrap:
initdb:
database: authelia
# enableSuperuserAccess: true
# resources:
# requests:
# memory: "512Mi"
# cpu: "1"
# limits:
# memory: "1Gi"
# cpu: "2"
# affinity:
# enablePodAntiAffinity: true
# topologyKey: failure-domain.beta.kubernetes.io/zone
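Review bot: The Cluster sets `instances: 1` and leaves `resources` and `affinity` as commented-out scaffolding, so the Postgres pod runs with no requests or limits while the Authelia container it backs has both in the rendered base; either uncomment and size `resources` or drop the dead comments so the file states what is actually deployed. No backup section is configured, so the 1Gi PVC is the only copy of Authelia's storage backend — acceptable for the evaluation named in the commit title, but worth a `# TODO: configure backups before this leaves evaluation` next to `storage`. The `# Credentials in secret pg-authelia-app` comment is useful; naming the keys consumed by daemonset.patch.yaml (`host`, `dbname`, `username`, `password`) there would tie the two files together.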


@ -0,0 +1,11 @@
{
"appName": "authelia",
"userGivenName": "authelia",
"destNamespace": "authelia-system",
"destServer": "https://kubernetes.default.svc",
"srcPath": "apps/authelia/overlays/system",
"srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git",
"srcTargetRevision": "",
"labels": null,
"annotations": null
}
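Review bot: `srcTargetRevision` is empty, so the Application tracks whatever default the consuming tooling substitutes (presumably the repository's default branch); pinning an explicit revision, e.g. `"srcTargetRevision": "main"` (constructed example), makes the deployed revision auditable and prevents a default-branch change on the Gitea side from silently redirecting the deployment. `labels` and `annotations` are `null` rather than `{}`; check which shape the consumer expects, since the two are not always treated alike.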


@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../base
generators:
- ./secret-generator.yaml


@ -0,0 +1,14 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: authelia-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
# if the binary is in your PATH, you can do
path: ksops
# otherwise, path should be relative to manifest files, like
# path: ../../../ksops
files:
- ./secret.enc.yaml
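Review bot: The comments `# Specify a name`, `# if the binary is in your PATH, you can do` and `# otherwise, path should be relative to manifest files, like` / `# path: ../../../ksops` are the KSOPS example's scaffolding and explain nothing about this deployment; the only project-specific content is the `files` entry. Replace them with one line stating what is decrypted and where, e.g. `# Decrypts ./secret.enc.yaml (sops, age recipient) at kustomize build time; ksops must be on PATH of whatever runs the build`.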


@ -0,0 +1,34 @@
# Source: authelia/templates/secret.yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: authelia
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/version: 4.38.16
data:
identity_validation.reset_password.jwt.hmac.key: ENC[AES256_GCM,data:nd+F68f3PyWMKAw3tgRO7mtmiNaJVtRHmGbeUSbAZniOXRItXrJuB4GVaIttYI0B+EUet3poAwFrw2SybBBGKHVHF5OzOFh+fKoNlAwIa5Br8jO/49d722jxiL2sWPqJgJLY+M9mnvtWRBgTXWOIabAP8ZCadZyyAyKm0JITBhaDvUz6aqkQyhMtS5HcHtEHWtIX6cx9K9DLpl4VN9eCvwOFnUzQuIG1JuuogQ==,iv:pcKUgmWZ8j7XGn0DDvTXgVpIRaHYmiT83M0Lfeu6gMI=,tag:r5zmcWOHNthRdxOEDxNhQg==,type:str]
session.encryption.key: ENC[AES256_GCM,data:2HYKCXdVMwhDW0yByFuizMp0DGM81sPHEzjKrtmIqof1F5/izpDN6i/Vh46hBlgsiiAqcALFmfAZXR7KCtksMaIv/plViFvCoYIfprwyboYY2jMhm1zHSe9wTpi+PGX/0pO6OunLIoeECcXlbXG2xyY2nYBxbrowNzbgE/cMNTgENhKn+UdEgwUGYF2X7xyz4G661nYg8rbz70PfO3D6ymsemDxVcX0a4YsNow==,iv:w3MU/BIdNnfatBQPSOS6mMmXReA/nVYmZa3nZ5HZsoY=,tag:x+j5TchnmjXegTuhTEJCTw==,type:str]
storage.encryption.key: ENC[AES256_GCM,data:M9rgJx3clzISUr26zR2AQvVISqnCtugid3AEo1p0UlsKrkpWKF5qbqYxbvP7wiuuOx51fw08jwDKIgow6H2WFwSqIN2ZmUUPXKewxoseSqU5YFCKebgJ4GA6RQKIGfjJSwQ/qhw9OCTkPTD7HQxPJhV5YNXqrhDQDEvlFRzvq4YoZTBHek5PWfvVeuijMH4sPDSvQMz7j7QDdD07GVH94DhWfdWWTe+bIIX6fA==,iv:MojUB+hWex47aFl4gzndLDKpKj074ZC86/q+hKp9/vM=,tag:IfIFb5BT8kRtu8Rc0wo7vw==,type:str]
storage.postgres.password.txt: ENC[AES256_GCM,data:oLikQ+m2gJVf5h3bD+qCszQ8p/46PiCdzw3THXyanOQymDfsldsUMxngtfp5s3pm2zZrup0huDHJ0aiFkmijqNIg7YH8y+mHezGpNcnlBMBoyPiWJIDjpb+3cmQlUPNNw/JvPI7tkRtOkr4XZF+V77fqgHLaTxmgjXFfZ+CHiIobFHs/Cvk+hjRlnmka8GzyNAGSjB73bfCHXMymKAiASzISb1iZ7ca6I5aleA==,iv:w5EzV3NjRGY3E4dbcGYEkF48252Zy5/g6PPeop0AW7Q=,tag:wHWPOfFKDWWWFguSONSm3Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOC9CT1VwYmRISnFqd2xw
WG1ONG9qKzdQMUVQVkNybmJnOFhJYXZsZTNnCnUzMUwvTTBmbW5kRXRPVDMyM1hi
YjNxb1g2eHUxZk5aamE0Uy9CY2RPS2MKLS0tIGptOGNLU0xZREkyUkVXVkFvajdD
THk3d2h2bGtSaDRBSm5xejlNL0Y5TmcKgsYivnUfBodeXlRkStB/vJ41oaVZi7iE
OhGGmsTD0xNJYypTjlwl+e7qXClcC7mt1Lgg9mUCMVUvdT7RwJJobw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-09T19:27:37Z"
mac: ENC[AES256_GCM,data:zhimwhlc3IOChp3Ydwm9SneOw24hoqK4bswkG5Bq5mXNfX7UQjv072U6OuY44ynkaULfkh+o8cif9IkYEcel8rPHD/neFZ+GRjhL6SVXl2+//1iSBtUM2a8QKJIWn9zxlqZyVFhq77oyf9PKKIgSQN3KU8RDCc+j6desThOzXbU=,iv:D6Pg7b1Tz+Vzzyc7PXR2U4WOxnBzgMqfWAJLoifwKUQ=,tag:s3qRNhlL4Y2bo2FoXh+oxQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.1
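Review bot: `storage.postgres.password.txt` is encrypted here but is neither mounted by the DaemonSet (its secret volume lists only the three `*.key` items) nor referenced by daemonset.patch.yaml, which takes the Postgres password from the CNPG-generated `pg-authelia-app` secret; drop the unused key rather than carrying a second, separately managed copy of a database credential in the repository. The file is encrypted to a single age recipient, so loss of that key loses the session and storage encryption keys together with the data they protect; unless a recovery key is held elsewhere, add a second recipient before any real data accumulates. `encrypted_regex: ^(data|stringData)$` correctly leaves `metadata` in the clear, which is what lets the DaemonSet's `secretName: authelia` resolve.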


@ -0,0 +1,11 @@
#!/usr/bin/env sh
helm repo add authelia https://charts.authelia.com --force-update
helm template \
authelia authelia/authelia \
--version 0.9.9 \
-f values.yaml \
> base/authelia.custom.yaml
# Full documentation for helm values at
# https://artifacthub.io/packages/helm/cert-manager/cert-manager
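Review bot: The trailing comment links to the cert-manager chart's values page, not Authelia's; point it at the Authelia chart's documentation instead (the repository added on the first line is `https://charts.authelia.com`). The `> base/authelia.custom.yaml` redirect truncates the committed base manifest before `helm template` runs, so a failed render (wrong version, repo unreachable) leaves an empty file in place of the base; add `set -eu` after the shebang, render to `> base/authelia.custom.yaml.tmp`, and finish with `mv base/authelia.custom.yaml.tmp base/authelia.custom.yaml`. A header comment naming the inputs (values.yaml, chart 0.9.9) and the output file would make the regeneration contract explicit for whoever bumps the chart next.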

1568
apps/authelia/values.yaml Normal file
