Skip to content

Commit

Permalink
feat(authelia): add Argo CD client
Browse files Browse the repository at this point in the history
  • Loading branch information
@vehagn
vehagn committed Sep 15, 2024
1 parent 8b5d9dc commit 7c66131
Show file tree
Hide file tree
Showing 3 changed files with 117 additions and 10 deletions.
21 changes: 21 additions & 0 deletions k8s/infra/auth/authelia/http-route.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: authelia
namespace: authelia
spec:
parentRefs:
- name: external
namespace: gateway
- name: internal
namespace: gateway
hostnames:
- "authelia.stonegarden.dev"
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: authelia
port: 80
1 change: 1 addition & 0 deletions k8s/infra/auth/authelia/kustomization.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ namespace: authelia
resources:
- ns.yaml
- lldap-credentials.yaml
- http-route.yaml

helmCharts:
- name: authelia
Expand Down
105 changes: 95 additions & 10 deletions k8s/infra/auth/authelia/values.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml
image:
registry: ghcr.io
repository: authelia/authelia
Expand All @@ -11,30 +12,30 @@ configMap:
# upgrade to 'two_factor' later
default_policy: 'one_factor'
rules:
- domain_regex: '^.*\.stonegarden.dev$'
policy: 'one_factor'
- domain_regex: '^.*\.stonegarden.dev$'
policy: 'one_factor'

authentication_backend:
ldap:
enabled: true
implementation: 'lldap'
address: 'ldap://lldap.lldap.svc.cluster.local'
base_dn: 'DC=stonegarden,DC=dev'
#users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
#additional_users_dn: 'OU=people'
#groups_filter: '(member={dn})'
additional_groups_dn: 'OU=groups'
base_dn: 'dc=stonegarden,dc=dev'
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))'
additional_users_dn: 'ou=people'
groups_filter: '(member={dn})'
additional_groups_dn: 'ou=groups'
user: 'UID=authelia,OU=people,DC=stonegarden,DC=dev'
password:
secret_name: 'lldap-auth'
value: 'password'

# file:
# enabled: true
# file:
# enabled: true

session:
cookies:
- subdomain: auth
- subdomain: authelia
domain: stonegarden.dev

storage:
Expand All @@ -49,6 +50,90 @@ configMap:
filesystem:
enabled: true

identity_providers:
oidc:
## Enables this in the config map. Currently in beta stage.
## See https://www.authelia.com/r/openid-connect/
enabled: true
jwks:
- key_id: 'default'
algorithm: 'RS256'
use: 'sig'
# TODO: CHANGE THIS COMPROMISED TEST KEY!
key:
value: |
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOCrc4yP2ziCO
MUJoEMA6hIlLgwDNrKviBKHBNjAjQ0EStW3148ZxSHtLZH+xls4HyjenDp79bUDd
hm3kh0N8Z+loSRky6JMx+NUyA4XoWzR35MxGbt6ojx3pHdFCJRUu5/DmU2w8RgVy
FaC/XWQPg03w80yEsXfT6CFT7avKwn/D8KCbjGVaYlLseWUAMPPyGU/pG/31CLR/
VDUaT5rnRHchlM8wsHfAR9rzhWLAn7xefIgK94hkD0l/BrY93g72TkNtkQsS+bgv
5404F0o+sILswoAZNvLWhy2AejwIw8HN+/ssaTbvRzfkXWiyvcBWA5kCK7ltpHMN
Cg5hcnwzAgMBAAECggEAVRrEg7dzVEl0aRAKouZ0N/a66ifow7qqjdyAGryueR6J
D7e8iSBwNhb9ZrpZJ+dAFTVm3xUomE/fGBmQQLhfLyEihLhqzW+FHdK7eCWpjLNV
cFIOaFftjBp9S2/Csw8kMrPHpepfuEFZ+5CYiTibc9cNMx7oF0Kj1oIFxjXTCTTX
/5G2WN9VsduA6SC5xnZNqyd8sKboQzXmGxgop98BRdiPTE5adZZ+oOozVmayYKMD
Y51SAHq+lpAmVW8poAfm59fmyll0gRBsHi3Xrbhpk+1nrWFhWiqS63G6rJ1Y3SQF
S1aztbP45z2T96g7OehNZT+98nrPHDzi4lpeiZ6XgQKBgQDmwLEIk/MWMCgv+BUy
bOuIyGSP0vLRSsNZpKc2NMCln0huKjpfLcfjre41aqISV6mGkAOfk/Y0NBPCPwQP
hO0OXnK/3sORzCyQCTfPW6nCAafjVaMvjCBlsKA/Hjx74Gw9JkrHJiGudrNrDYtQ
dQN5paCtauv/vknXVrDDapExkwKBgQC/D/oo+wRlntvP61HaBJt/zF/nLo7KF9wW
D2HC3lohVcF35KtgB1PbzZrTjQOPFVXbMs7t88g3nBSoc+6czPGkoevvS9UeYoH9
dhTDooiSVn6kmH1HgwSliqpZWMVyKpyFuCZTd014++7aKBg/16KJO+DxS9Uka80C
48pmvcyu4QKBgHguQcX68G9M85FQPxH9QosB+8YgkxDIRIgqxl/oB7H7DIk7+xzZ
RjNhwiAWAoVVHNkVpp11PZSgzu2rTl0a2TBTpqYhym/kDA2Uj3my/u4pWJyBXLWF
4NW1sTBOeif2kckjaWzhgkdQUU/fRQDJgN7ZkZ7ggju3itPZtcSBe097AoGAVzxR
SRLLgCaXUIiuN7Aw25oSE7kDQyy/tWbSiSoC1wOTsU08Hj1aQZrP3VWeUV85czrw
ll7fhNyD5iIAyaEdl8DCu+DQ7u2lUnfupSB54O8TJc3mLZeZsIfunZrVk/n2u2tI
PIXVXq8Q8JSr9cJcGPK5ExM/v0BlO7OL/3sbkKECgYBTj5hTKZvBkLQwyfMLMAoY
rytwq9T4sOQElWpvwi/6NmT8iYSWlXEjRktBnnGOyNjNXvyoLNr2CmtV/TJ2uG0J
fKWga5swZ/Aq4h5kX64+q710r+xGS2s4up6XY8gyT3+WxaF8RpxiQilDFVYCzvee
uzpHa9dV3xVGQQK5fEtWQg==
-----END PRIVATE KEY-----
# path: '/secrets/oidc.jwk.RS256.pem'
# certificate_chain:
# value: |
# -----BEGIN PUBLIC KEY-----
# MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArDgq3OMj9s4gjjFCaBDA
# OoSJS4MAzayr4gShwTYwI0NBErVt9ePGcUh7S2R/sZbOB8o3pw6e/W1A3YZt5IdD
# fGfpaEkZMuiTMfjVMgOF6Fs0d+TMRm7eqI8d6R3RQiUVLufw5lNsPEYFchWgv11k
# D4NN8PNMhLF30+ghU+2rysJ/w/Cgm4xlWmJS7HllADDz8hlP6Rv99Qi0f1Q1Gk+a
# 50R3IZTPMLB3wEfa84ViwJ+8XnyICveIZA9Jfwa2Pd4O9k5DbZELEvm4L+eNOBdK
# PrCC7MKAGTby1octgHo8CMPBzfv7LGk270c35F1osr3AVgOZAiu5baRzDQoOYXJ8
# MwIDAQAB
# -----END PUBLIC KEY-----
# # path: '/secrets.oidc.jwk.RS256.crt'
clients:
- client_id: 'argocd'
# TODO: CHANGE THIS COMPROMISED TEST KEY!
client_secret: #'$pbkdf2-sha512$310000$ms/OlHdUjXSdHDW7xdgVhQ$6HN.cN9/MlttyYmXHMRU4JB0Ngqjs5ErSi1UIkH5k9qmMq2qHnueRrLwUjXTdMmOj6lCOAd1l2pA08VUTScPNw'
value: '$pbkdf2-sha512$310000$ms/OlHdUjXSdHDW7xdgVhQ$6HN.cN9/MlttyYmXHMRU4JB0Ngqjs5ErSi1UIkH5k9qmMq2qHnueRrLwUjXTdMmOj6lCOAd1l2pA08VUTScPNw'
# path: '/secrets/oidc.client.argocd.value'
client_name: 'Argo CD'
public: false
authorization_policy: 'one_factor'
redirect_uris:
- 'https://argocd.stonegarden.dev/auth/callback'
scopes:
- 'openid'
- 'groups'
- 'email'
- 'profile'
userinfo_signed_response_alg: 'none'
- client_id: 'argocd-cli'
client_name: 'Argo CD (CLI)'
public: true
authorization_policy: 'one_factor'
redirect_uris:
- 'http://localhost:8085/auth/callback'
scopes:
- 'openid'
- 'groups'
- 'email'
- 'profile'
- 'offline_access'
userinfo_signed_response_alg: 'none'

secret:
additionalSecrets:
lldap-auth:
Expand Down

0 comments on commit 7c66131

Please sign in to comment.