From 42bc4ae1875dca768648cb33105b0e85a61c029f Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 13 Jan 2023 19:03:04 -0600
Subject: [PATCH] authelia: Install Authelia
Authelia is a general authentication provider that works (primarily) by integrating with *nginx* using its subrequest mechanism. It works great with Kubernetes/*ingress-nginx* to provide authentication for services running in the cluster, especially those that do not provide their own authentication system. Authelia needs a database to store session data. It supports various engines, but since we're only running a very small instance with no real need for HA, SQLite on a Longhorn persistent volume is sufficient. Configuration is done mostly through a YAML document, although some secret values are stored in separate files, which are pointed to by environment variables.
---
authelia/authelia.yaml | 147 ++++++++++++++++++++++++++++++++++++
authelia/configuration.yml | 30 ++++++++
authelia/kustomization.yaml | 24 ++++++
3 files changed, 201 insertions(+)
create mode 100644 authelia/authelia.yaml
create mode 100644 authelia/configuration.yml
create mode 100644 authelia/kustomization.yaml
diff --git a/authelia/authelia.yaml b/authelia/authelia.yaml
new file mode 100644
index 0000000..568dae8
--- /dev/null
+++ b/authelia/authelia.yaml
@@ -0,0 +1,147 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authelia
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: authelia
+ namespace: authelia
+ labels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ app.kubernetes.io/part-of: authelia
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: authelia
+ namespace: authelia
+ labels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ app.kubernetes.io/part-of: authelia
+spec:
+ ports:
+ - port: 9091
+ name: http
+ selector:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: authelia
+ namespace: authelia
+ labels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ app.kubernetes.io/part-of: authelia
+spec:
+ serviceName: authelia
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ spec:
+ enableServiceLinks: false
+ containers:
+ - name: authelia
+ image: ghcr.io/authelia/authelia
+ env:
+ - name: AUTHELIA_JWT_SECRET_FILE
+ value: /run/authelia/secrets/jwt.secret
+ - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+ value: /run/authelia/secrets/ldap.password
+ - name: AUTHELIA_SESSION_SECRET_FILE
+ value: /run/authelia/secrets/session.secret
+ - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+ value: /run/authelia/secrets/storage.encryption_key
+ readinessProbe:
+ httpGet:
+ port: 9091
+ path: /api/health
+ failureThreshold: 3
+ periodSeconds: 60
+ initialDelaySeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+ volumeMounts:
+ - name: config
+ mountPath: /config/configuration.yml
+ subPath: configuration.yml
+ readOnly: true
+ - name: secrets
+ mountPath: /run/authelia/secrets
+ readOnly: true
+ - name: data
+ mountPath: /var/lib/authelia
+ subPath: authelia
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ volumes:
+ - name: config
+ configMap:
+ name: authelia
+ - name: secrets
+ secret:
+ secretName: authelia
+ - name: data
+ persistentVolumeClaim:
+ claimName: authelia
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authelia
+ namespace: authelia
+ labels:
+ app.kubernetes.io/name: authelia
+ app.kubernetes.io/component: authelia
+ app.kubernetes.io/instance: authelia
+ app.kubernetes.io/part-of: authelia
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - auth.pyrocufflink.blue
+ rules:
+ - host: auth.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authelia
+ port:
+ name: http
+
diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..4311d60
--- /dev/null
+++ b/authelia/configuration.yml
@@ -0,0 +1,30 @@
+access_control:
+ default_policy: one_factor
+
+authentication_backend:
+ ldap:
+ base_dn: DC=pyrocufflink,DC=blue
+ implementation: activedirectory
+ tls:
+ minimum_version: TLS1.2
+ url: ldaps://pyrocufflink.blue
+ user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
+
+log:
+ level: trace
+
+notifier:
+ smtp:
+ disable_require_tls: true
+ host: mail.pyrocufflink.blue
+ port: 25
+ sender: auth@pyrocufflink.net
+
+session:
+ domain: pyrocufflink.blue
+ expiration: 1d
+ inactivity: 4h
+
+storage:
+ local:
+ path: /var/lib/authelia/db.sqlite3
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml
new file mode 100644
index 0000000..9ce5efc
--- /dev/null
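Review bot: The StatefulSet's container image is unpinned (`image: ghcr.io/authelia/authelia`), so every pod restart pulls whatever the default tag currently resolves to and an unreviewed upstream release lands directly in the authentication path; pin it to a release tag and, ideally, the image digest (`ghcr.io/authelia/authelia:<tag>@sha256:<digest>`) so upgrades happen through a reviewed commit. The pod-level `securityContext` runs as UID/GID 1000, which is good, but the container carries no `securityContext` of its own; `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` cost nothing here, and since config, secrets and data are all explicit mounts, `readOnlyRootFilesystem: true` is worth trying as well. Nothing in this manifest needs the Kubernetes API, so `automountServiceAccountToken: false` on the pod spec keeps a service-account token out of a container that terminates user logins. Note that extraction has flattened the YAML indentation in this hunk, so the nesting above is read from the key names rather than from column position.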
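Review bot: `disable_require_tls: true` together with `port: 25` lets the SMTP notifier deliver mail in clear text, and as far as I know the notifier is what Authelia uses for its password-reset and identity-verification messages, i.e. the ones carrying one-time links; unless `mail.pyrocufflink.blue` genuinely cannot offer STARTTLS, drop the `disable_require_tls` line so the default (TLS required) applies, and if it cannot, a comment recording that the relay is reachable only over a trusted network would at least document the accepted risk. `level: trace` should not ship as the steady-state logging level: trace is a debugging level and is likely to include per-request detail that does not belong in long-lived logs on the persistent volume; `level: info` is the usual production value. `default_policy: one_factor` means an LDAP password alone grants access to everything behind the proxy unless a rule says otherwise, which may well be intended for this cluster but deserves a one-line comment saying so, with `two_factor` rules added per host where it matters. On the positive side, the LDAP backend uses `ldaps://` with `minimum_version: TLS1.2` and no certificate-verification bypass.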
+++ b/authelia/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- authelia.yaml
+
+configMapGenerator:
+- name: authelia
+ namespace: authelia
+ files:
+ - configuration.yml
+ options:
+ disableNameSuffixHash: true
+
+secretGenerator:
+- name: authelia
+ namespace: authelia
+ files:
+ - jwt.secret
+ - ldap.password
+ - session.secret
+ - storage.encryption_key
+ options:
+ disableNameSuffixHash: true
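Review bot: The `secretGenerator` reads `jwt.secret`, `ldap.password`, `session.secret` and `storage.encryption_key` from the working tree, and none of the four is part of this commit (the diffstat lists only the three YAML files), so the build depends on plaintext secret files sitting next to the manifests; make sure they are excluded from version control (no `.gitignore` entry is visible here) or, better, generate the Secret from an encrypted source such as SOPS, SealedSecrets or an external-secrets operator so the plaintext never lives in the repo directory. `disableNameSuffixHash: true` on both generators also means that rotating any of those secrets or editing `configuration.yml` updates the Secret/ConfigMap in place without triggering a rollout of the StatefulSet, so the running pod keeps the old values until someone restarts it by hand; either leave the hash suffix enabled (Kustomize rewrites the references in `authelia.yaml`) or add a comment spelling out the manual restart step after rotation.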