authelia: Point to external PostgreSQL server

If there is an issue with the in-cluster database server, accessing the
Kubernetes API becomes impossible by normal means.  This is because the
Kubernetes API uses Authelia for authentication and authorization, and
Authelia relies on the in-cluster database server.  To solve this
chicken-and-egg scenario, I've set up a dedicated PostgreSQL database
server on a virtual machine, totally external to the Kubernetes cluster.

With this commit, I have changed the Authelia configuration to point at
this new database server.  The contents of the new database server were
restored from a backup from the in-cluster server, so of Authelia's
state was migrated automatically.  Thus, updating the configuration is
all that is necessary to switch to using it.

The new server uses certificate-based authentication.  In order for
Authelia to access it, it needs a certificate issued by the
_postgresql-ca_ ClusterIssuer, managed by _cert-manager_.  Although the
environment variables for pointing to the certificate and private key
are not listed explicitly in the Authelia documentation, their names
can be inferred from the configuration document schema and work as
expected.

authelia/configuration.yml

@@ -157,9 +157,10 @@ server:
 
 storage:
   postgres:
-    host: default.postgresql
+    host: postgresql.pyrocufflink.blue
     database: authelia
-    username: authelia.authelia
+    username: authelia
+    password: unused
     tls:
       skip_verify: false
 

authelia/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
 - redis.yaml
 - authelia.yaml
 - oidc-cluster-admin.yaml
+- postgres-cert.yaml
 
 replicas:
 - name: authelia
@@ -23,10 +24,6 @@ configMapGenerator:
   namespace: authelia
   files:
   - configuration.yml
-- name: postgresql-ca
-  namespace: authelia
-  files:
-  - postgresql-ca.crt
 
 patches:
 - patch: |-
@@ -41,24 +38,20 @@ patches:
           containers:
           - name: authelia
             env:
-            - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
-              value: /run/authelia/secrets/postgresql/password
+            - name: AUTHELIA_STORAGE_POSTGRES_TLS_CERTIFICATE_CHAIN_FILE
+              value: /run/authelia/certs/postgresql/tls.crt
+            - name: AUTHELIA_STORAGE_POSTGRES_TLS_PRIVATE_KEY_FILE
+              value: /run/authelia/certs/postgresql/tls.key
             volumeMounts:
-            - mountPath: /run/authelia/certs/postgresql-ca.crt
-              name: postgresql-ca
-              subPath: postgresql-ca.crt
             - mountPath: /run/authelia/certs/dch-root-ca.crt
               name: dch-root-ca
               subPath: dch-root-ca.crt
-            - mountPath: /run/authelia/secrets/postgresql
-              name: postgresql-auth
+            - mountPath: /run/authelia/certs/postgresql
+              name: postgresql-cert
           volumes:
-          - name: postgresql-auth
+          - name: postgresql-cert
             secret:
-              secretName: authelia.authelia.default.credentials.postgresql.acid.zalan.do
-          - name: postgresql-ca
-            configMap:
-              name: postgresql-ca
+              secretName: postgres-client-cert
           - name: dch-root-ca
             configMap:
               name: dch-root-ca

authelia/postgres-cert.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+spec:
+  commonName: authelia
+  privateKey:
+    algorithm: ECDSA
+  secretName: postgres-client-cert
+  issuerRef:
+    name: postgresql-ca
+    kind: ClusterIssuer