Dustin C. Hatch
92497004be
If there is an issue with the in-cluster database server, accessing the Kubernetes API becomes impossible by normal means. This is because the Kubernetes API uses Authelia for authentication and authorization, and Authelia relies on the in-cluster database server. To solve this chicken-and-egg scenario, I've set up a dedicated PostgreSQL database server on a virtual machine, totally external to the Kubernetes cluster. With this commit, I have changed the Authelia configuration to point at this new database server. The contents of the new database server were restored from a backup from the in-cluster server, so of Authelia's state was migrated automatically. Thus, updating the configuration is all that is necessary to switch to using it. The new server uses certificate-based authentication. In order for Authelia to access it, it needs a certificate issued by the _postgresql-ca_ ClusterIssuer, managed by _cert-manager_. Although the environment variables for pointing to the certificate and private key are not listed explicitly in the Authelia documentation, their names can be inferred from the configuration document schema and work as expected.
172 lines
4.0 KiB
YAML
172 lines
4.0 KiB
YAML
access_control:
|
|
default_policy: one_factor
|
|
networks:
|
|
- name: internal
|
|
networks:
|
|
- 172.30.0.0/26
|
|
- 172.31.1.0/24
|
|
rules:
|
|
- domain: paperless.pyrocufflink.blue
|
|
policy: two_factor
|
|
subject:
|
|
- 'group:Paperless-ngx Users'
|
|
- domain: paperless.pyrocufflink.blue
|
|
policy: deny
|
|
- domain: firefly.pyrocufflink.blue
|
|
resources:
|
|
- '^/api/'
|
|
policy: bypass
|
|
- domain: firefly.pyrocufflink.blue
|
|
policy: two_factor
|
|
subject:
|
|
- 'group:Firefly III Users'
|
|
- domain: firefly-importer.pyrocufflink.blue
|
|
policy: two_factor
|
|
subject:
|
|
- 'group:Firefly III Users'
|
|
- domain: firefly-importer.pyrocufflink.blue
|
|
policy: one_factor
|
|
subject:
|
|
- 'user:svc.xactfetch'
|
|
- domain: firefly.pyrocufflink.blue
|
|
policy: deny
|
|
- domain: firefly-importer.pyrocufflink.blue
|
|
policy: deny
|
|
- domain: scan.pyrocufflink.blue
|
|
networks:
|
|
- internal
|
|
policy: bypass
|
|
- domain: metrics.pyrocufflink.blue
|
|
networks:
|
|
- internal
|
|
resources:
|
|
- '^/alertmanager([/?].*)?$'
|
|
methods:
|
|
- GET
|
|
- HEAD
|
|
- OPTIONS
|
|
policy: bypass
|
|
- domain: hlcforms.pyrocufflink.blue
|
|
resources:
|
|
- '^/submit/.*'
|
|
policy: bypass
|
|
|
|
authentication_backend:
|
|
ldap:
|
|
base_dn: DC=pyrocufflink,DC=blue
|
|
implementation: activedirectory
|
|
tls:
|
|
minimum_version: TLS1.2
|
|
url: ldaps://pyrocufflink.blue
|
|
user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
|
|
|
|
certificates_directory: /run/authelia/certs
|
|
|
|
identity_providers:
|
|
oidc:
|
|
clients:
|
|
- id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
|
|
description: Jenkins
|
|
secret: >-
|
|
$argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
|
|
redirect_uris:
|
|
- https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
|
|
scopes:
|
|
- openid
|
|
- groups
|
|
- profile
|
|
- email
|
|
- offline_access
|
|
authorization_policy: one_factor
|
|
pre_configured_consent_duration: 8h
|
|
token_endpoint_auth_method: client_secret_post
|
|
- id: kubernetes
|
|
description: Kubernetes
|
|
public: true
|
|
redirect_uris:
|
|
- http://localhost:8000
|
|
- http://localhost:18000
|
|
authorization_policy: one_factor
|
|
pre_configured_consent_duration: 8h
|
|
- id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
|
|
description: MinIO
|
|
secret: >-
|
|
$pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
|
|
redirect_uris:
|
|
- https://burp.pyrocufflink.blue:9090/oauth_callback
|
|
- id: step-ca
|
|
description: step-ca
|
|
public: true
|
|
redirect_uris:
|
|
- http://127.0.0.1
|
|
pre_configured_consent_duration: 8h
|
|
- id: argocd
|
|
description: Argo CD
|
|
pre_configured_consent_duration: 8h
|
|
redirect_uris:
|
|
- https://argocd.pyrocufflink.blue/auth/callback
|
|
secret: >-
|
|
$pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
|
|
- id: argocd-cli
|
|
description: argocd CLI
|
|
public: true
|
|
pre_configured_consent_duration: 8h
|
|
audience:
|
|
- argocd-cli
|
|
redirect_uris:
|
|
- http://localhost:8085/auth/callback
|
|
scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
- offline_access
|
|
- id: sshca
|
|
description: SSHCA
|
|
public: true
|
|
pre_configured_consent_duration: 4h
|
|
redirect_uris:
|
|
- http://127.0.0.1
|
|
scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
|
|
log:
|
|
level: info
|
|
|
|
notifier:
|
|
smtp:
|
|
disable_require_tls: true
|
|
host: mail.pyrocufflink.blue
|
|
port: 25
|
|
sender: auth@pyrocufflink.net
|
|
|
|
session:
|
|
domain: pyrocufflink.blue
|
|
expiration: 1d
|
|
inactivity: 4h
|
|
redis:
|
|
host: redis
|
|
port: 6379
|
|
|
|
server:
|
|
buffers:
|
|
read: 16384
|
|
|
|
storage:
|
|
postgres:
|
|
host: postgresql.pyrocufflink.blue
|
|
database: authelia
|
|
username: authelia
|
|
password: unused
|
|
tls:
|
|
skip_verify: false
|
|
|
|
telemetry:
|
|
metrics:
|
|
enabled: true
|
|
|
|
theme: auto
|