diff --git a/authelia/authelia.yaml b/authelia/authelia.yaml index 03b33b3..eb6a98d 100644 --- a/authelia/authelia.yaml +++ b/authelia/authelia.yaml @@ -3,24 +3,6 @@ kind: Namespace metadata: name: authelia ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: authelia - namespace: authelia - labels: - app.kubernetes.io/name: authelia - app.kubernetes.io/component: authelia - app.kubernetes.io/instance: authelia - app.kubernetes.io/part-of: authelia -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - --- apiVersion: v1 kind: Service @@ -44,7 +26,7 @@ spec: --- apiVersion: apps/v1 -kind: StatefulSet +kind: Deployment metadata: name: authelia namespace: authelia @@ -54,7 +36,6 @@ metadata: app.kubernetes.io/instance: authelia app.kubernetes.io/part-of: authelia spec: - serviceName: authelia replicas: 1 selector: matchLabels: @@ -110,9 +91,6 @@ spec: - name: secrets mountPath: /run/authelia/secrets readOnly: true - - name: data - mountPath: /var/lib/authelia - subPath: authelia securityContext: runAsNonRoot: true runAsUser: 1000 @@ -125,9 +103,6 @@ spec: - name: secrets secret: secretName: authelia - - name: data - persistentVolumeClaim: - claimName: authelia --- apiVersion: networking.k8s.io/v1 diff --git a/authelia/configuration.yml b/authelia/configuration.yml index fb8708f..810870a 100644 --- a/authelia/configuration.yml +++ b/authelia/configuration.yml @@ -28,6 +28,8 @@ authentication_backend: url: ldaps://pyrocufflink.blue user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue +certificates_directory: /run/authelia/certs + identity_providers: oidc: clients: @@ -99,11 +101,18 @@ session: domain: pyrocufflink.blue expiration: 1d inactivity: 4h + redis: + host: redis + port: 6379 server: buffers: read: 16384 storage: - local: - path: /var/lib/authelia/db.sqlite3 + postgres: + host: default.postgresql + database: authelia + username: authelia.authelia + tls: + skip_verify: false 
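Review bot: `certificates_directory` is Authelia's global additional-trust setting rather than a Postgres-specific one, so the `PostgreSQL CA` that the kustomization patch mounts at /run/authelia/certs also becomes an accepted issuer for the `ldaps://pyrocufflink.blue` backend and any other TLS upstream Authelia dials, as far as I know of Authelia's TLS handling. The committed certificate is a self-signed CA with `Certificate Sign` usage valid until 2034, so its private key now needs the same protection as the directory server's own; if that CA were compromised, Authelia could be pointed at an impostor LDAP server. Authelia's per-connection `tls` block has no CA field, so this cannot be scoped down in configuration; at minimum record the blast radius next to the key, e.g. `# NOTE: trusted for ALL outbound TLS (LDAPS, SMTP, OIDC), not only PostgreSQL`.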
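Review bot: The new `session.redis` block sets no `password` (and no `tls`), and redis.yaml in this commit starts the server without `--requirepass`, so every Authelia session now lives on an unauthenticated Redis reachable as `redis.authelia.svc:6379`; any workload that can open that port can read, forge or expire sessions, which is an authentication bypass for everything behind Authelia. Authelia can take the secret from a file via `AUTHELIA_SESSION_REDIS_PASSWORD_FILE`, so it can be supplied in the kustomization patch the same way `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` is, without putting it in this ConfigMap. A NetworkPolicy limiting ingress on 6379 to the authelia pod would be a second layer. `storage.postgres.tls.skip_verify: false` is the right direction; note that verification will only pass if `default.postgresql` matches a SAN in the server certificate, which this diff cannot show.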
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml index 47f6ef0..0437bf4 100644 --- a/authelia/kustomization.yaml +++ b/authelia/kustomization.yaml @@ -7,6 +7,7 @@ labels: resources: - secrets.yaml +- redis.yaml - authelia.yaml - oidc-cluster-admin.yaml @@ -15,3 +16,35 @@ configMapGenerator: namespace: authelia files: - configuration.yml +- name: postgresql-ca + namespace: authelia + files: + - postgresql-ca.crt + +patches: +- patch: |- + apiVersion: apps/v1 + kind: Deployment + metadata: + name: authelia + namespace: authelia + spec: + template: + spec: + containers: + - name: authelia + env: + - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE + value: /run/authelia/secrets/postgresql/password + volumeMounts: + - mountPath: /run/authelia/certs + name: postgresql-ca + - mountPath: /run/authelia/secrets/postgresql + name: postgresql-auth + volumes: + - name: postgresql-auth + secret: + secretName: authelia.authelia.default.credentials.postgresql.acid.zalan.do + - name: postgresql-ca + configMap: + name: postgresql-ca diff --git a/authelia/migrate.yaml b/authelia/migrate.yaml new file mode 100644 index 0000000..ac282bc --- /dev/null +++ b/authelia/migrate.yaml 
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: authelia-migration
+ namespace: authelia
+spec:
+ template:
+ spec:
+ containers:
+ - name: migrate
+ image: docker.io/dimitri/pgloader
+ command:
+ - pgloader
+ - sqlite:///var/lib/authelia/db.sqlite3
+ - postgresql:///authelia
+ env:
+ - name: PGHOST
+ value: default.postgresql
+ - name: PGUSER
+ valueFrom:
+ secretKeyRef:
+ name: authelia.authelia.default.credentials.postgresql.acid.zalan.do
+ key: username
+ - name: PGPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: authelia.authelia.default.credentials.postgresql.acid.zalan.do
+ key: password
+ - name: PGDATABASE
+ value: authelia
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/authelia
+ subPath: authelia
+ nodeSelector:
+ kubernetes.io/arch: amd64
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: authelia
+ restartPolicy: Never
diff --git a/authelia/postgresql-ca.crt b/authelia/postgresql-ca.crt
new file mode 100644
index 0000000..0cd0f1a
--- /dev/null
+++ b/authelia/postgresql-ca.crt
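Review bot: `claimName: authelia` points at the PersistentVolumeClaim that authelia.yaml deletes in this same commit, and migrate.yaml is not listed in kustomization.yaml, so if the kustomization is applied with pruning before this Job has finished, the SQLite file holding users' TOTP secrets and WebAuthn credentials disappears with no copy in Postgres. Consider landing the PVC removal in a follow-up once Postgres has been verified and Authelia starts cleanly against the copied schema, or at least state the required ordering at the top of this file, e.g. `# Run to completion BEFORE applying the kustomization that removes the authelia PVC`. `image: docker.io/dimitri/pgloader` has neither tag nor digest, so a tool handed write credentials to the database is pulled from a floating reference; pin it to a tag or `@sha256:` digest. `PGPASSWORD` in `env` also shows the password in `kubectl describe` and the process environment; libpq's `PGPASSFILE` pointing at a mounted Secret avoids that, if pgloader honours it.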
@@ -0,0 +1,45 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 05:09:51:c6:62:f6:1e:54:45:6a:0c:66:6b:5f:d0:b7
+ Signature Algorithm: ecdsa-with-SHA256
+ Issuer: CN = PostgreSQL CA
+ Validity
+ Not Before: Oct 18 16:23:46 2023 GMT
+ Not After : Oct 15 16:23:46 2034 GMT
+ Subject: CN = PostgreSQL CA
+ Subject Public Key Info:
+ Public Key Algorithm: id-ecPublicKey
+ Public-Key: (256 bit)
+ pub:
+ 04:64:33:c3:cc:09:7a:3b:e2:06:18:35:d9:9e:dc:
+ e7:ba:08:2f:d9:26:0f:8e:03:a8:9e:78:c9:54:5c:
+ fa:32:cb:ae:c3:87:dc:ce:6d:29:a4:cc:7b:73:3f:
+ 73:49:4e:35:91:42:bf:09:5f:0b:a3:8b:92:40:61:
+ 6e:f7:bf:cd:9c
+ ASN1 OID: prime256v1
+ NIST CURVE: P-256
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Digital Signature, Key Encipherment, Certificate Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ F1:84:E9:B9:96:86:8F:DF:58:61:AA:E4:31:B3:E3:E0:4D:AF:BD:DA
+ Signature Algorithm: ecdsa-with-SHA256
+ Signature Value:
+ 30:44:02:20:42:2f:2b:b2:76:56:13:bf:3f:60:92:a8:ed:48:
+ 85:aa:cf:69:68:f0:a7:a5:52:0b:d2:1a:40:69:ac:ee:a0:ff:
+ 02:20:56:0b:92:3e:42:f3:5c:ff:0a:6f:d4:95:d9:b8:5b:f8:
+ 27:55:8b:1c:32:5e:5c:18:30:84:7c:33:92:9b:d3:1b
+-----BEGIN CERTIFICATE-----
+MIIBbzCCARagAwIBAgIQBQlRxmL2HlRFagxma1/QtzAKBggqhkjOPQQDAjAYMRYw
+FAYDVQQDEw1Qb3N0Z3JlU1FMIENBMB4XDTIzMTAxODE2MjM0NloXDTM0MTAxNTE2
+MjM0NlowGDEWMBQGA1UEAxMNUG9zdGdyZVNRTCBDQTBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABGQzw8wJejviBhg12Z7c57oIL9kmD44DqJ54yVRc+jLLrsOH3M5t
+KaTMe3M/c0lONZFCvwlfC6OLkkBhbve/zZyjQjBAMA4GA1UdDwEB/wQEAwICpDAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTxhOm5loaP31hhquQxs+PgTa+92jAK
+BggqhkjOPQQDAgNHADBEAiBCLyuydlYTvz9gkqjtSIWqz2lo8KelUgvSGkBprO6g
+/wIgVguSPkLzXP8Kb9SV2bhb+CdVixwyXlwYMIR8M5Kb0xs=
+-----END CERTIFICATE-----
diff --git a/authelia/redis.yaml b/authelia/redis.yaml
new file mode 100644
index 0000000..357579a
--- /dev/null
+++ b/authelia/redis.yaml
@@ -0,0 +1,69 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/component: redis + app.kubernetes.io/instance: authelia + app.kubernetes.io/part-of: authelia + name: redis + namespace: authelia +spec: + ports: + - name: redis + port: 6379 + selector: + app.kubernetes.io/name: redis + app.kubernetes.io/component: redis + app.kubernetes.io/instance: authelia + type: ClusterIP + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis + namespace: authelia + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/component: redis + app.kubernetes.io/instance: authelia + app.kubernetes.io/part-of: authelia +spec: + selector: + matchLabels: + app.kubernetes.io/name: redis + app.kubernetes.io/component: redis + app.kubernetes.io/instance: authelia + template: + metadata: + labels: + app.kubernetes.io/name: redis + app.kubernetes.io/component: redis + app.kubernetes.io/instance: authelia + spec: + containers: + - name: redis + image: docker.io/library/redis:7 + args: + - --save + - '' + - --appendonly + - 'no' + ports: + - name: redis + containerPort: 6379 + securityContext: + runAsNonRoot: true + readOnlyRootFilesystem: true + runAsUser: 999 + runAsGroup: 999 + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + fsGroup: 999 + volumes: + - name: tmp + emptyDir: diff --git a/postgresql/default-cluster.yaml b/postgresql/default-cluster.yaml index 3483b82..259ca51 100644 --- a/postgresql/default-cluster.yaml +++ b/postgresql/default-cluster.yaml @@ -13,6 +13,8 @@ spec: tls: secretName: default-cert users: + authelia.authelia: + - login dustin: - superuser - createdb @@ -21,6 +23,7 @@ spec: home-assistant.homeassistant: - login databases: + authelia: authelia.authelia dustin: dustin firefly: firefly-iii.firefly homeassistant: home-assistant.homeassistant
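Review bot: Redis is started with no `--requirepass` and no TLS while the Service publishes 6379 cluster-wide, so the session store Authelia's configuration.yml now points at is writable by any pod that can reach `redis.authelia.svc`, and a forged session there is an authentication bypass for everything behind Authelia. Feed a `requirepass` from a Secret (the `authelia-redis` name below is a placeholder for whatever secrets.yaml provides) via a mounted redis.conf rather than a command-line flag, so the password does not appear in the node's process list, and set the same value on the Authelia side; a NetworkPolicy limiting ingress on 6379 to the authelia pod is a good second layer. Separately, the bare `emptyDir:` at the end of the hunk is YAML null rather than an empty emptyDir source, which the API server is likely to reject as a volume with no type; write `emptyDir: {}`. Pinning `redis:7` to a digest and adding `capabilities: {drop: [ALL]}` to the container securityContext would round this out.
```yaml
      containers:
      - name: redis
        image: docker.io/library/redis:7
        args:
        - /etc/redis/redis.conf   # contains: save "", appendonly no, requirepass <from Secret>
        # … unchanged: ports, securityContext …
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        - name: config
          mountPath: /etc/redis
          readOnly: true
      # … unchanged: pod securityContext …
      volumes:
      - name: tmp
        emptyDir: {}
      - name: config
        secret:
          secretName: authelia-redis   # placeholder: Secret holding redis.conf
```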