K3S-HOME/security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FEAT(authentik): add authelia sso

Browse Source 
- replacing authentik
This commit is contained in:
Mayne0213
2025-12-30 21:58:41 +09:00
parent 87b16d13e3
commit 0ec31ac5a9
7 changed files with 236 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
authelia/argocd.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authelia
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
- repoURL: https://charts.authelia.com
chart: authelia
targetRevision: 0.9.*
helm:
valueFiles:
- $values/authelia/helm-values.yaml
- repoURL: https://github.com/Mayne0213/cluster-infrastructure.git
targetRevision: main
ref: values
- repoURL: https://github.com/Mayne0213/cluster-infrastructure.git
targetRevision: main
path: authelia
destination:
server: https://kubernetes.default.svc
namespace: authelia
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
managedNamespaceMetadata:
labels:
goldilocks.fairwinds.com/enabled: 'true'
revisionHistoryLimit: 10

102
authelia/helm-values.yaml Normal file
View File

@@ -0,0 +1,102 @@
# Authelia Helm Values
# Chart: https://charts.authelia.com
# Domain configuration
domain: mayne0213.kro.kr
# Ingress - disabled, using separate ingress.yaml
ingress:
enabled: false
# Pod configuration
pod:
replicas: 1
resources:
requests:
cpu: 25m
memory: 64Mi
limits:
memory: 128Mi
extraVolumes:
- name: users-database
configMap:
name: authelia-users
extraVolumeMounts:
- name: users-database
mountPath: /config/users_database.yml
subPath: users_database.yml
readOnly: true
# ConfigMap configuration
configMap:
# Authentication backend - file-based users
authentication_backend:
file:
enabled: true
path: /config/users_database.yml
password:
algorithm: argon2
argon2:
variant: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
# Session configuration
session:
cookies:
- domain: mayne0213.kro.kr
authelia_url: https://auth.mayne0213.kro.kr
default_redirection_url: https://mayne.kro.kr
# Storage - local SQLite (lightweight)
storage:
local:
enabled: true
path: /data/db.sqlite3
# Access control rules
access_control:
default_policy: deny
rules:
# Bypass for public services
- domain:
- mayne.kro.kr
- "*.jaejadle.kro.kr"
- "*.joossameng.kro.kr"
- "*.jovies.kro.kr"
- "*.minjo0213.kro.kr"
- "*.todo0213.kro.kr"
policy: bypass
# One factor for admin services
- domain:
- "*.mayne0213.kro.kr"
policy: one_factor
# Notifier - filesystem (no email)
notifier:
filesystem:
enabled: true
filename: /data/notification.txt
# TOTP configuration
totp:
enabled: true
issuer: mayne0213.kro.kr
# Identity providers (OIDC) - can be enabled later
identity_providers:
oidc:
enabled: false
# Secret configuration - use existing secret from Vault
secret:
existingSecret: authelia-secrets
# Persistence for SQLite database
persistence:
enabled: true
storageClass: longhorn
size: 1Gi

24
authelia/ingress.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authelia-ingress
namespace: authelia
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: traefik
tls:
- hosts:
- auth.mayne0213.kro.kr
secretName: authelia-tls
rules:
- host: auth.mayne0213.kro.kr
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: authelia
port:
number: 80

7
authelia/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- vault/authelia-secrets.yaml
- ingress.yaml
- middleware.yaml
- users-database.yaml

14
authelia/middleware.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authelia-auth
namespace: authelia
spec:
forwardAuth:
address: http://authelia.authelia.svc.cluster.local/api/authz/forward-auth
trustForwardHeader: true
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Email
- Remote-Name

19
authelia/users-database.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authelia-users
namespace: authelia
data:
users_database.yml: |
# Authelia Users Database
# Generate password hash: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2
users:
admin:
disabled: false
displayname: "Admin"
email: admin@mayne0213.kro.kr
# Default password: changeme (CHANGE THIS!)
# Generate new hash: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2
password: "$argon2id$v=19$m=65536,t=3,p=4$placeholder$placeholder"
groups:
- admins

26
authelia/vault/authelia-secrets.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: authelia-secrets
namespace: authelia
spec:
refreshInterval: 1h
secretStoreRef:
kind: ClusterSecretStore
name: vault-backend
target:
name: authelia-secrets
creationPolicy: Owner
data:
- secretKey: JWT_TOKEN
remoteRef:
key: cluster-infrastructure/authelia
property: JWT_SECRET
- secretKey: SESSION_ENCRYPTION_KEY
remoteRef:
key: cluster-infrastructure/authelia
property: SESSION_SECRET
- secretKey: STORAGE_ENCRYPTION_KEY
remoteRef:
key: cluster-infrastructure/authelia
property: STORAGE_ENCRYPTION_KEY