feat(authelia): make cert-manager generate jwks

2025-10-30 17:37:59 +00:00 · 2024-10-11 08:13:36 +02:00
parent 140fbc249b
commit 403d32b9ed
4 changed files with 60 additions and 13 deletions
--- a/k8s/infra/auth/authelia/cert-ecdsa-jwk.yaml
+++ b/k8s/infra/auth/authelia/cert-ecdsa-jwk.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ecdsa-jwk
+  namespace: gateway
+spec:
+  dnsNames:
+    - authelia.stonegarden.dev
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cloudflare-cluster-issuer
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+    size: 256
+  secretName: ecdsa-jwk
+  usages:
+    - digital signature
+    - key encipherment
--- a/k8s/infra/auth/authelia/cert-rsa-jwk.yaml
+++ b/k8s/infra/auth/authelia/cert-rsa-jwk.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rsa-jwk
+  namespace: gateway
+spec:
+  dnsNames:
+    - authelia.stonegarden.dev
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cloudflare-cluster-issuer
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  secretName: rsa-jwk
+  usages:
+    - digital signature
+    - key encipherment
--- a/k8s/infra/auth/authelia/kustomization.yaml
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -7,6 +7,8 @@ resources:
  - lldap-credentials.yaml
  - oidc-argocd.yaml
  - oidc-jwks.yaml
+  - cert-rsa-jwk.yaml
+  - cert-ecdsa-jwk.yaml
  - http-route.yaml

 helmCharts:
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -51,22 +51,23 @@ configMap:

  identity_providers:
    oidc:
-      ## Enables this in the config map. Currently in beta stage.
-      ## See https://www.authelia.com/r/openid-connect/
+      ## Currently in beta stage. See https://www.authelia.com/r/openid-connect/
      enabled: true
      jwks:
        - key_id: 'default'
          algorithm: 'RS256'
          use: 'sig'
          key:
-            path: /secrets/oidc-jwks/default.RS256.private.pem
+            path: /secrets/rsa-jwk/tls.key
          certificate_chain:
-            path: /secrets/oidc-jwks/default.RS256.public.crt
-        - key_id: 'ecdsa'
+            path: /secrets/rsa-jwk/tls.crt
+        - key_id: 'ecdsa256'
          algorithm: 'ES256'
          use: 'sig'
          key:
-            path: /secrets/oidc-jwks/ecdsa.P256.private.pem
+            path: /secrets/ecdsa-jwk/tls.key
+          certificate_chain:
+            path: /secrets/ecdsa-jwk/tls.crt
      cors:
        allowed_origins_from_client_redirect_uris: true
      clients:
@@ -100,11 +101,15 @@ secret:
      items:
        - key: clientSecret
          path: clientSecret
-    oidc-jwks:
+    rsa-jwk:
      items:
-        - key: default.RS256.private.pem
-          path: default.RS256.private.pem
-        - key: default.RS256.public.crt
-          path: default.RS256.public.crt
-        - key: ecdsa.P256.private.pem
-          path: ecdsa.P256.private.pem
+        - key: tls.key
+          path: tls.key
+        - key: tls.crt
+          path: tls.crt
+    ecdsa-jwk:
+      items:
+        - key: tls.key
+          path: tls.key
+        - key: tls.crt
+          path: tls.crt