scottk/homelab
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/homelab.git synced 2025-11-01 10:27:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(authelia): make cert-manager generate jwks

Browse Source
This commit is contained in:
Vegard Hagen
2024-10-11 08:13:36 +02:00
parent 140fbc249b
commit 403d32b9ed
4 changed files with 60 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
k8s/infra/auth/authelia/cert-ecdsa-jwk.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ecdsa-jwk
namespace: gateway
spec:
dnsNames:
- authelia.stonegarden.dev
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: cloudflare-cluster-issuer
privateKey:
algorithm: ECDSA
encoding: PKCS8
size: 256
secretName: ecdsa-jwk
usages:
- digital signature
- key encipherment

20
k8s/infra/auth/authelia/cert-rsa-jwk.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: rsa-jwk
namespace: gateway
spec:
dnsNames:
- authelia.stonegarden.dev
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: cloudflare-cluster-issuer
privateKey:
algorithm: RSA
encoding: PKCS8
size: 2048
secretName: rsa-jwk
usages:
- digital signature
- key encipherment

2
k8s/infra/auth/authelia/kustomization.yaml
View File

@@ -7,6 +7,8 @@ resources:
- lldap-credentials.yaml - lldap-credentials.yaml
- oidc-argocd.yaml - oidc-argocd.yaml
- oidc-jwks.yaml - oidc-jwks.yaml
- cert-rsa-jwk.yaml
- cert-ecdsa-jwk.yaml
- http-route.yaml - http-route.yaml
helmCharts: helmCharts:

31
k8s/infra/auth/authelia/values.yaml
View File

@@ -51,22 +51,23 @@ configMap:
identity_providers: identity_providers:
oidc: oidc:
## Enables this in the config map. Currently in beta stage. ## Currently in beta stage. See https://www.authelia.com/r/openid-connect/
## See https://www.authelia.com/r/openid-connect/
enabled: true enabled: true
jwks: jwks:
- key_id: 'default' - key_id: 'default'
algorithm: 'RS256' algorithm: 'RS256'
use: 'sig' use: 'sig'
key: key:
path: /secrets/oidc-jwks/default.RS256.private.pem path: /secrets/rsa-jwk/tls.key
certificate_chain: certificate_chain:
path: /secrets/oidc-jwks/default.RS256.public.crt path: /secrets/rsa-jwk/tls.crt
- key_id: 'ecdsa' - key_id: 'ecdsa256'
algorithm: 'ES256' algorithm: 'ES256'
use: 'sig' use: 'sig'
key: key:
path: /secrets/oidc-jwks/ecdsa.P256.private.pem path: /secrets/ecdsa-jwk/tls.key
certificate_chain:
path: /secrets/ecdsa-jwk/tls.crt
cors: cors:
allowed_origins_from_client_redirect_uris: true allowed_origins_from_client_redirect_uris: true
clients: clients:
@@ -100,11 +101,15 @@ secret:
items: items:
- key: clientSecret - key: clientSecret
path: clientSecret path: clientSecret
oidc-jwks: rsa-jwk:
items: items:
- key: default.RS256.private.pem - key: tls.key
path: default.RS256.private.pem path: tls.key
- key: default.RS256.public.crt - key: tls.crt
path: default.RS256.public.crt path: tls.crt
- key: ecdsa.P256.private.pem ecdsa-jwk:
path: ecdsa.P256.private.pem items:
- key: tls.key
path: tls.key
- key: tls.crt
path: tls.crt