feat(authelia): make cert-manager generate jwks

k8s/infra/auth/authelia/cert-ecdsa-jwk.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ecdsa-jwk
+  namespace: gateway
+spec:
+  dnsNames:
+    - authelia.stonegarden.dev
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cloudflare-cluster-issuer
+  privateKey:
+    algorithm: ECDSA
+    encoding: PKCS8
+    size: 256
+  secretName: ecdsa-jwk
+  usages:
+    - digital signature
+    - key encipherment

k8s/infra/auth/authelia/cert-rsa-jwk.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: rsa-jwk
+  namespace: gateway
+spec:
+  dnsNames:
+    - authelia.stonegarden.dev
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cloudflare-cluster-issuer
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  secretName: rsa-jwk
+  usages:
+    - digital signature
+    - key encipherment

k8s/infra/auth/authelia/kustomization.yaml

@@ -7,6 +7,8 @@ resources:
   - lldap-credentials.yaml
   - oidc-argocd.yaml
   - oidc-jwks.yaml
+  - cert-rsa-jwk.yaml
+  - cert-ecdsa-jwk.yaml
   - http-route.yaml
 
 helmCharts:

k8s/infra/auth/authelia/values.yaml

@@ -51,22 +51,23 @@ configMap:
 
   identity_providers:
     oidc:
-      ## Enables this in the config map. Currently in beta stage.
+      ## Currently in beta stage. See https://www.authelia.com/r/openid-connect/
-      ## See https://www.authelia.com/r/openid-connect/
       enabled: true
       jwks:
         - key_id: 'default'
           algorithm: 'RS256'
           use: 'sig'
           key:
-            path: /secrets/oidc-jwks/default.RS256.private.pem
+            path: /secrets/rsa-jwk/tls.key
           certificate_chain:
-            path: /secrets/oidc-jwks/default.RS256.public.crt
+            path: /secrets/rsa-jwk/tls.crt
-        - key_id: 'ecdsa'
+        - key_id: 'ecdsa256'
           algorithm: 'ES256'
           use: 'sig'
           key:
-            path: /secrets/oidc-jwks/ecdsa.P256.private.pem
+            path: /secrets/ecdsa-jwk/tls.key
+          certificate_chain:
+            path: /secrets/ecdsa-jwk/tls.crt
       cors:
         allowed_origins_from_client_redirect_uris: true
       clients:
@@ -100,11 +101,15 @@ secret:
       items:
         - key: clientSecret
           path: clientSecret
-    oidc-jwks:
+    rsa-jwk:
       items:
-        - key: default.RS256.private.pem
+        - key: tls.key
-          path: default.RS256.private.pem
+          path: tls.key
-        - key: default.RS256.public.crt
+        - key: tls.crt
-          path: default.RS256.public.crt
+          path: tls.crt
-        - key: ecdsa.P256.private.pem
+    ecdsa-jwk:
-          path: ecdsa.P256.private.pem
+      items:
+        - key: tls.key
+          path: tls.key
+        - key: tls.crt
+          path: tls.crt