feat(auth): add Authelia for OIDC

Use Authelia in an attempt to replace Keycloak. Kanidm is another alternative we're going to try later.
2025-10-30 17:37:59 +00:00 · 2024-09-07 21:14:33 +02:00
parent 6ac8652e24
commit ba69146b4b
6 changed files with 84 additions and 1 deletions
--- a/k8s/apps/homepage/blog/hugo/http-route.yaml
+++ b/k8s/apps/homepage/blog/hugo/http-route.yaml
@@ -18,4 +18,4 @@ spec:
            value: /
      backendRefs:
        - name: hugo
-          port: 80
+          port: 80
--- a/k8s/infra/auth/authelia/kustomization.yaml
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -0,0 +1,14 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: authelia
+
+resources:
+  - ns.yaml
+
+helmCharts:
+  - name: authelia
+    repo: https://charts.authelia.com
+    releaseName: authelia
+    namespace: authelia
+    version: 0.9.5
+    valuesFile: values.yaml
--- a/k8s/infra/auth/authelia/ns.yaml
+++ b/k8s/infra/auth/authelia/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -0,0 +1,60 @@
+image:
+  registry: ghcr.io
+  repository: authelia/authelia
+  tag: 4.38.10 # renovate: docker=ghcr.io/authelia/authelia
+  pullPolicy: IfNotPresent
+
+configMap:
+  theme: 'dark'
+
+  access_control:
+    # upgrade to 'two_factor' later
+    default_policy: 'one_factor'
+    rules:
+     - domain_regex: '^.*\.stonegarden.dev$'
+       policy: 'one_factor'
+
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'lldap'
+      address: 'ldap://lldap.lldap.svc.cluster.local'
+      base_dn: 'DC=stonegarden,DC=dev'
+      additional_users_dn: 'OU=people'
+      # To allow sign in both with username and email, one can use a filter like
+      # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+      users_filter: '(&({username_attribute}={input})(objectClass=person))'
+      additional_groups_dn: 'OU=groups'
+      groups_filter: '(member={dn})'
+      user: 'UID=admin,OU=people,DC=stonegarden,DC=dev'
+      password:
+        secret_name: 'lldap-auth'
+        value: 'password'
+
+#    file:
+#      enabled: true
+
+  session:
+    cookies:
+      - subdomain: auth
+        domain: stonegarden.dev
+
+  storage:
+    postgres:
+      enabled: false
+      address: 'tcp://postgres.databases.svc.cluster.local:5432'
+    # Switch to Postgres later
+    local:
+      enabled: true
+
+  notifier:
+    filesystem:
+      enabled: true
+
+secret:
+  additionalSecrets:
+    lldap-auth:
+      items:
+        - key: 'password'
+          path: 'authentication.ldap.password.txt'
+
--- a/k8s/infra/auth/lldap/svc.yaml
+++ b/k8s/infra/auth/lldap/svc.yaml
@@ -11,3 +11,6 @@ spec:
    - name: web
      port: 80
      targetPort: web
+    - name: ldap
+      port: 389
+      targetPort: ldap
--- a/k8s/infra/auth/project.yaml
+++ b/k8s/infra/auth/project.yaml
@@ -9,6 +9,8 @@ spec:
  destinations:
    - namespace: 'argocd'
      server: '*'
+    - namespace: 'authelia'
+      server: '*'
    - namespace: 'keycloak'
      server: '*'
    - namespace: 'lldap'