feat(authelia): use a cnpg managed db

use a database for presistent storage of users and sessions

k8s/infra/auth/authelia/cnpg-db.yaml

@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: authelia-postgres
+  namespace: authelia
+spec:
+  instances: 1
+  affinity:
+    nodeSelector:
+      topology.kubernetes.io/zone: euclid
+  monitoring:
+    enablePodMonitor: true
+  postgresql:
+    parameters:
+      timezone: Europe/Oslo
+  bootstrap:
+    initdb:
+      database: authelia
+      owner: authelia
+  managed:
+    services:
+      disabledDefaultServices: [ "ro", "r" ]
+#      additional:
+#        - selectorType: rw
+#          updateStrategy: patch
+#          serviceTemplate:
+#            metadata:
+#              name: authelia-postgres-db
+#              annotations:
+#                io.cilium/lb-ipam-ips: 192.168.1.240
+#            spec:
+#              type: LoadBalancer
+  storage:
+    size: 512M
+    pvcTemplate:
+      storageClassName: proxmox-csi
+      volumeName: pv-authelia-postgres
+      accessModes:
+        - ReadWriteOnce

k8s/infra/auth/authelia/kustomization.yaml

@@ -10,6 +10,7 @@ resources:
   - cert-ecdsa-jwk.yaml
   - oidc-argocd.yaml
   - http-route.yaml
+  - cnpg-db.yaml
 
 helmCharts:
   - name: authelia

k8s/infra/auth/authelia/values.yaml

@@ -31,11 +31,12 @@ configMap:
   storage:
     encryption_key: { secret_name: crypto }
     postgres:
-      enabled: false
-      address: 'tcp://postgres.databases.svc.cluster.local:5432'
-    # Switch to Postgres later
-    local:
       enabled: true
+      deploy: false
+      address: tcp://authelia-postgres-rw:5432
+      database: authelia
+      username: authelia
+      password: { secret_name: authelia-postgres-app }
 
   notifier:
     filesystem:
@@ -52,7 +53,7 @@ configMap:
       groups_filter: '(member={dn})'
       additional_groups_dn: 'ou=groups'
       user: 'UID=authelia,OU=people,DC=stonegarden,DC=dev'
-      password: { secret_name: 'lldap-auth' }
+      password: { secret_name: lldap-auth }
 
   identity_providers:
     oidc:
@@ -102,6 +103,10 @@ configMap:
 
 secret:
   additionalSecrets:
+    authelia-postgres-app:
+      items:
+        - key: password
+          path: storage.postgres.password.txt
     lldap-auth:
       items:
         - key: password

k8s/infra/database/pg-cluster/cnpg-cluster.yaml

@@ -1,10 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: cluster-example
-  namespace: cnpg-database
-spec:
-  instances: 3
-  storage:
-    storageClass: proxmox-csi
-    size: 4G

k8s/infra/database/pg-cluster/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cnpg-database
-
-resources:
-  - cnpg-cluster.yaml

k8s/infra/database/pg-single/cnpg-single.yaml

@@ -1,30 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: single-example
-  namespace: cnpg-database
-spec:
-  instances: 1
-  affinity:
-    nodeSelector:
-      topology.kubernetes.io/zone: euclid
-  managed:
-    services:
-      disabledDefaultServices: [ "ro", "r" ]
-      additional:
-        - selectorType: rw
-          updateStrategy: patch
-          serviceTemplate:
-            metadata:
-              name: single-example-ext
-              annotations:
-                io.cilium/lb-ipam-ips: 192.168.1.230
-            spec:
-              type: LoadBalancer
-  storage:
-    size: 4G
-    pvcTemplate:
-      storageClassName: proxmox-csi
-      volumeName: pv-single-database
-      accessModes:
-        - ReadWriteOnce

k8s/infra/database/pg-single/kustomization.yaml

@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cnpg-database
-
-resources:
-  - cnpg-single.yaml

k8s/infra/vpn/netbird/management/x-oidc-client.yaml

@@ -8,9 +8,9 @@ spec:
   displayName: Netbird Backend
   description: Netbird Backend Client
   clientSecretSecretRef:
-    name: netbird-backend-oidc-credentials
+    name: management-oidc-credentials
     namespace: netbird
-    key: clientSecret
+    key: NETBIRD_IDP_CLIENT_SECRET
   type: CONFIDENTIAL
   grantTypes:
     - client_credentials

tofu/kubernetes/main.tf

@@ -128,6 +128,10 @@ module "volumes" {
       node = "euclid"
       size = "1G"
     }
+    pv-authelia-postgres = {
+      node = "euclid"
+      size = "512M"
+    }
     pv-keycloak-postgres = {
       node = "euclid"
       size = "2G"
@@ -152,9 +156,5 @@ module "volumes" {
       node = "abel"
       size = "10G"
     }
-    pv-single-database = {
-      node = "euclid"
-      size = "4G"
-    }
   }
 }