feat(authelia): use a cnpg managed db

use a database for presistent storage of users and sessions
2025-10-30 17:37:59 +00:00 · 2025-01-05 21:07:29 +01:00
parent 2eacd07803
commit ce5fc25504
9 changed files with 56 additions and 63 deletions
--- a/k8s/infra/auth/authelia/cnpg-db.yaml
+++ b/k8s/infra/auth/authelia/cnpg-db.yaml
@@ -0,0 +1,39 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: authelia-postgres
+  namespace: authelia
+spec:
+  instances: 1
+  affinity:
+    nodeSelector:
+      topology.kubernetes.io/zone: euclid
+  monitoring:
+    enablePodMonitor: true
+  postgresql:
+    parameters:
+      timezone: Europe/Oslo
+  bootstrap:
+    initdb:
+      database: authelia
+      owner: authelia
+  managed:
+    services:
+      disabledDefaultServices: [ "ro", "r" ]
+#      additional:
+#        - selectorType: rw
+#          updateStrategy: patch
+#          serviceTemplate:
+#            metadata:
+#              name: authelia-postgres-db
+#              annotations:
+#                io.cilium/lb-ipam-ips: 192.168.1.240
+#            spec:
+#              type: LoadBalancer
+  storage:
+    size: 512M
+    pvcTemplate:
+      storageClassName: proxmox-csi
+      volumeName: pv-authelia-postgres
+      accessModes:
+        - ReadWriteOnce
--- a/k8s/infra/auth/authelia/kustomization.yaml
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -10,6 +10,7 @@ resources:
  - cert-ecdsa-jwk.yaml
  - oidc-argocd.yaml
  - http-route.yaml
+  - cnpg-db.yaml

 helmCharts:
  - name: authelia
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -31,11 +31,12 @@ configMap:
  storage:
    encryption_key: { secret_name: crypto }
    postgres:
-      enabled: false
-      address: 'tcp://postgres.databases.svc.cluster.local:5432'
-    # Switch to Postgres later
-    local:
      enabled: true
+      deploy: false
+      address: tcp://authelia-postgres-rw:5432
+      database: authelia
+      username: authelia
+      password: { secret_name: authelia-postgres-app }

  notifier:
    filesystem:
@@ -52,7 +53,7 @@ configMap:
      groups_filter: '(member={dn})'
      additional_groups_dn: 'ou=groups'
      user: 'UID=authelia,OU=people,DC=stonegarden,DC=dev'
-      password: { secret_name: 'lldap-auth' }
+      password: { secret_name: lldap-auth }

  identity_providers:
    oidc:
@@ -102,6 +103,10 @@ configMap:

 secret:
  additionalSecrets:
+    authelia-postgres-app:
+      items:
+        - key: password
+          path: storage.postgres.password.txt
    lldap-auth:
      items:
        - key: password
--- a/k8s/infra/database/pg-cluster/cnpg-cluster.yaml
+++ b/k8s/infra/database/pg-cluster/cnpg-cluster.yaml
@@ -1,10 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: cluster-example
-  namespace: cnpg-database
-spec:
-  instances: 3
-  storage:
-    storageClass: proxmox-csi
-    size: 4G
--- a/k8s/infra/database/pg-cluster/kustomization.yaml
+++ b/k8s/infra/database/pg-cluster/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cnpg-database
-
-resources:
-  - cnpg-cluster.yaml
--- a/k8s/infra/database/pg-single/cnpg-single.yaml
+++ b/k8s/infra/database/pg-single/cnpg-single.yaml
@@ -1,30 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: single-example
-  namespace: cnpg-database
-spec:
-  instances: 1
-  affinity:
-    nodeSelector:
-      topology.kubernetes.io/zone: euclid
-  managed:
-    services:
-      disabledDefaultServices: [ "ro", "r" ]
-      additional:
-        - selectorType: rw
-          updateStrategy: patch
-          serviceTemplate:
-            metadata:
-              name: single-example-ext
-              annotations:
-                io.cilium/lb-ipam-ips: 192.168.1.230
-            spec:
-              type: LoadBalancer
-  storage:
-    size: 4G
-    pvcTemplate:
-      storageClassName: proxmox-csi
-      volumeName: pv-single-database
-      accessModes:
-        - ReadWriteOnce
--- a/k8s/infra/database/pg-single/kustomization.yaml
+++ b/k8s/infra/database/pg-single/kustomization.yaml
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cnpg-database
-
-resources:
-  - cnpg-single.yaml
--- a/k8s/infra/vpn/netbird/management/x-oidc-client.yaml
+++ b/k8s/infra/vpn/netbird/management/x-oidc-client.yaml
@@ -8,9 +8,9 @@ spec:
  displayName: Netbird Backend
  description: Netbird Backend Client
  clientSecretSecretRef:
-    name: netbird-backend-oidc-credentials
+    name: management-oidc-credentials
    namespace: netbird
-    key: clientSecret
+    key: NETBIRD_IDP_CLIENT_SECRET
  type: CONFIDENTIAL
  grantTypes:
    - client_credentials
--- a/tofu/kubernetes/main.tf
+++ b/tofu/kubernetes/main.tf
@@ -128,6 +128,10 @@ module "volumes" {
      node = "euclid"
      size = "1G"
    }
+    pv-authelia-postgres = {
+      node = "euclid"
+      size = "512M"
+    }
    pv-keycloak-postgres = {
      node = "euclid"
      size = "2G"
@@ -152,9 +156,5 @@ module "volumes" {
      node = "abel"
      size = "10G"
    }
-    pv-single-database = {
-      node = "euclid"
-      size = "4G"
-    }
  }
 }