feat(authelia): harden oidc clients

2025-10-31 09:57:59 +00:00 · 2025-01-11 10:41:59 +01:00
parent ae355bb427
commit d816953b98
4 changed files with 24 additions and 5 deletions
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -75,42 +75,54 @@ configMap:
        allowed_origins_from_client_redirect_uris: true
        endpoints: [ userinfo, authorization, token, revocation, introspection ]
      clients:
+
        - client_id: argocd
          client_secret: { path: /secrets/client-argocd/client_secret.txt }
          client_name: Argo CD
          public: false
          authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
          redirect_uris:
            - https://argocd.stonegarden.dev/auth/callback
            - https://argocd.stonegarden.dev/applications
          scopes: [ openid, groups, email, profile, offline_access ]
          userinfo_signed_response_alg: none
          id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+
        - client_id: argocd-cli
          client_name: Argo CD (CLI)
          public: true
          authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
          redirect_uris: [ http://localhost:8085/auth/callback ]
          scopes: [ openid, groups, email, profile, offline_access ]
-          userinfo_signed_response_alg: none
+          id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+
        - client_id: kubectl
          client_name: kubectl
          public: true
          authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
+          require_pkce: true
          redirect_uris: [ http://localhost:8000, http://localhost:18000 ]
          scopes: [ openid, groups, email, profile, offline_access ]
-          userinfo_signed_response_alg: none
+
        - client_id: netbird
          client_secret: { path: /secrets/client-netbird/client_secret.txt }
          client_name: NetBird
          public: false
          authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
+          require_pkce: true
+          pkce_challenge_method: S256
          audience: [ netbird ]
          redirect_uris:
            - http://localhost:53000
            - https://netbird.stonegarden.dev/callback
            - https://netbird.stonegarden.dev/silent-callback
-          scopes: [ openid, profile, email ]
+          scopes: [ openid, profile, email, offline_access ]
          token_endpoint_auth_method: client_secret_post

 secret:
--- a/k8s/infra/vpn/netbird/agent/daemon-set.yaml
+++ b/k8s/infra/vpn/netbird/agent/daemon-set.yaml
@@ -40,7 +40,7 @@ spec:
              mountPath: /var/lib/netbird
          resources:
            requests:
-              memory: 192Mi
+              memory: 128Mi
              cpu: 100m
            limits:
              memory: 256Mi
--- a/k8s/infra/vpn/netbird/management/deployment.yaml
+++ b/k8s/infra/vpn/netbird/management/deployment.yaml
@@ -80,7 +80,7 @@ spec:
              containerPort: 80
          resources:
            requests:
-              memory: 256Mi
+              memory: 64Mi
              cpu: 200m
            limits:
              memory: 512Mi
--- a/k8s/infra/vpn/netbird/relay/deployment.yaml
+++ b/k8s/infra/vpn/netbird/relay/deployment.yaml
@@ -35,3 +35,10 @@ spec:
            - containerPort: 80
              name: relay
              protocol: TCP
+          resources:
+            requests:
+              memory: 16Mi
+              cpu: 10m
+            limits:
+              memory: 64Mi
+              cpu: 4000m