fix(oidc): conceal jwks signing key

2025-10-30 17:37:59 +00:00 · 2024-10-09 22:59:53 +02:00
parent 53855a6d27
commit e0ce01c80f
3 changed files with 31 additions and 46 deletions
--- a/k8s/infra/auth/authelia/kustomization.yaml
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
  - ns.yaml
  - lldap-credentials.yaml
  - oidc-argocd.yaml
+  - oidc-jwks.yaml
  - http-route.yaml

 helmCharts:
--- a/k8s/infra/auth/authelia/oidc-jwks.yaml
+++ b/k8s/infra/auth/authelia/oidc-jwks.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: oidc-jwks
+  namespace: authelia
+spec:
+  encryptedData:
+    default.RS256.private.pem: AgB+caNplG56fBu5cdQdaG2Nj9WwFtZhYf+8HW0HHOnYAVe7QceNjVU9Ssy+IZb0YIerBiI+8GpbiOZeAPnoJiVP9fwDnQznkk4vjrRVfABAGeSxY6uIN04VSP+VRDFwWc16aBrH+qaQMWkGxBnTJ/16SVzwhXpWo+05mQYzz6s3WxVqD4yyKLf+6vOHtbAPo1j/oiFWu2l7sgdAG/LIe+GQ8FMBwWWkoK0PQ1DfDZupBekUKLrnYT+CFEGxqEGZe8Hcj61hRo1sCHPgHgrd/lZdVyaVK9ggPv/FW6G2/BoJev5Y/FwwXUlEvLESYEutTvAfuAX91OTAoQvI425RGba5dlhU/AQcFnpTRsNTljGGo6p/MqioMThu6ry3/XUjFlUU0Fo3OjsfCu+6SHWzF4mi7n/LUCrSlNFL5YF3O51+TvumZ5MW3SDA+k6YYSYFzCxzbzDMqh6hBEPexfI/ilV/BiyuJB7hz/nxYjImhZRPwM9hiXvT7ovsH3pTys7+9OzBe2qAciV3pr90r/SYEQuqrZOxvqilBBLC+xWm8MIAr24LxKI99B69c+43yo8Kzsnw0Sy2ggXsCyxNOfMoQlnQ6N2ctz5Ov/kdakNhor5AsqsHOo04rTctoCW3yKb9GY+0OCnx92MbvlaxsJkq3yNflodvCnP3MfoZxyG4e+tJ0Um6MoYHDfMs1wImueq6ormcPwcTvvT/3bV/2LOHsVrLxdiMROlgGLitmzcZDpBrIZM/2k7leDwW3QLSMSGzUGicfIa+PLnOENoZ+JujiuGi644u+SZj0c58jgsSL/K5Asre5CBPOs62j7uRHRnu7BrDwfKRVdZ1WvIpfjxvYx9pCtNMlp+dJu+6Jx+a2K/a2mqZhxeu0CpxfUbp5e2+Rf5rITZmtAbV5VT8PWx6OW0mFCjoPfMUuhG7U3oK6PBvAqbnA+uEkdx5Kv1G81UbShlQi0qaJXADjuvNvAiARruvUK4DCJUV08PBoW8tBaTldm8jT2sEI0O74HcRT+J/iP0eQ+GBtmadtrj9ye0nuV1pSKr1LEnobgn6Qt8KJLcc/Wewx2Yi3hpD1PPED+89K55TwUrInMeU7yUsEqO6nAghx9zZ5KE2OoQUYCIJdwiB3c1X/mjGbEkNZ/TFCcHPfeu7ofdSuK4eQGP1nQ3SP+MU7EJ5n1TIKCzony+vrMHEw6RiWA0UvJNgUekRROo8X1fCQgAsjvGpKLvkzKqJf2EbfiNVyV4Vywq9DeGKiJgnHW8qM6WSIgUUyOZ85RKF0HRjwGGK+5KbZFOK2Wf00KcWfeGiOxthme9D7Bp4SDpPNraz7zgbaJBAnNHy3LJqB/hS2eKDS1dksvqJPIlVHIa4USZfJpyOxCQKNlt/9LGhTofNRHiB0TnNLTQ2ZniB3npHi3QUWnIj++AGRLqek2ynXIB3er+BrlUty9VAKSG5BxwPUGlW5/Uh6edizJYnxkqZ16Lj+QrzR53la3Qgw86xFbpWvX+pt02wGl2Ut+hc+c3darHt+PZoimUEv2e7IVYVYiRA/QqTexOP+uRTC5wxGYWHx9IU0UuOJYkT6+2IG+N7oesO8BseAaQ3NSUZrd3XuI1bO8FdprVcuRfAY4IOiQjb0BqXP4dfGhTwyPaj4m0gba3oyTDMLaYOziwx8667VuIwB3RcgbbGGosi27yPd1OulVGW+W+9V+F2EoHsW5SUC34HA/krtcocEA5rToMmsSk0F8fEFdsUlRrbhwfU9DFTTtlYl3Q/4uwQngIt0YmuRg7Ai7yUGvmqhjIPeBQFXskw94G7O6oMrhCjdm9DcpzDj+jj4WgBhJz3NOnAmEJg2A62dRJ2BK+qpouHgadDSZxaFnjVICQyPd76maHW7BXnRGGYv8TAMXfDZd7qgg1PjbviPbyGCfx2qpaZp7j9fE6al1auGzbJA2nc7X+EnzZRPpjFdrWbdtYYoqjAzTxeSi1/hT2l0qIpMxF6m+CpP9WwfPSlFczJ/4a04o1jjWbgahsj1pyoc1e+S1pdW4l4oPraKDbcx++aLNcpJDxKeYfIaRG7JxALvFiXbnf8C43rsRowqbo2QjmKH7ZpdKyAxipQWgjoC+uPXHn4m4BoVnNuPc7+Qh8J5XVbErRW7vLcdYScXGskbzGqsgyUIZop1h2/TxO4Y5CJe2rZCxSY4AKEmW5WtNFvrMawE8S7tQ3QTJMogmkdPJ4jxZPyGRo3WO8nUPXqh/GOtXvejHBDiS3OmHYbwmFErI8yOMCIDYZGDjaumMpOyk3OHrWxRwjdDUzPo8u75ixZQN9ZG+uZLgt9CJdr3epbo/DpKzi4AxDSVasGc+7Yi/PQBW/qJAJxSID5/D50JU5xkey7to8eNwOr3fnc2BCotVIJTyteptMDeGWw3wlnpczNPK3DrFRfle/P/nW5o0nq91B56PG4ZhsTyJQEajyJ+327Cn0lGgV0REDLpypl4XQb/GBMonqErzmBKh0IC0uiADVo2seUbE1Eg2dZsHXQ6x7+h9bMIPN/Sz5d7WGp9qMrE4vbR6L3Htlwow1WCdyuImrXUfOKAPuF/OYjEZ0kD7UMfI1iALi+mFBUXV8TMXU8nljPyb1JNPbRMLfECHg6G6QKm20T111XkD8DKMESgolhvRHyMbG0Sw5fYdofp8Xi9kX7LXB7it4aI0mfoc4wfFBQH7W3UpIyoBVwrZ5co7tiYRgbVc9XA6gdcydhWykv0FnLDX+aMXIW+7ENzRdJloPOSQ59pmOL/PBHkYgZEpjfyMJDo0Qgicl/N/Y9P+sKWJw/GZqxyfi3wibb8YkcKcxPP5n+3bFsto3dYmTHrRZcmRaoIT0lBOPi3X6CSAD+DuiP0XGNCf8L4T16OIwHBVUiwIcbWW19CejvRUWzyXrSQymiH00VybjibvNnMN2jAzQN3AsnXGcgEGh/xBfx+Ck8QHAUWBgG4aebDHWGDGHo7Ck0uzqFsDlOwyk=
+    default.RS256.public.crt: AgAVHs+NqdI7fm0SDSwckmmwTy9qGb2Z24epWv7jR/4O/QbNl9+oGhTbBtdgGQxa1uDGFv6jzFLnrTGCuRdkzHrN+DvHIH1aH5eR04sK7Lm5DgVOAR0mUUwQ9HcKW9Vz9oEyHbbQ4ZohsF+hWO3vzzwjlYPrxFsZ+Rje1RN6wWJJl0+JhuDC6Dsh8iqOoXJ7jlWtpQOxT/YNCGxqEziZGeWe0NssS1mc0NgUHtM2dyoQzIuw6TqwzwjOvvOtAiHp7v1EYMtHRC7honspLQXH3eMn1da7/RAKVpeUhqXd29PgrgsKJzltASr4lr9PRYoS8FmKt5haPmsL/f2AZOWZtKyvHYq9AZ2dnSLmDdYxJheZVN9+OQNgjvmyUfY6bOzXkR4b/nAmKRECiNmCRz6x7J2n3y8nShe6i36Lcn4TU5fbea84cNRBpEi1cQk1QZOcDyk3+4ugL3elwTG18cMZL8/KhyIVoDc9YyHoIctDtaXnSv/Z8J3r30QpyWDwzQk5b9bwidQ+K40KsaKw03hPry2KfsDRnxViUlslARb14thM2oTAxq34fuMx7W2jDqKgnB4xHD6X2tC8Xhnx8DA+JkbCbIzdarZl5jmhIemBW1+YSrJfV59Po9tGVdTzrOs0QqNxkUFF2WKv+kjraeLnmsOaDsIaPhiYf0YRkHl3Aejt7YOeN0dJ2OG8sWS37GfGjgerxzDHNelpxKC3s3A9R49ae0xK7ydch7AwIwPnuCfO/tplIGxmn0dhlqv93STmWr2rHyKEwVF09GTpwezgQEQu03kl24OQfObWFvx7woBbJPFRj39ClnIOdrMmY8PvQrzIvpYhTYWT1iGX4/+wy43jJCPtyjjCGa9aAenMw0zCnxtS+/TAguhqqg8u7k09r/zEZ5SVQ8Sj0AgyygZgeQwuCYZBFaCuupjB3WCcA3yn2+9mwCiUMh8rZOagJQuqL3D/f/UUMU6/zUCYSsjaIuxbKM1McICJw3Y+JviwsGcwAQT/AblDTfQuXmVahurtoqcrun2KglZmmJ0T0/2CxvvubjkIUEO8KorpGKQxJZDvtuMxe8HDDlgd5Mxe6vnY9gvnD7yi1quMKvom0PAoxfFfuMQND/idtgVFGEFq+bq7mYozEHGA9Y1bJ9S/1rSp5I05ZPMiel6aEXvxdyixOphnuBGx0ZYIkyENKfH1bt7LdJvr/Ouv0WAf2SmC0qEaA15+pHgXg3u4n6pclgwPMoMZ93PAmujLTZ+4NolluSQMJp0joawIzojCjy21oJF++Pa5nSnqBmc8X9jn3AV+yiDohlXBHHo2Zo5Aeu/zZ5pIaqff7xBw/pMWXVxW4SDlgcAoJ1mWiokDGe8sX7XLBACIswrAmjn5EmeVVT841wsI/uD/I64FzIGaJwbiRqcoEwG0C3OTaVyWxMTllywBmvGDfwSj0+mu6CztV2mM/WXNK0GBpkHV2cs6dtdf5tYp81RKkDcFHqs/BPfKf2vCnfPv3ZmmVFD8wnN2OPpm9I7Kdn3zPDLY51ksmU6mNsCceYtdVtmO0j4ZiObJdf3T+NJX101oK7I4Pr6Kw8swSoSRHcw0IoKUlpSvwoPCW9g42Pao69yGp/tJJhhRQuBeLx7b5k/DiwT8x72+QQ1vIPSY8HM+INq3425BO/yF9ZpeUr67DFqcYK5wIcWlLqIv7jY/S+D8xhT2uyCyprTYkqMNYpSQK9qpD4UILP34hgVvFtdUg2H2vj5SZpMQf61bMWIcH6GyiberiAag4WVGDhzOD2PQiVYfjDHQ67XUjLy05KOLObvZ2G0jHt1V30LadpqXBejL2EIwGYeCHijvi2XumPTSYasX2FkOr7jO/I2FXY6Z0uFj/+dsuSRhAKoNMoRC5crPOdT+NL/P90VJ8s2MPqnZssjEzlz0NVJ6kNh6COIotpa5j8TrUBhqAI0qlMAjwzuNovT1Dfngfg2KQDtN00hpg2nZlwjA2Cyx0o0+EbuLp0v++TuxrZp3w+YvdPov104AY3osQoZcw+kVFVRrED+1GAZ0t428bgFwbxeoDde5IlYZ72wNco6kDxBNuKDGb5EfR2H8lHXqmwftx6fFIGKUhPv2wxPdMdo8du5DTEZP49ooy2hJ0puo1O7kRh7Qfc06uvcJD3zeUSnRFC48FCeTCARu3h1fnCn8qg5ZEt9iGLIq7KMzMCwjhKC76qSd3PjnubLE7w==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: oidc-jwks
+      namespace: authelia
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -60,48 +60,9 @@ configMap:
          use: 'sig'
          # TODO: CHANGE THIS COMPROMISED TEST KEY!
          key:
-            value: |
-              -----BEGIN PRIVATE KEY-----
-              MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCsOCrc4yP2ziCO
-              MUJoEMA6hIlLgwDNrKviBKHBNjAjQ0EStW3148ZxSHtLZH+xls4HyjenDp79bUDd
-              hm3kh0N8Z+loSRky6JMx+NUyA4XoWzR35MxGbt6ojx3pHdFCJRUu5/DmU2w8RgVy
-              FaC/XWQPg03w80yEsXfT6CFT7avKwn/D8KCbjGVaYlLseWUAMPPyGU/pG/31CLR/
-              VDUaT5rnRHchlM8wsHfAR9rzhWLAn7xefIgK94hkD0l/BrY93g72TkNtkQsS+bgv
-              5404F0o+sILswoAZNvLWhy2AejwIw8HN+/ssaTbvRzfkXWiyvcBWA5kCK7ltpHMN
-              Cg5hcnwzAgMBAAECggEAVRrEg7dzVEl0aRAKouZ0N/a66ifow7qqjdyAGryueR6J
-              D7e8iSBwNhb9ZrpZJ+dAFTVm3xUomE/fGBmQQLhfLyEihLhqzW+FHdK7eCWpjLNV
-              cFIOaFftjBp9S2/Csw8kMrPHpepfuEFZ+5CYiTibc9cNMx7oF0Kj1oIFxjXTCTTX
-              /5G2WN9VsduA6SC5xnZNqyd8sKboQzXmGxgop98BRdiPTE5adZZ+oOozVmayYKMD
-              Y51SAHq+lpAmVW8poAfm59fmyll0gRBsHi3Xrbhpk+1nrWFhWiqS63G6rJ1Y3SQF
-              S1aztbP45z2T96g7OehNZT+98nrPHDzi4lpeiZ6XgQKBgQDmwLEIk/MWMCgv+BUy
-              bOuIyGSP0vLRSsNZpKc2NMCln0huKjpfLcfjre41aqISV6mGkAOfk/Y0NBPCPwQP
-              hO0OXnK/3sORzCyQCTfPW6nCAafjVaMvjCBlsKA/Hjx74Gw9JkrHJiGudrNrDYtQ
-              dQN5paCtauv/vknXVrDDapExkwKBgQC/D/oo+wRlntvP61HaBJt/zF/nLo7KF9wW
-              D2HC3lohVcF35KtgB1PbzZrTjQOPFVXbMs7t88g3nBSoc+6czPGkoevvS9UeYoH9
-              dhTDooiSVn6kmH1HgwSliqpZWMVyKpyFuCZTd014++7aKBg/16KJO+DxS9Uka80C
-              48pmvcyu4QKBgHguQcX68G9M85FQPxH9QosB+8YgkxDIRIgqxl/oB7H7DIk7+xzZ
-              RjNhwiAWAoVVHNkVpp11PZSgzu2rTl0a2TBTpqYhym/kDA2Uj3my/u4pWJyBXLWF
-              4NW1sTBOeif2kckjaWzhgkdQUU/fRQDJgN7ZkZ7ggju3itPZtcSBe097AoGAVzxR
-              SRLLgCaXUIiuN7Aw25oSE7kDQyy/tWbSiSoC1wOTsU08Hj1aQZrP3VWeUV85czrw
-              ll7fhNyD5iIAyaEdl8DCu+DQ7u2lUnfupSB54O8TJc3mLZeZsIfunZrVk/n2u2tI
-              PIXVXq8Q8JSr9cJcGPK5ExM/v0BlO7OL/3sbkKECgYBTj5hTKZvBkLQwyfMLMAoY
-              rytwq9T4sOQElWpvwi/6NmT8iYSWlXEjRktBnnGOyNjNXvyoLNr2CmtV/TJ2uG0J
-              fKWga5swZ/Aq4h5kX64+q710r+xGS2s4up6XY8gyT3+WxaF8RpxiQilDFVYCzvee
-              uzpHa9dV3xVGQQK5fEtWQg==
-              -----END PRIVATE KEY-----
-          #  path: '/secrets/oidc.jwk.RS256.pem'
-#          certificate_chain:
-#            value: |
-#              -----BEGIN PUBLIC KEY-----
-#              MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArDgq3OMj9s4gjjFCaBDA
-#              OoSJS4MAzayr4gShwTYwI0NBErVt9ePGcUh7S2R/sZbOB8o3pw6e/W1A3YZt5IdD
-#              fGfpaEkZMuiTMfjVMgOF6Fs0d+TMRm7eqI8d6R3RQiUVLufw5lNsPEYFchWgv11k
-#              D4NN8PNMhLF30+ghU+2rysJ/w/Cgm4xlWmJS7HllADDz8hlP6Rv99Qi0f1Q1Gk+a
-#              50R3IZTPMLB3wEfa84ViwJ+8XnyICveIZA9Jfwa2Pd4O9k5DbZELEvm4L+eNOBdK
-#              PrCC7MKAGTby1octgHo8CMPBzfv7LGk270c35F1osr3AVgOZAiu5baRzDQoOYXJ8
-#              MwIDAQAB
-#              -----END PUBLIC KEY-----
-#          #  path: '/secrets.oidc.jwk.RS256.crt'
+            path: /secrets/oidc-jwks/default.RS256.private.pem
+          certificate_chain:
+            path: /secrets/oidc-jwks/default.RS256.public.crt
      clients:
        - client_id: 'argocd'
          # TODO: CHANGE THIS COMPROMISED TEST KEY!
@@ -128,10 +89,17 @@ secret:
  additionalSecrets:
    lldap-auth:
      items:
-        - key: 'password'
-          path: 'authentication.ldap.password.txt'
+        - key: password
+          path: authentication.ldap.password.txt
    oidc-argocd:
      items:
-        - key: 'clientSecret'
-          path: 'clientSecret'
+        - key: clientSecret
+          path: clientSecret
+    oidc-jwks:
+      items:
+        - key: default.RS256.private.pem
+          path: default.RS256.private.pem
+        - key: default.RS256.public.crt
+          path: default.RS256.public.crt
+