From bde033a3b0bd48f9026cc6c8b7dbeada98ee5056 Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Sun, 24 Sep 2023 15:30:29 +0300 Subject: [PATCH] AUTHENTICATION BABYYYY --- files/authelia-config.yaml | 60 +++++ files/gitea-app.ini | 95 ++++++++ templates/_definitions.yaml | 30 +-- templates/auth.yaml | 436 ++++++++++++++++++++---------------- templates/gitea.yaml | 92 -------- templates/ldap-auth.yaml | 70 ------ templates/nextcloud.yaml | 206 ----------------- templates/phpldapadmin.yaml | 16 ++ 8 files changed, 429 insertions(+), 576 deletions(-) create mode 100644 files/authelia-config.yaml create mode 100644 files/gitea-app.ini delete mode 100644 templates/gitea.yaml delete mode 100644 templates/ldap-auth.yaml delete mode 100644 templates/nextcloud.yaml diff --git a/files/authelia-config.yaml b/files/authelia-config.yaml new file mode 100644 index 0000000..8fd84f8 --- /dev/null +++ b/files/authelia-config.yaml 
@@ -0,0 +1,60 @@
+###############################################################
+# Authelia minimal configuration #
+###############################################################
+theme: "light"
+log:
+ level: "debug"
+jwt_secret: {{ .homey_authelia_jwt | quote }}
+authentication_backend:
+ ldap:
+ implementation: "custom"
+ url: "ldap://openldap:389"
+ timeout: "5s"
+ start_tls: false
+ base_dn: "{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}}"
+ users_filter: "({username_attribute}={input})"
+ username_attribute: "uid"
+ additional_users_dn: "ou=users"
+ groups_filter: "(&(uniquemember=uid={input},ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}})(objectclass=groupOfUniqueNames))"
+ group_name_attribute: "cn"
+ additional_groups_dn: "ou=groups"
+ mail_attribute: "mail"
+ display_name_attribute: "uid"
+ permit_referrals: false
+ permit_unauthenticated_bind: false
+ user: "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"
+ password: {{ .homey_openldap_ro | quote }}
+totp:
+ issuer: "{{ .Values.homey.url }}"
+ disable: false
+session:
+ name: authelia_session
+ secret: {{ .homey_authelia_session | quote }}
+ expiration: 3600 # 1 hour
+ inactivity: 7200 # 2 hours
+ domain: "{{ .Values.homey.url}}" # needs to be your root domain
+storage:
+ local:
+ path: "/config/db.sqlite3"
+ encryption_key: {{ .homey_authelia_encryption_key | quote }}
+access_control:
+ default_policy: "deny"
+ rules:
+ - domain:
+ - "auth.zakobar.com"
+ policy: bypass
+ - domain:
+ - "ldapadmin.{{ .Values.homey.url }}"
+ subject:
+ - 'group:admins'
+ policy: "two_factor"
+ - domain:
+ - "ldapadmin.{{ .Values.homey.url }}"
+ - "longhorn.{{ .Values.homey.url }}"
+ policy: "deny"
+ # - domain:
+ # - "git.{{ .Values.homey.url }}"
+ # policy: "one_factor"
+notifier:
+ filesystem:
+ filename: "/var/lib/authelia/emails.txt"
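Review bot: `jwt_secret`, `session.secret`, `storage.encryption_key` and the LDAP bind `password` are templated straight into this file, which `templates/auth.yaml` then renders into the `authelia-conf` ConfigMap; a ConfigMap is not a Secret, so anyone with ConfigMap read access in the namespace obtains the values, and the same applies to `INTERNAL_TOKEN`, `LFS_JWT_SECRET` and `JWT_SECRET` in `files/gitea-app.ini` via `gitea-conf`. Authelia can read these from files (`AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`, `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`) mounted from the Secrets the chart already creates, or at minimum the ConfigMap should become a `Secret` with `stringData`. Separately, `inactivity: 7200` is larger than `expiration: 3600`, so the inactivity timeout can never fire before the session expires; swap or lower it. The bypass rule hard-codes `"auth.zakobar.com"` while every other rule uses `{{ .Values.homey.url }}`; write it as `- "auth.{{ .Values.homey.url }}"`. `start_tls: false` against `ldap://openldap:389` sends the bind password and every user's credentials in clear text inside the cluster, which is acceptable only if a NetworkPolicy confines that traffic.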
diff --git a/files/gitea-app.ini b/files/gitea-app.ini new file mode 100644 index 0000000..ad31759 --- /dev/null +++ b/files/gitea-app.ini 
@@ -0,0 +1,95 @@
+APP_NAME = {{ .Values.homey.organization }}
+RUN_MODE = prod
+RUN_USER = git
+WORK_PATH = /data/gitea
+
+[repository]
+ROOT = /data/git/repositories
+
+[repository.local]
+LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
+
+[repository.upload]
+TEMP_PATH = /data/gitea/uploads
+
+[server]
+APP_DATA_PATH = /data/gitea
+DOMAIN = git.{{ .Values.homey.url }}
+HTTP_PORT = 3000
+ROOT_URL = https://git.{{ .Values.homey.url }}/
+DISABLE_SSH = true
+SSH_PORT = 443
+SSH_LISTEN_PORT = 22
+LFS_START_SERVER = true
+LFS_JWT_SECRET = {{ .homey_gitea_lfs_jwt_secret | b64enc | replace "=" "" }}
+OFFLINE_MODE = false
+
+[lfs]
+PATH = /data/git/lfs
+
+[database]
+PATH = /data/gitea/gitea.db
+DB_TYPE = sqlite3
+HOST = localhost:3306
+NAME = gitea
+USER = root
+PASSWD =
+LOG_SQL = false
+SCHEMA =
+SSL_MODE = disable
+CHARSET = utf8
+
+[indexer]
+ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
+
+[session]
+PROVIDER_CONFIG = /data/gitea/sessions
+PROVIDER = file
+
+[picture]
+AVATAR_UPLOAD_PATH = /data/gitea/avatars
+REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
+DISABLE_GRAVATAR = false
+ENABLE_FEDERATED_AVATAR = false
+
+[attachment]
+PATH = /data/gitea/attachments
+
+[log]
+MODE = console
+LEVEL = info
+ROUTER = console
+ROOT_PATH = /data/gitea/log
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY =
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = *
+INTERNAL_TOKEN = {{ .homey_gitea_random_internal_token }}
+PASSWORD_HASH_ALGO = pbkdf2
+
+[service]
+DISABLE_REGISTRATION = true
+REQUIRE_SIGNIN_VIEW = false
+REGISTER_EMAIL_CONFIRM = false
+ENABLE_NOTIFY_MAIL = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true
+ENABLE_CAPTCHA = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING = true
+NO_REPLY_ADDRESS = noreply.localhost
+ENABLE_REVERSE_PROXY_AUTHENTICATION = true
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
+
+[mailer]
+ENABLED = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false + +[oauth2] +ENABLE = false +JWT_SECRET = {{ .homey_gitea_oauth2_jwt_secret | b64enc | replace "=" "" }} diff --git a/templates/_definitions.yaml b/templates/_definitions.yaml index 0d031a6..8aadb54 100644 --- a/templates/_definitions.yaml +++ b/templates/_definitions.yaml @@ -1,32 +1,20 @@ --- +{{- define "homey.lookuporgensecret" -}} +{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .secretname ) | default dict -}} +{{- $secretData := (get $secretObj "data") | default dict -}} +{{- $ret := (get $secretData "password" | b64dec ) | default (randAlphaNum 32 ) -}} +{{ $ret -}} +{{- end -}} +--- {{- define "homey.randomsecret"}} apiVersion: v1 kind: Secret metadata: - name: {{ .secretname }} + name: {{ (replace "\"" "" .secretname ) }} type: Opaque data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} + password: {{ .secretval | b64enc | quote }} {{- end }} - -{{- define "homey.lookuprandomsecret" -}} -{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict -}} -{{- $secretData := (get $secretObj "data") | default dict -}} -{{- $pass := (get $secretData "password") | default "UNDEFINED" -}} -{{- $pass | quote -}} -{{- end -}} - -{{- /* - Returns given number of random Hex characters. - - randNumeric 4 | atoi generates a random number in [0, 10^4) - This is a range range evenly divisble by 16, but even if off by one, - that last partial interval offsetting randomness is only 1 part in 625. - - mod N 16 maps to the range 0-15 - - printf "%x" represents a single number 0-15 as a single hex character -*/}} --- {{- define "homey.randHex"}} {{- $result := "" }} diff --git a/templates/auth.yaml b/templates/auth.yaml index 488968c..e07ca6c 100644 
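Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` together with `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` and `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true` makes Gitea accept the `X-WEBAUTH-USER` header from any source, and the `gitea-ingress` in `templates/auth.yaml` carries none of the Authelia `auth-url`/`auth-snippet` annotations that would overwrite that header, so the value reaching Gitea is whatever the client sent. Restrict it to the ingress controller's address range (`REVERSE_PROXY_TRUSTED_PROXIES = <INGRESS_POD_CIDR>`), and either add the same auth annotations as `phpldapadmin.yaml` to the Gitea ingress or leave reverse-proxy authentication off until they exist. `SECRET_KEY =` is empty on an `app.ini` that is mounted read-only from a ConfigMap; it protects stored 2FA secrets and should be sourced like `INTERNAL_TOKEN` (Gitea also accepts `SECRET_KEY_URI` and `INTERNAL_TOKEN_URI` pointing at a mounted file) rather than relying on Gitea generating one at startup. `HOST = localhost:3306`, `USER = root` and `SSL_MODE = disable` are MySQL settings left under `DB_TYPE = sqlite3` and can be dropped.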
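Review bot: The explanatory comment for `homey.randHex` (the `randNumeric 4 | atoi` / `mod N 16` / `printf "%x"` reasoning) is removed while `homey.randHex` itself stays, so that define loses its only documentation; restore it as a `{{- /* ... */}}` block directly above the define. In `homey.lookuporgensecret`, `lookup` returns an empty object under `helm template` and `--dry-run`, so those runs render fresh `randAlphaNum 32` values instead of the live secret; since every Secret in `auth.yaml` now goes through this helper, a one-line template comment stating that on the define would save the next reader a surprise. `homey.randomsecret` no longer passes `.secretname | quote` to `lookup`, so the `replace "\"" "" .secretname` on the `name:` line appears to have nothing left to strip; if so, `name: {{ .secretname }}` is the clearer form.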
--- a/templates/auth.yaml +++ b/templates/auth.yaml @@ -1,4 +1,4 @@ ---- + --- apiVersion: v1 kind: PersistentVolumeClaim metadata: 
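Review bot: The only change in this hunk replaces the document-start marker `---` with ` ---` (a leading space), which is no longer a directives-end marker: Helm's manifest splitter will not split on it and the YAML parser is likely to reject ` ---` followed by `apiVersion: v1` at column 0; restore `---` with no indentation. The PersistentVolumeClaim this hunk opens continues outside the hunk.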
@@ -11,34 +11,23 @@ spec: storage: 100Mi storageClassName: longhorn --- -{{- define "homey.auth.ingress.annotations" }} - # nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com" - nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80" - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email - nginx.ingress.kubernetes.io/location-snippets: |- - auth_request /auth - nginx.ingress.kubernetes.io/configuration-snippet: |- - location /auth { - # proxy_pass http://ldap-auth-internal; - proxy_pass_request_body off; - proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80; - proxy_set_header X-Ldap-URL "ldap://openldap"; - proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; - proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; - proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}}; - proxy_set_header X-CookieName "homey.auth.cookie"; - proxy_set_header Cookie $cookie_homey.auth.cookie; - proxy_set_header X-Remote-User $remote_user; - proxy_set_header X-Forwarded-Method $request_method; - proxy_set_header X-Ldap-Template "(uid=%(username)s)"; - } -{{- end }} +{{- $_ := set $ "homey_openldap_admin" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-admin") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-admin" "secretval" .homey_openldap_admin) $) }} +# --- +{{- $_ := set $ "homey_openldap_config" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-config") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-config" "secretval" .homey_openldap_config) $) }} +# --- +{{- $_ := set $ "homey_openldap_ro" (include "homey.lookuporgensecret" 
(merge (dict "secretname" "openldap-ro") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "openldap-ro" "secretval" .homey_openldap_ro) $) }} --- -{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }} -# --- -{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-config") $) }} -# --- -{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }} +{{- $_ := set $ "homey_authelia_jwt" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-jwt") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-jwt" "secretval" .homey_authelia_jwt) $) }} +--- +{{- $_ := set $ "homey_authelia_session" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-session") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-session" "secretval" .homey_authelia_session) $) }} +--- +{{- $_ := set $ "homey_authelia_encryption_key" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-encryption-key") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-encryption-key" "secretval" .homey_authelia_encryption_key) $) }} --- apiVersion: apps/v1 kind: Deployment 
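Review bot: The `openldap-admin`, `openldap-config` and `openldap-ro` Secrets are separated by `# ---`, which is a YAML comment, while the `authelia-*` Secrets below use a real `---`; `homey.randomsecret` emits `apiVersion`/`kind`/`metadata`/`type`/`data` without a separator of its own, so the first three render into one YAML document with repeated top-level keys — a strict parser rejects that and a lenient one keeps only `openldap-ro`. Change both `# ---` lines to `---`; the same pattern was already present on the removed lines, and `helm template` will confirm which behaviour applies. The Deployment this hunk ends on continues outside the hunk.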
@@ -121,163 +110,236 @@ spec: selector: app.kubernetes.io/name: openldap --- -# --- -# apiVersion: v1 -# kind: ConfigMap -# metadata: -# name: keycloak-postgres-config -# labels: -# app: keycloak-postgres -# data: -# POSTGRES_DB: keycloak-db -# POSTGRES_USER: keycloak-admin -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: keycloak-postgres -# labels: -# app: keycloak-postgres -# spec: -# replicas: 1 -# selector: -# matchLabels: -# app: keycloak-postgres -# template: -# metadata: -# labels: -# app: keycloak-postgres -# name: keycloak-postgres -# spec: -# containers: -# - name: postgres -# image: postgres:10.4 -# imagePullPolicy: "IfNotPresent" -# ports: -# - containerPort: 5432 -# envFrom: -# - configMapRef: -# name: keycloak-postgres-config -# env: -# - name: POSTGRES_PASSWORD -# valueFrom: -# secretKeyRef: -# name: keycloak-db-pass -# key: password -# volumeMounts: -# - mountPath: /var/lib/postgresql/data -# subPath: keycloak/db/data -# name: keycloak-postgresdb -# volumes: -# - name: keycloak-postgresdb -# persistentVolumeClaim: -# claimName: homey-pvc-longhorn -# --- -# apiVersion: v1 -# kind: Service -# metadata: -# name: keycloak-postgres-service -# labels: -# app: keycloak-postgres -# spec: -# ports: -# - port: 5432 -# selector: -# app: keycloak-postgres -# --- -# apiVersion: apps/v1 -# kind: Deployment -# metadata: -# name: keycloak -# labels: -# app: keycloak -# spec: -# replicas: 1 -# selector: -# matchLabels: -# app: keycloak -# template: -# metadata: -# labels: -# app: keycloak -# spec: -# containers: -# - name: keycloak -# image: mihaibob/keycloak:18.0.2-legacy -# env: -# - name: KEYCLOAK_USER -# value: "admin" -# - name: KEYCLOAK_PASSWORD -# valueFrom: -# secretKeyRef: -# name: keycloak-pass -# key: password -# - name: PROXY_ADDRESS_FORWARDING -# value: "true" -# - name: DB_ADDR -# value: keycloak-postgres-service -# - name: DB_DATABASE -# value: "keycloak-db" -# - name: DB_VENDOR -# value: postgres -# - name: DB_USER -# value: 
keycloak-admin -# - name: DB_PASSWORD -# valueFrom: -# secretKeyRef: -# name: keycloak-db-pass -# key: password -# ports: -# - name: http -# containerPort: 8080 -# readinessProbe: -# failureThreshold: 3 -# httpGet: -# path: /auth/realms/master/ -# port: http -# initialDelaySeconds: 240 -# timeoutSeconds: 240 -# livenessProbe: -# failureThreshold: 3 -# httpGet: -# path: /auth/ -# port: http -# initialDelaySeconds: 240 -# timeoutSeconds: 240 -# --- -# apiVersion: v1 -# kind: Service -# metadata: -# name: keycloak-web -# labels: -# app: keycloak -# spec: -# ports: -# - name: http -# port: 8080 -# targetPort: http -# selector: -# app: keycloak -# --- -# apiVersion: networking.k8s.io/v1 -# kind: Ingress -# metadata: -# name: keycloak -# spec: -# ingressClassName: {{ .Values.homey.ingress_class }} -# tls: -# - hosts: -# - keycloak.{{ .Values.homey.url }} -# secretName: {{ .Values.homey.certname }} -# rules: -# - host: keycloak.{{ .Values.homey.url }} -# http: -# paths: -# - path: / -# pathType: Prefix -# backend: -# service: -# name: keycloak-web -# port: -# number: 8080 +apiVersion: v1 +kind: ConfigMap +metadata: + name: authelia-conf +data: + configuration.yml: |- +{{ tpl (.Files.Get "files/authelia-config.yaml" | indent 4) . 
}} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authelia-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Mi + storageClassName: longhorn +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia +spec: + selector: + matchLabels: + app.kubernetes.io/name: authelia + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: authelia + spec: + enableServiceLinks: false + containers: + - name: authelia + image: authelia/authelia + imagePullPolicy: "IfNotPresent" + env: + - name: TZ + value: "Jerusalem/Israel" + ports: + - name: tcp + containerPort: 9091 + volumeMounts: + - mountPath: /config/configuration.yml + name: authelia-conf + subPath: configuration.yml + readOnly: true + - mountPath: /config + subPath: authelia/config + name: authelia-volume + volumes: + - name: authelia-conf + configMap: + name: authelia-conf + items: + - key: configuration.yml + path: configuration.yml + - name: authelia-volume + persistentVolumeClaim: + claimName: authelia-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia +spec: + type: ClusterIP + ports: + - name: tcp + port: 9091 + targetPort: tcp + selector: + app.kubernetes.io/name: authelia +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authelia +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - auth.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: auth.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: authelia + port: + number: 9091 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gitea-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi + storageClassName: longhorn +--- +{{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" 
(merge (dict "secretname" "gitea-admin-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }} +--- +{{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }} +--- +{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: gitea-random-internal-token + annotations: + "helm.sh/resource-policy": "keep" +type: Opaque +data: +{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}} +{{- $secretData := (get $secretObj "data") | default dict -}} +{{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}} +{{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }} + password: {{ $pass | quote }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-conf +data: + app.ini: |- +{{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . 
}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea +spec: + replicas: 1 + selector: + matchLabels: + app: gitea + template: + metadata: + labels: + app: gitea + spec: + containers: + - name: gitea + image: gitea/gitea:latest + ports: + - containerPort: 3000 + name: http + volumeMounts: + - name: gitea-persistent-storage + mountPath: /data + subPath: gitea/gitea/data + - name: gitea-conf + mountPath: /data/gitea/conf/app.ini + subPath: app.ini + readOnly: true + # startProbe: + # httpGet: + # path: / + # port: 3000 + # initialDelaySeconds: 15 + # lifecycle: + # postStart: + # exec: + # {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}} + # command: ["/bin/sh", "-c", "{{$gitea_cmd}}"] + volumes: + - name: gitea-persistent-storage + persistentVolumeClaim: + claimName: gitea-pvc + - name: gitea-conf + configMap: + name: gitea-conf + items: + - key: app.ini + path: app.ini +--- +apiVersion: v1 +kind: Service +metadata: + name: gitea-svc +spec: + selector: + app: gitea + ports: + - name: http-port + protocol: TCP + port: 3000 + targetPort: http + selector: + app: gitea +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea-ingress +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - git.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: git.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gitea-svc + port: + number: 3000 --- 
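Review bot: The commented-out `lifecycle.postStart` block on the Gitea Deployment still contains live template actions — `{{- $gitea_cmd := (printf ... (.homey_openldap_ro | replace "\"" ""))}}` and `{{$gitea_cmd}}` — and Go templating runs inside YAML comments, so the rendered manifest, and the Helm release record stored in the cluster, carries the LDAP read-only bind password in clear text on a comment line. Disable it with a template comment, `{{- /* ... */}}`, or delete it. `image: authelia/authelia` and `image: gitea/gitea:latest` are unpinned, so every pod restart may pull a different build of the components that gate authentication; pin a version tag or digest. The `gitea-svc` Service has two `selector:` keys under `spec`, and the `authelia` container sets `TZ` to `"Jerusalem/Israel"`, which is not an IANA zone name (`Asia/Jerusalem` is). The `gitea-random-internal-token` Secret keeps `helm.sh/resource-policy: keep` while the Secrets created through `homey.randomsecret` have no such annotation, so an uninstall drops the LDAP admin, config and read-only passwords but not the Gitea token — pick one behaviour for all generated credentials.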
diff --git a/templates/gitea.yaml b/templates/gitea.yaml deleted file mode 100644 index ad26392..0000000 --- a/templates/gitea.yaml +++ /dev/null @@ -1,92 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitea-pvc -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 5Gi - storageClassName: longhorn ---- -apiVersion: v1 -kind: Secret -metadata: - name: gitea-admin-pass - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: -{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict -}} -{{- $secretData := (get $secretObj "data") | default dict -}} -{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}} - password: {{ $pass | quote }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: gitea -spec: - replicas: 1 - selector: - matchLabels: - app: gitea - template: - metadata: - labels: - app: gitea - spec: - containers: - - name: gitea - image: gitea/gitea:latest - ports: - - containerPort: 3000 - name: http - volumeMounts: - - name: gitea-persistent-storage - mountPath: /data - subPath: gitea/gitea/data - volumes: - - name: gitea-persistent-storage - persistentVolumeClaim: - claimName: gitea-pvc ---- -apiVersion: v1 -kind: Service -metadata: - name: gitea-svc -spec: - selector: - app: gitea - ports: - - name: http-port - protocol: TCP - port: 3000 - targetPort: http - selector: - app: gitea ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: gitea-ingress -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - git.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: git.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: gitea-svc - port: - number: 3000 ---- diff --git a/templates/ldap-auth.yaml b/templates/ldap-auth.yaml deleted file mode 100644 index 7b11b59..0000000 
--- a/templates/ldap-auth.yaml +++ /dev/null @@ -1,70 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ldap-auth - labels: - app: ldap-auth -spec: - replicas: 1 - selector: - matchLabels: - app: ldap-auth - template: - metadata: - labels: - app: ldap-auth - name: ldap-auth - spec: - containers: - - name: ldap-auth - image: linuxserver/ldap-auth - imagePullPolicy: Always ---- -#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap -apiVersion: v1 -kind: Service -metadata: - name: ldap-auth -spec: - selector: - app: ldap-auth - ports: - - port: 80 - targetPort: 9000 ---- -apiVersion: v1 -kind: Service -metadata: - name: ldap-auth-internal -spec: - selector: - app: ldap-auth - ports: - - port: 80 - targetPort: 8888 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: ldap-auth-ingress - annotations: -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - auth.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: auth.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: ldap-auth - port: - number: 80 ---- - diff --git a/templates/nextcloud.yaml b/templates/nextcloud.yaml deleted file mode 100644 index 60dd593..0000000 --- a/templates/nextcloud.yaml +++ /dev/null 
@@ -1,206 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-pvc -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 30Gi - storageClassName: longhorn ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-postgres-pvc -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 5Gi - storageClassName: longhorn ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: nextcloud-data-pvc -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 30Gi - storageClassName: longhorn ---- -apiVersion: v1 -kind: Secret -metadata: - name: nextcloud-postgres-pass - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -# apiVersion: extensions/v1beta1 -apiVersion: v1 -kind: ConfigMap -metadata: - name: nextcloud-postgres-config - labels: - app: nextcloud-postgres -data: - POSTGRES_DB: nextcloud_db - POSTGRES_USER: postgres ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nextcloud-postgres - labels: - app: nextcloud-postgres -spec: - replicas: 1 - selector: - matchLabels: - app: nextcloud-postgres - template: - metadata: - labels: - app: nextcloud-postgres - name: nextcloud-postgres - spec: - containers: - - name: nextcloud-postgres - image: postgres:10.4 - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 5432 - envFrom: - - configMapRef: - name: nextcloud-postgres-config - env: - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: nextcloud-postgres-pass - key: password - volumeMounts: - - mountPath: /var/lib/postgresql/data - subPath: nextcloud/db - name: nextcloud-postgredb - volumes: - - name: 
nextcloud-postgredb - persistentVolumeClaim: - claimName: nextcloud-postgres-pvc ---- -apiVersion: v1 -kind: Service -metadata: - name: nextcloud-postgres - labels: - app: nextcloud-postgres -spec: - ports: - - port: 5432 - selector: - app: nextcloud-postgres ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nextcloud - labels: - app: nextcloud -spec: - replicas: 1 - selector: - matchLabels: - app: nextcloud - template: - metadata: - labels: - app: nextcloud - name: nextcloud - spec: - containers: - - name: nextcloud - image: nextcloud - imagePullPolicy: Always - volumeMounts: - - name: nextcloud-volume - mountPath: "/var/www/html" - subPath: nextcloud/html - - name: nextcloud-media - mountPath: "/var/www/html/data" - subPath: nextcloud/html/data - envFrom: - - configMapRef: - name: nextcloud-postgres-config - env: - - name: POSTGRES_HOST - value: "nextcloud-postgres" - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: nextcloud-postgres-pass - key: password - - name: OVERWRITEPROTOCOL - value: "https" - volumes: - - name: nextcloud-volume - persistentVolumeClaim: - claimName: nextcloud-pvc - - name: nextcloud-media - persistentVolumeClaim: - claimName: nextcloud-data-pvc ---- -apiVersion: v1 -kind: Service -metadata: - name: nextcloud -spec: - selector: - app: nextcloud - ports: - - port: 80 - targetPort: 80 - name: nextcloud ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: nextcloud-ingress - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: 5g - nginx.ingress.kubernetes.io/server-snippet: | - # Make a regex exception for `/.well-known` so that clients can still - # access it despite the existence of the regex rule - # `location ~ /(\.|autotest|...)` which would otherwise handle requests - # for `/.well-known`. 
- location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; } - location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; } -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - nextcloud.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: nextcloud.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nextcloud - port: - number: 80 ---- diff --git a/templates/phpldapadmin.yaml b/templates/phpldapadmin.yaml index ae0c22e..95e40fc 100644 --- a/templates/phpldapadmin.yaml +++ b/templates/phpldapadmin.yaml @@ -43,6 +43,22 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: phpldapadmin + annotations: + kubernetes.io/ingress.allow-http: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Method $request_method; + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header X-Webauth-User $user; + proxy_set_header X-Webauth-Fullname $name; + proxy_set_header X-Webauth-Email $email; spec: ingressClassName: {{ .Values.homey.ingress_class }} tls:
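Review bot: The `auth_request_set` and `proxy_set_header X-Webauth-*` lines in `auth-snippet` are placed in the auth subrequest location rather than the protected location, and `X-Webauth-User`/`X-Webauth-Fullname`/`X-Webauth-Email` are Gitea's reverse-proxy header set, which phpldapadmin does not read; `auth-response-headers` already forwards `Remote-User`, `Remote-Name`, `Remote-Groups` and `Remote-Email`, so the snippet can be reduced to `proxy_set_header X-Forwarded-Method $request_method;` (`$groups` is also set and never used). `auth-snippet` only takes effect when `allow-snippet-annotations` is enabled on the ingress-nginx controller, which recent releases leave off by default; if it is off the annotation is silently ignored, a second reason to keep it minimal and to verify the rendered nginx config. `kubernetes.io/ingress.allow-http: "false"` is a GCE ingress annotation with no effect on ingress-nginx; `force-ssl-redirect: "true"` already covers the intent here.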