From 7ba597784fc3e5fefb35a81faa5853e0947cccbb Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Tue, 21 Nov 2023 22:09:21 +0100
Subject: [PATCH] install rauthy
---
apps/rauthy/configmap.yaml | 703 ++++++++++++++++++++++++++++++
apps/rauthy/ingress.yaml | 25 ++
apps/rauthy/kustomization.yaml | 10 +
apps/rauthy/secret-generator.yaml | 6 +
apps/rauthy/secrets.sops.yaml | 29 ++
apps/rauthy/service.yaml | 23 +
apps/rauthy/statefulset.yaml | 121 +++++
system/apps/user/rauthy.yaml | 19 +
8 files changed, 936 insertions(+)
create mode 100644 apps/rauthy/configmap.yaml
create mode 100644 apps/rauthy/ingress.yaml
create mode 100644 apps/rauthy/kustomization.yaml
create mode 100644 apps/rauthy/secret-generator.yaml
create mode 100644 apps/rauthy/secrets.sops.yaml
create mode 100644 apps/rauthy/service.yaml
create mode 100644 apps/rauthy/statefulset.yaml
create mode 100644 system/apps/user/rauthy.yaml
diff --git a/apps/rauthy/configmap.yaml b/apps/rauthy/configmap.yaml
new file mode 100644
index 0000000..22f8a6f
--- /dev/null
+++ b/apps/rauthy/configmap.yaml
@@ -0,0 +1,703 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: rauthy-config + namespace: rauthy +data: + rauthy.cfg: |+ + ##################################### + ############## ACCESS ############### + ##################################### + + # If the User Registration endpoint should be accessible by anyone. + # If not, an admin must create each new user. (default: false) + #OPEN_USER_REG=true + + # Can be used when 'OPEN_USER_REG=true' to restrict the domains + # for a registration. For instance, set it to + # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only + # registrations with 'user@gmail.com' (default: '') + #USER_REG_DOMAIN_RESTRICTION=some-domain.com + + # If set to 'true', this will validate the remote peer IP address with + # each request and compare it with the IP which was used during the initial + # session creation / login. If the IP is different, the session will be + # rejected. This is a security hardening and prevents stolen access credentials, + # for instance if an attacker might have copied the encrypted session cookie + # and the XSRF token from the local storage from a user. However, this event + # is really unlikely, since it may only happen if an attacker has direct access + # to the machine itself. + # + # If your users are using mobile networks and get new IP addresses all the time, + # this means they have to do a new login each time. This is no big deal at all with + # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature. + # + # Caution: If you are running behind a reverse proxy which does not provide the + # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config + # disabled, this feature will not work. You can validate the IPs for each session + # in the Admin UI. If these are correct, your setup is okay. 
+ # + # (default: true) + #SESSION_VALIDATE_IP=true + + # This value may be set to 'true' to disable the binding cookie checking + # when a user uses the password reset link from an E-Mail. + # + # When using such a link, you will get a so called binding cookie. This + # happens on the very first usage of such a reset link. From that moment on, + # you will only be able to access the password reset form with this very + # device and browser. This is just another security mechanism and prevents + # someone else who might be passively sniffing network traffic to extract + # the (unencrypted) URI from the header and just use it, before the user + # has a change to fill out the form. This is a mechanism to prevent against + # account takeovers during a password reset. + # + # The problem however are companies (e.g. Microsoft) who scan their customers + # E-Mails and even follow links and so on. They call it a "feature". The + # problem is, that their servers get this binding cookie and the user will be + # unable to use this link himself. The usage of this config option is highly + # discouraged, but since everything moves very slow in big enterprises and + # you cannot change your E-Mail provider quickly, you can use it do just make + # it work for the moment and deal with it later. + # + # default: false + #UNSAFE_NO_RESET_BINDING=false + + ##################################### + ############# BACKUPS ############### + ##################################### + + # Cron job for automatic data store backups (default: "0 0 4 * * * *") + # sec min hour day_of_month month day_of_week year + #BACKUP_TASK="0 0 4 * * * *" + + # The name for the data store backups. The current timestamp + # will always be appended automatically. 
(default: rauthy-backup-) + #BACKUP_NAME="rauthy-backup-" + + # All backups older than the specified hours will be cleaned up + # automatically (default: 720) + #BACKUP_RETENTION_LOCAL=720 + + ##################################### + ############## CACHE ################ + ##################################### + + # If the cache should start in HA mode or standalone + # accepts 'true|false', defaults to 'false' + #HA_MODE=false + + # The connection strings (with hostnames) of the HA instances + # as a CSV. + # Format: 'scheme://hostname:port' + #HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000" + + # Overwrite the hostname which is used to identify each cache member. + # Useful in scenarios, where for instance all members are on the same host with + # different ports or for testing. + #HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080" + + ## Define buffer sizes for channels between the components + # Buffer for client requests on the incoming stream - server + # side (default: 128) + # Make sense to have the CACHE_BUF_SERVER set to: + # `(number of total HA cache hosts - 1) * CACHE_BUF_CLIENT` + # In a non-HA deployment, set the same size for both + #CACHE_BUF_SERVER=128 + # Buffer for client requests to remote servers for all cache + # operations (default: 128) + #CACHE_BUF_CLIENT=128 + + # Secret token, which is used to authenticate the cache members + #CACHE_AUTH_TOKEN=SomeSuperSecretAndVerySafeToken1337 + + ## Connections Timeouts + + # The Server sends out keepalive pings with configured timeouts + # The keepalive ping interval in seconds (default: 5) + #CACHE_KEEPALIVE_INTERVAL=5 + # The keepalive ping timeout in seconds (default: 5) + #CACHE_KEEPALIVE_TIMEOUT=5 + + # The timeout for the leader election. If a newly saved leader + # request has not reached quorum after the timeout, the leader + # will be reset and a new request will be sent out. 
+ # CAUTION: + # This should not be lower than CACHE_RECONNECT_TIMEOUT_UPPER, + # since cold starts and elections will be problematic in that + # case. + # value in seconds, default: 15 + #CACHE_ELECTION_TIMEOUT=15 + + # These 2 values define the reconnect timeout for the HA Cache + # Clients. The values are in ms and a random between these 2 + # will be chosen each time to avoid conflicts and race conditions + # (default: 2500) + #CACHE_RECONNECT_TIMEOUT_LOWER=2500 + # (default: 5000) + #CACHE_RECONNECT_TIMEOUT_UPPER=5000 + + ##################################### + ############ DATABASE ############### + ##################################### + + # The database driver will be chosen at runtime depending on + # the given DATABASE_URL format. Examples: + # Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:' + # Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName' + # + # NOTE: The password in this case should be alphanumeric. Special + # characters could cause problems in the connection string. + # + # CAUTION: + # To make the automatic migrations work with Postgres15, when + # you do not want to just use the `postgres` user, You need + # to have a user with the same name as the DB / schema. For + # instance, the following would work without granting extra + # access to the `public` schema which is disabled by default + # since PG15: + # + # database: rauthy + # user: rauthy + # schema: rauthy with owner rauthy + # + #DATABASE_URL=sqlite::memory: + #DATABASE_URL=sqlite:data/rauthy.db + #DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy + + # Max DB connections - irrelevant for SQLite (default: 5) + #DATABASE_MAX_CONN=5 + + # If specified, the current Database, set with DATABASE_URL, + # will be DELETED and OVERWRITTEN with a migration from the + # given database with this variable. Can be used to migrate + # between different databases. + # + # !!! USE WITH CARE !!! 
+ #MIGRATE_DB_FROM=sqlite:data/rauthy.db + + # Disables the housekeeping schedulers (default: false) + #SCHED_DISABLE=true + + ##################################### + ############# E-MAIL ################ + ##################################### + + # Will be used as the prefix for the E-Mail subject for each E-Mail + # that will be sent out to a client. + # This can be used to further customize your deployment. + # default: "Rauthy IAM" + EMAIL_SUB_PREFIX="Rauthy IAM" + + SMTP_USERNAME= + #SMTP_PASSWORD= + SMTP_URL= + # Format: "Rauthy " + SMTP_FROM= + + ##################################### + ###### ENCRYPTION / HASHING ######### + ##################################### + + # Format: "key_id/enc_key another_key_id/another_enc_key" - the + # enc_key itself must be exactly 32 characters long and and + # should not contain special characters. + # The ID must match '[a-zA-Z0-9]{2,20}' + #ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA" + ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ + + # M_COST should never be below 32768 in production + ARGON2_M_COST=32768 + # T_COST should never be below 1 in production + ARGON2_T_COST=3 + # P_COST should never be below 2 in production + ARGON2_P_COST=2 + + # Limits the maximum amount of parallel password hashes at + # the exact same time to never exceed system memory while + # still allowing a good amount of memory for the argon2id + # algorithm (default: 2) + # CAUTION: You must make sure, that you have at least + # (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory + # available. + MAX_HASH_THREADS=1 + + # The time in ms when to log a warning, if a request waited + # longer than this time. This is an indicator, that you have + # more concurrent logins than allowed and may need config + # adjustments, + # if this happens more often. (default: 500) + #HASH_AWAIT_WARN_TIME=500 + + # JWKS auto rotate cronjob. This will (by default) rotate + # all JWKs every 1. 
day of the month. If you need smaller + # intervals, you may adjust this value. For security reasons, + # you cannot fully disable it. + # In a HA deployment, this job will only be executed on the + # current cache leader at that time. + # Format: "sec min hour day_of_month month day_of_week year" + # default: "0 30 3 1 * * *" + JWK_AUTOROTATE_CRON="0 30 3 1 * * *" + + ##################################### + ####### EPHEMERAL CLIENTS ########### + ##################################### + + # Can be set to 'true' to allow the dynamic client lookup via URLs as + # 'client_id's during authorization_code flow initiation. + # default: false + #ENABLE_EPHEMERAL_CLIENTS=false + + # Can be set to 'true' to enable WebID functionality like needed + # for things like Solid OIDC. + # default: false + ENABLE_WEB_ID=true + + # If set to 'true', 'solid' will be added to the 'aud' claim from the ID token + # for ephemeral clients. + # default: false + #ENABLE_SOLID_AUD=false + + # If set to 'true', MFA / Passkeys will be forced for ephemeral clients. + # default: false + #EPHEMERAL_CLIENTS_FORCE_MFA=false + + # The allowed flows separated by ' ' for ephemeral clients. + # default: "authorization_code" + #EPHEMERAL_CLIENTS_ALLOWED_FLOWS="authorization_code refresh_token" + + # The allowed scopes separated by ' ' for ephemeral clients. + # default: "openid profile email webid" + #EPHEMERAL_CLIENTS_ALLOWED_SCOPES="openid profile email webid" + + # The lifetime in seconds ephemeral clients will be kept inside the cache. + # default: 3600 + #EPHEMERAL_CLIENTS_CACHE_LIFETIME=3600 + + ##################################### + ######### EVENTS / AUDIT ############ + ##################################### + + # The E-Mail address event notifications should be sent to. + # If left empty, no messages will be sent to Slack. + #EVENT_EMAIL=admin@localhost.de + + # Matrix variables for event notifications. + # `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory. 
+ # Depending on your Matrix setup, additionally one of + # `EVENT_MATRIX_ACCESS_TOKEN` or `EVENT_MATRIX_USER_PASSWORD` is needed. + # If you log in to Matrix with User + Password, you may use `EVENT_MATRIX_USER_PASSWORD`. + # If you log in via OIDC SSO (or just want to use a session token you can revoke), + # you should provide `EVENT_MATRIX_ACCESS_TOKEN`. + # If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred. + # + # If left empty, no messages will be sent to Slack. + # Format: `@:` + #EVENT_MATRIX_USER_ID= + # Format: `!:` + #EVENT_MATRIX_ROOM_ID= + #EVENT_MATRIX_ACCESS_TOKEN= + #EVENT_MATRIX_USER_PASSWORD= + # Optional path to a PEM Root CA certificate file for the Matrix client. + #EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem + # May be set to disable the TLS validation for the Matrix client. + # default: false + #EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false + # The default behavior is, that Rauthy will panic at startup if it cannot connect + # to a configured Matrix server. The reason is that event notifications cannot be + # dropped silently. + # However, if you use a self-hosted Matrix server which uses Rauthy as its OIDC + # provider and both instances went offline, you will have a chicken and egg problem: + # - Rauthy cannot connect to Matrix and will panic + # - Your Matrix server cannot connect to Rauthy and will panic + # To solve this issue, you can temporarily set this value to 'true' and revert + # back, after the system is online again. + # default: false + #EVENT_MATRIX_ERROR_NO_PANIC=false + + # The Webhook for Slack Notifications. + # If left empty, no messages will be sent to Slack. + #EVENT_SLACK_WEBHOOK= + + # The notification level for events. Works the same way as a logging level. + # For instance: 'notice' means send out a notifications for all events with + # the info level or higher. 
+ # Possible values: + # - info + # - notice + # - warning + # - critical + # + # default: 'warning' + EVENT_NOTIFY_LEVEL_EMAIL=warning + # default: 'notice' + EVENT_NOTIFY_LEVEL_MATRIX=notice + # default: 'notice' + EVENT_NOTIFY_LEVEL_SLACK=notice + + # Define the level from which on events should be persisted inside the + # database. All events with a lower level will be lost, if there is no + # active event subscriber. + # Possible values: + # - info + # - notice + # - warning + # - critical + # default: 'info' + EVENT_PERSIST_LEVEL=info + + # Define the number of days when events should be cleaned up from the database. + # default: 31 + EVENT_CLEANUP_DAYS=31 + + # The level for the generated Event after a new user has been registered. + # default: info + EVENT_LEVEL_NEW_USER=info + # The level for the generated Event after a user has changed his E-Mail + # default: notice + EVENT_LEVEL_USER_EMAIL_CHANGE=notice + # The level for the generated Event after a user has reset its password + # default: notice + EVENT_LEVEL_USER_PASSWORD_RESET=notice + # The level for the generated Event after a user has been given the + # 'rauthy_admin' role + # default: notice + EVENT_LEVEL_RAUTHY_ADMIN=notice + # The level for the generated Event after a new App version has been found + # default: notice + EVENT_LEVEL_RAUTHY_VERSION=notice + # The level for the generated Event after the JWKS has been rotated + # default: notice + EVENT_LEVEL_JWKS_ROTATE=notice + # The level for the generated Event after DB secrets have been migrated + # to a new key + # default: notice + EVENT_LEVEL_SECRETS_MIGRATED=notice + # The level for the generated Event after a Rauthy instance has been + # started + # default: info + EVENT_LEVEL_RAUTHY_START=info + # The level for the generated Event after a Rauthy entered a healthy + # state (again) + # default: notice + EVENT_LEVEL_RAUTHY_HEALTHY=notice + # The level for the generated Event after a Rauthy entered an unhealthy + #state + # default: critical 
+ EVENT_LEVEL_RAUTHY_UNHEALTHY=critical + # The level for the generated Event after an IP has been blacklisted + # default: warning + EVENT_LEVEL_IP_BLACKLISTED=warning + # The level for the generated Event after certain amounts of false + # logins from an IP + # default: critical + EVENT_LEVEL_FAILED_LOGINS_25=critical + # default: critical + EVENT_LEVEL_FAILED_LOGINS_20=critical + # default: warning + EVENT_LEVEL_FAILED_LOGINS_15=warning + # default: warning + EVENT_LEVEL_FAILED_LOGINS_10=warning + # default: notice + EVENT_LEVEL_FAILED_LOGINS_7=notice + # default: info + EVENT_LEVEL_FAILED_LOGIN=info + + # If set to 'true', it will disable the app version checker. + # This is a scheduled task that looks up the latest version periodically + # by doing a request to the Github API to check the latest release. + # This ignores any type of prerelease and will only notify for a new stable. + # default: false + #DISABLE_APP_VERSION_CHECK=false + + ##################################### + ####### LIFETIMES / TIMEOUTS ######## + ##################################### + + # Set the grace time in seconds for how long in seconds the + # refresh token should still be valid after usage. Keep this + # value small, but do not set it to 0 with an HA deployment + # to not get issues with small HA cache latencies. + # + # If you have an external client, which does concurrent + # requests, from which the request interceptor wants to refresh + # the token, you may have multiple hits on the endpoint and all + # of them should be valid. + # + # Caching is done on the endpoint itself, but grace time of 0 + # will only be good for a single instance of rauthy. + # default: 5 + #REFRESH_TOKEN_GRACE_TIME=5 + + # Lifetime for offline tokens in hours (default: 720) + #OFFLINE_TOKEN_LIFETIME=720 + + # Session lifetime in seconds - the session can not be + # extended beyond this time and a new login will be forced. + # This is the session for the authorization code flow. 
(default: 14400) + #SESSION_LIFETIME=14400 + + # If 'true', a 2FA / MFA check will be done with each automatic + # token generation, even with an active session, which kind of + # makes the session useless with Webauthn enabled, but provides + # maximum amount of security. + # If 'false', the user will not get a MFA prompt with an active + # session at the authorization endpoint. + # (default: false) + #SESSION_RENEW_MFA=false + + # Session timeout in seconds + # When a new token / login is requested before this timeout hits + # the limit, the user will be authenticated without prompting for + # the credentials again. + # This is the value which can extend the session, until it hits + # its maximum lifetime set with SESSION_LIFETIME. + #SESSION_TIMEOUT=5400 + + # ML: magic link + # LT: lifetime + # Lifetime in minutes for reset password magic links (default: 30) + #ML_LT_PWD_RESET=30 + + # Lifetime in minutes for the first password magic link, for + # setting the initial password. (default: 4320) + #ML_LT_PWD_FIRST=4320 + + # The interval in seconds in which keep-alives should be sent to SSE clients. + # Depending on your network setup, proxy timeouts, ... + # you may adjust this value to fit your needs. + # default: 30 + #SSE_KEEP_ALIVE=30 + + ##################################### + ############# LOGGING ############### + ##################################### + + # This is the log level for stdout logs + # Accepts: error, info, debug, trace (default: info) + #LOG_LEVEL=info + + # This is a special config which allows the configuration of + # customized access logs. These logs will be logged with each + # request in addition to the normal LOG_LEVEL logs. + # The following values are valid: + # - Debug + # CAUTION: The Debug setting logs every information available + # to the middleware which includes SENSITIVE HEADERS + # DO NOT use the Debug level in a working production environment! 
+ # - Verbose + # Verbose logging without headers - generates huge outputs + # - Basic + # Logs access to all endpoints apart from the Frontend ones + # which all js, css, ... + # - Modifying + # Logs only requests to modifying endpoints and skips all GET + # - Off + # (default: Modifying) + LOG_LEVEL_ACCESS=Basic + + ##################################### + ################ MFA ################ + ##################################### + + # If 'true', MFA for an account must be enabled to access the + # rauthy admin UI (default: true) + ADMIN_FORCE_MFA=false + + ##################################### + ############## POW ################# + ##################################### + + ## Proof of Work (PoW) configuration for Client Endpoints like + # User Registration. The iteration count for the PoW calculation + # (default: 1000000) + #POW_IT=1000000 + + # The expiration duration in seconds when a saved PoW should be + # cleaned up (default: 300) + #POW_EXP=300 + + ##################################### + ############# SERVER ################ + ##################################### + + # The server address to listen on. Can bind to a specific IP. + # (default: 0.0.0.0) + #LISTEN_ADDRESS=0.0.0.0 + + # The listen ports for HTTP / HTTPS, depending on the + # activated 'LISTEN_SCHEME' + # default: 8080 + #LISTEN_PORT_HTTP=8080 + # default: 8443 + #LISTEN_PORT_HTTPS=8443 + + # The scheme to use locally, valid values: + # http | https | http_https (default: http_https) + LISTEN_SCHEME=http + + # The Public URL of the whole deployment + # The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN + # HEADER later on, which is especially important when running + # rauthy behind a reverse proxy. 
In case of a non-standard + # port (80/443), you need to add the port to the PUB_URL + PUB_URL=localhost:8080 + + # default value: number of available physical cores + #HTTP_WORKERS=1 + + # When rauthy is running behind a reverse proxy, set to true + # (default: false) + PROXY_MODE=false + + # To enable or disable the additional HTTP server to expose the /metrics endpoint + # default: true + #METRICS_ENABLE=true + + # The IP address to listen on for the /metrics endpoint. + # You do not want to expose your metrics on a publicly reachable endpoint! + # default: 0.0.0.0 + #METRICS_ADDR=0.0.0.0 + + # The post to listen on for the /metrics endpoint. + # You do not want to expose your metrics on a publicly reachable endpoint! + # default: 9090 + #METRICS_PORT=9090 + + # If the Swagger UI should be served together with the /metrics route on the internal + # server. It it then reachable via: + # http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/ + # (default: true) + #SWAGGER_UI_INTERNAL=true + + # If the Swagger UI should be served externally as well. This makes the link in the + # Admin UI work. + # + # CAUTION: The Swagger UI is open and does not require any login to be seen! + # Rauthy is open source, which means anyone could just download it and see on their + # own, but it may be a security concern to just expose less information. + # (default: false) + #SWAGGER_UI_EXTERNAL=false + + ##################################### + ############### TLS ################# + ##################################### + + ## Rauthy TLS + + # Overwrite the path to the TLS certificate file in PEM + # format for rauthy (default: tls/tls.crt) + #TLS_CERT=tls/tls.crt + # Overwrite the path to the TLS private key file in PEM + # format for rauthy. If the path / filename ends with + # '.der', rauthy will parse it as DER, otherwise as PEM. 
+ # (default: tls/tls.key) + #TLS_KEY=tls/tls.key + + ## CACHE TLS + + # Enable / disable TLS for the cache communication + # (default: true) + CACHE_TLS=true + + # The path to the server TLS certificate PEM file + # default: tls/redhac.cert-chain.pem + CACHE_TLS_SERVER_CERT=tls/cert-chain.pem + # The path to the server TLS key PEM file + # default: tls/redhac.key.pem + CACHE_TLS_SERVER_KEY=tls/key.pem + + # The path to the client mTLS certificate PEM file. This is optional. + #CACHE_TLS_CLIENT_CERT=tls/cert-chain.pem + # The path to the client mTLS key PEM file. This is optional. + #CACHE_TLS_CLIENT_KEY=tls/key.pem + + # If not empty, the PEM file from the specified location will be + # added as the CA certificate chain for validating + # the servers TLS certificate. This is optional. + #CACHE_TLS_CA_SERVER=tls/ca-chain.pem + # If not empty, the PEM file from the specified location will + # be added as the CA certificate chain for validating + # the clients mTLS certificate. This is optional. + #CACHE_TLS_CA_CLIENT=tls/ca-chain.pem + + # The domain / CN the client should validate the certificate + # against. This domain MUST be inside the + # 'X509v3 Subject Alternative Name' when you take a look at + # the servers certificate with the openssl tool. + # default: redhac.local + CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local + + # Can be used if you need to overwrite the SNI when the + # client connects to the server, for instance if you are + # behind a loadbalancer which combines multiple certificates. + # default: "" + #CACHE_TLS_SNI_OVERWRITE= + + ##################################### + ############# WEBAUTHN ############## + ##################################### + + # The 'Relaying Party (RP) ID' - effective domain name + # (default: localhost) + # CAUTION: When this changes, already registered devices will stop + # working and users cannot log in anymore! 
+ RP_ID=localhost + + # Url containing the effective domain name + # (default: http://localhost:8080) + # CAUTION: Must include the port number! + RP_ORIGIN=http://localhost:8080 + + # Non critical RP Name + # Has no security properties and may be changed without issues + # (default: Rauthy Webauthn) + RP_NAME='Rauthy Webauthn' + + # The Cache lifetime in seconds for Webauthn requests. Within + # this time, a webauthn request must have been validated. + # (default: 60) + #WEBAUTHN_REQ_EXP=60 + + # The Cache lifetime for additional Webauthn Data like auth + # codes and so on. Should not be lower than WEBAUTHN_REQ_EXP. + # The value is in seconds (default: 90) + #WEBAUTHN_DATA_EXP=90 + + # With webauthn enabled for a user, he needs to enter + # username / password on a new system. If these credentials are + # verified, rauthy will set an additional cookie, which will + # determine how long the user can then use only (safe) MFA + # passwordless webauthn login with yubikeys, apple touch id, + # Windows hello, ... until he needs to verify his credentials + # again. + # Passwordless login is generally much safer than logging in + # with a password. But sometimes it is possible, that the + # Webauthn devices do not force the user to include a second + # factor, which in that case would be a single factor login + # again. That is why we should ask for the original password + # in addition once in a while to set the cookie. + # The value is in hours (default: 2160) + #WEBAUTHN_RENEW_EXP=2160 + + # This feature can be set to 'true' to force User verification + # during the Webauthn ceremony. UV will be true, if the user + # does not only need to verify its presence by touching the key, + # but by also providing proof that he knows (or is) some secret + # via a PIN or biometric key for instance. With UV, we have a + # true MFA scenario where UV == false (user presence only) + # would be a 2FA scenario (with password). 
Be careful with this
+ # option, since Android and some special combinations of OS +
+ # browser to not support UV yet.
+ # (default: false)
+ #WEBAUTHN_FORCE_UV=false
+
+ # Can be set to 'true' to disable password expiry for users
+ # that have at least one active passkey. When set to 'false',
+ # the same password expiry from the set policy will apply to
+ # these users as well.
+ # With this option active, rauthy will ignore any password
+ # expiry set by the password policy for Webauthn users.
+ # default: true
+ #WEBAUTHN_NO_PASSWORD_EXPIRY=true
+
diff --git a/apps/rauthy/ingress.yaml b/apps/rauthy/ingress.yaml
new file mode 100644
index 0000000..d10b5cf
--- /dev/null
+++ b/apps/rauthy/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd
+ name: rauthy
+ labels:
+ app: rauthy
+spec:
+ rules:
+ - host: id.tobru.ch
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rauthy
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - id.tobru.ch
+ secretName: id-tobru-ch-cert
diff --git a/apps/rauthy/kustomization.yaml b/apps/rauthy/kustomization.yaml
new file mode 100644
index 0000000..7c173b4
--- /dev/null
+++ b/apps/rauthy/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odoo
+resources:
+ - configmap.yaml
+ - statefulset.yaml
+ - service.yaml
+ - ingress.yaml
+generators:
+ - secret-generator.yaml
diff --git a/apps/rauthy/secret-generator.yaml b/apps/rauthy/secret-generator.yaml
new file mode 100644
index 0000000..faa80d6
--- /dev/null
+++ b/apps/rauthy/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: secret-generator
+files:
+ - secret.sops.yaml
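Review bot: The public-URL and WebAuthn settings in this config still carry upstream's localhost examples — `PUB_URL=localhost:8080`, `RP_ID=localhost`, `RP_ORIGIN=http://localhost:8080`, `PROXY_MODE=false` — while the Ingress in this same commit serves the deployment at `https://id.tobru.ch` behind Traefik. By the file's own comments, LISTEN_SCHEME + PUB_URL must match the Origin header and RP_ORIGIN must be the effective domain with scheme and port, so browser logins through the ingress will fail the origin check, and the RP_ID caution means any passkey registered before RP_ID is corrected stops working once it changes. With PROXY_MODE=false the peer address rauthy sees is Traefik's, so SESSION_VALIDATE_IP (default true), IP blacklisting and the FAILED_LOGINS_* thresholds apply to all users as a single IP. Two smaller points: `ADMIN_FORCE_MFA=false` switches off a hardening the upstream default leaves on, and `ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ` is the sample key ID from the commented ENC_KEYS example, which only works if the sops-managed ENC_KEYS carries an entry with exactly that ID — worth confirming, since the ciphertext cannot be checked here. Suggested values below; whether rauthy derives the external scheme from forwarded headers in proxy mode is not visible here, so verify that `LISTEN_SCHEME=http` with an https origin is accepted after the change.
```yaml
    # … unchanged: ACCESS … LOGGING sections …
    ADMIN_FORCE_MFA=true
    # … unchanged: POW section, listen address / ports …
    LISTEN_SCHEME=http
    PUB_URL=id.tobru.ch
    # … unchanged: HTTP_WORKERS …
    PROXY_MODE=true
    # … unchanged: metrics, swagger, TLS sections …
    RP_ID=id.tobru.ch
    RP_ORIGIN=https://id.tobru.ch
    # … unchanged: rest of WEBAUTHN section …
```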
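Review bot: `namespace: odoo` in this Kustomization looks copied from another app: kustomize rewrites the namespace of every emitted resource, including the ksops-generated Secret, so the ConfigMap, Service and StatefulSet that declare `namespace: rauthy` and the Argo Application that targets `rauthy` (and only creates that namespace via CreateNamespace=true) would all be redirected into `odoo`. Because everything moves together, the `secretKeyRef` and configMap references still resolve, so the mistake would only show up as the identity provider landing next to an unrelated workload rather than as a sync error. Change it to `namespace: rauthy`.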
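Review bot: The generator lists `secret.sops.yaml`, but the file added in this commit is `apps/rauthy/secrets.sops.yaml` (plural), so ksops will not find its input and no `rauthy-secrets` Secret is produced; the StatefulSet's `secretKeyRef` entries for DATABASE_URL, ENC_KEYS and SMTP_PASSWORD would then keep the pod from starting. Change the entry to `- secrets.sops.yaml` (or rename the file to match).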
diff --git a/apps/rauthy/secrets.sops.yaml b/apps/rauthy/secrets.sops.yaml
new file mode 100644
index 0000000..8b4a65c
--- /dev/null
+++ b/apps/rauthy/secrets.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: rauthy-secrets
+type: Opaque
+stringData:
+ DATABASE_URL: ENC[AES256_GCM,data:7bL3UgDaVHnOnPAnvexMlcXNfkLu,iv:KfrewSX7UaQXMID7Sy33OnIlCDGKAzNxBgMKZvUiJ5Y=,tag:mb1B3t7Tlhfj7l/QGMNOnQ==,type:str]
+ ENC_KEYS: ENC[AES256_GCM,data:Tg7bOmHcdkiBHLs7p1in/moOsghdOD4slZjylEHt2NaLUJb7v5PzDSM=,iv:4tXRr89u/0AJuyBCphWrXrOfYR2ZhwkCIjbqqsCOKMg=,tag:mkeb7m1oJAr2Aozf64qQMQ==,type:str]
+ SMTP_PASSWORD: ENC[AES256_GCM,data:QHwEE/SYsg==,iv:dHCKwHdMS3mC87tJzUCMGniQ96u3V4Ky5KT0d6fFfog=,tag:4brW+KyANX/gVkKC/Wrs/Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZlJadDR6QWdLTStGQ0tR
+ QVdHK3EzSDZWM291NkxOS0wzakY0cGFFVTBRCmJnMDVwbUo5ZFkzZDhXdWFrMFJC
+ SnVjcXRhSXhEajhKZENMRXB1Vmw3ZE0KLS0tIHJJLzVYL0FxSGNRTk8rUjViQ3hV
+ amdlMDZHSTlTUWRnZGQ3ZWlZRG1zbHMKN3OBmYiC09MJxuv8hdCR70UmJQDW102M
+ bLkcqw73GumzZsaPRBgIDpR3AKCsXlKC0orU/0HCjcc4qcS2WQ0cwA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-11-21T21:08:40Z"
+ mac: ENC[AES256_GCM,data:3jV++001/kUJkfG0jGZLZNiQFrXci5nWY34rjMqyUAeHLGWVtS6LJpmijlGyTMwhwKxQQFeugJovVHpM4wyXlOTtS0UHWyjlzFYBexp2e9EDaSaxJOh0L+G1UnIjmmSVhTb0zQNRo8pqa9phP16REfMf+NUwK9zx77sLm3HOcv4=,iv:XmDzp9KTElz8COR9KgLtTSGGc+TL+o9+PCkIXvMuG8A=,tag:Uy3ScFEnv/tqZLQSx+g20A==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.8.1
diff --git a/apps/rauthy/service.yaml b/apps/rauthy/service.yaml
new file mode 100644
index 0000000..263afcf
--- /dev/null
+++ b/apps/rauthy/service.yaml
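Review bot: Only one age recipient is listed under `sops.age`, and `ENC_KEYS` is the key material rauthy uses for the secrets it stores in its database (the ConfigMap in this commit describes DB secrets being migrated between ENC_KEYS entries), so losing that single age identity would make the stored client secrets unrecoverable, and the same identity has to be available to the Argo CD repo-server for ksops to decrypt — neither the backup nor the repo-server side is visible here. Consider adding a second, offline recipient and recording where the decrypting key lives, e.g. a comment above `sops:` such as `# decrypted by the age identity mounted into argocd-repo-server; second recipient is the offline backup key`. `encrypted_regex: ^(data|stringData)$` is the right scope — metadata stays in clear so kustomize can still set the namespace.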
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: rauthy
+ namespace: rauthy
+spec:
+ selector:
+ app: rauthy
+ ports:
+ # If you use the HA feature later on, the port over which the cache layer does
+ # communicate.
+ - name: cache
+ port: 8000
+ targetPort: 8000
+ # Assuming that this example file will run behind a Kubernetes ingress and does
+ # use HTTP internally.
+ - name: http
+ port: 8080
+ targetPort: 8080
+ # Uncomment, if you change to direct HTTPS without a reverse proxy
+ #- name: https
+ # port: 8443
+ # targetPort: 8443
\ No newline at end of file
diff --git a/apps/rauthy/statefulset.yaml b/apps/rauthy/statefulset.yaml
new file mode 100644
index 0000000..2d5c96b
--- /dev/null
+++ b/apps/rauthy/statefulset.yaml
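Review bot: The Service publishes the cache port 8000 to the whole cluster although HA_MODE is off, the ConfigMap in this commit leaves `CACHE_AUTH_TOKEN` commented out, and it sets `CACHE_TLS=true` with certificate paths (`tls/cert-chain.pem`, `tls/key.pem`) that no volume in the StatefulSet provides; whether the cache listener is started at all without HA_MODE is not visible here, but nothing restricts who can reach it if it is. Separately, the StatefulSet's `serviceName: rauthy` and the `rauthy-0.rauthy:8000` form used in the HA_HOSTS example rely on per-pod DNS names that are only published for a headless Service (`clusterIP: None`), which this one is not. I would drop the cache port until HA is actually set up, or add `clusterIP: None` plus a NetworkPolicy limiting 8000 to the rauthy pods, and set an auth token and mount the certificates before turning on HA_MODE.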
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: rauthy
+ namespace: rauthy
+ labels:
+ app: rauthy
+spec:
+ serviceName: rauthy
+ # Do not just scale up replicas without a proper HA Setup
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rauthy
+ template:
+ metadata:
+ labels:
+ app: rauthy
+ spec:
+ securityContext:
+ fsGroup: 10001
+ containers:
+ - name: rauthy
+ image: ghcr.io/sebadob/rauthy:0.19.1-lite
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ # User ID 10001 is actually built into the container at the creation for
+ # better security
+ runAsUser: 10001
+ runAsGroup: 10001
+ allowPrivilegeEscalation: false
+ ports:
+ - containerPort: 8000
+ # You may need to adjust this, if you decide to start in https only mode
+ # or use another port
+ - containerPort: 8080
+ - containerPort: 8443
+ env:
+ - name: DATABASE_URL
+ valueFrom:
+ secretKeyRef:
+ name: rauthy-secrets
+ key: DATABASE_URL
+ - name: ENC_KEYS
+ valueFrom:
+ secretKeyRef:
+ name: rauthy-secrets
+ key: ENC_KEYS
+ - name: SMTP_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: rauthy-secrets
+ key: SMTP_PASSWORD
+ volumeMounts:
+ - mountPath: /app/data
+ name: rauthy-data
+ readOnly: false
+ - mountPath: /app/rauthy.cfg
+ subPath: rauthy.cfg
+ name: rauthy-config
+ readOnly: true
+ readinessProbe:
+ httpGet:
+ # You may need to adjust this, if you decide to start in https only
+ # mode or use another port
+ scheme: HTTP
+ port: 8080
+ #scheme: HTTPS
+ #port: 8443
+ path: /auth/v1/ping
+ initialDelaySeconds: 1
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ # You may need to adjust this, if you decide to start in https only
+ # mode or use another port
+ scheme: HTTP
+ port: 8080
+ #scheme: HTTPS
+ #port: 8443
+ path: /auth/v1/health
+ initialDelaySeconds: 1
+ periodSeconds: 30
+ resources:
+ requests:
+ # Tune the memory requests value carefully.
Make sure, that the
+ # pods request at least:
+ # `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi
+ # With SQLite: for small deployments, add additional ~20-30Mi for
+ # "the rest", for larger ones ~50-70 Mi should be enough.
+ memory: 64Mi
+ # The CPU needs to be adjusted during runtime. This heavily
+ # depends on your use case.
+ cpu: 100m
+ limits:
+ # Be careful with the memory limit. You must make sure, that the
+ # (very costly) password hashing has enough memory available. If not,
+ # the application will crash. You do not really need a memory limit,
+ # since Rust is not a garbage collected language. Better take a close
+ # look at what the container actually needs during
+ # prime time and set the requested resources above properly.
+ #memory:
+ # A CPU limit may make sense in case of DDoS attacks or something
+ # like this, if you do not have external rate limiting or other
+ # mechanisms. Otherwise, `MAX_HASH_THREADS` is the main mechanism
+ # to limit resources.
+ cpu: 1000m
+ volumes:
+ - name: rauthy-config
+ configMap:
+ name: rauthy-config
+ volumeClaimTemplates:
+ - metadata:
+ name: rauthy-data
+ spec:
+ accessModes:
+ - "ReadWriteOnce"
+ resources:
+ requests:
+ storage: 128Mi
+ #storageClassName: provideIfYouHaveMultipleOnes
\ No newline at end of file
diff --git a/system/apps/user/rauthy.yaml b/system/apps/user/rauthy.yaml
new file mode 100644
index 0000000..d654cb1
--- /dev/null
+++ b/system/apps/user/rauthy.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: rauthy
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: apps
+ source:
+ path: apps/rauthy
+ repoURL: https://git.tbrnt.ch/tobru/gitops-zurrli.git
+ targetRevision: HEAD
+ destination:
+ namespace: rauthy
+ server: https://kubernetes.default.svc
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
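Review bot: The container securityContext stops at `runAsUser`/`runAsGroup` 10001 and `allowPrivilegeEscalation: false`: there is no `runAsNonRoot: true` (an image revision whose entrypoint ran as root would not be refused by the kubelet), no `capabilities: drop: [ALL]`, no seccomp profile, and the pod keeps the default service-account token mount although nothing in this manifest calls the Kubernetes API. For the component that holds every user's credentials I would add the restricted-profile settings below plus `automountServiceAccountToken: false`; `readOnlyRootFilesystem: true` would fit as well, but whether rauthy writes anywhere outside the `/app/data` volume (backups, the SQLite journal) is not visible here, so test before enabling it. The `livenessProbe` with `initialDelaySeconds: 1` and the default failureThreshold will also restart the pod if a first start is slow (a DB migration, for instance); a `startupProbe` on `/auth/v1/health` with a generous `failureThreshold` is the usual remedy, though how that endpoint answers during migration is not shown here.
```yaml
    spec:
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 10001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: rauthy
          # … unchanged: image, imagePullPolicy …
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env, volumeMounts, probes, resources …
```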