diff --git a/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml b/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml index 795d2c56..0add76cc 100644 --- a/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml +++ b/frameworks/app-service/config/cluster/deploy/appservice_deploy.yaml @@ -153,7 +153,7 @@ spec: serviceAccount: os-internal containers: - name: app-service - image: beclab/app-service:0.2.15 + image: beclab/app-service:0.2.16 imagePullPolicy: IfNotPresent securityContext: runAsUser: 0 diff --git a/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml b/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml index 901602c0..7b91cff8 100644 --- a/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml +++ b/frameworks/bfl/config/launcher/templates/bfl_deploy.yaml @@ -289,7 +289,7 @@ spec: value: v0.1.0 - name: ingress - image: beclab/bfl-ingress:v0.2.9 + image: beclab/bfl-ingress:v0.2.10 imagePullPolicy: IfNotPresent volumeMounts: - name: ngxlog diff --git a/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml b/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml index ead2d3dc..618dcc2d 100644 --- a/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml +++ b/third-party/authelia/config/cluster/deploy/auth_backend_deploy.yaml 
@@ -4,16 +4,19 @@ {{- $auth_secret := (lookup "v1" "Secret" .Release.Namespace "authelia-secrets") -}} {{- $jwt_secret := "" -}} {{- $session_secret := "" -}} +{{- $hmac_secret := "" -}} {{- $encryption_key := "" -}} {{- $redis_password := "" -}} {{ if $auth_secret -}} {{- $jwt_secret = (index $auth_secret "data" "jwt_secret") -}} {{- $session_secret = (index $auth_secret "data" "session_secret") -}} +{{- $hmac_secret = (index $auth_secret "data" "hmac_secret") -}} {{- $encryption_key = (index $auth_secret "data" "encryption_key") -}} {{- $redis_password = (index $auth_secret "data" "redis_password") -}} {{ else -}} {{ $jwt_secret = randAlphaNum 16 | b64enc }} {{ $session_secret = randAlphaNum 16 | b64enc }} +{{ $hmac_secret = randAlphaNum 16 | b64enc }} {{ $encryption_key = randAlphaNum 32 | b64enc }} {{ $redis_password = randAlphaNum 16 | b64enc }} {{- end -}} @@ -28,6 +31,7 @@ type: Opaque data: jwt_secret: {{ $jwt_secret }} session_secret: {{ $session_secret }} + hmac_secret: {{ $hmac_secret }} encryption_key: {{ $encryption_key }} redis_password: {{ $redis_password }} 
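Review bot: The new `{{ $hmac_secret = randAlphaNum 16 | b64enc }}` in the `{{ else -}}` branch seeds the OIDC `hmac_secret` with only 16 alphanumeric characters, which is well below the 64+ characters Authelia's documentation recommends for this value (it is the key that signs the provider's JWTs). It copies the length used for `jwt_secret` and `session_secret`, but a fresh knob is the right place to stop propagating the short default: `{{ $hmac_secret = randAlphaNum 64 | b64enc }}`. Because the value is read back through `lookup` on upgrade, existing installs keep whatever was generated first, so changing the length only affects new installs — worth a one-line comment above the `else` branch saying the random values are generated once and then pinned in `authelia-secrets`. Note also that `lookup` returns nothing under `helm template`/`--dry-run`, so rendered previews will show a different secret each time; that behaviour predates this change but now also rotates OIDC signing material.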
@@ -104,7 +108,132 @@ data: disable_startup_check: false filesystem: filename: /app/notification.txt - + identity_providers: + oidc: + hmac_secret: {{ $hmac_secret | b64dec }} + issuer_certificate_chain: | + -----BEGIN CERTIFICATE----- + MIIFDTCCAvWgAwIBAgIUTY+5CtZNunClFgmYWiqPsR96k60wDQYJKoZIhvcNAQEL + BQAwFjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wHhcNMjQwNzA0MDcwMzMyWhcNMjUw + NzA0MDcwMzMyWjAWMRQwEgYDVQQDDAtleGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcN + AQEBBQADggIPADCCAgoCggIBAJ1/Z5iEMdkVNiR4moMLjtIvqgWnkjG3RAQH+f+M + KiKBNoD1lKNJyZ8Pi0ntCcwb7Gcb1sFf5Pu9mP+i/rn+PJQMSx/r/QYhUa+0t9V4 + NVsGTettGEfcUtzQsyJtO7DGCUqcX1p7Kum1FOyTK1ENgTR5wnRLeIAbtTDZmZWl + R8Y5NMDS67j6tGImY2R0pvI9i9J6I5ZXln/lj/6J8cIlJX+wY3RV/uo4cSAZ1Ng+ + zfP9S9H1+5l4s8Glf8FnQ0aplfcIEZh+K7sxufubZL57Z14R9rHIUq38knBLfJDZ + 3Xx8zWqVO0/Sm9hUJ4IaohC1TjBpywJ9bHwrXHZbbwCKfDvSWcxfO+1gs0F63a6/ + o34TYN9s3yamsootBoy9xIZN/jghLkVGGh2YH7yBdLrOA/Y+SbqpsySc+hBsHSTO + 0CJ06WCCf1QGgaPvRGaNg49+0pmODb5yrtsAQpmSe9PKkpwRHy8AvPwKvF225HjX + 16luku1XbzACOZCKXd8mosEJtpBa5lsR5OiGzbXN/ZKtF12Jl2/gNJ32qTiWninK + 3A5VXz+C1lPNFB5/PfJSYsOdHiTXvCVqP9oHPDhETcb271VhfeQ4CHjI06uBiYeW + tXxEJVj1gDpSqTFmSO9fdfAFt+OM8ljmxZ22yUdoKgYhH5z9teJ8Rs2ehhUOVO9I + H72tAgMBAAGjUzBRMB0GA1UdDgQWBBS4/5RB4sjqsOTIuCPJkEW66TTeoTAfBgNV + HSMEGDAWgBS4/5RB4sjqsOTIuCPJkEW66TTeoTAPBgNVHRMBAf8EBTADAQH/MA0G + CSqGSIb3DQEBCwUAA4ICAQA7RkClRVWgUnmuUuoN5PfCj2rEHQ2PmucOEBjr09kF + orSifS7xAuzVlA77I+t+NAN9UfgMXh2ar1J0Z0XPi1KBZ2aC9Jb0M0EShIYPYaF0 + I3PQuDamswV2QEifWmJnuSrhvhLVMtxN/XOsGHzG0xtlPInD7KRkfTpOgZFyNbQ8 + ud+aGXq+w5AK/sYgFJfBR1y4DCCSL/BGHg4PZjh+u5oZLkfI6f9CMqZNw/hpzxFu + p9xmvjiMF1PuxiA1c5mUuWEsPepwfzSQLH254+6tvaAW+MBC5Q5H1Q0EPkQUZQLf + wVNmQYCak8b4gf872o7OsPi5pJHCUBATZw33bzz280XuSxU3hxnmTbVO6IHUyFo2 + mTmajQfRNn6KPUJl06M+AvCpovpOxVT8iRmPOnigw86CRdWpAvPleMdR/TuV1QLH + 2gzOtFbKu+Cy8aoJHQBiL9vD7Odn+fLw0PrQXM1b0SSmJ9dv489fjQHIh9rlFxOI + j52MZr7P+4iMZSMhwV5SzUuotVFYPGd3OMoa3ilkI+ZzgXDuMZRU2Tt9MRU/V9vH + 5BHN5aLWNKwPyjjVFj2jaHVAk9GHht/33jbHj666X+KdJ4Hq67xy69/1/tBSKYe9 + 
1oC+QpNhZtiUmnU3NGDDvEk3lZU9zDR51pQf1o0pV+o1BGBeDa5jmHSvelif/w5b + uQ== + -----END CERTIFICATE----- + issuer_private_key: | + -----BEGIN PRIVATE KEY----- + MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCdf2eYhDHZFTYk + eJqDC47SL6oFp5Ixt0QEB/n/jCoigTaA9ZSjScmfD4tJ7QnMG+xnG9bBX+T7vZj/ + ov65/jyUDEsf6/0GIVGvtLfVeDVbBk3rbRhH3FLc0LMibTuwxglKnF9aeyrptRTs + kytRDYE0ecJ0S3iAG7Uw2ZmVpUfGOTTA0uu4+rRiJmNkdKbyPYvSeiOWV5Z/5Y/+ + ifHCJSV/sGN0Vf7qOHEgGdTYPs3z/UvR9fuZeLPBpX/BZ0NGqZX3CBGYfiu7Mbn7 + m2S+e2deEfaxyFKt/JJwS3yQ2d18fM1qlTtP0pvYVCeCGqIQtU4wacsCfWx8K1x2 + W28Ainw70lnMXzvtYLNBet2uv6N+E2DfbN8mprKKLQaMvcSGTf44IS5FRhodmB+8 + gXS6zgP2Pkm6qbMknPoQbB0kztAidOlggn9UBoGj70RmjYOPftKZjg2+cq7bAEKZ + knvTypKcER8vALz8CrxdtuR419epbpLtV28wAjmQil3fJqLBCbaQWuZbEeTohs21 + zf2SrRddiZdv4DSd9qk4lp4pytwOVV8/gtZTzRQefz3yUmLDnR4k17wlaj/aBzw4 + RE3G9u9VYX3kOAh4yNOrgYmHlrV8RCVY9YA6UqkxZkjvX3XwBbfjjPJY5sWdtslH + aCoGIR+c/bXifEbNnoYVDlTvSB+9rQIDAQABAoICAA8QydsYAiCu27//XWBdsaq/ + bnceAWkKC9KK5MoiIUGttIX/d9lqzIOPnBZVO1Ov9Bwk2JUk1CWUjFcfw1gNTsQm + rOT/0PNOKp8xHUipOAleAAQeKm1tUOvYdto7MrOFLgxaCvD/ySoT7U14AnO9Y/ee + EhDHy14NyHZEymE7LzNx827ifjPyn2CoJWfNlM6lPoPCtTbDaB0R24VQsrSMkxq0 + x76wHzNOdNvKPMb2swK83wzVh9y1ZBSI/UCF3TScMkEwH2bD4vEEH7NGuQtTiJ7B + /yQgcnA8MdHWFrNQc9Rdp9SjM8o97jRyUFksrQYGIdWVuRqi3sa96xlTQ7n8hUeZ + JFoS4h8FQQDDYKWQU/zuAyrKCNoDn+KlK/UdYBgIGSZa3/pf5sM3UHTqFjMrgWvD + 92FaipyUK643nXQjbvJ4nekRQFUssx5NgkhlH3ottwGwLRzPXSceidZlQJrJ/Nht + XXcZEeWG2KGRzayDj2l/Fml4CNWoxXGe171uAj1XvP/xm4mdOSzXEOTMxsCoBf3r + YOeMm1470hLHDQ8rEo42fJSt0JJkOPX4ygEgwYPuy57FlJhVYUARNrOl0Xn2MetU + d/Kc/oLZ9rnVLumZSo6USm28xLMJRRF2tjA6eH2sSw/NQ0HkEXa6urF7LAlCcSvy + SvouOvLzWOM7d93gx2ahAoIBAQDXRbTJzawLG3LnRoVRXI37U0++nMOG3M5DhDOZ + FazqiVGP+moCKn9PCaM3yzab2ew+2SkPDIoOwnk4cj/tYUeqU+J31PeopwwY/vo1 + +zECiBHpCktMxNPQwphqGQkHaGgODQ+pTyTSyTc9J651rnzTrlsjmp9X2xs8SWeg + PTmig7GnC96UXJ2ZW5RMoQlevP/qMjgexxAiOY10NQHERJXpSO+OZgRZqQ8cHpTy + +ydXUAM8+/pfKKYCacZ12nM8bg3Gk3SmQPnwx8Fz2tLpg8NMiJtMtbvDqLtBmlb6 + 
sU2WsoV4TINX1uLSmQHmvVVcJAz+hOmvq2MQmGZIQpWJuFpFAoIBAQC7S39g/U6h + q1NmaMZSuy/hKmZD0J3Trhy7TJi2DNYyCbAhyesIbrxL9UxZ6QFzmZdv+jagAHAN + 5nmK/PGA5MBt3vgNd4C1jq3c3Ni0J1StU9LwPcOTRizEY6rJR3ieBOcw7xD8fOJ/ + 793PkILzs+6i+2qdQZGKBdQSxYUiMus/aRzpXp9AXm7vVcvYXDEmjWmx5rYUshVG + UJvbUnvGU8sx3RgynxmOUIy5AFU3HULUVzGvhWiqaIesLUToFyDxMGc8sjOVfYHY + rSR+Rv3YmKzN6yUBwSaj5865qlnOYY+Tif+dM1L+J6na3FhgkkhfnEbMzY7c0EqR + XYIqmwOYNgBJAoIBAHZCuf2++kujyazaJfU7dlhiPUXG0vdsp/eZUctAiBzUUTVa + aRBFjmi6L6s//QEDZ/Bi1laJGfLfzT5ALXRX48njiV8xZNiG5HN657PuCc+NNuGi + IRnMa1yc+qQWmsoyBi/p5vepHd6aYbk76nCF6ddUSoc1s2HNYZnt7XqvB9GKrXbK + Y313n7CXCdJLCV29UI21BvWJgAh9O4Nid1T+JKjiw4+j5bHn2QAmoMcXSFaEAzNm + bfYG26QpvbgSyQmin/i+GvAWc/hdlJ3z0bgtBYYu6bnrgHoNYMm6YxwXeTtXWVFs + Hx+LUlJFcjDzREh5GZZdKA+0hJiiUFZUFdhxqU0CggEBAK2Q2FlMRNsjRuVngSpX + 15YFUcHUiP4KowubfwVuPe0e9z9IvGsTG6IUjw3fFP5IvoMB0C9UWIM5Kzd3EmLN + Gdp3v03Tic42i75aVuQUcq8xOBB0XFKVvJS+fB2NAyUFDC5XzVj+bnP7GIXquMAY + 5bPZ48IZakMLBa3jp2263DDmOum1S0U+ffWDf6VgQhglAmbfk6r4ISkJOHX2KUfw + jSQHbQ40TF2LHe2vdkjd7/mRWDT9H7KTre8MAIhILrn0jic8SPtm1La0NVZkeYeI + bNNi7ueCVEmeXv/F8vWDiadDQkMuteFbZlewzKGpzjH0Q9Q1Rggxanjtu9u5zYn3 + uSkCggEBAMtRkICZpBDXHLMzXmeeMP754SON2/mbqNwZJFrDbbUxNo+OCfVNzFsN + CPTJ4wZyXhO2rxRkZbZqSTRWCboOqjqcEInSMZK/bpG6Mn/w0sBVKShzaBwj+h9o + 7Oy2jg+hrLs/CNCFVWajO/Emrl18qQXNj0lp5M9vnhkn4GLFCRDdwcsWPxoPjg5x + Rx+4apd5v54xVCiTMqA6UtoE3CYX6MAAxGS7eN31bFtGeUhfMZW/ikKyy0C4mgVK + 2AUQXmrLiuGFXjkHox5Ib9NeLk7j0JejykkcKvmIXoc+w4lPM+W0jBXGCwfhkR5u + 1lfw6aleWRKlBuNJVrNWcNzUavPcNcQ= + -----END PRIVATE KEY----- + access_token_lifespan: 1h + authorize_code_lifespan: 1m + id_token_lifespan: 1h + refresh_token_lifespan: 90m + enable_client_debug_messages: false + enforce_pkce: public_clients_only + cors: + endpoints: + - authorization + - token + - revocation + - introspection + clients: + - id: example + description: example + secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # 
The digest of 'insecure_secret'. + sector_identifier: '' + public: false + authorization_policy: two_factor + consent_mode: implicit + pre_configured_consent_duration: 1w + audience: [] + scopes: + - openid + - groups + - email + - profile + redirect_uris: + - https://www.example.com/auth/auth/openid_connect/callback + grant_types: + - refresh_token + - authorization_code + response_types: + - code + response_modes: + - form_post + - query + - fragment + userinfo_signing_algorithm: none # users_database.yaml: | # users: # authelia: @@ -145,7 +274,7 @@ spec: serviceAccount: os-internal containers: - name: authelia - image: beclab/auth:0.1.30 + image: beclab/auth:0.1.31 imagePullPolicy: IfNotPresent ports: - containerPort: 9091
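Review bot: The `issuer_private_key` block (the PEM beginning `MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0w…`) is a fixed RSA key committed to the repo, and the accompanying `issuer_certificate_chain` is a self-signed certificate whose subject appears to decode to `example.com` — so every installation rendered from this template signs ID tokens with the same publicly known key, and anyone with the source can mint tokens that relying parties of any deployment will accept. Generate it at install time the way this file already handles the other secrets: add `{{ $oidc_key = genPrivateKey "rsa" | b64enc }}` to the `{{ else -}}` branch, store it in `authelia-secrets` and read it back via the existing `lookup`, then render `issuer_private_key: |` followed by `{{ $oidc_key | b64dec | indent N }}` (N matching the surrounding nesting, which the collapsed hunk does not let me confirm); `issuer_certificate_chain` is optional in Authelia and can simply be dropped. The `example` client should not ship either: its `secret` is, per its own trailing comment, the digest of `insecure_secret`, and with `public: false` that hands anyone a valid confidential-client credential for the live `token`/`introspection` endpoints (the `www.example.com` redirect URI limits the authorization-code flow, not client-credential use), so remove it or generate its secret at install time as well. `userinfo_signing_algorithm: none` is only safe if every consumer fetches userinfo over TLS directly from this issuer; if that is not guaranteed through the bfl ingress, prefer `RS256`.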