From 2929bcbc5fec502e1eca826b85e75d2729326458 Mon Sep 17 00:00:00 2001 From: sebadob Date: Tue, 31 Oct 2023 16:15:31 +0100 Subject: [PATCH 1/2] helm chart creation: base + sts added --- justfile | 6 + rauthy-book/src/config/config.md | 4 +- rauthy-helm/.helmignore | 23 + rauthy-helm/Chart.yaml | 24 + rauthy-helm/templates/config.yaml | 634 ++++++++++++++++++++++++++ rauthy-helm/templates/service.yaml | 12 + rauthy-helm/templates/sts.yaml | 100 ++++ rauthy-helm/templates/validation.yaml | 20 + rauthy-helm/values.yaml | 58 +++ rauthy.cfg | 2 +- 10 files changed, 880 insertions(+), 3 deletions(-) create mode 100644 rauthy-helm/.helmignore create mode 100644 rauthy-helm/Chart.yaml create mode 100644 rauthy-helm/templates/config.yaml create mode 100644 rauthy-helm/templates/service.yaml create mode 100644 rauthy-helm/templates/sts.yaml create mode 100644 rauthy-helm/templates/validation.yaml create mode 100644 rauthy-helm/values.yaml diff --git a/justfile b/justfile index e30755e8..7d2ecad6 100644 --- a/justfile +++ b/justfile @@ -299,3 +299,9 @@ publish-latest: publish-versions docker pull ghcr.io/sebadob/rauthy:$TAG docker tag ghcr.io/sebadob/rauthy:$TAG ghcr.io/sebadob/rauthy:latest docker push ghcr.io/sebadob/rauthy:latest + + +# prints out the raw computed helm template for easier development and debugging +helm-debug: + #!/usr/bin/env bash + helm install --debug --dry-run rauthy ./rauthy-helm diff --git a/rauthy-book/src/config/config.md b/rauthy-book/src/config/config.md index cc008284..23e70c0d 100644 --- a/rauthy-book/src/config/config.md +++ b/rauthy-book/src/config/config.md 
@@ -179,8 +179,8 @@ SMTP_FROM= ###### ENCRYPTION / HASHING ######### ##################################### -# Format: "key_id/enc_key another_key_id/another_enc_key" - the -# enc_key itself must be exactly 32 characters long and and +# Format: "key_id/enc_key another_key_id/another_enc_key" +# The enc_key itself must be exactly 32 characters long and # should not contain special characters. # The ID must match '[a-zA-Z0-9]{2,20}' #ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA" diff --git a/rauthy-helm/.helmignore b/rauthy-helm/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/rauthy-helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/rauthy-helm/Chart.yaml b/rauthy-helm/Chart.yaml new file mode 100644 index 00000000..e3a49259 --- /dev/null +++ b/rauthy-helm/Chart.yaml 
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: rauthy
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.17.0"
diff --git a/rauthy-helm/templates/config.yaml b/rauthy-helm/templates/config.yaml
new file mode 100644
index 00000000..b4980289
--- /dev/null
+++ b/rauthy-helm/templates/config.yaml
@@ -0,0 +1,634 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config + namespace: {{ .Release.Namespace }} +data: + rauthy.cfg: | + ##################################### + ############## ACCESS ############### + ##################################### + + # If the User Registration endpoint should be accessible by anyone. + # If not, an admin must create each new user. (default: false) + #OPEN_USER_REG=false + + # Can be used when 'OPEN_USER_REG=true' to restrict the domains + # for a registration. For instance, set it to + # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only + # registrations with 'user@gmail.com' (default: '') + #USER_REG_DOMAIN_RESTRICTION=some-domain.com + + # If set to 'true', this will validate the remote peer IP address with each request + # and compare it with the IP which was used during the initial session creation / login. + # If the IP is different, the session will be rejected. + # This is a security hardening and prevents stolen access credentials, for instance if + # an attacker might have copied the encrypted session cookie and the XSRF token from + # the local storage from a user. However, this event is really unlikely, since it may + # only happen if an attacker has direct access to the machine itself. + # + # If your users are using mobile networks and get new IP addresses all the time, this + # means they have to do a new login each time. This is no big deal at all with + # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature. + # + # Caution: If you are running behind a reverse proxy which does not provide the + # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled, + # this feature will not work. You can validate the IPs for each session in the Admin + # UI. If these are correct, your setup is okay. 
+ # + # (default: true) + #SESSION_VALIDATE_IP=true + + ##################################### + ############# BACKUPS ############### + ##################################### + + # Cron job for automatic data store backups (default: "0 0 4 * * * *") + # sec min hour day_of_month month day_of_week year + #BACKUP_TASK="0 0 4 * * * *" + + # The name for the data store backups. The current timestamp + # will always be appended automatically. (default: rauthy-backup-) + #BACKUP_NAME="rauthy-backup-" + + # All backups older than the specified hours will be cleaned up + # automatically (default: 720) + #BACKUP_RETENTION_LOCAL=720 + + ##################################### + ############## CACHE ################ + ##################################### + + # If the cache should start in HA mode or standalone + # accepts 'true|false', defaults to 'false' + #HA_MODE=false + + # The connection strings (with hostnames) of the HA instances + # as a CSV. + # Format: 'scheme://hostname:port' + #HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000" + + # Overwrite the hostname which is used to identify each cache member. + # Useful in scenarios, where for instance all members are on the same host with + # different ports or for testing. 
+ #HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080" + + ## Define buffer sizes for channels between the components + # Buffer for client requests on the incoming stream - server + # side (default: 128) + # Make sense to have the CACHE_BUF_SERVER set to: + # `(number of total HA cache hosts - 1) * CACHE_BUF_CLIENT` + # In a non-HA deployment, set the same size for both + #CACHE_BUF_SERVER=128 + # Buffer for client requests to remote servers for all cache + # operations (default: 128) + #CACHE_BUF_CLIENT=128 + + # Secret token, which is used to authenticate the cache members + #CACHE_AUTH_TOKEN=SomeSuperSecretAndVerySafeToken1337 + + ## Connections Timeouts + + # The Server sends out keepalive pings with configured timeouts + # The keepalive ping interval in seconds (default: 5) + #CACHE_KEEPALIVE_INTERVAL=5 + # The keepalive ping timeout in seconds (default: 5) + #CACHE_KEEPALIVE_TIMEOUT=5 + + # The timeout for the leader election. If a newly saved leader + # request has not reached quorum after the timeout, the leader + # will be reset and a new request will be sent out. + # CAUTION: + # This should not be lower than CACHE_RECONNECT_TIMEOUT_UPPER, + # since cold starts and elections will be problematic in that + # case. + # value in seconds, default: 15 + #CACHE_ELECTION_TIMEOUT=15 + + # These 2 values define the reconnect timeout for the HA Cache + # Clients. The values are in ms and a random between these 2 + # will be chosen each time to avoid conflicts and race conditions + # (default: 2500) + #CACHE_RECONNECT_TIMEOUT_LOWER=2500 + # (default: 5000) + #CACHE_RECONNECT_TIMEOUT_UPPER=5000 + + ##################################### + ############ DATABASE ############### + ##################################### + + # The database driver will be chosen at runtime depending on + # the given DATABASE_URL format. 
Examples: + # Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:' + # Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName' + # + # NOTE: The password in this case should be alphanumeric. Special + # characters could cause problems in the connection string. + # + # CAUTION: + # To make the automatic migrations work with Postgres15, when + # you do not want to just use the `postgres` user, You need + # to have a user with the same name as the DB / schema. For + # instance, the following would work without granting extra + # access to the `public` schema which is disabled by default + # since PG15: + # + # database: rauthy + # user: rauthy + # schema: rauthy with owner rauthy + # + #DATABASE_URL=sqlite::memory: + #DATABASE_URL=sqlite:data/rauthy.db + #DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy + {{- if .Values.sqlite.enabled }} + DATABASE_URL=sqlite:data/rauthy.db + {{- end }} + + # Max DB connections - irrelevant for SQLite (default: 5) + #DATABASE_MAX_CONN=5 + + # If specified, the current Database, set with DATABASE_URL, + # will be DELETED and OVERWRITTEN with a migration from the + # given database with this variable. Can be used to migrate + # between different databases. + # + # !!! USE WITH CARE !!! + #MIGRATE_DB_FROM=sqlite:data/rauthy.db + + # Disables the housekeeping schedulers (default: false) + #SCHED_DISABLE=true + + ##################################### + ############# E-MAIL ################ + ##################################### + + # Will be used as the prefix for the E-Mail subject for each E-Mail + # that will be sent out to a client. + # This can be used to further customize your deployment. 
+ # default: "Rauthy IAM" + EMAIL_SUB_PREFIX="Rauthy IAM" + + SMTP_USERNAME= + #SMTP_PASSWORD= + SMTP_URL= + # Format: "Rauthy " + SMTP_FROM= + + ##################################### + ###### ENCRYPTION / HASHING ######### + ##################################### + + # Format: "key_id/enc_key another_key_id/another_enc_key" - the + # enc_key itself must be exactly 32 characters long and and + # should not contain special characters. + # The ID must match '[a-zA-Z0-9]{2,20}' + #ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA" + ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ + + # M_COST should never be below 32768 in production + ARGON2_M_COST=32768 + # T_COST should never be below 1 in production + ARGON2_T_COST=3 + # P_COST should never be below 2 in production + ARGON2_P_COST=2 + + # Limits the maximum amount of parallel password hashes at + # the exact same time to never exceed system memory while + # still allowing a good amount of memory for the argon2id + # algorithm (default: 2) + # CAUTION: You must make sure, that you have at least + # (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory + # available. + MAX_HASH_THREADS=1 + + # The time in ms when to log a warning, if a request waited + # longer than this time. This is an indicator, that you have + # more concurrent logins than allowed and may need config + # adjustments, + # if this happens more often. (default: 500) + #HASH_AWAIT_WARN_TIME=500 + + # JWKS auto rotate cronjob. This will (by default) rotate + # all JWKs every 1. day of the month. If you need smaller + # intervals, you may adjust this value. For security reasons, + # you cannot fully disable it. + # In a HA deployment, this job will only be executed on the + # current cache leader at that time. 
+ # Format: "sec min hour day_of_month month day_of_week year" + # default: "0 30 3 1 * * *" + JWK_AUTOROTATE_CRON="0 30 3 1 * * *" + + ##################################### + ######### EVENTS / AUDIT ############ + ##################################### + + # The E-Mail address event notifications should be sent to. + # If left empty, no messages will be sent to Slack. + #EVENT_EMAIL=admin@localhost.de + + # Matrix variables for event notifications. + # `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory. + # Depending on your Matrix setup, additionally one of + # `EVENT_MATRIX_ACCESS_TOKEN` or `EVENT_MATRIX_USER_PASSWORD` is needed. + # If you log in to Matrix with User + Password, you may use `EVENT_MATRIX_USER_PASSWORD`. + # If you log in via OIDC SSO (or just want to use a session token you can revoke), + # you should provide `EVENT_MATRIX_ACCESS_TOKEN`. + # If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred. + # + # If left empty, no messages will be sent to Slack. + # Format: `@:` + #EVENT_MATRIX_USER_ID= + # Format: `!:` + #EVENT_MATRIX_ROOM_ID= + #EVENT_MATRIX_ACCESS_TOKEN= + #EVENT_MATRIX_USER_PASSWORD= + # Optional path to a PEM Root CA certificate file for the Matrix client. + #EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem + # May be set to disable the TLS validation for the Matrix client. + # default: false + #EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false + + # The Webhook for Slack Notifications. + # If left empty, no messages will be sent to Slack. + #EVENT_SLACK_WEBHOOK= + + # The notification level for events. Works the same way as a logging level. + # For instance: 'notice' means send out a notifications for all events with + # the info level or higher. 
+ # Possible values: + # - info + # - notice + # - warning + # - critical + # + # default: 'warning' + EVENT_NOTIFY_LEVEL_EMAIL=warning + # default: 'notice' + EVENT_NOTIFY_LEVEL_MATRIX=notice + # default: 'notice' + EVENT_NOTIFY_LEVEL_SLACK=notice + + # Define the level from which on events should be persisted inside the + # database. All events with a lower level will be lost, if there is no + # active event subscriber. + # Possible values: + # - info + # - notice + # - warning + # - critical + # default: 'info' + EVENT_PERSIST_LEVEL=info + + # Define the number of days when events should be cleaned up from the database. + # default: 31 + EVENT_CLEANUP_DAYS=31 + + # The level for the generated Event after a new user has been registered. + # default: info + EVENT_LEVEL_NEW_USER=info + # The level for the generated Event after a user has changed his E-Mail + # default: notice + EVENT_LEVEL_USER_EMAIL_CHANGE=notice + # The level for the generated Event after a user has reset its password + # default: notice + EVENT_LEVEL_USER_PASSWORD_RESET=notice + # The level for the generated Event after a user has been given the + # 'rauthy_admin' role + # default: notice + EVENT_LEVEL_RAUTHY_ADMIN=notice + # The level for the generated Event after a new App version has been found + # default: notice + EVENT_LEVEL_RAUTHY_VERSION=notice + # The level for the generated Event after the JWKS has been rotated + # default: notice + EVENT_LEVEL_JWKS_ROTATE=notice + # The level for the generated Event after DB secrets have been migrated + # to a new key + # default: notice + EVENT_LEVEL_SECRETS_MIGRATED=notice + # The level for the generated Event after a Rauthy instance has been + # started + # default: info + EVENT_LEVEL_RAUTHY_START=info + # The level for the generated Event after a Rauthy entered a healthy + # state (again) + # default: notice + EVENT_LEVEL_RAUTHY_HEALTHY=notice + # The level for the generated Event after a Rauthy entered an unhealthy + #state + # default: critical 
+ EVENT_LEVEL_RAUTHY_UNHEALTHY=critical + # The level for the generated Event after an IP has been blacklisted + # default: warning + EVENT_LEVEL_IP_BLACKLISTED=warning + # The level for the generated Event after certain amounts of false + # logins from an IP + # default: criticao + EVENT_LEVEL_FAILED_LOGINS_25=critical + # default: criticao + EVENT_LEVEL_FAILED_LOGINS_20=critical + # default: warning + EVENT_LEVEL_FAILED_LOGINS_15=warning + # default: warning + EVENT_LEVEL_FAILED_LOGINS_10=warning + # default: notice + EVENT_LEVEL_FAILED_LOGINS_7=notice + # default: info + EVENT_LEVEL_FAILED_LOGIN=info + + # If set to 'true', it will disable the app version checker. + # This is a scheduled task that looks up the latest version periodically + # by doing a request to the Github API to check the latest release. + # This ignores any type of prerelease and will only notify for a new stable. + # default: false + #DISABLE_APP_VERSION_CHECK=false + + ##################################### + ####### LIFETIMES / TIMEOUTS ######## + ##################################### + + # Set the grace time in seconds for how long in seconds the + # refresh token should still be valid after usage. Keep this + # value small, but do not set it to 0 with an HA deployment + # to not get issues with small HA cache latencies. + # + # If you have an external client, which does concurrent + # requests, from which the request interceptor wants to refresh + # the token, you may have multiple hits on the endpoint and all + # of them should be valid. + # + # Caching is done on the endpoint itself, but grace time of 0 + # will only be good for a single instance of rauthy. + # default: 5 + #REFRESH_TOKEN_GRACE_TIME=5 + + # Lifetime for offline tokens in hours (default: 720) + #OFFLINE_TOKEN_LIFETIME=720 + + # Session lifetime in seconds - the session can not be + # extended beyond this time and a new login will be forced. + # This is the session for the authorization code flow. 
(default: 14400) + #SESSION_LIFETIME=14400 + + # If 'true', a 2FA / MFA check will be done with each automatic + # token generation, even with an active session, which kind of + # makes the session useless with Webauthn enabled, but provides + # maximum amount of security. + # If 'false', the user will not get a MFA prompt with an active + # session at the authorization endpoint. + # (default: false) + #SESSION_RENEW_MFA=false + + # Session timeout in seconds + # When a new token / login is requested before this timeout hits + # the limit, the user will be authenticated without prompting for + # the credentials again. + # This is the value which can extend the session, until it hits + # its maximum lifetime set with SESSION_LIFETIME. + #SESSION_TIMEOUT=5400 + + # ML: magic link + # LT: lifetime + # Lifetime in minutes for reset password magic links (default: 30) + #ML_LT_PWD_RESET=30 + + # Lifetime in minutes for the first password magic link, for + # setting the initial password. (default: 86400) + #ML_LT_PWD_FIRST=86400 + + # The interval in seconds in which keep-alives should be sent to SSE clients. + # Depending on your network setup, proxy timeouts, ... + # you may adjust this value to fit your needs. + # default: 30 + #SSE_KEEP_ALIVE=30 + + ##################################### + ############# LOGGING ############### + ##################################### + + # This is the log level for stdout logs + # Accepts: error, info, debug, trace (default: info) + #LOG_LEVEL=info + + # This is a special config which allows the configuration of + # customized access logs. These logs will be logged with each + # request in addition to the normal LOG_LEVEL logs. + # The following values are valid: + # - Debug + # CAUTION: The Debug setting logs every information available + # to the middleware which includes SENSITIVE HEADERS + # DO NOT use the Debug level in a working production environment! 
+ # - Verbose + # Verbose logging without headers - generates huge outputs + # - Basic + # Logs access to all endpoints apart from the Frontend ones + # which all js, css, ... + # - Modifying + # Logs only requests to modifying endpoints and skips all GET + # - Off + # (default: Modifying) + LOG_LEVEL_ACCESS=Basic + + ##################################### + ################ MFA ################ + ##################################### + + # If 'true', MFA for an account must be enabled to access the + # rauthy admin UI (default: true) + ADMIN_FORCE_MFA=false + + ##################################### + ############## POW ################# + ##################################### + + ## Proof of Work (PoW) configuration for Client Endpoints like + # User Registration. The iteration count for the PoW calculation + # (default: 1000000) + #POW_IT=1000000 + + # The expiration duration in seconds when a saved PoW should be + # cleaned up (default: 300) + #POW_EXP=300 + + ##################################### + ############# SERVER ################ + ##################################### + + # The server address to listen on. Can bind to a specific IP. + # (default: 0.0.0.0) + #LISTEN_ADDRESS=0.0.0.0 + + # The listen ports for HTTP / HTTPS, depending on the + # activated 'LISTEN_SCHEME' + # default: 8080 + #LISTEN_PORT_HTTP=8080 + # default: 8443 + #LISTEN_PORT_HTTPS=8443 + + # The scheme to use locally, valid values: + # http | https | http_https (default: http_https) + LISTEN_SCHEME=http + + # The Public URL of the whole deployment + # The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN + # HEADER later on, which is especially important when running + # rauthy behind a reverse proxy. 
In case of a non-standard + # port (80/443), you need to add the port to the PUB_URL + PUB_URL=localhost:8080 + + # default value: number of available physical cores + #HTTP_WORKERS=1 + + # When rauthy is running behind a reverse proxy, set to true + # (default: false) + PROXY_MODE=false + + # To enable or disable the additional HTTP server to expose the /metrics endpoint + # default: true + #METRICS_ENABLE=true + + # The IP address to listen on for the /metrics endpoint. + # You do not want to expose your metrics on a publicly reachable endpoint! + # default: 0.0.0.0 + #METRICS_ADDR=0.0.0.0 + + # The post to listen on for the /metrics endpoint. + # You do not want to expose your metrics on a publicly reachable endpoint! + # default: 9090 + #METRICS_PORT=9090 + + # If the Swagger UI should be served together with the /metrics route on the internal + # server. It it then reachable via: + # http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/ + # (default: true) + #SWAGGER_UI_INTERNAL=true + + # If the Swagger UI should be served externally as well. This makes the link in the + # Admin UI work. + # + # CAUTION: The Swagger UI is open and does not require any login to be seen! + # Rauthy is open source, which means anyone could just download it and see on their + # own, but it may be a security concern to just expose less information. + # (default: false) + #SWAGGER_UI_EXTERNAL=false + + ##################################### + ############### TLS ################# + ##################################### + + ## Rauthy TLS + + # Overwrite the path to the TLS certificate file in PEM + # format for rauthy (default: tls/tls.crt) + #TLS_CERT=tls/tls.crt + # Overwrite the path to the TLS private key file in PEM + # format for rauthy. If the path / filename ends with + # '.der', rauthy will parse it as DER, otherwise as PEM. 
+ # (default: tls/tls.key) + #TLS_KEY=tls/tls.key + + ## CACHE TLS + + # Enable / disable TLS for the cache communication + # (default: true) + CACHE_TLS=true + # The path to the server TLS certificate PEM file + # (default: tls/redhac.local.cert.pem) + CACHE_TLS_SERVER_CERT=tls/redhac.local.cert.pem + # The path to the server TLS key PEM file + # (default: tls/redhac.local.key.pem) + CACHE_TLS_SERVER_KEY=tls/redhac.local.key.pem + # If not empty, the PEM file from the specified location + # will be added as the CA certificate chain for validating + # the servers TLS certificate (default: tls/ca-chain.cert.pem) + CACHE_TLS_CA_SERVER=tls/ca-chain.cert.pem + + # The path to the client mTLS certificate PEM file + # (default: tls/redhac.local.cert.pem) + CACHE_TLS_CLIENT_CERT=tls/redhac.local.cert.pem + # The path to the client mTLS key PEM file + # (default: tls/redhac.local.key.pem) + CACHE_TLS_CLIENT_KEY=tls/redhac.local.key.pem + # If not empty, the PEM file from the specified location will + # be added as the CA certificate chain for validating + # the clients mTLS certificate (default: tls/ca-chain.cert.pem) + CACHE_TLS_CA_CLIENT=tls/ca-chain.cert.pem + + # The domain / CN the client should validate the certificate + # against. This domain MUST be inside the + # 'X509v3 Subject Alternative Name' when you take a look at the + # servers certificate with the openssl tool. + # default: redhac.local + CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local + + # Can be used, if you need to overwrite the SNI when the client + # connects to the server, for instance if you are behind + # a loadbalancer which combines multiple certificates. 
(default: "") + #CACHE_TLS_SNI_OVERWRITE= + + ##################################### + ############# WEBAUTHN ############## + ##################################### + + # The 'Relaying Party (RP) ID' - effective domain name + # (default: localhost) + # CAUTION: When this changes, already registered devices will stop + # working and users cannot log in anymore! + RP_ID=localhost + + # Url containing the effective domain name + # (default: http://localhost:8080) + # CAUTION: Must include the port number! + RP_ORIGIN=http://localhost:8080 + + # Non critical RP Name + # Has no security properties and may be changed without issues + # (default: Rauthy Webauthn) + RP_NAME='Rauthy Webauthn' + + # The Cache lifetime in seconds for Webauthn requests. Within + # this time, a webauthn request must have been validated. + # (default: 60) + #WEBAUTHN_REQ_EXP=60 + + # The Cache lifetime for additional Webauthn Data like auth + # codes and so on. Should not be lower than WEBAUTHN_REQ_EXP. + # The value is in seconds (default: 90) + #WEBAUTHN_DATA_EXP=90 + + # With webauthn enabled for a user, he needs to enter + # username / password on a new system. If these credentials are + # verified, rauthy will set an additional cookie, which will + # determine how long the user can then use only (safe) MFA + # passwordless webauthn login with yubikeys, apple touch id, + # Windows hello, ... until he needs to verify his credentials + # again. + # Passwordless login is generally much safer than logging in + # with a password. But sometimes it is possible, that the + # Webauthn devices do not force the user to include a second + # factor, which in that case would be a single factor login + # again. That is why we should ask for the original password + # in addition once in a while to set the cookie. + # The value is in hours (default: 2160) + #WEBAUTHN_RENEW_EXP=2160 + + # This feature can be set to 'true' to force User verification + # during the Webauthn ceremony. 
UV will be true, if the user + # does not only need to verify its presence by touching the key, + # but by also providing proof that he knows (or is) some secret + # via a PIN or biometric key for instance. With UV, we have a + # true MFA scenario where UV == false (user presence only) + # would be a 2FA scenario (with password). Be careful with this + # option, since Android and some special combinations of OS + + # browser to not support UV yet. + # (default: false) + #WEBAUTHN_FORCE_UV=false + + # Can be set to 'true' to disable password expiry for users + # that have at least one active passkey. When set to 'false', + # the same password expiry from the set policy will apply to + # these users as well. + # With this option active, rauthy will ignore any password + # expiry set by the password policy for Webauthn users. + # default: true + #WEBAUTHN_NO_PASSWORD_EXPIRY=true diff --git a/rauthy-helm/templates/service.yaml b/rauthy-helm/templates/service.yaml new file mode 100644 index 00000000..ba5f9700 --- /dev/null +++ b/rauthy-helm/templates/service.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} +spec: + selector: + app: {{ .Release.Name }} + ports: + - name: requests + port: 8080 + targetPort: 8080 diff --git a/rauthy-helm/templates/sts.yaml b/rauthy-helm/templates/sts.yaml new file mode 100644 index 00000000..f010a758 --- /dev/null +++ b/rauthy-helm/templates/sts.yaml 
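Review bot: `ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ` in the ConfigMap is the key ID taken from the commented-out sample `ENC_KEYS` line just above it, while the real `ENC_KEYS` value is injected from a Secret in sts.yaml; unless the operator's secret happens to carry a key with exactly that ID the instance cannot use its encryption keys, and the path of least resistance is to reuse the published sample key. The active key ID should come from values next to the secret reference, e.g. `ENC_KEY_ACTIVE={{ .Values.secrets.encKeys.keyIdActive | required "secrets.encKeys.keyIdActive must be set" }}` (a new values entry). `ADMIN_FORCE_MFA=false` also flips the documented default of `true`; a chart default should keep that hardening on, or at least expose it as a value. `CACHE_TLS=true` points at hard-coded `tls/...` paths that sts.yaml never mounts, and `HA_MODE`/`HA_HOSTS` stay commented out even though sts.yaml scales to three replicas when `haMode` is set, so an HA release would presumably run three unclustered instances or fail on the missing certificates — these need to be driven from values as well.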
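Review bot: The Service has no `clusterIP: None`, yet sts.yaml names it as `serviceName` and the ConfigMap's HA example addresses pods as `rauthy-0.rauthy:8000`; per-pod DNS records for StatefulSet pods are only published through a headless Service, so HA cache members could not resolve each other with this definition. Either add `clusterIP: None` here, or add a second headless Service for the StatefulSet and keep this one for client traffic. The Service and the container also declare only port 8080, so whatever port the cache listens on (8000 in the example) is neither a `containerPort` nor reachable through the Service.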
@@ -0,0 +1,100 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .Release.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Release.Name }} +spec: + serviceName: {{ .Release.Name }} + replicas: {{ if eq .Values.haMode false }}1{{ else }}3{{ end }} + selector: + matchLabels: + app: {{ .Release.Name }} + template: + metadata: + labels: + app: {{ .Release.Name }} + spec: + securityContext: + fsGroup: 10001 + containers: + - name: {{ .Release.Name }} + image: {{ if .Values.sqlite.enabled }}"{{ $.Values.image }}-lite"{{ else }}{{ $.Values.image }}{{ end }} + imagePullPolicy: IfNotPresent + securityContext: + runAsUser: 10001 + runAsGroup: 10001 + allowPrivilegeEscalation: false + ports: + - containerPort: 8080 + env: + {{- if .Values.postgres.enabled}} + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.postgres.url.secretName | required "postgres.url.secretName must be set" }} + key: {{ .Values.postgres.url.secretKey | required "postgres.url.secretKey must be set" }} + {{- end }} + {{- with .Values.secret }} + - name: SMTP_USERNAME + valueFrom: + secretKeyRef: + name: {{ .smtp.secretName | required "secrets.smtp.secretName must be set" }} + key: {{ .smtp.usernameKey | required "secrets.smtp.usernameKey must be set" }} + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .smtp.secretName | required "secrets.smtp.secretName must be set" }} + key: {{ .smtp.passwordKey | required "secrets.smtp.passwordKey must be set" }} + - name: ENC_KEYS + valueFrom: + secretKeyRef: + name: {{ .encKeys.secretName | required "secrets.encKeys.secretName must be set" }} + key: {{ .encKeys.secretKey | required "secrets.encKeys.secretKey must be set" }} + {{- end }} + volumeMounts: + - mountPath: /app/data + name: {{ .Release.Name }}-data + readOnly: false + - mountPath: /app/rauthy.cfg + subPath: rauthy.cfg + name: {{ .Release.Name }}-config + readOnly: true + readinessProbe: + httpGet: + path: /auth/v1/ping + port: 8080 + 
initialDelaySeconds: 1 + periodSeconds: 10 + livenessProbe: + httpGet: + path: /auth/v1/health + port: 8080 + initialDelaySeconds: 1 + periodSeconds: 30 + resources: + requests: + memory: 128Mi + cpu: 100m + volumes: + - name: {{ .Release.Name }}-config + configMap: + name: {{ .Release.Name }}-config + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + {{- if .Values.sqlite.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: {{ .Release.Name }}-data + spec: + accessModes: [ "ReadWriteOnce" ] + {{- if .Values.sqlite.persistence.storageClassName }} + storageClassName: {{ .Values.sqlite.persistence.storageClassName }} + {{- end }} + resources: + requests: + storage: {{ .Values.sqlite.persistence.storage | required "sqlite.persistence.storage must be set" }} + {{ end }} diff --git a/rauthy-helm/templates/validation.yaml b/rauthy-helm/templates/validation.yaml new file mode 100644 index 00000000..5fc89105 --- /dev/null +++ b/rauthy-helm/templates/validation.yaml @@ -0,0 +1,20 @@ +{{ if .Values.haMode }} + # make sure replicas is >= 3 in ha mode + {{ if lt (int .Values.replicas) 3 }} + {{ fail "'replicas' mut be at least 3 with haMode == true" }} + {{ end }} + + # cannot use sqlite in ha mode + {{ if .Values.sqlite.enabled }} + {{ fail "You cannot use SQLite with HA mode"}} + {{ end }} + + # error is postgres is disabled + {{ if .Values.sqlite.enabled }} + {{ fail "You must enable Postgres with HA mode" }} + {{ end }} +{{ end}} + +{{ if eq .Values.sqlite.enabled .Values.postgres.enabled }} + {{ fail "You can only use SQLite OR Postgres" }} +{{ end }} diff --git a/rauthy-helm/values.yaml b/rauthy-helm/values.yaml new file mode 100644 index 00000000..e00e6ae0 --- /dev/null +++ b/rauthy-helm/values.yaml 
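Review bot: The container always mounts a volume named `{{ .Release.Name }}-data` at `/app/data`, but that volume only exists through `volumeClaimTemplates` when `sqlite.persistence.enabled` is true; with the shipped defaults (Postgres on, persistence off) the Pod spec references an undeclared volume and the StatefulSet is rejected at validation. An `emptyDir` fallback under `volumes` fixes this (below). `{{- with .Values.secret }}` does not match the `secrets:` key defined in values.yaml, so the whole block is skipped and `SMTP_USERNAME`, `SMTP_PASSWORD` and `ENC_KEYS` are never injected — the `required` messages already say `secrets.`, so the fix is `{{- with .Values.secrets }}`. `replicas: {{ if eq .Values.haMode false }}1{{ else }}3{{ end }}` ignores `.Values.replicas`, which validation.yaml checks and values.yaml documents as configurable; use `replicas: {{ if .Values.haMode }}{{ .Values.replicas }}{{ else }}1{{ end }}`. The container securityContext could additionally set `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}`, assuming the image writes only under `/app/data` — confirm before enabling.
```yaml
      volumes:
        # … unchanged: {{ .Release.Name }}-config configMap volume …
        {{- if not .Values.sqlite.persistence.enabled }}
        # the container mounts this volume unconditionally; without a PVC, back it with scratch space
        - name: {{ .Release.Name }}-data
          emptyDir: {}
        {{- end }}
```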
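Review bot: The third check in the HA block repeats the second one's condition, `{{ if .Values.sqlite.enabled }}`, under the comment "error is postgres is disabled", so it can never fire on its own and the Postgres-disabled case is only caught by the generic `eq` check at the bottom with a misleading message; it should read `{{ if not .Values.postgres.enabled }}`. The `replicas` check is currently ineffective because sts.yaml hard-codes 3 in HA mode instead of reading `.Values.replicas` (raised on that hunk). The first message also has a typo and should be `'replicas' must be at least 3 with haMode == true`.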
@@ -0,0 +1,58 @@
+# Default values for rauthy.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# The currently used container image
+image: ghcr.io/sebadob/rauthy:0.17.0
+# Define custom image pull secrets for a private registry
+#imagePullSecrets: "myImagePullSecretsName"
+
+# Enable HA mode
+haMode: false
+# Will always be 1 if HA mode is not enabled. Should be an odd number >= 3 otherwise.
+replicas: 1
+
+sqlite:
+ # If you want to deploy Rauthy in HA mode, you cannot use SQLite, you need Postgres instead
+ enabled: false
+
+ persistence:
+ # If set to false, Rauthy will use an in-memory SQLite instance
+ enabled: false
+ # Overwrite the default storage class
+ #storageClassName: myCustomStorageClass
+ # The size of the PVC
+ storage: 1Gi
+
+postgres:
+ # If you want to deploy Rauthy in HA mode, you can only use Postgres
+ enabled: true
+ url:
+ # The secret name which contains the database url connection string
+ secretName: rauthy-secrets
+ # This must contain the postgres connection string in the format:
+ # postgresql://username:password@host:5432/rauthy
+ # Currently, some passwords with special characters might cause problems.
+ # Choose a longer alphanumeric one instead.
+ secretKey: DATABASE_URL
+
+secrets:
+ # SMTP secrets
+ smtp:
+ # The secret name which contains the smtp credentials
+ secretName: rauthy-secrets
+ # The secret key which contains the SMTP username
+ usernameKey: SMTP_USERNAME
+ # The secret key which contains the SMTP password
+ passwordKey: SMTP_PASSWORD
+
+ # Encryption Key Secrets
+ # Format: "key_id/enc_key another_key_id/another_enc_key"
+ # The enc_key itself must be exactly 32 characters long
+ # and should not contain special characters.
+ # The ID must match '[a-zA-Z0-9]{2,20}'
+ encKeys:
+ # The secret name which contains the encryption keys
+ secretName: rauthy-secrets
+ # The secret key which contains the encryption keys
+ secretKey: ENC_KEYS
diff --git a/rauthy.cfg b/rauthy.cfg index e1ae5fe6..5e2e61da 100644 --- a/rauthy.cfg +++ b/rauthy.cfg @@ -159,7 +159,7 @@ EMAIL_SUB_PREFIX="Rauthy IAM" ###### ENCRYPTION / HASHING ######### ##################################### -# Format: "key_id/enc_key another_key_id/another_enc_key" - the enc_key itself must be exactly 32 characters long and +# Format: "key_id/enc_key another_key_id/another_enc_key" - the enc_key itself must be exactly 32 characters long # and should not contain special characters. # The ID must match '[a-zA-Z0-9]{2,20}' ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA" From 1038654d678fda6122f278f75b090572a74ee307 Mon Sep 17 00:00:00 2001 From: sebadob Date: Wed, 1 Nov 2023 08:05:18 +0100 Subject: [PATCH 2/2] start creating config vars --- rauthy-helm/templates/config.yaml | 33 ++++++----- rauthy-helm/templates/sts.yaml | 6 +- rauthy-helm/values.yaml | 93 +++++++++++++++++++++++++++++-- 3 files changed, 112 insertions(+), 20 deletions(-) diff --git a/rauthy-helm/templates/config.yaml b/rauthy-helm/templates/config.yaml index b4980289..e17b8cda 100644 --- a/rauthy-helm/templates/config.yaml +++ b/rauthy-helm/templates/config.yaml 
@@ -11,13 +11,16 @@ data: # If the User Registration endpoint should be accessible by anyone. # If not, an admin must create each new user. (default: false) - #OPEN_USER_REG=false + OPEN_USER_REG={{- if .Values.access.userRegistration.open }} # Can be used when 'OPEN_USER_REG=true' to restrict the domains # for a registration. For instance, set it to # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only # registrations with 'user@gmail.com' (default: '') #USER_REG_DOMAIN_RESTRICTION=some-domain.com + {{- if .Values.access.userRegistration.domainRestriction }} + USER_REG_DOMAIN_RESTRICTION={{ .Values.access.userRegistration.domainRestriction }} + {{- end }} # If set to 'true', this will validate the remote peer IP address with each request # and compare it with the IP which was used during the initial session creation / login. @@ -37,7 +40,7 @@ data: # UI. If these are correct, your setup is okay. # # (default: true) - #SESSION_VALIDATE_IP=true + SESSION_VALIDATE_IP={{ .Values.access.sessionValidateIp }} ##################################### ############# BACKUPS ############### @@ -46,6 +49,7 @@ data: # Cron job for automatic data store backups (default: "0 0 4 * * * *") # sec min hour day_of_month month day_of_week year #BACKUP_TASK="0 0 4 * * * *" + BACKUP_TASK={{ .Values.sqlite.backups.cron }} # The name for the data store backups. The current timestamp # will always be appended automatically. (default: rauthy-backup-) @@ -53,7 +57,7 @@ data: # All backups older than the specified hours will be cleaned up # automatically (default: 720) - #BACKUP_RETENTION_LOCAL=720 + BACKUP_RETENTION_LOCAL={{ .Values.sqlite.backups.keepForHours }} ##################################### ############## CACHE ################ 
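Review bot: `OPEN_USER_REG={{- if .Values.access.userRegistration.open }}` opens an `if` that is never closed and emits no value, so unless the matching `end` sits in unchanged lines outside this hunk the ConfigMap template fails to parse; the intent appears to be `OPEN_USER_REG={{ .Values.access.userRegistration.open }}`. In the `@@ -46,6 +49,7 @@` hunk, `BACKUP_TASK={{ .Values.sqlite.backups.cron }}` renders the cron expression without the quotes the commented-out example line uses (`BACKUP_TASK=0 0 4 * * * *`); `{{ .Values.sqlite.backups.cron | quote }}` keeps the rendered line in the documented form. BACKUP_TASK and BACKUP_RETENTION_LOCAL are also rendered unconditionally from `sqlite.backups.*` even when Postgres is the selected database; I can't tell from the hunk whether Rauthy ignores them in that case, so wrapping both in `{{- if .Values.sqlite.enabled }}` would remove the ambiguity.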
@@ -61,12 +65,15 @@ data: # If the cache should start in HA mode or standalone # accepts 'true|false', defaults to 'false' - #HA_MODE=false + HA_MODE={{ .Values.haMode }} # The connection strings (with hostnames) of the HA instances # as a CSV. # Format: 'scheme://hostname:port' #HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000" + {{- if eq .Values.replicas 3}} + HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000" + # TODO # Overwrite the hostname which is used to identify each cache member. # Useful in scenarios, where for instance all members are on the same host with @@ -145,7 +152,7 @@ data: {{- end }} # Max DB connections - irrelevant for SQLite (default: 5) - #DATABASE_MAX_CONN=5 + DATABASE_MAX_CONN={{ .Values.postgres.poolMaxConnections }} # If specified, the current Database, set with DATABASE_URL, # will be DELETED and OVERWRITTEN with a migration from the @@ -166,13 +173,13 @@ data: # that will be sent out to a client. # This can be used to further customize your deployment. # default: "Rauthy IAM" - EMAIL_SUB_PREFIX="Rauthy IAM" + EMAIL_SUB_PREFIX={{ .Values.email.smtpUrl | quote }} - SMTP_USERNAME= + #SMTP_USERNAME= #SMTP_PASSWORD= - SMTP_URL= + SMTP_URL={{ .Values.email.smtpUrl }} # Format: "Rauthy " - SMTP_FROM= + SMTP_FROM={{ .Values.email.sender | quote }} ##################################### ###### ENCRYPTION / HASHING ######### @@ -186,11 +193,11 @@ data: ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ # M_COST should never be below 32768 in production - ARGON2_M_COST=32768 + ARGON2_M_COST={{ .Values.hashing.argon2id.mCost }} # T_COST should never be below 1 in production - ARGON2_T_COST=3 + ARGON2_T_COST={{ .Values.hashing.argon2id.tCost }} # P_COST should never be below 2 in production - ARGON2_P_COST=2 + ARGON2_P_COST={{ .Values.hashing.argon2id.pCost }} # Limits the maximum amount of parallel password hashes at # the exact same time to never exceed system memory while 
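Review bot: `EMAIL_SUB_PREFIX={{ .Values.email.smtpUrl | quote }}` in the `@@ -166,13 +173,13 @@` hunk reads the SMTP host instead of the subject prefix that values.yaml adds as `email.prefix`; it should be `EMAIL_SUB_PREFIX={{ .Values.email.prefix | quote }}`. In the `@@ -61,12 +65,15 @@` hunk, `{{- if eq .Values.replicas 3}}` has no visible `end`, and the HA_HOSTS value hard-codes `rauthy-0.rauthy` etc., which only matches a release and Service both named `rauthy`; building the list from `.Release.Name` and `.Values.replicas` (a `range` over `until (int .Values.replicas)`) would make it work for any release name and replica count. Separately, the surrounding context still carries `ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ`, the sample key id shipped in rauthy.cfg, so the ENC_KEYS Secret injected by the StatefulSet must use that same id unless the active key id is made a value as well.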
@@ -199,7 +206,7 @@ data: # CAUTION: You must make sure, that you have at least # (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory # available. - MAX_HASH_THREADS=1 + MAX_HASH_THREADS={{ .Values.hashing.maxHashThreads }} # The time in ms when to log a warning, if a request waited # longer than this time. This is an indicator, that you have diff --git a/rauthy-helm/templates/sts.yaml b/rauthy-helm/templates/sts.yaml index f010a758..7a56bd35 100644 --- a/rauthy-helm/templates/sts.yaml +++ b/rauthy-helm/templates/sts.yaml @@ -20,7 +20,7 @@ spec: fsGroup: 10001 containers: - name: {{ .Release.Name }} - image: {{ if .Values.sqlite.enabled }}"{{ $.Values.image }}-lite"{{ else }}{{ $.Values.image }}{{ end }} + image: {{ if .Values.sqlite.enabled }}{{ $.Values.image }}-lite{{ else }}{{ $.Values.image }}{{ end }} imagePullPolicy: IfNotPresent securityContext: runAsUser: 10001 @@ -54,9 +54,11 @@ spec: key: {{ .encKeys.secretKey | required "secrets.encKeys.secretKey must be set" }} {{- end }} volumeMounts: + {{- if and .Values.sqlite.enabled .Values.sqlite.persistence.enabled }} - mountPath: /app/data name: {{ .Release.Name }}-data readOnly: false + {{- end }} - mountPath: /app/rauthy.cfg subPath: rauthy.cfg name: {{ .Release.Name }}-config @@ -85,7 +87,7 @@ spec: imagePullSecrets: - name: {{ .Values.imagePullSecrets }} {{- end }} - {{- if .Values.sqlite.persistence.enabled }} + {{- if and .Values.sqlite.enabled .Values.sqlite.persistence.enabled }} volumeClaimTemplates: - metadata: name: {{ .Release.Name }}-data diff --git a/rauthy-helm/values.yaml b/rauthy-helm/values.yaml index e00e6ae0..6325f4b6 100644 --- a/rauthy-helm/values.yaml +++ b/rauthy-helm/values.yaml 
@@ -9,12 +9,14 @@ image: ghcr.io/sebadob/rauthy:0.17.0 # Enable HA mode haMode: false -# Will always be 1 if HA mode is not enabled. Should be an odd number >= 3 otherwise. +# Will always be 1 if HA mode is not enabled. +# Should be an odd number >= 3 otherwise. replicas: 1 sqlite: - # If you want to deploy Rauthy in HA mode, you cannot use SQLite, you need Postgres instead - enabled: false + # If you want to deploy Rauthy in HA mode, you cannot use SQLite, + # you need Postgres instead + enabled: true persistence: # If set to false, Rauthy will use an in-memory SQLite instance @@ -22,11 +24,21 @@ sqlite: # Overwrite the default storage class #storageClassName: myCustomStorageClass # The size of the PVC - storage: 1Gi + storage: 256Mi + + backups: + # Cron job for automatic data store backups (default: "0 0 4 * * * *") + # sec min hour day_of_month month day_of_week year + cron: "0 0 4 * * * *" + + # All backups older than the specified hours will be cleaned up + # automatically (default: 720) + keepForHours: 720 postgres: # If you want to deploy Rauthy in HA mode, you can only use Postgres - enabled: true + enabled: false + url: # The secret name which contains the database url connection string secretName: rauthy-secrets 
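Review bot: With `sqlite.enabled: true` and `postgres.enabled: false` now the defaults, a plain `helm install` runs on SQLite with `sqlite.persistence.enabled: false`, which the file's own comment describes as an in-memory instance, so every user, client and key is lost on the first pod restart. Either default `sqlite.persistence.enabled` to `true` (256Mi is cheap) or say in the `sqlite.enabled` comment that persistence must be enabled for anything beyond a throwaway test install. The `replicas` comment also promises "Will always be 1 if HA mode is not enabled", but as far as the visible sts.yaml hunks show the template never reads `replicas` at all.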
@@ -36,6 +48,64 @@ postgres: # Choose a longer alphanumeric one instead. secretKey: DATABASE_URL + # The maximum amount of database connections inside the database pool + poolMaxConnections: 10 + +access: + userRegistration: + # If the User Registration endpoint should be accessible by anyone. + # If not, an admin must create each new user. (default: false) + open: false + # If the user registration is opened, this value can restrict the registration. + # For instance, only "my-user@example.com" could register, but not "my-user@notallowed.org" + #domainRestriction: "example.com" + + # If set to 'true', this will validate the remote peer IP address with each request + # and compare it with the IP which was used during the initial session creation / login. + # If the IP is different, the session will be rejected. + # This is a security hardening and prevents stolen access credentials, for instance if + # an attacker might have copied the encrypted session cookie and the XSRF token from + # the local storage from a user. However, this event is really unlikely, since it may + # only happen if an attacker has direct access to the machine itself. + # + # If your users are using mobile networks and get new IP addresses all the time, this + # means they have to do a new login each time. This is no big deal at all with + # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature. + # + # Caution: If you are running behind a reverse proxy which does not provide the + # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config disabled, + # this feature will not work. You can validate the IPs for each session in the Admin + # UI. If these are correct, your setup is okay. + # + # (default: true) + sessionValidateIp: true + +email: + # The Sender for E-Mails coming from Rauthy. This may be overridden by your E-Mail provider. 
+ sender: "Rauthy " + # The SMTP URL for sending out E-Mails + smtpUrl: smtp.example.com + # This prefix will be added to each E-Mail subject that Rauthy will be sending out. + prefix: "Rauthy IAM" + +hashing: + # These are the settings for the Argon2ID password hashing algorithm. + # The configuration and best values are explained in the Admin UI -> Config -> Argon2 Parameters + # The default values are the recommended minimum values which are quite a + # bit above the recommended values from the OWASP cheat sheet: + # https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id + argon2id: + mCost: 32768 + tCost: 3 + pCost: 2 + + # Limits the maximum amount of parallel password hashes at the exact same time + # to never exceed system memory while still allowing a good amount of memory + # for the Argon2ID algorithm. + # The default value of 1 means, that only one password will be hashed actively + # at the exact same time. + maxHashThreads: 1 + secrets: # SMTP secrets smtp: @@ -56,3 +126,16 @@ secrets: secretName: rauthy-secrets # The secret key which contains the encryption keys secretKey: ENC_KEYS + +# The resources for Rauthy are a bit tricky. +# Don't get fooled by the resources when you take a look at them after a few hours. +# This really depends on your Argon2ID settings and max hash threads config. +# Rauthy itself is really memory efficient, but a Password Hash like Argon2ID on +# the other hand should by definition be as resource hungry as you can afford, +# but only for a very short amount of time. +# A good rule for the memory costs is: +# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB +resources: + requests: + memory: 128Mi + cpu: 100m
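Review bot: `sender: "Rauthy "` looks truncated in this view — an SMTP From value normally carries an address, and the config.yaml comment `# Format: "Rauthy "` shows the same truncation — so verify the rendered SMTP_FROM. The `sessionValidateIp` comment states that the feature depends on PROXY_MODE and a correct X-FORWARDED-FOR header, but neither is exposed as a value in this hunk; either add a proxy-mode value next to `sessionValidateIp` or point the comment to where that is configured, otherwise a default install behind an ingress may reject every session without an obvious cause.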
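Review bot: The new `resources:` block is not consumed anywhere in this patch: sts.yaml still hard-codes `requests: memory: 128Mi / cpu: 100m` from patch 1 and none of the sts.yaml hunks in patch 2 touch it, so editing these values has no effect. Render them in the container spec with `resources: {{- toYaml .Values.resources | nindent 10 }}` (indent to match the container's other fields). The memory guidance comment above is useful; consider adding a `limits:` example there too, since the comment itself notes that parallel hashes are bounded only by `maxHashThreads`.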