Merge pull request #23 from linuxfoundation/jme/LFXV2-213

update finalizer claims; fix heimdall key, fix authelia

Author: jordane

charts/lfx-platform/Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: lfx-platform
 description: LFX Platform v2 Helm chart
 type: application
-version: 0.1.4
+version: 0.1.6
 icon: https://github.com/linuxfoundation/lfx-v2-helm/raw/main/img/lfx-logo-color.svg
 dependencies:
   - name: traefik

charts/lfx-platform/templates/authelia/httproute.yaml

@@ -5,8 +5,9 @@
 {{/*
 Generate a cert for Heimdall on install of Chart
   TODO: Create RBAC rule to limit secret access to heimdall Pods
+  TODO: Update to a 4096 bit key instead of 2048, sort out PS512 vs PS256
 */}}
-{{- $heimdallCert := genPrivateKey "rsa" -}}
+{{- $heimdallCert := genCA "foo" 365 }}
 
 apiVersion: v1
 kind: Secret
@@ -22,5 +23,5 @@ metadata:
     helm.sh/hook-weight: "0"
     helm.sh/hook-delete-policy: before-hook-creation
 data:
-  "signer.pem": "{{ $heimdallCert | b64enc }}"
+  "signer.pem": "{{ $heimdallCert.Key | b64enc }}"
 {{- end }}

charts/lfx-platform/templates/authelia/https-redirect-httproute.yaml

@@ -198,6 +198,24 @@ heimdall:
           signer:
             key_store:
               path: /heimdall/cert/signer.pem
+          claims: |
+                    {
+                      "principal": {{
+                        eq .Subject.ID "_anonymous"
+                        | ternary
+                          "_anonymous"
+                          (or
+                            .Subject.Attributes.username
+                            (list "clients@" .Subject.Attributes.client_id | join ""))
+                        | quote
+                      }}
+                      {{ if .Outputs.authelia_userinfo.email -}},
+                      "email": {{ quote .Outputs.authelia_userinfo.email }}
+                      {{ end -}}
+                      {{ if .Values.aud -}},
+                      "aud": {{ quote .Values.aud }}
+                      {{ end -}}
+                    }
 
   default_rule:
     execute:
@@ -252,6 +270,8 @@ mailpit:
 # Authelia configuration
 authelia:
   enabled: true
+  ingress:
+    enabled: true
   secret:
     additionalSecrets:
       authelia-jwks-keys: {}