feat(authelia): harden oidc clients

k8s/infra/auth/authelia/values.yaml

@@ -75,43 +75,63 @@ configMap:
         allowed_origins_from_client_redirect_uris: true
         endpoints: [ userinfo, authorization, token, revocation, introspection ]
       clients:
+
         - client_id: argocd
           client_secret: { path: /secrets/client-argocd/client_secret.txt }
           client_name: Argo CD
           public: false
           authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
           redirect_uris:
             - https://argocd.stonegarden.dev/auth/callback
             - https://argocd.stonegarden.dev/applications
           scopes: [ openid, groups, email, profile, offline_access ]
           userinfo_signed_response_alg: none
           id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+
         - client_id: argocd-cli
           client_name: Argo CD (CLI)
           public: true
           authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
           redirect_uris: [ http://localhost:8085/auth/callback ]
           scopes: [ openid, groups, email, profile, offline_access ]
-          userinfo_signed_response_alg: none
+          id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+
         - client_id: kubectl
           client_name: kubectl
           public: true
           authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
+          require_pkce: true
           redirect_uris: [ http://localhost:8000, http://localhost:18000 ]
           scopes: [ openid, groups, email, profile, offline_access ]
-          userinfo_signed_response_alg: none
+          id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+
         - client_id: netbird
           client_secret: { path: /secrets/client-netbird/client_secret.txt }
           client_name: NetBird
           public: false
           authorization_policy: two_factor
+          pre_configured_consent_duration: 1 month
+          require_pkce: true
+          pkce_challenge_method: S256
           audience: [ netbird ]
           redirect_uris:
             - http://localhost:53000
             - https://netbird.stonegarden.dev/callback
             - https://netbird.stonegarden.dev/silent-callback
-          scopes: [ openid, profile, email ]
+          scopes: [ openid, profile, email, offline_access ]
           token_endpoint_auth_method: client_secret_post
+          id_token_signed_response_alg: ES256
+          access_token_signed_response_alg: ES256
+          userinfo_signed_response_alg: none
+          introspection_signed_response_alg: none
+          request_object_signing_alg: ES256
+          token_endpoint_auth_signing_alg: ES256
 
 secret:
   additionalSecrets:

k8s/infra/vpn/netbird/agent/daemon-set.yaml

@@ -40,7 +40,7 @@ spec:
               mountPath: /var/lib/netbird
           resources:
             requests:
-              memory: 192Mi
+              memory: 128Mi
               cpu: 100m
             limits:
               memory: 256Mi

k8s/infra/vpn/netbird/management/deployment.yaml

@@ -80,7 +80,7 @@ spec:
               containerPort: 80
           resources:
             requests:
-              memory: 256Mi
+              memory: 64Mi
               cpu: 200m
             limits:
               memory: 512Mi

k8s/infra/vpn/netbird/relay/deployment.yaml

@@ -35,3 +35,10 @@ spec:
             - containerPort: 80
               name: relay
               protocol: TCP
+          resources:
+            requests:
+              memory: 16Mi
+              cpu: 10m
+            limits:
+              memory: 64Mi
+              cpu: 4000m