--- apiVersion: apps/v1 kind: Deployment metadata: name: authelia namespace: authelia labels: app: authelia spec: replicas: 1 selector: matchLabels: app: authelia template: metadata: labels: app: authelia spec: containers: - name: authelia image: authelia:dist ports: - containerPort: 443 readinessProbe: httpGet: scheme: HTTPS path: /api/health port: 443 initialDelaySeconds: 3 periodSeconds: 3 volumeMounts: - name: authelia-config mountPath: /config/configuration.yml readOnly: true - name: authelia-ssl mountPath: /pki readOnly: true - name: secrets mountPath: /config/secrets readOnly: true env: # We set secrets directly here for ease of deployment but all secrets # should be stored in the Kube Vault in production. - name: AUTHELIA_JWT_SECRET_FILE value: /config/secrets/jwt_secret - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE value: /config/secrets/ldap_password - name: AUTHELIA_SESSION_SECRET_FILE value: /config/secrets/session - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE value: /config/secrets/sql_password - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE value: /config/secrets/encryption_key - name: ENVIRONMENT value: dev volumes: - name: authelia-config hostPath: path: /configmaps/authelia/configuration.yml type: File - name: authelia-ssl hostPath: path: /configmaps/authelia/ssl type: Directory - name: secrets secret: secretName: authelia items: - key: jwt_secret path: jwt_secret - key: session path: session - key: sql_password path: sql_password - key: ldap_password path: ldap_password - key: encryption_key path: encryption_key ... --- apiVersion: v1 kind: Service metadata: name: authelia-service namespace: authelia annotations: traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd spec: selector: app: authelia ports: - protocol: TCP port: 443 targetPort: 443 ... --- apiVersion: v1 kind: Secret type: Opaque metadata: name: authelia namespace: authelia labels: app: authelia data: jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret ldap_password: cGFzc3dvcmQ= # password session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password sql_password: cGFzc3dvcmQ= # password encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5 ... --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: authelia-ingress namespace: authelia annotations: kubernetes.io/ingress.class: traefik traefik.ingress.kubernetes.io/router.entrypoints: websecure spec: rules: - host: login.example.com http: paths: - path: / pathType: Prefix backend: service: name: authelia-service port: number: 443 ... --- apiVersion: traefik.containo.us/v1alpha1 kind: Middleware metadata: name: forwardauth-authelia namespace: authelia labels: app.kubernetes.io/instance: authelia app.kubernetes.io/name: authelia spec: forwardAuth: address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth' trustForwardHeader: true authResponseHeaders: - 'Authorization' - 'Proxy-Authorization' - 'Remote-User' - 'Remote-Groups' - 'Remote-Email' - 'Remote-Name' tls: insecureSkipVerify: true ...