157 lines
4.0 KiB
YAML
157 lines
4.0 KiB
YAML
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app: authelia
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: authelia
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: authelia
|
|
spec:
|
|
containers:
|
|
- name: authelia
|
|
image: authelia:dist
|
|
ports:
|
|
- containerPort: 443
|
|
readinessProbe:
|
|
httpGet:
|
|
scheme: HTTPS
|
|
path: /api/health
|
|
port: 443
|
|
initialDelaySeconds: 3
|
|
periodSeconds: 3
|
|
volumeMounts:
|
|
- name: authelia-config
|
|
mountPath: /config/configuration.yml
|
|
readOnly: true
|
|
- name: authelia-ssl
|
|
mountPath: /pki
|
|
readOnly: true
|
|
- name: secrets
|
|
mountPath: /config/secrets
|
|
readOnly: true
|
|
env:
|
|
# We set secrets directly here for ease of deployment but all secrets
|
|
# should be stored in the Kube Vault in production.
|
|
- name: AUTHELIA_JWT_SECRET_FILE
|
|
value: /config/secrets/jwt_secret
|
|
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
|
value: /config/secrets/ldap_password
|
|
- name: AUTHELIA_SESSION_SECRET_FILE
|
|
value: /config/secrets/session
|
|
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
|
|
value: /config/secrets/sql_password
|
|
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
|
value: /config/secrets/encryption_key
|
|
- name: ENVIRONMENT
|
|
value: dev
|
|
volumes:
|
|
- name: authelia-config
|
|
hostPath:
|
|
path: /configmaps/authelia/configuration.yml
|
|
type: File
|
|
- name: authelia-ssl
|
|
hostPath:
|
|
path: /configmaps/authelia/ssl
|
|
type: Directory
|
|
- name: secrets
|
|
secret:
|
|
secretName: authelia
|
|
items:
|
|
- key: jwt_secret
|
|
path: jwt_secret
|
|
- key: session
|
|
path: session
|
|
- key: sql_password
|
|
path: sql_password
|
|
- key: ldap_password
|
|
path: ldap_password
|
|
- key: encryption_key
|
|
path: encryption_key
|
|
...
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: authelia-service
|
|
namespace: authelia
|
|
annotations:
|
|
traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd
|
|
spec:
|
|
selector:
|
|
app: authelia
|
|
ports:
|
|
- protocol: TCP
|
|
port: 443
|
|
targetPort: 443
|
|
...
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
type: Opaque
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app: authelia
|
|
data:
|
|
jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret
|
|
ldap_password: cGFzc3dvcmQ= # password
|
|
session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password
|
|
sql_password: cGFzc3dvcmQ= # password
|
|
encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5
|
|
...
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: authelia-ingress
|
|
namespace: authelia
|
|
annotations:
|
|
kubernetes.io/ingress.class: traefik
|
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
spec:
|
|
rules:
|
|
- host: login.example.com
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: authelia-service
|
|
port:
|
|
number: 443
|
|
...
|
|
---
|
|
apiVersion: traefik.containo.us/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: forwardauth-authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/name: authelia
|
|
spec:
|
|
forwardAuth:
|
|
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'
|
|
trustForwardHeader: true
|
|
authResponseHeaders:
|
|
- 'Authorization'
|
|
- 'Proxy-Authorization'
|
|
- 'Remote-User'
|
|
- 'Remote-Groups'
|
|
- 'Remote-Email'
|
|
- 'Remote-Name'
|
|
tls:
|
|
insecureSkipVerify: true
|
|
...
|