Add authelia

infrastructure/base/authelia/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+- namespace.yaml
+- repository.yaml
+- release.yaml

infrastructure/base/authelia/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth

infrastructure/base/authelia/release.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 12h
+  chart:
+    spec:
+      chart: authelia
+      version: 0.8.58
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: auth
+      interval: 12h

infrastructure/base/authelia/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 24h
+  url: https://charts.authelia.com

infrastructure/base/cert-manager/release.yaml

@@ -4,7 +4,7 @@ metadata:
   name: cert-manager
   namespace: cert-manager
 spec:
-  interval: 30m
+  interval: 12h
   chart:
     spec:
       chart: cert-manager

infrastructure/prod/authelia/forward-auth-middleware.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  forwardAuth:
+    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
+    trustForwardHeader: true
+    authResponseHeaders:
+    - "Remote-User"
+    - "Remote-Groups"
+    - "Remote-Email"
+    - "Remote-Name"

infrastructure/prod/authelia/ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingress
+  namespace: auth
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.namesny.com`)
+    kind: Rule
+    services:
+    - name: authelia
+      port: 80

infrastructure/prod/authelia/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+  - release.yaml
+  - ingress.yaml
+  - forward-auth-middleware.yaml
+
+configMapGenerator:
+  - name: authelia-prod-values
+    namespace: auth
+    files:
+      - values.yaml
+
+patchesStrategicMerge:
+  - release.yaml

infrastructure/prod/authelia/release.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 12h
+  chart:
+    spec:
+      chart: authelia
+      version: 0.8.58
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: auth
+      interval: 12h
+  valuesFrom:
+    - kind: ConfigMap
+      name: authelia-prod-values

infrastructure/prod/authelia/values.yaml

@@ -0,0 +1,40 @@
+domain: 'namesny.com'
+configMap:
+  authentication_backend:
+    file:
+      enabled: true
+      path: /users/users_database.yaml
+      password:
+        algorithm: argon2
+        argon2:
+          variant: argon2id
+          memory: 65536
+    ldap:
+      enabled: false
+  access_control:
+    rules:
+      - domain: '*.namesny.com'
+        policy: one_factor
+  session:
+    redis:
+      enabled: false
+  storage:
+    local:
+      enabled: true
+      path: /config/db.sqlite3
+    postgres:
+      enabled: false
+  notifier:
+    smtp:
+      enabled: false
+    filesystem:
+      enabled: true
+
+pod:
+  extraVolumeMounts:
+  - name: authelia-users-vol
+    mountPath: /users
+  extraVolumes:
+  - name: authelia-users-vol
+    secret:
+      secretName: authelia-users-secret