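---
# Certificate bundle mounted at /certificates (Authelia `certificates_directory`)
# so the LDAPS connection to ad.k-space.ee can be verified. Presumably this is a
# CA certificate rather than a private key — TODO confirm; if so it could live in
# a ConfigMap, but it is kept as a Secret to match the existing layout.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: authelia-certificates
  labels:
    app.kubernetes.io/name: authelia
data:
  ldaps.pem: 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
---
# Main Authelia configuration. All credentials are supplied out of band through
# the *_FILE environment variables in the Deployment below; nothing secret is
# kept in this ConfigMap.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-config
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    # Stakater Reloader: restart the Deployment when this ConfigMap changes.
    reloader.stakater.com/match: "true"
data:
  authelia-config.yml: |
    ---
    log:
      # NOTE(review): `warn` suppresses the per-login events an SSO gateway
      # normally needs for audit and incident response; `info` is the usual
      # choice here. Left unchanged because it is an operational decision.
      level: warn
    # Extra CA certificates trusted for outbound TLS (LDAPS below); populated
    # from the authelia-certificates Secret.
    certificates_directory: /certificates
    theme: light
    default_redirection_url: https://members.k-space.ee
    totp:
      issuer: K-SPACE
    authentication_backend:
      ldap:
        implementation: activedirectory
        # LDAPS with certificate verification against /certificates;
        # `skip_verify` is deliberately not set.
        url: ldaps://ad.k-space.ee
        base_dn: dc=ad,dc=k-space,dc=ee
        username_attribute: sAMAccountName
        additional_users_dn: ou=Membership
        users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
        additional_groups_dn: cn=Users
        groups_filter: (&(member={dn})(objectclass=group))
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        # Bind DN; its password comes from
        # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE.
        user: cn=authelia,cn=Users,dc=ad,dc=k-space,dc=ee
    session:
      # The session cookie is scoped to the parent domain, so the browser sends
      # it to every *.k-space.ee host and Traefik passes it through to the
      # backends. Any application behind the SSO therefore sees the Authelia
      # session cookie; a compromised application could replay it.
      domain: k-space.ee
      same_site: lax
      # A one-month absolute lifetime and a five-day idle timeout are generous
      # for a session that unlocks phpMyAdmin and Longhorn; consider shortening.
      expiration: 1M
      inactivity: 120h
      # NOTE(review): intended to disable "remember me" — confirm that "0" does
      # so on the deployed 4.x release (some releases document -1 instead).
      remember_me_duration: "0"
      redis:
        host: redis
        port: 6379
        # Password is injected via AUTHELIA_SESSION_REDIS_PASSWORD; the
        # connection itself is plaintext in-cluster.
    regulation:
      # After `max_retries` failed attempts within `find_time`, further attempts
      # are rejected for `ban_time`.
      ban_time: 5m
      find_time: 2m
      max_retries: 3
    storage:
      mysql:
        # NOTE(review): points at `mariadb`, not at the InnoDBCluster
        # `mysql-cluster` declared at the end of this file — confirm which one
        # is actually in use. Password from AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE.
        # No `tls` stanza, so the database connection is unencrypted in-cluster.
        host: mariadb
        database: authelia
        username: authelia
    notifier:
      disable_startup_check: true
      smtp:
        host: mail.k-space.ee
        # Implicit TLS port; password from AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE.
        port: 465
        username: authelia
        sender: authelia@k-space.ee
        subject: "[Authelia] {title}"
        startup_check_address: lauri@k-space.ee
    access_control:
      # Rules are evaluated top-down and the first match wins; anything that
      # matches no rule falls through to `deny`. Keep the specific allow/deny
      # pairs above the broad catch-all at the bottom.
      default_policy: deny
      rules:
        # Longhorn dashboard: 2FA for the admin group, denied to everyone else.
        - domain: longhorn.k-space.ee
          policy: two_factor
          subject: group:Longhorn Admins
        - domain: longhorn.k-space.ee
          policy: deny
        # Members site: the site does its own auth except for the Authelia
        # login callback, which requires 2FA.
        - domain: members.k-space.ee
          policy: bypass
          resources:
            - ^/?$
        - domain: members.k-space.ee
          policy: two_factor
          resources:
            - ^/login/authelia/?$
        - domain: members.k-space.ee
          policy: bypass
        # Webmail
        - domain: webmail.k-space.ee
          policy: two_factor
        # Etherpad: board-* pads for Board Members (2FA), members-* pads for
        # any 2FA user, everything else public. The explicit `deny` rules
        # stop the trailing `bypass` from matching those paths.
        - domain: pad.k-space.ee
          policy: two_factor
          resources:
            - ^/p/board-
          subject: group:Board Members
        - domain: pad.k-space.ee
          policy: deny
          resources:
            - ^/p/board-
        - domain: pad.k-space.ee
          policy: two_factor
          resources:
            - ^/p/members-
        - domain: pad.k-space.ee
          policy: deny
          resources:
            - ^/p/members-
        - domain: pad.k-space.ee
          policy: bypass
        # phpMyAdmin
        - domain: phpmyadmin.k-space.ee
          policy: two_factor
        # Require login for everything else protected by the traefik-sso
        # middleware. Only hosts routed through the forwardAuth middleware are
        # actually enforced — this rule does not protect a host by itself.
        - domain: '*.k-space.ee'
          policy: one_factor
    ...
---
apiVersion: v1
kind: Service
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  type: ClusterIP
  sessionAffinity: None
  selector:
    app.kubernetes.io/name: authelia
  ports:
    - name: http
      protocol: TCP
      port: 80
      # Container port 9091 (named `http` in the Deployment).
      targetPort: http
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    # Stakater Reloader: restart when any referenced ConfigMap/Secret changes.
    reloader.stakater.com/search: "true"
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
  replicas: 2
  revisionHistoryLimit: 0
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
    spec:
      enableServiceLinks: false
      # Authelia does not use the Kubernetes API; do not hand it a SA token.
      automountServiceAccountToken: false
      containers:
        - name: authelia
          # NOTE(review): `:4` is a floating major tag, so the auth gateway is
          # upgraded whenever the tag moves. Pin to an exact version or digest
          # so upgrades are deliberate and reviewable.
          image: authelia/authelia:4
          command:
            - authelia
            - --config=/config/authelia-config.yml
            - --config=/config/oidc-secrets.yml
          # Hardening that is safe for an unprivileged Go service listening on
          # 9091. NOTE(review): add runAsNonRoot / readOnlyRootFilesystem once
          # the image's default UID and write paths have been confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          resources:
            limits:
              cpu: "4.00"
              memory: 125Mi
            requests:
              cpu: "0.25"
              memory: 50Mi
          env:
            # Disables the image's built-in healthcheck script; liveness is
            # handled by the probes below.
            - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
              value: "true"
            # Every secret is read from a file mounted from a Secret volume
            # rather than from the environment, except the Redis password.
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /secrets/JWT_TOKEN
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /secrets/SESSION_ENCRYPTION_KEY
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /secrets/LDAP_PASSWORD
            # Passed as a plain env var (visible in `kubectl describe` and to
            # anything that can read the process environment). A *_FILE
            # variable would be consistent with the rest.
            - name: AUTHELIA_SESSION_REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-secrets
                  key: REDIS_PASSWORD
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /secrets/STORAGE_ENCRYPTION_KEY
            - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
              value: /mariadb-secrets/MYSQL_PASSWORD
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
              value: /secrets/OIDC_HMAC_SECRET
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
              value: /secrets/OIDC_PRIVATE_KEY
            - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
              value: /secrets/SMTP_PASSWORD
            - name: TZ
              value: Europe/Tallinn
          startupProbe:
            failureThreshold: 6
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          readinessProbe:
            failureThreshold: 5
            httpGet:
              path: /api/health
              port: http
              scheme: HTTP
            initialDelaySeconds: 0
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 5
          ports:
            - name: http
              containerPort: 9091
              protocol: TCP
          volumeMounts:
            - mountPath: /config/authelia-config.yml
              name: authelia-config
              readOnly: true
              subPath: authelia-config.yml
            - mountPath: /config/oidc-secrets.yml
              name: oidc-secrets
              readOnly: true
              subPath: oidc-secrets.yml
            - mountPath: /secrets
              name: secrets
              readOnly: true
            - mountPath: /certificates
              name: certificates
              readOnly: true
            - mountPath: /mariadb-secrets
              name: mariadb-secrets
              readOnly: true
      volumes:
        - name: authelia-config
          configMap:
            name: authelia-config
        # Only the keys Authelia actually reads are projected. The unused
        # STORAGE_PASSWORD key (the MySQL password comes from mariadb-secrets)
        # and the unmounted redis-secrets volume (the Redis password is read
        # via secretKeyRef) were removed; neither was referenced by a mount or
        # a *_FILE variable.
        - name: secrets
          secret:
            secretName: application-secrets
            items:
              - key: JWT_TOKEN
                path: JWT_TOKEN
              - key: SESSION_ENCRYPTION_KEY
                path: SESSION_ENCRYPTION_KEY
              - key: STORAGE_ENCRYPTION_KEY
                path: STORAGE_ENCRYPTION_KEY
              - key: LDAP_PASSWORD
                path: LDAP_PASSWORD
              - key: OIDC_PRIVATE_KEY
                path: OIDC_PRIVATE_KEY
              - key: OIDC_HMAC_SECRET
                path: OIDC_HMAC_SECRET
              - key: SMTP_PASSWORD
                path: SMTP_PASSWORD
        - name: certificates
          secret:
            secretName: authelia-certificates
        - name: mariadb-secrets
          secret:
            secretName: mariadb-secrets
        - name: oidc-secrets
          secret:
            secretName: oidc-secrets
            items:
              - key: oidc-secrets.yml
                path: oidc-secrets.yml
---
# The login portal itself. It is deliberately behind the headers-only chain
# (`chain-k6-authelia`), not the forwardAuth chain, otherwise it would have to
# authenticate to itself.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
  labels:
    app.kubernetes.io/name: authelia
  annotations:
    cert-manager.io/cluster-issuer: default
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
    kubernetes.io/tls-acme: "true"
    # TLS-only entrypoint; no plaintext listener for this host.
    traefik.ingress.kubernetes.io/router.entryPoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-k6-authelia@kubernetescrd
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
    - host: auth.k-space.ee
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  number: 80
  tls:
    - hosts:
        - auth.k-space.ee
      secretName: authelia-tls
---
# ForwardAuth middleware applied (via chain-k6-authelia-auth) to the protected
# hosts. Traefik asks Authelia to verify each request and copies the listed
# Remote-* headers from Authelia's reply into the request before proxying it.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: forwardauth-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  forwardAuth:
    # Plain HTTP inside the cluster: the verification request and the identity
    # headers below travel unencrypted between Traefik and Authelia.
    # Unauthenticated requests are redirected to the portal via `rd`.
    address: http://authelia.authelia.svc.cluster.local/api/verify?rd=https://auth.k-space.ee/
    # Forwards the X-Forwarded-* headers to Authelia so it can reconstruct the
    # original host/URI. This is only safe if the websecure entrypoint
    # restricts `forwardedHeaders.trustedIPs`; otherwise a client can supply
    # these headers itself and influence the rule/redirect evaluation.
    trustForwardHeader: true
    # Backends must trust these headers only on requests that came through
    # Traefik. If a backend Service is reachable directly (no NetworkPolicy),
    # a caller can set Remote-User itself and bypass the SSO.
    authResponseHeaders:
      - Remote-User
      - Remote-Name
      - Remote-Email
      - Remote-Groups
---
# Response-hardening headers for the login portal.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  headers:
    # X-XSS-Protection is ignored by current browsers and no longer
    # recommended; kept for compatibility with the existing configuration.
    browserXssFilter: true
    # X-Content-Type-Options: nosniff — stops MIME sniffing of portal assets.
    contentTypeNosniff: true
    # Allow framing only from the same origin (clickjacking protection).
    customFrameOptionsValue: "SAMEORIGIN"
    # HSTS for auth.k-space.ee only (no includeSubDomains); the host is served
    # exclusively on the TLS entrypoint, so there is no plaintext path to break.
    stsSeconds: 31536000
    customResponseHeaders:
      # Never cache login pages or API responses carrying session state.
      Cache-Control: "no-store"
      Pragma: "no-cache"
---
# Chain to attach to protected Ingresses: forwardAuth only.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: chain-k6-authelia-auth
  labels:
    app.kubernetes.io/name: authelia
spec:
  chain:
    middlewares:
      - name: forwardauth-k6-authelia
        namespace: authelia
---
# Chain used by the portal Ingress itself: hardening headers only.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: chain-k6-authelia
  labels:
    app.kubernetes.io/name: authelia
spec:
  chain:
    middlewares:
      - name: headers-k6-authelia
        namespace: authelia
---
# NOTE(review): Authelia's storage backend above points at host `mariadb` with
# `mariadb-secrets`, not at this cluster — confirm whether this resource is
# still in use. The cluster uses operator-generated self-signed TLS; Authelia's
# storage block has no `tls` settings, so that TLS is not used by Authelia.
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mysql-cluster
spec:
  secretName: mysql-secrets
  instances: 3
  router:
    instances: 2
  tlsUseSelfSigned: true
  datadirVolumeClaimTemplate:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: "1Gi"
  podSpec:
    # One instance per node, on the dedicated storage nodes.
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/managed-by
                  operator: In
                  values:
                    - mysql-operator
            topologyKey: kubernetes.io/hostname
    nodeSelector:
      dedicated: storage
    tolerations:
      - key: dedicated
        operator: Equal
        value: storage
        effect: NoSchedule
---
# Session store referenced by `session.redis.host: redis` above. Sessions live
# here, so access to this cluster is equivalent to access to every active
# SSO session; its password comes from the redis-secrets Secret.
apiVersion: codemowers.io/v1alpha1
kind: KeyDBCluster
metadata:
  name: redis
spec:
  replicas: 3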