Authelia
Background
Authelia works in conjunction with Traefik to provide SSO, with credentials stored in a Samba (Active Directory compatible) directory tree.
Samba resides outside the Kubernetes cluster, as it is difficult to containerize while keeping it usable from outside the cluster because of Samba's networking requirements.
The MariaDB instance is used to store MFA tokens. Redis is used to store session info.
Deployment
Inspect changes with git diff and proceed to deploy:
kubectl apply -n authelia -f application.yml -f keydb.yml -f mariadb.yml
kubectl create secret generic -n authelia mysql-secrets \
    --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30)
kubectl create secret generic -n authelia mariadb-secrets \
    --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
kubectl create secret generic -n authelia redis-secrets \
    --from-literal=REDIS_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)
kubectl -n authelia rollout restart deployment/authelia
To change secrets, create application-secrets.yml (the file the apply command below expects); the values under data: must be base64-encoded:
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: application-secrets
data:
  # each value is base64-encoded (use stringData: instead for plain text)
  JWT_TOKEN: ...
  SESSION_ENCRYPTION_KEY: ...
  STORAGE_PASSWORD: ...
  STORAGE_ENCRYPTION_KEY: ...
  LDAP_PASSWORD: ...
  SMTP_PASSWORD: ...
Apply with:
kubectl apply -n authelia -f application-secrets.yml
kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true
OIDC secrets
OIDC secrets are kept separate from the main configuration until Authelia adds CRDs for them.
Generally speaking, for untrusted applications, that is, clients running outside the Kubernetes cluster such as web browser based (JS) applications and local command line clients, one should set public: true and omit secret: ..., since such a client cannot keep a secret confidential anyway.
Populate oidc-secrets.yml with approximately the following:
identity_providers:
  oidc:
    clients:
    - id: kubelogin
      description: Kubernetes cluster
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - http://localhost:27890
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: proxmox
      description: Proxmox Virtual Environment
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://pve.k-space.ee
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: argocd
      description: ArgoCD
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://argocd.k-space.ee/auth/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: harbor
      description: Harbor
      secret: ...
      authorization_policy: two_factor
      redirect_uris:
      - https://harbor.k-space.ee/c/oidc/callback
      scopes:
      - openid
      - groups
      - email
      - profile
    - id: gitea
      description: Gitea
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://git.k-space.ee/user/oauth2/authelia/callback
      scopes:
      - openid
      - profile
      - email
      - groups
      grant_types:
      - refresh_token
      - authorization_code
      response_types:
      - code
      userinfo_signing_algorithm: none
    - id: grafana
      description: Grafana
      secret: ...
      authorization_policy: one_factor
      redirect_uris:
      - https://grafana.k-space.ee/login/generic_oauth
      scopes:
      - openid
      - groups
      - email
      - profile
To upload the file to Kubernetes secrets:
kubectl -n authelia delete secret oidc-secrets
kubectl -n authelia create secret generic oidc-secrets \
    --from-file=oidc-secrets.yml=oidc-secrets.yml
kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true
kubectl -n authelia rollout restart deployment/authelia
Synchronize OIDC secrets:
kubectl -n argocd delete secret argocd-secret
kubectl -n argocd create secret generic argocd-secret \
    --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \
    --from-literal=oidc.config.clientSecret=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r)
kubectl -n monitoring delete secret oidc-secret
kubectl -n monitoring create secret generic oidc-secret \
    --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \
      kubectl get secret -n authelia oidc-secrets -o json \
        | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \
        | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r)
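As an added example (not part of this repository), the following Python script performs the two operations the sections above do by hand: it looks up a client secret by id, as the jq select(.id == ...) in the sync commands does, and it lints the client list against the rules stated above (public clients carry no secret, confidential clients must have a real secret rather than the ... placeholder, ids must be unique, and redirect_uris must be https except for loopback addresses such as the kubelogin one). The SAMPLE_CONFIG dict is constructed here to mirror the JSON that yq -o json produces from oidc-secrets.yml; it deliberately contains a few misconfigurations so the linter has something to find, and the secrets in it are placeholders, not real values. To run it against a live cluster, feed it the output of the kubectl/jq/yq pipeline above instead of the sample.

```python
from urllib.parse import urlparse

# Constructed sample in the shape `yq -o json` gives oidc-secrets.yml.
# The last two entries are intentionally broken for the linter to catch.
SAMPLE_CONFIG = {
    "identity_providers": {
        "oidc": {
            "clients": [
                {   # public CLI client: no secret, loopback http redirect is fine
                    "id": "kubelogin",
                    "description": "Kubernetes cluster",
                    "public": True,
                    "authorization_policy": "two_factor",
                    "redirect_uris": ["http://localhost:27890"],
                    "scopes": ["openid", "groups", "email", "profile"],
                },
                {   # well-formed confidential client (placeholder secret value)
                    "id": "argocd",
                    "description": "ArgoCD",
                    "secret": "constructed-argocd-secret",
                    "authorization_policy": "two_factor",
                    "redirect_uris": ["https://argocd.k-space.ee/auth/callback"],
                    "scopes": ["openid", "groups", "email", "profile"],
                },
                {   # "..." placeholder never filled in, plain-http redirect
                    "id": "grafana",
                    "description": "Grafana",
                    "secret": "...",
                    "authorization_policy": "one_factor",
                    "redirect_uris": ["http://grafana.k-space.ee/login/generic_oauth"],
                    "scopes": ["openid", "groups", "email", "profile"],
                },
                {   # duplicate id, public client with a secret, bogus policy
                    "id": "grafana",
                    "public": True,
                    "secret": "should-not-be-here",
                    "authorization_policy": "three_factor",
                    "redirect_uris": ["https://example.invalid/cb"],
                    "scopes": ["openid"],
                },
            ]
        }
    }
}

ALLOWED_POLICIES = {"one_factor", "two_factor"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def clients(config):
    """Return the client list, or [] if the structure is missing."""
    return config.get("identity_providers", {}).get("oidc", {}).get("clients", [])


def client_secret(config, client_id):
    """Same lookup as `select(.id == "<id>") | .secret` in the sync commands."""
    for c in clients(config):
        if c.get("id") == client_id:
            return c.get("secret")
    return None


def lint_clients(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen = set()
    for c in clients(config):
        cid = c.get("id", "<missing id>")
        if cid in seen:
            findings.append(f"{cid}: duplicate client id")
        seen.add(cid)
        is_public = bool(c.get("public", False))
        secret = c.get("secret")
        if is_public and secret is not None:
            findings.append(f"{cid}: public client must not carry a secret")
        if not is_public and (not secret or secret == "..."):
            findings.append(f"{cid}: confidential client has no real secret")
        policy = c.get("authorization_policy")
        if policy not in ALLOWED_POLICIES:
            findings.append(f"{cid}: unknown authorization_policy {policy!r}")
        for uri in c.get("redirect_uris", []):
            u = urlparse(uri)
            loopback = u.scheme == "http" and u.hostname in LOOPBACK_HOSTS
            if u.scheme != "https" and not loopback:
                findings.append(f"{cid}: redirect_uri {uri} is not https (http only for loopback)")
        if "openid" not in c.get("scopes", []):
            findings.append(f"{cid}: scopes must include openid")
    return findings


if __name__ == "__main__":
    for line in lint_clients(SAMPLE_CONFIG):
        print(line)
    print("argocd secret:", client_secret(SAMPLE_CONFIG, "argocd"))
```

Running the linter before the kubectl create secret step catches the placeholder-left-in and public-client-with-secret mistakes before a broken configuration reaches Authelia, and the secret lookup lets the ArgoCD and Grafana sync be scripted from one parsed copy of the file rather than re-fetching the Secret for each consumer.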