authelia: Add Authelia

authelia/basic-auth-middleware.yaml

@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  forwardAuth:
+    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.namesny.com'
+    trustForwardHeader: true

authelia/ingress.yaml

@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingress
+  namespace: auth
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.namesny.com`)
+    kind: Rule
+    services:
+    - name: authelia
+      port: 80

authelia/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generatorOptions:
+  disableNameSuffixHash: true
+namespace: auth
+resources:
+- namespace.yaml
+- ingress.yaml
+- basic-auth-middleware.yaml
+
+generators:
+- ./secret-generator.yaml
+
+helmCharts:
+- name: authelia
+  releaseName: authelia
+  version: 0.8.58
+  repo: https://charts.authelia.com
+  namespace: auth
+  valuesFile: values.yaml
+

authelia/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth

authelia/secret-generator.yaml

@@ -0,0 +1,17 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: authelia-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+secretFrom:
+- metadata:
+    name: authelia-users-secret
+    namespace: auth
+    annotations:
+      kustomize.config.k8s.io/needs-hash: "false"
+  type: Opaque
+  files:
+  - users_database.yaml=./users_database.enc.yaml

authelia/users_database.enc.yaml

@@ -0,0 +1,28 @@
+users:
+    matus:
+        displayname: ENC[AES256_GCM,data:mLFikpU=,iv:Iemii72kWnE1l0py/t+0656eT8Uq1gpngDbTMMeECh8=,tag:QM1/ZMz+2bhAfCn2yvjc/g==,type:str]
+        password: ENC[AES256_GCM,data:nrOc1JNEew5ucfkYAlx3IzS63BWVESLjZhZ/TZf0brsLNFVKvQ35RZX9RxEfy8BbJt/ELeNlv7UBJVXVCp994UjelG0rQGdGqVKdl4d/UJ8FaMVxCKYtmHuAT4yYC9xs9BHm,iv:a7PS17bCSakhDFINBpSePKvI0dDt8CDCn4QnGp4D1W4=,tag:IQyGAAKr4hjR2bQthlw1qQ==,type:str]
+        email: ENC[AES256_GCM,data:eRqp61nZzcnaIDHJAQsr1Wg=,iv:m9/LLx+nVpsukFvxUs+Xtxqrzm2Gg6NuU7vVDYSvORM=,tag:nGvy4YIHgQ/Q89BRVWD41Q==,type:str]
+        groups:
+            - ENC[AES256_GCM,data:WT3SDtr1,iv:HpPaH3bYt6nuUJX4ydm30ndDpzxzTCsJS+O1GqLcT5M=,tag:ZeI+K2re1K5DoZHxbD60GA==,type:str]
+            - ENC[AES256_GCM,data:Vh/i,iv:6Ds1PdJtivewRQvQpAqjtTQeKjhEUDifTWL8aCWaK4A=,tag:D4k6vVlFGCo8nYVeGhRDkA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSOHcvR296TFNDTlFUV2hS
+            UXdqZ0tFWkl5bVBBeGlFN1ZIVFBXQjk3KzBZCllhTXdhYXBJUG5NT1JyZDF2M0xs
+            eHZsbWFraGVwVmpWWlZWaEs5b1V2VlEKLS0tIGpNU0VZSXYxL0xGZmJ4TktzNGcw
+            aCs0NnhLQnF2bStEallaZFRkRTI1d3cKtcZJoDjv/+GLrx32GALmc3MuQGLoZ9iT
+            7y3kEdf+fNJGZG7zr9c2Tx8WpDzX2qb7C2VFneDp52p4OpYBIWmKCQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-28T20:30:26Z"
+    mac: ENC[AES256_GCM,data:uRvVIHdZ/fSi1dKGAn0QEfAwzEKw6cP4GMbpZz3DWMkHkxMnFkR2hcc4NGNg5oRAOxFP5dFTsXMkZCVNN/JiNsb6/Hji7G4YEM6wPWGy3PerWwIwipp+D9r3HvDpR6Viky/TJzCF5NsiVf+sNcN3cMZw8B/IqD0nH8/PXwg3Yvc=,iv:TCqZjgVVv/sMHEjzgFuMvHHs6hfxBgkvOx10MSna3rI=,tag:Tr+hCP5N1nf3lxuE2pfEDg==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

authelia/values.yaml

@@ -0,0 +1,35 @@
+domain: 'namesny.com'
+configMap:
+  authentication_backend:
+    file:
+      enabled: true
+      path: /users/users_database.yaml
+    ldap:
+      enabled: false
+  access_control:
+    rules:
+      - domain: '*.namesny.com'
+        policy: one_factor
+  session:
+    redis:
+      enabled: false
+  storage:
+    local:
+      enabled: true
+      path: /config/db.sqlite3
+    postgres:
+      enabled: false
+  notifier:
+    smtp:
+      enabled: false
+    filesystem:
+      enabled: true
+
+pod:
+  extraVolumeMounts:
+  - name: authelia-users-vol
+    mountPath: /users
+  extraVolumes:
+  - name: authelia-users-vol
+    secret:
+      secretName: authelia-users-secret