| 1 | +--- |
| 2 | +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json |
| 3 | +apiVersion: helm.toolkit.fluxcd.io/v2 |
| 4 | +kind: HelmRelease |
| 5 | +metadata: |
| 6 | + name: &app authelia |
| 7 | +spec: |
| 8 | + interval: 30m |
| 9 | + chart: |
| 10 | + spec: |
| 11 | + chart: app-template |
| 12 | + version: 3.2.1 |
| 13 | + sourceRef: |
| 14 | + kind: HelmRepository |
| 15 | + name: bjw-s |
| 16 | + namespace: flux-system |
| 17 | + install: |
| 18 | + remediation: |
| 19 | + retries: 3 |
| 20 | + upgrade: |
| 21 | + cleanupOnFail: true |
| 22 | + remediation: |
| 23 | + strategy: rollback |
| 24 | + retries: 3 |
| 25 | + dependsOn: |
| 26 | + - name: glauth |
| 27 | + namespace: auth |
| 28 | + values: |
| 29 | + controllers: |
| 30 | + authelia: |
| 31 | + strategy: RollingUpdate |
| 32 | + annotations: |
| 33 | + reloader.stakater.com/auto: "true" |
| 34 | + initContainers: |
| 35 | + init-db: |
| 36 | + image: |
| 37 | + repository: ghcr.io/onedr0p/postgres-init |
| 38 | + tag: 16 |
| 39 | + env: |
| 40 | + INIT_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local |
| 41 | + INIT_POSTGRES_DBNAME: &dbName authelia |
| 42 | + INIT_POSTGRES_USER: |
| 43 | + valueFrom: |
| 44 | + secretKeyRef: |
| 45 | + name: authelia-secret |
| 46 | + key: AUTHELIA_STORAGE_POSTGRES_USERNAME |
| 47 | + INIT_POSTGRES_PASS: |
| 48 | + valueFrom: |
| 49 | + secretKeyRef: |
| 50 | + name: authelia-secret |
| 51 | + key: AUTHELIA_STORAGE_POSTGRES_PASSWORD |
| 52 | + INIT_POSTGRES_SUPER_PASS: |
| 53 | + valueFrom: |
| 54 | + secretKeyRef: |
| 55 | + name: cloudnative-pg-secret |
| 56 | + key: password |
| 57 | + containers: |
| 58 | + app: |
| 59 | + image: |
| 60 | + repository: ghcr.io/authelia/authelia |
| 61 | + tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a |
| 62 | + env: |
| 63 | + AUTHELIA_THEME: light |
| 64 | + AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:80 |
| 65 | + AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true" |
| 66 | + AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080 |
| 67 | + AUTHELIA_TELEMETRY_METRICS_ENABLED: "true" |
| 68 | + AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local |
| 69 | + AUTHELIA_SESSION_REDIS_PORT: 6379 |
| 70 | + AUTHELIA_SESSION_REDIS_PASSWORD: |
| 71 | + valueFrom: |
| 72 | + secretKeyRef: |
| 73 | + name: dragonfly-secret |
| 74 | + key: password |
| 75 | + AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2 |
| 76 | + AUTHELIA_STORAGE_POSTGRES_DATABASE: *dbName |
| 77 | + AUTHELIA_STORAGE_POSTGRES_ADDRESS: *dbHost |
| 78 | + AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true" |
| 79 | + AUTHELIA_NOTIFIER_SMTP_ADDRESS: maddy.default.svc.cluster.local:25 |
| 80 | + AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <${SMTP_FROM}>" |
| 81 | + AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true" |
| 82 | + AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true" |
| 83 | + AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m |
| 84 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom |
| 85 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS: ldap://glauth.auth.svc.cluster.local:389 |
| 86 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s |
| 87 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false" |
| 88 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa |
| 89 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))" |
| 90 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people,ou=users |
| 91 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=users |
| 92 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(uniqueMember={dn})(objectClass=posixGroup))" |
| 93 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,ou=users,dc=home,dc=arpa |
| 94 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_USERNAME: uid |
| 95 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISPLAY_NAME: givenName |
| 96 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_GROUP_NAME: ou |
| 97 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MAIL: mail |
| 98 | + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MEMBER_OF: memberOf |
| 99 | + AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: one_factor |
| 100 | + AUTHELIA_TOTP_DISABLE: false |
| 101 | + AUTHELIA_TOTP_ISSUER: authelia.com |
| 102 | + X_AUTHELIA_CONFIG: /config/configuration.yaml |
| 103 | + X_AUTHELIA_CONFIG_FILTERS: template |
| 104 | + SECRET_EXTERNAL_DOMAIN: "${SECRET_EXTERNAL_DOMAIN}" |
| 105 | + SECRET_INTERNAL_DOMAIN: "${SECRET_INTERNAL_DOMAIN}" |
| 106 | + CLUSTER_CIDR: "${CLUSTER_CIDR}" |
| 107 | + NODE_CIDR: "${NODE_CIDR}" |
| 108 | + HOME_CIDR: "${HOME_CIDR}" |
| 109 | + envFrom: |
| 110 | + - secretRef: |
| 111 | + name: authelia-secret |
| 112 | + probes: |
| 113 | + liveness: &probes |
| 114 | + enabled: true |
| 115 | + custom: true |
| 116 | + spec: |
| 117 | + httpGet: |
| 118 | + path: /api/health |
| 119 | + port: &port 80 |
| 120 | + initialDelaySeconds: 0 |
| 121 | + periodSeconds: 10 |
| 122 | + timeoutSeconds: 1 |
| 123 | + failureThreshold: 3 |
| 124 | + readiness: *probes |
| 125 | + securityContext: |
| 126 | + allowPrivilegeEscalation: false |
| 127 | + readOnlyRootFilesystem: true |
| 128 | + capabilities: { drop: ["ALL"] } |
| 129 | + resources: |
| 130 | + requests: |
| 131 | + cpu: 10m |
| 132 | + limits: |
| 133 | + memory: 128Mi |
| 134 | + defaultPodOptions: |
| 135 | + securityContext: |
| 136 | + runAsNonRoot: true |
| 137 | + runAsUser: 65534 |
| 138 | + runAsGroup: 65534 |
| 139 | + seccompProfile: { type: RuntimeDefault } |
| 140 | + topologySpreadConstraints: |
| 141 | + - maxSkew: 1 |
| 142 | + topologyKey: kubernetes.io/hostname |
| 143 | + whenUnsatisfiable: DoNotSchedule |
| 144 | + labelSelector: |
| 145 | + matchLabels: |
| 146 | + app.kubernetes.io/name: *app |
| 147 | + service: |
| 148 | + app: |
| 149 | + controller: authelia |
| 150 | + ports: |
| 151 | + http: |
| 152 | + port: *port |
| 153 | + metrics: |
| 154 | + port: 8080 |
| 155 | + serviceMonitor: |
| 156 | + app: |
| 157 | + serviceName: authelia |
| 158 | + endpoints: |
| 159 | + - port: metrics |
| 160 | + scheme: http |
| 161 | + path: /metrics |
| 162 | + interval: 1m |
| 163 | + scrapeTimeout: 10s |
| 164 | + ingress: |
| 165 | + app: |
| 166 | + className: external |
| 167 | + annotations: |
| 168 | + external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" |
| 169 | + nginx.ingress.kubernetes.io/configuration-snippet: | |
| 170 | + add_header Cache-Control "no-store"; |
| 171 | + add_header Pragma "no-cache"; |
| 172 | + add_header X-Frame-Options "SAMEORIGIN"; |
| 173 | + add_header X-XSS-Protection "1; mode=block"; |
| 174 | + gethomepage.dev/enabled: "true" |
| 175 | + gethomepage.dev/group: Services |
| 176 | + gethomepage.dev/name: Authelia |
| 177 | + gethomepage.dev/icon: mdi-two-factor-authentication |
| 178 | + hosts: |
| 179 | + - host: "auth.${SECRET_EXTERNAL_DOMAIN}" |
| 180 | + paths: |
| 181 | + - path: / |
| 182 | + service: |
| 183 | + identifier: app |
| 184 | + port: http |
| 185 | + persistence: |
| 186 | + config: |
| 187 | + type: configMap |
| 188 | + name: authelia-config |
| 189 | + globalMounts: |
| 190 | + - path: /config/configuration.yaml |
| 191 | + subPath: configuration.yaml |
| 192 | + readOnly: true |
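Review bot: The LDAP backend is configured as `ldap://glauth.auth.svc.cluster.local:389` with `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"`, so the search account's bind password (from `authelia-secret`) and every user password Authelia verifies cross the cluster network in cleartext; unless that path is already encrypted by a mesh or fenced by a NetworkPolicy (neither is visible in this file), consider `ldaps://` or `START_TLS: "true"`, and otherwise record the decision next to the address with a comment such as `# plain LDAP: glauth is reached only over the cluster network — confirm a NetworkPolicy restricts its clients`. The same consideration applies to the Redis session store on `dragonfly.database.svc.cluster.local:6379` (session secrets and the Redis password) and to `AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"`. Separately, `AUTHELIA_TOTP_DISABLE: false`, `AUTHELIA_SESSION_REDIS_PORT: 6379` and `AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2` are the only env values left as unquoted YAML scalars while every other boolean or number in the block is a quoted string; Pod env values must be strings, so quote them (`AUTHELIA_TOTP_DISABLE: "false"`) for consistency rather than relying on the chart's type coercion. Finally, the init container uses a floating `tag: 16` for `ghcr.io/onedr0p/postgres-init` while the Authelia image is pinned by `@sha256:`; pinning the init image by digest as well keeps the supply-chain posture uniform (the digest is not on this page).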