fix(k8s/infra): split infrastructure into controllers and configs stages

ClusterIssuer dry-run fails because cert-manager CRDs are not yet installed when the single infrastructure Kustomization is applied. Split into infrastructure-controllers (Helm charts that install CRDs) and infrastructure-configs (CRD-dependent resources like ClusterIssuer) with a dependency between them.
2026-02-21 23:45:15 +02:00
parent a36a925451
commit db16af0d27
18 changed files with 26 additions and 3 deletions
--- a/kubernetes/infrastructure/controllers/authelia/release.yaml
+++ b/kubernetes/infrastructure/controllers/authelia/release.yaml
@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: flux-system
+      version: 0.10.49
+  interval: 1m0s
+  targetNamespace: authelia
+  values:
+    pod:
+      kind: Deployment
+      extraVolumes:
+        - name: authelia-config
+          configMap:
+            name: authelia-config
+        - name: authelia-data
+          persistentVolumeClaim:
+            claimName: authelia-data
+        - name: authelia-custom-secrets
+          secret:
+            secretName: authelia-secrets
+            items:
+              - key: OIDC_ISSUER_PRIVATE_KEY
+                path: OIDC_ISSUER_PRIVATE_KEY
+              - key: SMTP_PASSWORD
+                path: SMTP_PASSWORD
+      extraVolumeMounts:
+        - name: authelia-config
+          mountPath: /configuration.yaml
+          subPath: configuration.yml
+        - name: authelia-config
+          mountPath: /users_database.yml
+          subPath: users_database.yml
+        - name: authelia-data
+          mountPath: /data
+        - name: authelia-custom-secrets
+          mountPath: /secrets
+          readOnly: true
+    ingress:
+      enabled: true
+      certManager: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      tls:
+        enabled: true
+        secret: authelia-tls
+      traefikCRD:
+        enabled: true
+        disableIngressRoute: true
+        middlewares:
+          auth:
+            authResponseHeaders:
+              - Remote-User
+              - Remote-Groups
+              - Remote-Email
+              - Remote-Name
+    configMap:
+      disabled: true
+      session:
+        cookies:
+          - subdomain: auth
+            domain: ${AUTHELIA_DOMAIN}
+    secret:
+      existingSecret: authelia-secrets