oleksandr/homelab
1
0
Fork 0
Code Pull Requests Activity

feat(k8s/infrastructure/authelia): add Authelia deployment

Browse Source
This commit is contained in:
Oleksandr Berezovskyi
2026-02-18 21:53:19 +02:00
parent 3c2031c167
commit ddb1d133fd
8 changed files with 160 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kubernetes/dev/config/cluster-vars.sops.yaml
View File

@@ -5,6 +5,7 @@ metadata:
namespace: flux-system
stringData:
LUBELOGGER_HOST: ENC[AES256_GCM,data:OvDY/XIE/YW8lSDJmhHYI63r4eLQOojsMjjkUIge,iv:v1JafZB4cmVFjX+yA7FjjoXfx7jPpZQaq1HyXvNXvsY=,tag:+h5Gg/q3bKP3l7xCNLaBqA==,type:str]
AUTHELIA_DOMAIN: ENC[AES256_GCM,data:2OL1YD3202Haab4AyQACHtDaYw==,iv:2NtGj9Y3s0CW4xtqeCUr6Kwh7QNXhNsq/y6tGfTcBi4=,tag:c5WzQpJiwuU0vWQxUtEVpg==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
@@ -16,7 +17,7 @@ sops:
LzhUN3Z4cExIL1IyS3ZCNWh5aWpLbDgKQ7c3MmLykA00NaLoctKVDfJvPqTqh3Ia
cDZJUc6jYJXOJYM6YYyZOYcCL2z8V2RpIfA9sPg8PB2eiipZxjk+Cg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-10T12:00:08Z"
mac: ENC[AES256_GCM,data:MeENbnkjALwbIkd833zmBx/nCfCTqO7+5i5L98lI6UJrgOhrT5gsrP33jiWgyv6qPHqbgLb1XzJ/Z+DbTl6O/sW7NDrgRr3AXPg0L6ej1fCCcdpIQDbgkWzcUSgxSfv8WyFINh3f2HP0TFaZNRaDvkR0IDkwR3KHapkM8fl5uxQ=,iv:/RNS5e0IfOLobot6f+IHuYULbXSoLBYlg6EK9j4Bqic=,tag:re0Ip1/1eX96J5HRN3r46Q==,type:str]
lastmodified: "2026-02-18T19:49:59Z"
mac: ENC[AES256_GCM,data:IulhbCsswVhvtAL49xuhiZeemLqT+pm0An+md4rlVNV4BunMZ/VYX/FIKn74ku3vLFWnTsAZTv6uB6xHdg9KVX0x78igiulp+TXqVA0JpdMsHYUXsoeb88ODDbG49KbUYaL1Id+1+m0G/P7wkGJ8ppQLA8aofKTKRhGsTpcqfv0=,iv:YfZJ2iKBJmjDuBYAIg9B0U3xF67Z/Fa2YqEcZrR/Y7A=,tag:4hxcbZgU/UDcgMEMG0R3dg==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.11.0

23
kubernetes/dev/infrastructure/authelia/configmap.sops.yaml Normal file
View File

File diff suppressed because one or more lines are too long

5
kubernetes/dev/infrastructure/authelia/namespace.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: authelia

13
kubernetes/dev/infrastructure/authelia/pvc.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authelia-data
namespace: authelia
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-synology-ssd
resources:
requests:
storage: 1Gi

74
kubernetes/dev/infrastructure/authelia/release.yaml Normal file
View File

@@ -0,0 +1,74 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: authelia
namespace: flux-system
spec:
chart:
spec:
chart: authelia
reconcileStrategy: ChartVersion
sourceRef:
kind: HelmRepository
name: authelia
namespace: flux-system
version: 0.10.49
interval: 1m0s
targetNamespace: authelia
values:
pod:
kind: Deployment
extraVolumes:
- name: authelia-config
configMap:
name: authelia-config
- name: authelia-data
persistentVolumeClaim:
claimName: authelia-data
- name: authelia-custom-secrets
secret:
secretName: authelia-secrets
items:
- key: OIDC_ISSUER_PRIVATE_KEY
path: OIDC_ISSUER_PRIVATE_KEY
- key: SMTP_PASSWORD
path: SMTP_PASSWORD
extraVolumeMounts:
- name: authelia-config
mountPath: /configuration.yaml
subPath: configuration.yml
- name: authelia-config
mountPath: /users_database.yml
subPath: users_database.yml
- name: authelia-data
mountPath: /data
- name: authelia-custom-secrets
mountPath: /secrets
readOnly: true
ingress:
enabled: true
certManager: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt
tls:
enabled: true
secret: authelia-tls
traefikCRD:
enabled: true
disableIngressRoute: true
middlewares:
auth:
authResponseHeaders:
- Remote-User
- Remote-Groups
- Remote-Email
- Remote-Name
configMap:
disabled: true
session:
cookies:
- subdomain: auth
domain: ${AUTHELIA_DOMAIN}
secret:
existingSecret: authelia-secrets

9
kubernetes/dev/infrastructure/authelia/repository.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: authelia
namespace: flux-system
spec:
interval: 1m0s
url: https://charts.authelia.com/

27
kubernetes/dev/infrastructure/authelia/secret.sops.yaml Normal file
View File

@@ -0,0 +1,27 @@
apiVersion: v1
kind: Secret
metadata:
name: authelia-secrets
namespace: authelia
stringData:
OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:PDGGuupGLm3L44/aIuaWSK9122fqKWbXEMyDu8Q0H+kRrJYZMyWHW348Gt7423MS0gfEt0EcCmi78me9UGZgI1Xv3EmYvLQwetaOQ5/IKvD6AjbxK1V4+v+vsE/Se8jur2GrKzQBHQ+NSXrAQ/txpXD1ptczKPX5HTiZPsYjm/AFCtV+NKLIAHeHsl8vMjib56S9USXwVkra09GhrGJ74JWB46zFQC9ClJQgM2jpGMgZpa9LVwVIBrp2njrcWGxyJsZ75F3uKFIikXuRRQatezT4tXkdom4TLwI7V8E4mcTjelIRpMVmIDcLtuDRmi/6sv7Tq2I8uzRB2KugS5bvB1t3t0VPczCgoGol3Dm/NYYqCRkhyYyqWjNLIMzrhWQhLOu3wmjyShU6KDecLW7pwtdw0esgRT3ed2F0fvhe5YWRL7kB035RA/rCsi2qjEgU/a4nYtuV6LDTZBvsqZe0tca62GawexqwVyeGdebW6w4CMgYD3ZaUNV9CpVTidnKweID9nYSoHUEKsEAIVI6SuCiYYhm0CXl9rHdRGA9YmDXcJLjgvbMjkcBqOVzWzZW6Q70KwLdlpA1rtrM30tNW4Sw4NMqHM+g1xpXTJf3gTroBTukWnSlpef43n16Lq07j59Z3A8O0omYacFKm7smMBpppQ6zaSi1813EMcvo98qqGvZQtuSt76ZsiZRlddmcrEx5j0JijQ8xIAwf1+en7f6Tqaf72wDypIzOrFGPfJo+aYk8sGF716fbOrl6ERpMTVjqxCf2gW9SgFT276I5V6J7zLAggltmCiykt88Wfzwrhav18NOw1FPzumI4qg+0wFfpg/4BmCo3fUY0LRyA+zuZB3r3MYvlYolGhunZiSiESXoz9wEJM+l3VE+Mdha3ONaUrF/iEm2LnFgb0nEzM/pk8SuzXofBrE44CvxW46jy5fG6+6koFTBaifLmZGWiFSLUeQ5XMpYtqICAUTSWigz9RhKBeFNVIj091Knqkznpa9f1N6INODz4hduoJH7jViERdYIz1IfE8XWLJ1RXMHm1zE/cqX7CAIuj9GBSzP23XjpZDzpQ93Au+RkLBcamDRwCHKc0nGk0Rru6Jea48PYKF3DUq62SAcc46suKHA4+zho0EWEqI96CUhK4ll6jsfOUUQxjrt/h2ic80Eqic+R655dS2rOs5OsKXRILmGkPEFvKWrXmfT0o9TgKLNANBjCZxo+3zZ4Jjr7n7t0+zgKxgpq5wDj+fEANmU7jJ1VUNqvJfRdVmuj/brjhp86DgNJKq0IonImN9PKbY7KblhEyhRAjdA1jM+mqSaezSLiZ8ombDvd1XUYVs6aZD5VIiu4Q+f+SW/f170jdoz2icG/FPZz08pAYTEAuXM43/cVbiD1bW1qqgMCPvreUJPsag5j7+/RvO0Mey3QL3xc1XbnxE7SaOwCKl0ejyh6anzOYd/Ohk+/YHVybSDpG0NUghoj13poShvNwk3UtAeDLp+2qn2spA6jJlsx3XrRj7+/HUM+3bsWB7F87mySgcVEUZ+SIBscf/ZJ4GaMZg5sswLcu49hCzIUTfZzXWEFcLNAYs8VMFoWwlwh584AkMnXe8mfGL0GqYtyuWLlAkLk5VDqAJ6gaNQgBR7+K34o5oQ35/1wR0FHlv0nJ1w0kyhGNbVX6ANZzxQCgU+lXzUmlrGmAuQRwoffLAfW+wr6vXlve6XqdOj0ch/8QKxggngK9Acc79rBulcwbm85b4rkDLUqs3gcMNOjsDgXSPtchQ3F7+UBBu30jgv1D+1hAhc+xaGiRYhmtgWi3Nl6mpk1Q2sJvDCpEjKEac8mSS6vOAe2n4fgwICaOxfIuZbWL6OxBnKm+q65DIBM7mLoFMnrs58cBHxFwB2wlLtQvomqeZeNduwWtqW50TnDp7jxX+HE6PnX23F3ZfhNQYYKSpetbxoZBUIgxbJSvIj1nHNGEakJOkSelmPoQ8yZepU8tejs8iZ1SxyvOeATbAslJ7a5lpMO7riAN+X6xnp3JcgqRd9aMVvfTTh8XwzBmf9SFuV68ZOvD3hmCPoBvroExkYoKOoaiEBoLiA706bdH22bEC4UPaqmlnHPWTi7yiRAi3794jCDb+Nh3Ebd+XbXqMvACacdMQW7FTK/ytn14ypFWFwjX4WiJRsrpEgMdMTrsfYmcg2BwaJnWlaZsYMknwOJlE0bg5GU7ASL5g7+Ma+dknmN0nKKW8mK0c2CiI/AAhjK40EeJA5J8hqZaSZHay1gZYxT+TRb0vMvsu,iv:U1smwRB2mQSJHPeGSD8HFaon6ugk0JFPWtz41QdoGTs=,tag:TvetAkJqhGMIxm6+NcHCzg==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:zcQbkOhsrrsof84ZvRXHVS4=,iv:cchXKmCPH8wBi9kDHY0Dr47QfOohQa7rPbjMsnYLNdI=,tag:O+gDLjkGe5V8St+kYGc6pQ==,type:str]
identity_validation.reset_password.jwt.hmac.key: ENC[AES256_GCM,data:+eLVPSg8VIclVrT1trWdmHj1llhQVKHBYmQbrY3TnH8JAsssINoBPXoFOoT3m/YAktmvIFotrpi8k+cu0gkt9v1xf9FT3ppSPAspCujjvH5GNWWD+aVGxp0xHSwkQ3GDwG80ERezEYFcD/0FdhxPmeD52sh3heJnYdFluOAu95bD,iv:kIXe80T+Uh+NiqqH0n35XHZtoJ7lU3ifST/t34D6iKM=,tag:Bzs50EU0dUBieBOxtyvQ1Q==,type:str]
session.encryption.key: ENC[AES256_GCM,data:4M0piJnmrpWnzqFEzCWEIWZ3E88l78HZriEBJDvRr1JwNXz2evbHlg1kBf0dw7M9u/c0z68C91BMf3i+Ym5PNJezCv6otcUqFOvdn43uWOh7qvEBnxyyblDobxSMWkfei9V9z3qsCq46t7LDrrpSjD/ugATzaBrnG5b4YFyCFPI2,iv:S0sUiqeAipJstGmsUZNy4HW+v/Voy9atAAmaevvLHoo=,tag:BbuPrFN7ElV5qxWa5wmEfQ==,type:str]
storage.encryption.key: ENC[AES256_GCM,data:vUvA3FAT//CSu1fO0GSxYY8lDwbNQDB5RaSuLXboujUIN9wWKAJt+WH0pQ5fU4K3i2cZjJT/LouP6uDhdEPs7NFDRYHUs59CimB2tqBGzOLHbUMVNgUZRM61l+O8eSurx4TkiC4q5JSmQUrlg4+/58dLNNWBte6Niz8nfDaeDnUY,iv:xBUvaXHBC5ipIxP8XBshzHc8mCrWnqjPlPinN5E/Eh8=,tag:6I4+lqUD2HwYY8NsqfBMFQ==,type:str]
identity_providers.oidc.hmac.key: ENC[AES256_GCM,data:W4yp/fk6F/p90YuPH3GaQ5fBq19nDvdEbv6lUQcBbTajAnxMBqSph5JufGKG6gW1XU9ZpUAUiKr1r8nLPN5wvpM1Gu9VUG4ciLkcwmLpgl6lsnLPDHxxQ5xpdQ4YoZqFnffga14NxnVv4ALAOvUDbZFAB8kSbKGKfez2m+W7uQLC,iv:TBiQJhd9hgqVvQyO/gaZH4Vzg0+bKd6jc10dgHKwobY=,tag:2wZhbZo0/st2NBEbrN8zUg==,type:str]
sops:
age:
- recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMDVSbERpdkRLSy9TcnVG
VWdVRitPTGRhUzM3QXp2WTl2STVYU2lRa1I4CjVRcitJbzQxTFJ5c0pmcEJScDVo
Vk9FQ0Q5a20xT1RjcWM4T1A3enVpckEKLS0tIFkzbTMzOTFVaVR3T1daNTNLdzVk
ZzFsaDBkN1RKdG4yTlVUendQWFY1OFEKZZWj+gvQZ+578nqrYmpFivZeqPGV6Fu0
QnAHACCjYI/3D0sLWqM54XMYe98DfX0dFnqZTNZ85hohLNCnq1w5Uw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-18T20:09:04Z"
mac: ENC[AES256_GCM,data:NCIM5lGLDmIbl+R+rC0wA6Lp/irgWnhSqBhwnHtp1T8NUSK5GSJ162Cc8W3TOLMsVbKPzLfCOPi3ZNT9YKrutUj4h7VCLOlPIhXev81qx9J8iJImJyOM1Xry8gvRQ+XyZfi/ZbYxyR1X1fr8H8xQ+Rfc47bmgnIjhNR7F3vKRTY=,iv:OpmsIZb6gcOc5iJ6Q34RspBKE337cArfqeo48AfNTfY=,tag:3bDIp6rrIfXdTm87RcCekA==,type:str]
encrypted_regex: ^(data|stringData|email)$
version: 3.11.0

6
kubernetes/dev/infrastructure/ks.yaml
View File

@@ -11,7 +11,13 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
dependsOn:
- name: config
decryption:
provider: sops
secretRef:
name: sops-age
postBuild:
substituteFrom:
- kind: Secret
name: cluster-vars