authelia: Install Authelia

Authelia is a general authentication provider that works (primarily)
by integrating with *nginx* using its subrequest mechanism.  It works
great with Kubernetes/*ingress-nginx* to provide authentication for
services running in the cluster, especially those that do not provide
their own authentication system.

Authelia needs a database to store session data.  It supports various
engines, but since we're only running a very small instance with no real
need for HA, SQLite on a Longhorn persistent volume is sufficient.

Configuration is done mostly through a YAML document, although some
secret values are stored in separate files, which are pointed to by
environment variables.

authelia/authelia.yaml

@@ -0,0 +1,147 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authelia
+  namespace: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+    app.kubernetes.io/component: authelia
+    app.kubernetes.io/instance: authelia
+    app.kubernetes.io/part-of: authelia
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia
+  namespace: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+    app.kubernetes.io/component: authelia
+    app.kubernetes.io/instance: authelia
+    app.kubernetes.io/part-of: authelia
+spec:
+  ports:
+  - port: 9091
+    name: http
+  selector:
+    app.kubernetes.io/name: authelia
+    app.kubernetes.io/component: authelia
+    app.kubernetes.io/instance: authelia
+  type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: authelia
+  namespace: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+    app.kubernetes.io/component: authelia
+    app.kubernetes.io/instance: authelia
+    app.kubernetes.io/part-of: authelia
+spec:
+  serviceName: authelia
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: authelia
+      app.kubernetes.io/component: authelia
+      app.kubernetes.io/instance: authelia
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: authelia
+        app.kubernetes.io/component: authelia
+        app.kubernetes.io/instance: authelia
+    spec:
+      enableServiceLinks: false
+      containers:
+      - name: authelia
+        image: ghcr.io/authelia/authelia
+        env:
+        - name: AUTHELIA_JWT_SECRET_FILE
+          value: /run/authelia/secrets/jwt.secret
+        - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+          value: /run/authelia/secrets/ldap.password
+        - name: AUTHELIA_SESSION_SECRET_FILE
+          value: /run/authelia/secrets/session.secret
+        - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+          value: /run/authelia/secrets/storage.encryption_key
+        readinessProbe:
+          httpGet:
+            port: 9091
+            path: /api/health
+          failureThreshold: 3
+          periodSeconds: 60
+          initialDelaySeconds: 5
+          successThreshold: 1
+          timeoutSeconds: 1
+        volumeMounts:
+        - name: config
+          mountPath: /config/configuration.yml
+          subPath: configuration.yml
+          readOnly: true
+        - name: secrets
+          mountPath: /run/authelia/secrets
+          readOnly: true
+        - name: data
+          mountPath: /var/lib/authelia
+          subPath: authelia
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+        fsGroup: 1000
+      volumes:
+      - name: config
+        configMap:
+          name: authelia
+      - name: secrets
+        secret:
+          secretName: authelia
+      - name: data
+        persistentVolumeClaim:
+          claimName: authelia
+
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: authelia
+  namespace: authelia
+  labels:
+    app.kubernetes.io/name: authelia
+    app.kubernetes.io/component: authelia
+    app.kubernetes.io/instance: authelia
+    app.kubernetes.io/part-of: authelia
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - auth.pyrocufflink.blue
+  rules:
+  - host: auth.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: authelia
+            port:
+              name: http
+

authelia/configuration.yml

@@ -0,0 +1,30 @@
+access_control:
+  default_policy: one_factor
+
+authentication_backend:
+  ldap:
+    base_dn: DC=pyrocufflink,DC=blue
+    implementation: activedirectory
+    tls:
+      minimum_version: TLS1.2
+    url: ldaps://pyrocufflink.blue
+    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
+
+log:
+  level: trace
+
+notifier:
+  smtp:
+    disable_require_tls: true
+    host: mail.pyrocufflink.blue
+    port: 25
+    sender: auth@pyrocufflink.net
+
+session:
+  domain: pyrocufflink.blue
+  expiration: 1d
+  inactivity: 4h
+
+storage:
+  local:
+    path: /var/lib/authelia/db.sqlite3

authelia/kustomization.yaml

@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- authelia.yaml
+
+configMapGenerator:
+- name: authelia
+  namespace: authelia
+  files:
+  - configuration.yml
+  options:
+    disableNameSuffixHash: true
+
+secretGenerator:
+- name: authelia
+  namespace: authelia
+  files:
+  - jwt.secret
+  - ldap.password
+  - session.secret
+  - storage.encryption_key
+  options:
+    disableNameSuffixHash: true