phpipam: Use Authelia for authentication

phpIPAM supports "Apache authentication" which effectively delegates authentication to the web server and trusts the `PHP_AUTH_USER` server variable. This variable is usually set by an Apache authentication module, but it can be set manually in the config. Here, we're using `SetEnvIf` to populate it from the value of the `Remote-User` header set by Authelia.
2023-05-02 21:58:53 -05:00 · 2023-05-02 21:58:53 -05:00 · 6cd7eae0d3
parent 2867210d38
commit 6cd7eae0d3
1 changed files with 32 additions and 0 deletions
--- a/phpipam/phpipam.yaml
+++ b/phpipam/phpipam.yaml
@ -6,6 +6,25 @@ metadata:
    app.kubernetes.io/name: phpipam
  name: phpipam

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: phpipam-httpd-conf
+  namespace: phpipam
+data:
+  phpipam.conf: |
+    <VirtualHost *:80>
+      DocumentRoot /phpipam
+      SetEnvIf Remote-User "(.*)$" PHP_AUTH_USER=$1
+    </VirtualHost>
+
+    <Directory "/phpipam">
+      AllowOverride All
+      Options FollowSymLinks
+      Require all granted
+    </Directory>
+
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@ -118,6 +137,11 @@ spec:
            add:
            - NET_ADMIN
            - NET_RAW
+        volumeMounts:
+        - name: httpd-conf
+          mountPath: /etc/apache2/conf.d/phpipam.conf
+          subPath: phpipam.conf
+          readOnly: true
      - image: docker.io/phpipam/phpipam-cron:v1.5.2
        imagePullPolicy: IfNotPresent
        name: phpipam-cron
@ -136,6 +160,10 @@ spec:
            add:
            - NET_ADMIN
            - NET_RAW
+      volumes:
+      - name: httpd-conf
+        configMap:
+          name: phpipam-httpd-conf
      affinity:
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
@ -199,6 +227,10 @@ kind: Ingress
 metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
  name: phpipam
  namespace: phpipam
 spec: