phpipam: Use Authelia for authentication
phpIPAM supports "Apache authentication" which effectively delegates authentication to the web server and trusts the `PHP_AUTH_USER` server variable. This variable is usually set by an Apache authentication module, but it can be set manually in the config. Here, we're using `SetEnvIf` to populate it from the value of the `Remote-User` header set by Authelia.
dch-webhooks-secrets
parent
2867210d38
commit
6cd7eae0d3
|
@ -6,6 +6,25 @@ metadata:
|
||||||
app.kubernetes.io/name: phpipam
|
app.kubernetes.io/name: phpipam
|
||||||
name: phpipam
|
name: phpipam
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: phpipam-httpd-conf
|
||||||
|
namespace: phpipam
|
||||||
|
data:
|
||||||
|
phpipam.conf: |
|
||||||
|
<VirtualHost *:80>
|
||||||
|
DocumentRoot /phpipam
|
||||||
|
SetEnvIf Remote-User "(.*)$" PHP_AUTH_USER=$1
|
||||||
|
</VirtualHost>
|
||||||
|
|
||||||
|
<Directory "/phpipam">
|
||||||
|
AllowOverride All
|
||||||
|
Options FollowSymLinks
|
||||||
|
Require all granted
|
||||||
|
</Directory>
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: PersistentVolumeClaim
|
kind: PersistentVolumeClaim
|
||||||
|
@ -118,6 +137,11 @@ spec:
|
||||||
add:
|
add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
|
volumeMounts:
|
||||||
|
- name: httpd-conf
|
||||||
|
mountPath: /etc/apache2/conf.d/phpipam.conf
|
||||||
|
subPath: phpipam.conf
|
||||||
|
readOnly: true
|
||||||
- image: docker.io/phpipam/phpipam-cron:v1.5.2
|
- image: docker.io/phpipam/phpipam-cron:v1.5.2
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
name: phpipam-cron
|
name: phpipam-cron
|
||||||
|
@ -136,6 +160,10 @@ spec:
|
||||||
add:
|
add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
|
volumes:
|
||||||
|
- name: httpd-conf
|
||||||
|
configMap:
|
||||||
|
name: phpipam-httpd-conf
|
||||||
affinity:
|
affinity:
|
||||||
podAffinity:
|
podAffinity:
|
||||||
preferredDuringSchedulingIgnoredDuringExecution:
|
preferredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
@ -199,6 +227,10 @@ kind: Ingress
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/rewrite-target: /
|
nginx.ingress.kubernetes.io/rewrite-target: /
|
||||||
|
nginx.ingress.kubernetes.io/auth-method: GET
|
||||||
|
nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
|
||||||
|
nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
|
||||||
|
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
|
||||||
name: phpipam
|
name: phpipam
|
||||||
namespace: phpipam
|
namespace: phpipam
|
||||||
spec:
|
spec:
|
||||||
|
|
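Review bot: The `SetEnvIf Remote-User "(.*)$" PHP_AUTH_USER=$1` line in the new `phpipam-httpd-conf` ConfigMap accepts the `Remote-User` request header from every client, so the identity phpIPAM trusts is only as reliable as the network path; a request that reaches the pod or Service without passing through the ingress would carry whatever value the sender chose. The Authelia annotations in the Ingress hunk cover the external path, but nothing visible in this diff limits in-cluster access, so if the rest of the file has no such control, a NetworkPolicy in the `phpipam` namespace admitting port 80 only from the ingress controller would close the gap. The pattern also matches an empty value, so `SetEnvIf Remote-User "^(.+)$" PHP_AUTH_USER=$1` would leave `PHP_AUTH_USER` unset when the header is absent. A comment above that line, such as `# Remote-User is injected by ingress-nginx from the Authelia verify response; this vhost must not be reachable by any other path`, would record the assumption for the next maintainer.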