From df126909580bf79147060cfd5c3f19142670cf9a Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 13 Jan 2023 19:37:14 -0600
Subject: [PATCH] storage: Use Authelia for Longhorn UI auth

Instead of using a static username/password and HTTP Basic authentication for the Longhorn UI, we can now use Authelia via the *nginx* auth subrequest functionality.
---
 storage/README.md | 11 ++---------
 storage/longhorn-ingress.yaml | 14 ++++++--------
 2 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/storage/README.md b/storage/README.md
index 1a88a36..1e1dd43 100644
--- a/storage/README.md
+++ b/storage/README.md
@@ -23,18 +23,11 @@ kubectl apply -f longhorn.yaml
 Expose the Longhorn UI outside the cluster:
 ```sh
-printf 'Longhorn username: '
-read longhorn_username
-printf 'Longhorn password: '
-read -s longhorn_password
-printf '%s:%s\n' \
- "${longhorn_username}" \
- "$(openssl passwd -stdin -apr1 <<< "${longhorn_password}")" \
- > auth
-kubectl create secret generic -n longhorn-system basic-auth --from-file auth
 kubectl apply -f longhorn-ingress.yaml
 ```
+Authentication to the UI is handled by Authelia.
+
 [0]: https://longhorn.io/docs/1.3.0/deploy/install/install-with-kubectl/
 [1]: https://longhorn.io/docs/1.3.0/advanced-resources/deploy/node-selector/
diff --git a/storage/longhorn-ingress.yaml b/storage/longhorn-ingress.yaml
index dd573c8..45e18b9 100644
--- a/storage/longhorn-ingress.yaml
+++ b/storage/longhorn-ingress.yaml
@@ -4,14 +4,12 @@ metadata:
 name: longhorn-ingress
 namespace: longhorn-system
 annotations:
- # type of authentication
- nginx.ingress.kubernetes.io/auth-type: basic
- # prevent the controller from redirecting (308) to HTTPS
- nginx.ingress.kubernetes.io/ssl-redirect: 'false'
- # name of the secret that contains the user/password definitions
- nginx.ingress.kubernetes.io/auth-secret: basic-auth
- # message to display with an appropriate context why the authentication is required
- nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required '
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Method $request_method;
 # custom max body size for file uploading like backing image uploading
 nginx.ingress.kubernetes.io/proxy-body-size: 10000m
 spec:
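Review bot: The six new `auth-*` annotations have no comment, although each Basic-auth annotation they replace had one, and the two facts a maintainer most needs are not recorded. With the `basic-auth` secret gone, access to the Longhorn UI rests entirely on the verdict Authelia returns through `auth-url`, and the rule that produces it lives in Authelia's configuration outside this commit; a line such as `# access is decided by Authelia's access-control rule for this host` above `auth-method` would point the next reader there. `auth-snippet` takes effect only when the ingress-nginx controller permits snippet annotations (`allow-snippet-annotations`), so `# needs snippet annotations enabled on the controller` above it would document that dependency. As far as this manifest shows, the gate covers only requests that pass through this Ingress, so any other route to the Longhorn frontend Service stays unauthenticated unless something else restricts it. The `metadata` mapping begins above the hunk and `spec:` continues below it.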