Dustin C. Hatch
c011a99165
In order to allow access to Authelia from outside the LAN, it needs to be able to handle the _pyrocufflink.net_ domain in addition to _pyrocufflink.blue_. Originally, this was not possible, as Authelia only supported a single cookie/domain. Now that it supports multiple cookies, we can expose both domains. The main reason for doing this now is use Authelia's password reset capability for Mom, since she didn't have a password for her Nextcloud account that she's just begun using.
144 lines
3.7 KiB
YAML
144 lines
3.7 KiB
YAML
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: authelia
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
ports:
|
|
- port: 9091
|
|
name: http
|
|
selector:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
type: ClusterIP
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
spec:
|
|
enableServiceLinks: false
|
|
containers:
|
|
- name: authelia
|
|
image: ghcr.io/authelia/authelia
|
|
env:
|
|
- name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
|
|
value: /run/authelia/secrets/jwt.secret
|
|
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
|
value: /run/authelia/secrets/ldap.password
|
|
- name: AUTHELIA_SESSION_SECRET_FILE
|
|
value: /run/authelia/secrets/session.secret
|
|
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
|
value: /run/authelia/secrets/storage.encryption_key
|
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
|
value: /run/authelia/secrets/oidc.hmac_secret
|
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
|
value: /run/authelia/secrets/oidc.issuer_private_key
|
|
ports:
|
|
- containerPort: 9091
|
|
name: http
|
|
protocol: TCP
|
|
- containerPort: 9959
|
|
name: metrics
|
|
protocol: TCP
|
|
startupProbe:
|
|
httpGet:
|
|
port: 9091
|
|
path: /api/health
|
|
failureThreshold: 30
|
|
periodSeconds: 3
|
|
initialDelaySeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
readinessProbe:
|
|
httpGet:
|
|
port: 9091
|
|
path: /api/health
|
|
failureThreshold: 3
|
|
periodSeconds: 60
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config/configuration.yml
|
|
subPath: configuration.yml
|
|
readOnly: true
|
|
- name: secrets
|
|
mountPath: /run/authelia/secrets
|
|
readOnly: true
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: authelia
|
|
- name: secrets
|
|
secret:
|
|
secretName: authelia
|
|
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
ingressClassName: nginx
|
|
tls:
|
|
- hosts:
|
|
- auth.pyrocufflink.blue
|
|
- auth.pyrocufflink.net
|
|
rules:
|
|
- host: auth.pyrocufflink.blue
|
|
http: &http
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: authelia
|
|
port:
|
|
name: http
|
|
- host: auth.pyrocufflink.net
|
|
http: *http
|