Dustin C. Hatch
b07e141fa3
By default, Authelia uses a local SQLite database for persistent data (e.g. authenticator keys, TOTP secrets, etc.) and keeps session data in memory. Together, these have some undesirable side effects. First, since needing access to the filesystem to store the SQLite database means that the pod has to be managed by a StatefulSet. Restarting StatefulSet pods means stopping them all and then starting them back up, which causes downtime. Additionally, the SQLite database file needs to be backed up, which I never got around to setting up. Further, any time the service is restarted, all sessions are invalidated, so users have to sign back in. All of these issues can be resolved by configuring Authelia to store all of its state externally. The persistent data can be stored in a PostgreSQL database and the session state can be stored in Redis. Using a database managed by the existing Postgres Operator infrastructure automaticaly enables high availability and backups as well. To migrate the contents of the database, I used [pgloader]. With Authelia shut down, I ran the migration job. Authelia's database schema is pretty simple, so there were no problems with the conversion. Authelia started back up with the new database configuration without any issues. Session state are still stored only in memory of the Redis process. This is probably fine, since Redis will not need restarted often, except for updates. At least restarting Authelia to adjust its configuration will not log everyone out. [pgloader]: https://pgloader.readthedocs.io/en/latest/ref/sqlite.html
135 lines
3.4 KiB
YAML
135 lines
3.4 KiB
YAML
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: authelia
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
ports:
|
|
- port: 9091
|
|
name: http
|
|
selector:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
type: ClusterIP
|
|
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
spec:
|
|
enableServiceLinks: false
|
|
containers:
|
|
- name: authelia
|
|
image: ghcr.io/authelia/authelia
|
|
env:
|
|
- name: AUTHELIA_JWT_SECRET_FILE
|
|
value: /run/authelia/secrets/jwt.secret
|
|
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
|
value: /run/authelia/secrets/ldap.password
|
|
- name: AUTHELIA_SESSION_SECRET_FILE
|
|
value: /run/authelia/secrets/session.secret
|
|
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
|
value: /run/authelia/secrets/storage.encryption_key
|
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
|
value: /run/authelia/secrets/oidc.hmac_secret
|
|
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
|
value: /run/authelia/secrets/oidc.issuer_private_key
|
|
startupProbe:
|
|
httpGet:
|
|
port: 9091
|
|
path: /api/health
|
|
failureThreshold: 30
|
|
periodSeconds: 3
|
|
initialDelaySeconds: 5
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
readinessProbe:
|
|
httpGet:
|
|
port: 9091
|
|
path: /api/health
|
|
failureThreshold: 3
|
|
periodSeconds: 60
|
|
successThreshold: 1
|
|
timeoutSeconds: 1
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config/configuration.yml
|
|
subPath: configuration.yml
|
|
readOnly: true
|
|
- name: secrets
|
|
mountPath: /run/authelia/secrets
|
|
readOnly: true
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: authelia
|
|
- name: secrets
|
|
secret:
|
|
secretName: authelia
|
|
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: authelia
|
|
namespace: authelia
|
|
labels:
|
|
app.kubernetes.io/name: authelia
|
|
app.kubernetes.io/component: authelia
|
|
app.kubernetes.io/instance: authelia
|
|
app.kubernetes.io/part-of: authelia
|
|
spec:
|
|
ingressClassName: nginx
|
|
tls:
|
|
- hosts:
|
|
- auth.pyrocufflink.blue
|
|
rules:
|
|
- host: auth.pyrocufflink.blue
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: authelia
|
|
port:
|
|
name: http
|
|
|