feat: protect Uptime Kuma and Weave GitOps with Authelia ForwardAuth

- Add Traefik ForwardAuth middleware pointing to Authelia
- Apply to status.davidepiu.xyz and flux.davidepiu.xyz
- Users must login via auth.davidepiu.xyz before accessing these services

clusters/lab/apps/uptime-kuma.yaml

@@ -36,7 +36,7 @@ spec:
       className: traefik
       annotations:
         cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+        traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
       hosts:
       - host: status.davidepiu.xyz
         paths:

clusters/lab/infrastructure/weave-gitops.yaml

@@ -64,7 +64,7 @@ metadata:
   namespace: flux-system
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
   ingressClassName: traefik
   rules:

clusters/lab/security/authelia-forwardauth.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia-forwardauth
+  namespace: default
+spec:
+  forwardAuth:
+    address: http://authelia-authelia.authelia.svc.cluster.local/api/authz/forward-auth
+    trustForwardHeader: true
+    authResponseHeaders:
+    - Remote-User
+    - Remote-Groups
+    - Remote-Email
+    - Remote-Name