feat: protect Uptime Kuma and Weave GitOps with Authelia ForwardAuth

- Add Traefik ForwardAuth middleware pointing to Authelia - Apply to status.davidepiu.xyz and flux.davidepiu.xyz - Users must login via auth.davidepiu.xyz before accessing these services
2026-02-19 23:18:38 +00:00
parent bc89216548
commit 914890b339
3 changed files with 17 additions and 2 deletions
--- a/clusters/lab/apps/uptime-kuma.yaml
+++ b/clusters/lab/apps/uptime-kuma.yaml
@@ -36,7 +36,7 @@ spec:
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+        traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
      hosts:
      - host: status.davidepiu.xyz
        paths:
--- a/clusters/lab/infrastructure/weave-gitops.yaml
+++ b/clusters/lab/infrastructure/weave-gitops.yaml
@@ -64,7 +64,7 @@ metadata:
  namespace: flux-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
  ingressClassName: traefik
  rules:
--- a/clusters/lab/security/authelia-forwardauth.yaml
+++ b/clusters/lab/security/authelia-forwardauth.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia-forwardauth
+  namespace: default
+spec:
+  forwardAuth:
+    address: http://authelia-authelia.authelia.svc.cluster.local/api/authz/forward-auth
+    trustForwardHeader: true
+    authResponseHeaders:
+    - Remote-User
+    - Remote-Groups
+    - Remote-Email
+    - Remote-Name