---
# Flux source object for the upstream Authelia Helm chart index.
# Flux re-fetches the index every `interval`; chart version pinning is not a
# repository concern but a HelmRelease one (chart.spec.version).
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: authelia
  namespace: flux-system
spec:
  interval: 1h
  # Fetched over HTTPS; nothing here verifies chart provenance beyond TLS.
  url: https://charts.authelia.com
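---
# Target namespace for the Authelia release. It is declared explicitly
# (rather than relying only on the HelmRelease's install.createNamespace)
# so that namespace-level policy can be attached here.
apiVersion: v1
kind: Namespace
metadata:
  name: authelia
  labels:
    # Pod Security Admission: enforce the baseline profile so no privileged
    # or host-namespace pod can be scheduled here; warn and audit against
    # restricted so remaining gaps surface at apply time and in the audit
    # log without blocking the release.
    # TODO(review): confirm the chart's pod passes `restricted` before
    # raising enforce to that level.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted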
---
# Flux HelmRelease that installs the Authelia chart into the `authelia`
# namespace and hands it the inline `values` below.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authelia
  namespace: flux-system
spec:
  interval: 1h
  targetNamespace: authelia
  install:
    createNamespace: true
  chart:
    spec:
      chart: authelia
      # NOTE(review): no `version:` is pinned, so each reconcile may resolve
      # to whatever the repository index currently lists. Pinning
      # chart.spec.version (e.g. "<CHART_VERSION>" — placeholder) makes
      # upgrades an explicit, reviewable change.
      sourceRef:
        kind: HelmRepository
        name: authelia
      interval: 1h
  values:
    pod:
      # Small footprint suitable for a lab cluster; limits cap a runaway
      # process at 200m CPU / 128Mi memory.
      resources:
        requests:
          cpu: 10m
          memory: 64Mi
        limits:
          cpu: 200m
          memory: 128Mi
    ingress:
      enabled: true
      className: traefik
      annotations:
        # Certificate issued by cert-manager; HTTP is redirected to HTTPS by
        # the referenced Traefik middleware.
        cert-manager.io/cluster-issuer: letsencrypt-prod
        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
      tls:
        enabled: true
        secret: authelia-tls
    configMap:
      theme: light
      # Default second-factor method offered to users.
      default_2fa_method: totp
      session:
        # Session cookie scoped to the parent domain, portal served from the
        # `auth` subdomain.
        cookies:
          - domain: davidepiu.xyz
            subdomain: auth
      # NOTE(review): session secret, storage encryption key and JWT secret
      # are not among these values — presumably supplied through the chart's
      # secret handling; confirm they are not left at chart defaults.
      storage:
        local:
          enabled: true
          # NOTE(review): SQLite file under /config; unless persistence is
          # enabled elsewhere in the chart values this lives in the pod's
          # filesystem and is lost on restart — confirm.
          path: /config/db.sqlite3
      access_control:
        # Protected resources fall back to password-only unless a rule
        # requires more; TOTP is configured above but not mandated here.
        default_policy: one_factor
      authentication_backend:
        file:
          enabled: true
          # Static user database; must be provided at this path.
          path: /config/users_database.yml
      notifier:
        filesystem:
          enabled: true
          # Notifications (identity-verification links etc.) are written to a
          # file instead of being emailed — lab-only behaviour.
          filename: /config/notification.txt
---
# Only traffic matching a rule below may reach pods in the `authelia`
# namespace. With policyTypes limited to Ingress, egress stays unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-traefik
  namespace: authelia
spec:
  # Empty selector: every pod in the namespace is covered.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    # NOTE(review): despite the name, this admits *any* pod in kube-system,
    # not just Traefik — there is no podSelector next to the
    # namespaceSelector. Narrow it with a podSelector matching the ingress
    # controller's labels (`<TRAEFIK_POD_LABEL>: <VALUE>` — placeholder,
    # confirm against the Traefik deployment).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      # Authelia's portal/API port only.
      ports:
        - port: 9091
          protocol: TCP