Davide Piu
c2a803d28b
GitOps manifests for security stack Wave 1: - Vaultwarden (vault.davidepiu.xyz) - password manager - Uptime Kuma (status.davidepiu.xyz) - uptime monitoring - Trivy Operator - vulnerability scanning - Authelia (auth.davidepiu.xyz) - SSO + 2FA All with NetworkPolicies for Traefik ingress.
106 lines
2.3 KiB
YAML
106 lines
2.3 KiB
YAML
---
|
|
apiVersion: source.toolkit.fluxcd.io/v1
|
|
kind: HelmRepository
|
|
metadata:
|
|
name: authelia
|
|
namespace: flux-system
|
|
spec:
|
|
interval: 1h
|
|
url: https://charts.authelia.com
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: authelia
|
|
---
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: authelia
|
|
namespace: flux-system
|
|
spec:
|
|
interval: 1h
|
|
targetNamespace: authelia
|
|
install:
|
|
createNamespace: true
|
|
chart:
|
|
spec:
|
|
chart: authelia
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: authelia
|
|
interval: 1h
|
|
valuesFrom:
|
|
- kind: Secret
|
|
name: authelia-secrets
|
|
valuesKey: JWT_SECRET
|
|
targetPath: secret.jwt.value
|
|
- kind: Secret
|
|
name: authelia-secrets
|
|
valuesKey: SESSION_SECRET
|
|
targetPath: secret.session.value
|
|
- kind: Secret
|
|
name: authelia-secrets
|
|
valuesKey: STORAGE_ENCRYPTION_KEY
|
|
targetPath: secret.storage.value
|
|
values:
|
|
pod:
|
|
resources:
|
|
requests:
|
|
cpu: 10m
|
|
memory: 64Mi
|
|
limits:
|
|
cpu: 200m
|
|
memory: 128Mi
|
|
ingress:
|
|
enabled: true
|
|
className: traefik
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
|
|
tls:
|
|
enabled: true
|
|
secret: authelia-tls
|
|
configMap:
|
|
theme: light
|
|
default_2fa_method: totp
|
|
server:
|
|
address: tcp://0.0.0.0:9091/
|
|
session:
|
|
cookies:
|
|
- domain: davidepiu.xyz
|
|
subdomain: auth
|
|
default_redirection_url: https://auth.davidepiu.xyz
|
|
storage:
|
|
local:
|
|
enabled: true
|
|
path: /config/db.sqlite3
|
|
access_control:
|
|
default_policy: one_factor
|
|
authentication_backend:
|
|
file:
|
|
enabled: true
|
|
path: /config/users_database.yml
|
|
notifier:
|
|
filesystem:
|
|
enabled: true
|
|
filename: /config/notification.txt
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-ingress-from-traefik
|
|
namespace: authelia
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: kube-system
|
|
ports:
|
|
- port: 9091
|
|
protocol: TCP
|