monorepo/dezendorf/homelab/k3s/authelia/authelia.yaml

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: authelia
  labels:
    app: authelia

spec:
  replicas: 1
  selector:
    matchLabels:
      app: authelia
  #enableServiceLinks: false
  template:
    metadata:
      labels:
        app: authelia
    spec:
      containers:
      - name: authelia
        image: authelia/authelia
        ports:
        - name: web
          containerPort: 9091
        volumeMounts:
        - name: authelia-config
          mountPath: "/config"
      volumes:
      - name: authelia-config
        persistentVolumeClaim:
          claimName: authelia-volume

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authelia-volume
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: nfs
  resources:
    requests:
      storage: 100M

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: authelia-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`sso.dezendorf.net`)
    kind: Rule
    services:
    - name: authelia
      port: 9091
---
apiVersion: v1
kind: Service
metadata:
  name: authelia
spec:
  type: ClusterIP
  ports:
    - name: web
      port: 9091
  selector:
    app: authelia

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: authelia-websecure-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`sso.dezendorf.net`)
    kind: Rule
    services:
    - name: authelia
      port: 9091
  tls:
    certResolver: myresolver
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: authelia
spec:
  forwardAuth:
    address: "http://authelia.default.svc.cluster.local:9091/api/verify?rd=https://sso.dezendorf.net/"
    trustForwardHeader: true
    authResponseHeaders:
      - "Remote-User"
      - "Remote-Groups"
      - "Remote-Email"
      - "Remote-Name"