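# Deployment + Service — Authelia (namespace: sso)
#
# Authelia is the authentication frontend: it handles username/password entry
# and redirects back to KeyCape with an authorization code. KeyCape then
# invokes the privacyIDEA adapter to perform the MFA step.
#
# Prerequisites (apply in order):
#   1. pvc.yaml          — authelia-data PVC
#   2. configmap.yaml    — authelia-config ConfigMap
#   3. create-secrets.sh — authelia-secrets (JWT, session, storage, LDAP, OIDC keys)
#   4. This file
#   5. ingress.yaml
#
# Sensitive values are passed as *_FILE env vars pointing to Secret-mounted files.
# See configmap.yaml for the full list of injected secrets.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
  strategy:
    type: Recreate  # single replica; SQLite cannot be accessed concurrently
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
        app.kubernetes.io/part-of: net-kingdom-sso-mfa
        net-kingdom/component: sso
    spec:
      # Nothing in this manifest grants or uses Kubernetes API access, so the
      # default ServiceAccount token is not mounted into the pod.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 8000  # authelia default user
        fsGroup: 8000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: authelia
          # Pin to a specific 4.x release. Check https://hub.docker.com/r/authelia/authelia
          image: authelia/authelia:4.38
          imagePullPolicy: IfNotPresent
          securityContext:
            # The process runs as a non-root user and listens on the
            # unprivileged port 9091, so it needs no Linux capability and
            # privilege escalation (setuid / file capabilities) can be blocked.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            # readOnlyRootFilesystem is intentionally not set here — confirm
            # Authelia writes only under /var/authelia/data before enabling it.
          ports:
            - name: http
              containerPort: 9091
              protocol: TCP
          # ── Secret file paths — Authelia reads *_FILE env vars ──────────
          env:
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /run/secrets/authelia/jwt_secret
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /run/secrets/authelia/session_secret
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /run/secrets/authelia/storage_encryption_key
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /run/secrets/authelia/ldap_password
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
              value: /run/secrets/authelia/oidc_hmac_secret
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
              value: /run/secrets/authelia/oidc_issuer_private_key
          volumeMounts:
            # Config from ConfigMap
            - name: config
              mountPath: /config/configuration.yml
              subPath: configuration.yml
              readOnly: true
            # Secrets as files
            - name: secrets
              mountPath: /run/secrets/authelia
              readOnly: true
            # Writable data (SQLite DB + notification log)
            - name: data
              mountPath: /var/authelia/data
          startupProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 18  # 18 × 5s = 90s for initial LDAP connection
          # Liveness/readiness start at 0s because the startup probe above
          # gates them until the first successful health check.
          livenessProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 0
            periodSeconds: 15
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 0
            periodSeconds: 10
            failureThreshold: 3
          resources:
            requests:
              cpu: "50m"
              memory: "128Mi"
            limits:
              cpu: "500m"
              memory: "256Mi"
      volumes:
        - name: config
          configMap:
            name: authelia-config
        - name: secrets
          secret:
            secretName: authelia-secrets
        - name: data
          persistentVolumeClaim:
            claimName: authelia-data
---
# Service — ClusterIP; Traefik and KeyCape reach Authelia via port 9091.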
apiVersion: v1
kind: Service
metadata:
  name: authelia
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  # ClusterIP only: Authelia is never exposed directly, callers reach it
  # in-cluster (the Ingress in ingress.yaml fronts it externally).
  type: ClusterIP
  # Must match the Deployment's pod template label.
  selector:
    app.kubernetes.io/name: authelia
  ports:
    - name: http
      protocol: TCP
      port: 9091        # Service port seen by Traefik / KeyCape
      targetPort: 9091  # the container's "http" port