coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8db000e5f03bc2bd80c19c99aedb993da0d68a63
net-kingdom/sso-mfa/k8s/authelia/deployment.yaml
Bernd Worsch 0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05) 
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00

148 lines
4.6 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Deployment + Service — Authelia (namespace: sso)
#
# Authelia is the authentication frontend: it handles username/password entry
# and redirects back to KeyCape with an authorization code. KeyCape then
# invokes the privacyIDEA adapter to perform the MFA step.
#
# Prerequisites (apply in order):
# 1. pvc.yaml — authelia-data PVC
# 2. configmap.yaml — authelia-config ConfigMap
# 3. create-secrets.sh — authelia-secrets (JWT, session, storage, LDAP, OIDC keys)
# 4. This file
# 5. ingress.yaml
#
# Sensitive values are passed as *_FILE env vars pointing to Secret-mounted files.
# See configmap.yaml for the full list of injected secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
namespace: sso
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: authelia
strategy:
type: Recreate # single replica; SQLite cannot be accessed concurrently
template:
metadata:
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
securityContext:
runAsNonRoot: true
runAsUser: 8000 # authelia default user
fsGroup: 8000
containers:
- name: authelia
# Pin to a specific 4.x release. Check https://hub.docker.com/r/authelia/authelia
image: authelia/authelia:4.38
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 9091
protocol: TCP
# ── Secret file paths — Authelia reads *_FILE env vars ──────────
env:
- name: AUTHELIA_JWT_SECRET_FILE
value: /run/secrets/authelia/jwt_secret
- name: AUTHELIA_SESSION_SECRET_FILE
value: /run/secrets/authelia/session_secret
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
value: /run/secrets/authelia/storage_encryption_key
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
value: /run/secrets/authelia/ldap_password
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
value: /run/secrets/authelia/oidc_hmac_secret
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
value: /run/secrets/authelia/oidc_issuer_private_key
- name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
value: /run/secrets/authelia/keycape_client_secret_hash
volumeMounts:
# Config from ConfigMap
- name: config
mountPath: /config/configuration.yml
subPath: configuration.yml
readOnly: true
# Secrets as files
- name: secrets
mountPath: /run/secrets/authelia
readOnly: true
# Writable data (SQLite DB + notification log)
- name: data
mountPath: /var/authelia/data
startupProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 5
periodSeconds: 5
failureThreshold: 18 # 18 × 5s = 90s for initial LDAP connection
livenessProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 0
periodSeconds: 15
failureThreshold: 3
readinessProbe:
httpGet:
path: /api/health
port: 9091
initialDelaySeconds: 0
periodSeconds: 10
failureThreshold: 3
resources:
requests:
cpu: "50m"
memory: "128Mi"
limits:
cpu: "500m"
memory: "256Mi"
volumes:
- name: config
configMap:
name: authelia-config
- name: secrets
secret:
secretName: authelia-secrets
- name: data
persistentVolumeClaim:
claimName: authelia-data
---
# Service — ClusterIP; Traefik and KeyCape reach Authelia via port 9091.
apiVersion: v1
kind: Service
metadata:
name: authelia
namespace: sso
labels:
app.kubernetes.io/name: authelia
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: authelia
ports:
- name: http
port: 9091
targetPort: 9091
protocol: TCP
Reference in New Issue View Git Blame Copy Permalink