From 6cd7eae0d37803868f22e0456513cd3c4647d999 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Tue, 2 May 2023 21:58:53 -0500 Subject: [PATCH] phpipam: Use Authelia for authentication phpIPAM supports "Apache authentication" which effectively delegates authentication to the web server and trusts the `PHP_AUTH_USER` server variable. This variable is usually set by an Apache authentication module, but it can be set manually in the config. Here, we're using `SetEnvIf` to populate it from the value of the `Remote-User` header set by Authelia. --- phpipam/phpipam.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/phpipam/phpipam.yaml b/phpipam/phpipam.yaml index 2590f3e..8ed3e07 100644 --- a/phpipam/phpipam.yaml +++ b/phpipam/phpipam.yaml @@ -6,6 +6,25 @@ metadata: app.kubernetes.io/name: phpipam name: phpipam +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: phpipam-httpd-conf + namespace: phpipam +data: + phpipam.conf: | + + DocumentRoot /phpipam + SetEnvIf Remote-User "(.*)$" PHP_AUTH_USER=$1 + + + + AllowOverride All + Options FollowSymLinks + Require all granted + + --- apiVersion: v1 kind: PersistentVolumeClaim @@ -118,6 +137,11 @@ spec: add: - NET_ADMIN - NET_RAW + volumeMounts: + - name: httpd-conf + mountPath: /etc/apache2/conf.d/phpipam.conf + subPath: phpipam.conf + readOnly: true - image: docker.io/phpipam/phpipam-cron:v1.5.2 imagePullPolicy: IfNotPresent name: phpipam-cron @@ -136,6 +160,10 @@ spec: add: - NET_ADMIN - NET_RAW + volumes: + - name: httpd-conf + configMap: + name: phpipam-httpd-conf affinity: podAffinity: preferredDuringSchedulingIgnoredDuringExecution: 
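Review bot: The `SetEnvIf Remote-User "(.*)$" PHP_AUTH_USER=$1` line in phpipam.conf makes Apache take the identity from a request header, and nothing in this manifest limits who can send that header to the pod. The ingress annotations added later in the patch set the header only for traffic that passes through the ingress controller; a request that reaches the phpipam Service by another path inside the cluster would carry whatever `Remote-User` value the sender chose. I would add a NetworkPolicy that admits only the ingress controller's namespace, as sketched below (the namespace value is a placeholder). mod_setenvif also appears to treat an absent header as an empty string, so anchoring the pattern as `SetEnvIf Remote-User "^(.+)$" PHP_AUTH_USER=$1` would keep the variable unset when no user was supplied.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: phpipam-ingress-only
  namespace: phpipam
spec:
  # Applies to every pod in the phpipam namespace.
  # Only effective when the cluster's CNI plugin enforces NetworkPolicy.
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Placeholder: the namespace the ingress controller runs in.
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE
```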
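Review bot: The `subPath` mount of phpipam.conf will not pick up later edits to the phpipam-httpd-conf ConfigMap, because Kubernetes does not refresh subPath-mounted ConfigMap files in a running container. Since this file now decides how the authenticated user is derived, a comment above the mount would help, for example `# subPath mounts are not refreshed; restart the pod after changing phpipam-httpd-conf`. The container spec this mount belongs to starts outside the hunk.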
@@ -199,6 +227,10 @@ kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email name: phpipam namespace: phpipam spec:
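Review bot: `auth-response-headers` forwards four identity headers to the backend, but the Apache configuration added in this patch reads only `Remote-User`. If phpIPAM does not use the name, groups or e-mail values, I would limit the annotation to `nginx.ingress.kubernetes.io/auth-response-headers: Remote-User` so those values are not handed to the application and its logs without need. The Ingress resource starts and ends outside the hunk.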