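---
# Namespace that holds every Authelia resource defined in this file.
apiVersion: v1
kind: Namespace
metadata:
  name: authelia

---
# Cluster-internal Service in front of the Authelia pod. It publishes a
# single port, 9091, under the name "http"; the Ingress at the end of this
# file refers to the port by that name.
apiVersion: v1
kind: Service
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 9091
  selector:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia

---
# Single-replica Authelia Deployment. Configuration comes from the
# "authelia" ConfigMap and every secret value from the "authelia" Secret;
# neither object is defined in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
      app.kubernetes.io/component: authelia
      app.kubernetes.io/instance: authelia
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
        app.kubernetes.io/component: authelia
        app.kubernetes.io/instance: authelia
    spec:
      # With service links enabled, the Service named "authelia" would inject
      # AUTHELIA_SERVICE_HOST / AUTHELIA_PORT* variables, which share the
      # AUTHELIA_ prefix used for the settings below -- presumably why this
      # is switched off.
      enableServiceLinks: false
      # Nothing in this manifest defines a ServiceAccount or RBAC for the
      # pod, so the API token is not mounted into the container.
      automountServiceAccountToken: false
      # Pod-level identity: non-root UID/GID 1000. fsGroup makes the mounted
      # volumes group-accessible to GID 1000.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: authelia
          # NOTE(review): no tag or digest, so this resolves to ":latest"
          # unless it is pinned elsewhere (e.g. a Kustomize "images:"
          # override). Pin to a reviewed version or digest so a rollout
          # cannot silently pull a different build of the auth gateway.
          image: ghcr.io/authelia/authelia
          # Container-level hardening: the process already runs as UID 1000
          # and listens on the unprivileged port 9091, so it needs no Linux
          # capabilities and no privilege escalation.
          # NOTE(review): readOnlyRootFilesystem is left unset because the
          # configuration (and any writable paths it names) is not visible
          # here; enable it once those paths are confirmed.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # Each *_FILE variable holds only the path of a file under the
          # read-only secrets mount, so no secret value appears in the pod
          # spec or in the container environment.
          env:
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /run/authelia/secrets/jwt.secret
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /run/authelia/secrets/ldap.password
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /run/authelia/secrets/session.secret
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /run/authelia/secrets/storage.encryption_key
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
              value: /run/authelia/secrets/oidc.hmac_secret
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
              value: /run/authelia/secrets/oidc.issuer_private_key
          # Startup: first check after 5 s, then every 3 s, up to 30 failures
          # before the container is restarted.
          startupProbe:
            httpGet:
              port: 9091
              path: /api/health
            initialDelaySeconds: 5
            periodSeconds: 3
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 30
          # Readiness: polled once a minute; three consecutive failures take
          # the pod out of the Service endpoints.
          readinessProbe:
            httpGet:
              port: 9091
              path: /api/health
            periodSeconds: 60
            timeoutSeconds: 1
            successThreshold: 1
            failureThreshold: 3
          volumeMounts:
            # Only configuration.yml is projected (subPath), read-only.
            - name: config
              mountPath: /config/configuration.yml
              subPath: configuration.yml
              readOnly: true
            # Directory the *_FILE variables above point into.
            - name: secrets
              mountPath: /run/authelia/secrets
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: authelia
        - name: secrets
          secret:
            secretName: authelia

---
# Public entry point: routes every path on auth.pyrocufflink.blue to the
# Service port named "http" through the "nginx" ingress class.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  ingressClassName: nginx
  # NOTE(review): the tls entry lists the host but no secretName, so the
  # certificate presented is whatever the ingress controller serves by
  # default -- confirm that default certificate covers this host.
  tls:
    - hosts:
        - auth.pyrocufflink.blue
  rules:
    - host: auth.pyrocufflink.blue
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  name: http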