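---
# Authelia (authentication portal) deployment: Namespace, PersistentVolumeClaim,
# Service, StatefulSet and Ingress, all in the `authelia` namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: authelia

---
# Persistent storage for the pod; mounted at /var/lib/authelia by the
# StatefulSet below.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

---
# Cluster-internal Service; the Ingress at the end of this file routes to its
# `http` port by name.
apiVersion: v1
kind: Service
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  ports:
    - port: 9091
      name: http
  selector:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
  type: ClusterIP

---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  serviceName: authelia
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: authelia
      app.kubernetes.io/component: authelia
      app.kubernetes.io/instance: authelia
  template:
    metadata:
      labels:
        app.kubernetes.io/name: authelia
        app.kubernetes.io/component: authelia
        app.kubernetes.io/instance: authelia
    spec:
      # Service links would inject AUTHELIA_* variables for the `authelia`
      # Service in this namespace, overlapping the prefix of the settings
      # passed through `env` below.
      enableServiceLinks: false
      # Nothing in this manifest uses the Kubernetes API, so the
      # service-account token is not mounted into the pod.
      # NOTE(review): revert if something in the image needs API access.
      automountServiceAccountToken: false
      containers:
        - name: authelia
          # NOTE(review): no tag or digest, so this resolves to :latest and a
          # restart can pull a different build of the authentication portal.
          # Pin to a reviewed version, ideally by digest.
          image: ghcr.io/authelia/authelia
          # Each *_FILE value is a path under the read-only `secrets` mount,
          # so the secret material itself never appears in the pod spec or
          # in the container environment.
          env:
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /run/authelia/secrets/jwt.secret
            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
              value: /run/authelia/secrets/ldap.password
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /run/authelia/secrets/session.secret
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /run/authelia/secrets/storage.encryption_key
          # Allows up to 30 failed checks, 3 s apart, after a 5 s initial
          # delay before the container is considered failed to start.
          startupProbe:
            httpGet:
              port: 9091
              path: /api/health
            failureThreshold: 30
            periodSeconds: 3
            initialDelaySeconds: 5
            successThreshold: 1
            timeoutSeconds: 1
          readinessProbe:
            httpGet:
              port: 9091
              path: /api/health
            failureThreshold: 3
            periodSeconds: 60
            successThreshold: 1
            timeoutSeconds: 1
          volumeMounts:
            - name: config
              mountPath: /config/configuration.yml
              subPath: configuration.yml
              readOnly: true
            - name: secrets
              mountPath: /run/authelia/secrets
              readOnly: true
            - name: data
              mountPath: /var/lib/authelia
              subPath: authelia
          # Container-level hardening: the process runs as UID 1000 and
          # listens on 9091 (an unprivileged port), so it needs neither
          # privilege escalation nor any Linux capability.
          # NOTE(review): readOnlyRootFilesystem is left unset because this
          # manifest does not show whether the image writes outside
          # /var/lib/authelia; confirm and enable it if it does not.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      # Pod-level security context (fsGroup is only valid at this level).
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Apply the container runtime's default seccomp filter instead of
        # running unconfined.
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: config
          configMap:
            name: authelia
        - name: secrets
          secret:
            secretName: authelia
        - name: data
          persistentVolumeClaim:
            claimName: authelia

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
  namespace: authelia
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/component: authelia
    app.kubernetes.io/instance: authelia
    app.kubernetes.io/part-of: authelia
spec:
  ingressClassName: nginx
  # No secretName is given, so TLS for this host relies on the ingress
  # controller's default certificate.
  # NOTE(review): confirm the controller serves a valid certificate for this
  # host; credentials and session cookies cross this endpoint.
  tls:
    - hosts:
        - auth.pyrocufflink.blue
  rules:
    - host: auth.pyrocufflink.blue
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  name: http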