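---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
# Flux HelmRelease deploying Authelia via the bjw-s app-template chart.
# Secrets (DB/session/identity material) are not in this file: they come from
# the `authelia-secret` Secret referenced below and are expanded into the
# mounted configuration at startup.
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  # Anchored so the topology-spread selector below stays in sync with the name.
  name: &app authelia
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 3.2.1
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      strategy: rollback
      retries: 3
  # Authelia authenticates against LLDAP; do not reconcile before it exists.
  dependsOn:
    - name: lldap
      namespace: security
  values:
    controllers:
      authelia:
        replicas: 2
        strategy: RollingUpdate
        annotations:
          # Restart pods when the referenced Secret/ConfigMap changes.
          reloader.stakater.com/auto: "true"
        initContainers:
          init-db:
            image:
              repository: ghcr.io/haraldkoch/postgres-init
              # Quoted: an all-digit tag would otherwise parse as an integer.
              # NOTE(review): unlike the app image this tag is not digest-pinned — confirm that is intended.
              tag: "16"
            # Shared with the app container so both see the same DB credentials.
            envFrom: &envFrom
              - secretRef:
                  name: authelia-secret
        containers:
          app:
            image:
              repository: ghcr.io/authelia/authelia
              # Digest-pinned so a re-tagged image cannot change what runs.
              tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
            env:
              AUTHELIA_SERVER_ADDRESS: tcp://:80
              # The image's built-in healthcheck is replaced by the Kubernetes probes below.
              AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
              # Metrics are exposed on a separate port that is only reachable via the ClusterIP
              # service and the ServiceMonitor, not through the ingress.
              AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
              AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
              AUTHELIA_THEME: dark
              X_AUTHELIA_CONFIG: /config/configuration.yaml
              # Lets the mounted config reference ${VAR} values supplied by the Secret
              # instead of embedding them in the ConfigMap.
              X_AUTHELIA_CONFIG_FILTERS: expand-env
            envFrom: *envFrom
            probes:
              liveness: &probes
                enabled: true
                custom: true
                spec:
                  httpGet:
                    path: /api/health
                    port: &port 80
                  initialDelaySeconds: 0
                  periodSeconds: 10
                  timeoutSeconds: 1
                  failureThreshold: 3
              readiness: *probes
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
            resources:
              requests:
                cpu: 10m
                memory: 32Mi
              limits:
                memory: 128Mi
        pod:
          securityContext:
            runAsUser: 568
            runAsGroup: 568
            runAsNonRoot: true
            # NOTE(review): no seccompProfile is set; consider `seccompProfile: { type: RuntimeDefault }`
            # if the cluster's pod security baseline expects it.
          # Keep the two replicas on different nodes so one node loss does not take down auth.
          topologySpreadConstraints:
            - maxSkew: 1
              topologyKey: kubernetes.io/hostname
              whenUnsatisfiable: DoNotSchedule
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: *app
    service:
      app:
        controller: authelia
        ipFamilyPolicy: PreferDualStack
        ports:
          http:
            port: *port
            primary: true
          metrics:
            port: 8080
    serviceMonitor:
      app:
        serviceName: authelia
        endpoints:
          - port: metrics
    ingress:
      app:
        className: external
        annotations:
          # ${CLUSTER_DOMAIN} is substituted by Flux before the release is applied.
          external-dns.alpha.kubernetes.io/target: external.${CLUSTER_DOMAIN}
          hajimari.io/appName: authelia
          hajimari.io/icon: mdi:shield-account
          # NOTE(review): configuration-snippet only takes effect when the ingress-nginx
          # controller has allow-snippet-annotations enabled; verify on the controller.
          # X-XSS-Protection is a legacy header; current guidance is to set it to "0"
          # or omit it, relying on Authelia's own CSP instead.
          nginx.ingress.kubernetes.io/configuration-snippet: |
            add_header Cache-Control "no-store";
            add_header Pragma "no-cache";
            add_header X-Frame-Options "SAMEORIGIN";
            add_header X-XSS-Protection "1; mode=block";
        hosts:
          - host: auth.${CLUSTER_DOMAIN}
            paths:
              - path: /
                service:
                  identifier: app
                  port: http
    persistence:
      config:
        type: configMap
        name: authelia-configmap
        globalMounts:
          # Mounted read-only; secrets are injected via expand-env, not stored here.
          - path: /config/configuration.yaml
            subPath: configuration.yaml
            readOnly: true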