From 0ec31ac5a9443e19d09ab81ae6ce3818c8b07aee Mon Sep 17 00:00:00 2001
From: Mayne0213
Date: Tue, 30 Dec 2025 21:58:41 +0900
Subject: [PATCH] FEAT(authentik): add authelia sso - replacing authentik
---
 authelia/argocd.yaml | 44 ++++++++++++
 authelia/helm-values.yaml | 102 +++++++++++++++++++++++++++
 authelia/ingress.yaml | 24 +++++++
 authelia/kustomization.yaml | 7 ++
 authelia/middleware.yaml | 14 ++++
 authelia/users-database.yaml | 19 +++++
 authelia/vault/authelia-secrets.yaml | 26 +++++++
 7 files changed, 236 insertions(+)
 create mode 100644 authelia/argocd.yaml
 create mode 100644 authelia/helm-values.yaml
 create mode 100644 authelia/ingress.yaml
 create mode 100644 authelia/kustomization.yaml
 create mode 100644 authelia/middleware.yaml
 create mode 100644 authelia/users-database.yaml
 create mode 100644 authelia/vault/authelia-secrets.yaml
diff --git a/authelia/argocd.yaml b/authelia/argocd.yaml
new file mode 100644
index 0000000..fd97071
--- /dev/null
+++ b/authelia/argocd.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: authelia
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ sources:
+ - repoURL: https://charts.authelia.com
+ chart: authelia
+ targetRevision: 0.9.*
+ helm:
+ valueFiles:
+ - $values/authelia/helm-values.yaml
+ - repoURL: https://github.com/Mayne0213/cluster-infrastructure.git
+ targetRevision: main
+ ref: values
+ - repoURL: https://github.com/Mayne0213/cluster-infrastructure.git
+ targetRevision: main
+ path: authelia
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: authelia
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+ managedNamespaceMetadata:
+ labels:
+ goldilocks.fairwinds.com/enabled: 'true'
+ revisionHistoryLimit: 10
diff --git a/authelia/helm-values.yaml b/authelia/helm-values.yaml
new file mode 100644
index 0000000..01c1105
--- /dev/null
+++ b/authelia/helm-values.yaml
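Review bot: `targetRevision: 0.9.*` on the chart source, together with `automated.prune: true` and `selfHeal: true`, rolls any new 0.9.x release published to charts.authelia.com into the cluster with no review, and this is the component that gates access to every other service. Pin an exact chart version (`targetRevision: "0.9.<pinned-version>"`, placeholder) and bump it through a pull request so chart upgrades are reviewed like any other change. The two git sources track `targetRevision: main` of the repo itself; that is narrower exposure, but a short comment above the chart source stating the pin-or-float policy would help the next reader.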
@@ -0,0 +1,102 @@
+# Authelia Helm Values
+# Chart: https://charts.authelia.com
+
+# Domain configuration
+domain: mayne0213.kro.kr
+
+# Ingress - disabled, using separate ingress.yaml
+ingress:
+ enabled: false
+
+# Pod configuration
+pod:
+ replicas: 1
+ resources:
+ requests:
+ cpu: 25m
+ memory: 64Mi
+ limits:
+ memory: 128Mi
+ extraVolumes:
+ - name: users-database
+ configMap:
+ name: authelia-users
+ extraVolumeMounts:
+ - name: users-database
+ mountPath: /config/users_database.yml
+ subPath: users_database.yml
+ readOnly: true
+
+# ConfigMap configuration
+configMap:
+ # Authentication backend - file-based users
+ authentication_backend:
+ file:
+ enabled: true
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2
+ argon2:
+ variant: argon2id
+ iterations: 3
+ memory: 65536
+ parallelism: 4
+ key_length: 32
+ salt_length: 16
+
+ # Session configuration
+ session:
+ cookies:
+ - domain: mayne0213.kro.kr
+ authelia_url: https://auth.mayne0213.kro.kr
+ default_redirection_url: https://mayne.kro.kr
+
+ # Storage - local SQLite (lightweight)
+ storage:
+ local:
+ enabled: true
+ path: /data/db.sqlite3
+
+ # Access control rules
+ access_control:
+ default_policy: deny
+ rules:
+ # Bypass for public services
+ - domain:
+ - mayne.kro.kr
+ - "*.jaejadle.kro.kr"
+ - "*.joossameng.kro.kr"
+ - "*.jovies.kro.kr"
+ - "*.minjo0213.kro.kr"
+ - "*.todo0213.kro.kr"
+ policy: bypass
+ # One factor for admin services
+ - domain:
+ - "*.mayne0213.kro.kr"
+ policy: one_factor
+
+ # Notifier - filesystem (no email)
+ notifier:
+ filesystem:
+ enabled: true
+ filename: /data/notification.txt
+
+ # TOTP configuration
+ totp:
+ enabled: true
+ issuer: mayne0213.kro.kr
+
+ # Identity providers (OIDC) - can be enabled later
+ identity_providers:
+ oidc:
+ enabled: false
+
+# Secret configuration - use existing secret from Vault
+secret:
+ existingSecret: authelia-secrets
+
+# Persistence for SQLite database
+persistence:
+ enabled: true
+ storageClass: longhorn
+ size: 1Gi
diff --git a/authelia/ingress.yaml b/authelia/ingress.yaml
new file mode 100644
index 0000000..88199c5
--- /dev/null
+++ b/authelia/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: authelia-ingress
+ namespace: authelia
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - auth.mayne0213.kro.kr
+ secretName: authelia-tls
+ rules:
+ - host: auth.mayne0213.kro.kr
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: authelia
+ port:
+ number: 80
diff --git a/authelia/kustomization.yaml b/authelia/kustomization.yaml
new file mode 100644
index 0000000..d379879
--- /dev/null
+++ b/authelia/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- vault/authelia-secrets.yaml
+- ingress.yaml
+- middleware.yaml
+- users-database.yaml
diff --git a/authelia/middleware.yaml b/authelia/middleware.yaml
new file mode 100644
index 0000000..42c48df
--- /dev/null
+++ b/authelia/middleware.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authelia-auth
+ namespace: authelia
+spec:
+ forwardAuth:
+ address: http://authelia.authelia.svc.cluster.local/api/authz/forward-auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Remote-User
+ - Remote-Groups
+ - Remote-Email
+ - Remote-Name
diff --git a/authelia/users-database.yaml b/authelia/users-database.yaml
new file mode 100644
index 0000000..b7dd0b8
--- /dev/null
+++ b/authelia/users-database.yaml
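Review bot: `default_redirection_url: https://mayne.kro.kr` is not under the only session cookie domain, `mayne0213.kro.kr`, and as far as I recall Authelia's configuration validator refuses a redirection URL outside the cookie domain, so the pod may not start at all — verify against the Authelia version the 0.9.x chart deploys. The same mismatch makes the `bypass` rule for `mayne.kro.kr` and the `*.jaejadle.kro.kr`-style hosts dead configuration, since requests for hosts outside a configured cookie domain cannot be served by this instance; either add those domains as further `session.cookies` entries or drop the rule and say so in the comment. The hosts the comment calls "admin services" (`*.mayne0213.kro.kr`) get `policy: one_factor` even though `totp.enabled: true`; `policy: two_factor` is what makes the enrolled second factor actually required. The filesystem notifier writes identity-verification links (TOTP enrollment, password reset) to `/data/notification.txt` on the persistent volume, so a comment such as `# NOTE: verification links are written to notification.txt on the PVC; anyone with pod or volume access can read them` would document what "no email" trades away.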
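Review bot: `trustForwardHeader: true` tells Traefik to pass incoming `X-Forwarded-*` headers through to Authelia, and the host and scheme Authelia evaluates `access_control` against come from exactly those headers; this matches Authelia's Traefik example, but it moves the safety of that decision onto the entrypoint's `forwardedHeaders` settings, which are not part of this commit. Please confirm the `web`/`websecure` entrypoints keep `forwardedHeaders` untrusted or limited to the upstream load balancer's IPs, and record that dependency inline: `# safe only while the entrypoints do not trust X-Forwarded-* from arbitrary clients`. The `address` is plain `http://` to the service; usual in-cluster, but a one-line comment that the forward-auth hop relies on the cluster network boundary rather than TLS would make the assumption explicit.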
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: authelia-users
+ namespace: authelia
+data:
+ users_database.yml: |
+ # Authelia Users Database
+ # Generate password hash: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2
+ users:
+ admin:
+ disabled: false
+ displayname: "Admin"
+ email: admin@mayne0213.kro.kr
+ # Default password: changeme (CHANGE THIS!)
+ # Generate new hash: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2
+ password: "$argon2id$v=19$m=65536,t=3,p=4$placeholder$placeholder"
+ groups:
+ - admins
diff --git a/authelia/vault/authelia-secrets.yaml b/authelia/vault/authelia-secrets.yaml
new file mode 100644
index 0000000..49b8a00
--- /dev/null
+++ b/authelia/vault/authelia-secrets.yaml
@@ -0,0 +1,26 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: authelia-secrets
+ namespace: authelia
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: authelia-secrets
+ creationPolicy: Owner
+ data:
+ - secretKey: JWT_TOKEN
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: JWT_SECRET
+ - secretKey: SESSION_ENCRYPTION_KEY
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: SESSION_SECRET
+ - secretKey: STORAGE_ENCRYPTION_KEY
+ remoteRef:
+ key: cluster-infrastructure/authelia
+ property: STORAGE_ENCRYPTION_KEY
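Review bot: The `password` value `$argon2id$v=19$m=65536,t=3,p=4$placeholder$placeholder` is not the digest of any password, so the comment `# Default password: changeme (CHANGE THIS!)` is misleading — no one can log in as `admin` until a real hash is substituted, and Authelia may reject the file at startup if the placeholder does not decode as a valid argon2 digest (verify). Beyond that, a credential database checked into a public GitHub repository as a ConfigMap contradicts how this same commit routes every other secret through Vault; sourcing `users_database.yml` from the ExternalSecret and mounting it as a `secret` volume instead of `configMap` under `pod.extraVolumes` keeps hashes out of git and out of the world-readable ConfigMap. Note also that the file is mounted with `subPath` in helm-values.yaml, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a comment `# mounted via subPath: restart the Authelia pod after editing users` would spare the next operator a confusing debug session. The two identical "Generate ... hash" comments could be collapsed into one at the top of the file.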
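Review bot: The Secret key names (`JWT_TOKEN`, `SESSION_ENCRYPTION_KEY`, `STORAGE_ENCRYPTION_KEY`) have to be exactly what the 0.9.x chart maps into Authelia's secret files when `secret.existingSecret` is set; I cannot confirm those names from this commit, and since the Vault property names (`JWT_SECRET`, `SESSION_SECRET`) already differ from the key names, a comment on each entry such as `# secretKey is the name the chart expects; property is the name stored in Vault` would document the two vocabularies and make a mismatch easy to spot. With `refreshInterval: 1h`, a value rotated in Vault lands in the Kubernetes Secret within the hour but Authelia reads it only at start, and `STORAGE_ENCRYPTION_KEY` in particular cannot simply be swapped because existing SQLite rows stay encrypted under the old key; a note that this key is rotated only through Authelia's storage encryption change procedure would prevent an accidental lockout.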