feat(longhorn): enable auth via authelia (#159)

martinohmann · Dec 28, 2023 · c25cec6 · c25cec6
1 parent 5658b94
commit c25cec6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/kubernetes/apps/default/authelia/app/resources/configuration.yaml b/kubernetes/apps/default/authelia/app/resources/configuration.yaml
@@ -66,7 +66,13 @@ access_control:
   networks:
     - name: internal
       networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
-  rules: []
+  rules:
+    - domain: longhorn.18b.haus
+      policy: one_factor
+      subject:
+        - ['group:admins']
+    - domain: longhorn.18b.haus
+      policy: deny
 
 identity_providers:
   oidc:

diff --git a/kubernetes/apps/longhorn-system/longhorn/app/helmrelease.yaml b/kubernetes/apps/longhorn-system/longhorn/app/helmrelease.yaml
@@ -53,5 +53,11 @@ spec:
         hajimari.io/appName: Longhorn
         hajimari.io/group: storage
         hajimari.io/icon: mdi:harddisk-plus
+        nginx.ingress.kubernetes.io/auth-method: GET
+        nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+        nginx.ingress.kubernetes.io/auth-signin: https://auth.18b.haus?rm=$request_method
+        nginx.ingress.kubernetes.io/auth-snippet: |
+          proxy_set_header X-Forwarded-Method $request_method;
+        nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local/api/verify
       tls: true
       host: "longhorn.18b.haus"