flux-infra/apps/authelia/release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: authelia
spec:
  chart:
    spec:
      chart: authelia
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: authelia
      version: 0.9.9
  interval: 15m
  values:
    pod:
      replicas: 2
    ingress:
      enabled: true
      tls:
        enabled: true
        secret: ${domain//./-}-tls
      traefikCRD:
        enabled: true
        entryPoints:
          - websecure

    secret:
      additionalSecrets:
        authelia-db-cluster-app:
          key: authelia-db-cluster-app
        authelia-lldap:
          key: authelia-lldap

    configMap:
      authentication_backend:
        ldap:
          enabled: true
          implementation: custom
          address: ldap://lldap.lldap.svc.cluster.local:3890
          base_dn: dc=huizinga,dc=dev
          additional_users_dn: ou=people
          users_filter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"
          additional_groups_dn: ou=groups
          groups_filter: "(member={dn})"
          attributes:
            display_name: displayName
            username: uid
            group_name: cn
            mail: mail
          user: uid=authelia,ou=people,dc=huizinga,dc=dev
          password:
            secret_name: authelia-lldap
            path: password

      session:
        cookies:
          - subdomain: login${subdomain}
            domain: ${topdomain}
        redis:
          enabled: true
          host: dragonflydb.authelia

      storage:
        postgres:
          enabled: true
          address: tcp://authelia-db-cluster-rw.authelia:5432
          database: app
          username: app
          password:
            secret_name: authelia-db-cluster-app
            path: password

      notifier:
        filesystem:
          enabled: true

      access_control:
        rules:
          - domain: traefik.${domain}
            policy: one_factor
            subject: "group:lldap_admin"
          # Deny by default, mainly a placeholder to allow patching in other rules
          - domain: "*"
            policy: deny