K3S/addons/authelia/role/chart/templates/deployment.yaml
Sergey Antropoff 225f77598a feat: добавить аддон authelia — SSO forward-auth и OIDC provider
Helm chart + Ansible role для Authelia 4.38:
- Forward-auth для ingress-nginx через аннотации auth-url/auth-signin
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite default или PostgreSQL; опциональный Redis для сессий
- RSA ключ OIDC генерируется автоматически если не задан в vault
- ConfigMap authelia-forward-auth с готовыми аннотациями для любого сервиса
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00


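# Authelia Deployment (Helm template).
# Single replica: the data PVC is ReadWriteOnce (SQLite by default), so only
# one pod may hold it at a time. All secrets are consumed via *_FILE env vars
# from a read-only Secret mount; nothing sensitive is passed as an env value.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "authelia.name" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "authelia.labels" . | nindent 4 }}
spec:
  replicas: 1
  # Recreate is required: with a ReadWriteOnce PVC (SQLite) the old pod must
  # release the volume before the new one can start.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      {{- include "authelia.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "authelia.selectorLabels" . | nindent 8 }}
      annotations:
        # Force a pod rollout whenever the rendered config, secrets or users
        # change; updating a Secret alone does not restart pods.
        # NOTE: these are SHA-256 digests of the raw values, readable by anyone
        # who can read the pod; keep the underlying secrets high-entropy.
        checksum/config: {{ tpl (.Files.Get "files/configuration.yml.tpl") . | sha256sum }}
        checksum/secrets: {{ .Values.secrets | toJson | sha256sum }}
        checksum/users: {{ .Values.users | toJson | sha256sum }}
    spec:
      # Authelia does not call the Kubernetes API; do not mount a SA token.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 8000
        runAsGroup: 8000
        # fsGroup lets the non-root user write the data PVC (SQLite).
        fsGroup: 8000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: authelia
          # Quoted so an empty or number-like tag still renders as a string.
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          # Container-level hardening; the process binds an unprivileged port
          # and needs no Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - authelia
            - --config=/config/configuration.yml
          ports:
            - name: http
              containerPort: 9091
              protocol: TCP
          env:
            # Core secrets — read from mounted files so the values never show
            # up in the pod spec or `kubectl describe`.
            - name: AUTHELIA_JWT_SECRET_FILE
              value: /secrets/jwt_secret
            - name: AUTHELIA_SESSION_SECRET_FILE
              value: /secrets/session_secret
            - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
              value: /secrets/storage_encryption_key
            {{- if .Values.oidc.enabled }}
            # OIDC provider: HMAC secret and issuer private key (RSA).
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
              value: /secrets/oidc_hmac_secret
            - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
              value: /secrets/oidc_private_key
            {{- end }}
            {{- if eq .Values.storage.type "postgresql" }}
            - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
              value: /secrets/db_password
            {{- end }}
            {{- if .Values.notifier.smtp.enabled }}
            - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
              value: /secrets/smtp_password
            {{- end }}
            # Timezone is overridable via .Values.timezone; the previous
            # hard-coded value remains the default.
            - name: TZ
              value: {{ .Values.timezone | default "Europe/Moscow" | quote }}
          volumeMounts:
            - name: config
              mountPath: /config
              readOnly: true
            # users_database.yml is projected into /config next to the
            # rendered configuration (subPath keeps the rest of /config intact).
            - name: users
              mountPath: /config/users_database.yml
              subPath: users_database.yml
              readOnly: true
            - name: secrets
              mountPath: /secrets
              readOnly: true
            - name: data
              mountPath: /data
          readinessProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 10
            periodSeconds: 10
            failureThreshold: 3
          livenessProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 30
            periodSeconds: 30
            failureThreshold: 3
          # Startup probe gives the container up to 10 + 12*5 = 70 s before the
          # liveness probe starts counting failures.
          startupProbe:
            httpGet:
              path: /api/health
              port: 9091
            initialDelaySeconds: 10
            periodSeconds: 5
            failureThreshold: 12
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: config
          secret:
            secretName: {{ include "authelia.name" . }}-config
        - name: users
          secret:
            secretName: {{ include "authelia.name" . }}-users
        - name: secrets
          secret:
            secretName: {{ include "authelia.name" . }}-secrets
            # 0400 (owner read-only) written in decimal so the value does not
            # depend on YAML 1.1 vs 1.2 octal handling of a leading zero.
            defaultMode: 256
        - name: data
          persistentVolumeClaim:
            claimName: {{ include "authelia.name" . }}-data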