add app key

clusters/cl01tl/applications/koel/templates/ingress-route.yaml

@@ -0,0 +1,33 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: koel
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: koel
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`koel.alexlebens.net`)
+      middlewares:
+        - name: authentik-koel
+          namespace: {{ .Release.Namespace }}
+      priority: 10
+      services:
+        - kind: Service
+          name: koel
+          port: 80
+    - kind: Rule
+      match: Host(`koel.alexlebens.net`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      priority: 15
+      services:
+        - kind: Service
+          name: authentik-outpost-proxy
+          port: 9000
+          namespace: authentik

clusters/cl01tl/applications/koel/templates/middleware.yaml

@@ -0,0 +1,27 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: authentik-koel
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: authentik-koel
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: auth
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  forwardAuth:
+    address: http://authentik-outpost-proxy.authentik:9000/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version

clusters/cl01tl/applications/koel/values.yaml

@@ -20,6 +20,11 @@ koel:
               value: true
             - name: APP_URL
               value: https://koel.alexlebens.dev
+            - name: APP_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: koel-config-secret
+                  key: app-key
             - name: STREAMING_METHOD
               value: x-accel-redirect
             - name: OUTPUT_BIT_RATE
@@ -92,26 +97,6 @@ koel:
           port: 80
           targetPort: 80
           protocol: HTTP
-  ingress:
-    main:
-      enabled: true
-      className: traefik
-      annotations:
-        traefik.ingress.kubernetes.io/router.entrypoints: websecure
-        traefik.ingress.kubernetes.io/router.tls: "true"
-        cert-manager.io/cluster-issuer: letsencrypt-issuer
-      hosts:
-        - host: koel.alexlebens.net
-          paths:
-            - path: /
-              pathType: Prefix
-              service:
-                name: koel
-                port: 80
-      tls:
-        - secretName: koel-secret-tls
-          hosts:
-            - koel.alexlebens.net
   persistence:
     covers:
       storageClass: ceph-block