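---
# Deployment for the kyoo auth service (Helm-rendered, chart kyoo-5.0.0).
# Runs one replica of ghcr.io/zoriya/kyoo_auth:5.0.0 in namespace "kyoo".
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyoo-auth
  namespace: kyoo
  labels:
    helm.sh/chart: kyoo-5.0.0
    app.kubernetes.io/name: kyoo-auth
    app.kubernetes.io/instance: kyoo
    app.kubernetes.io/component: auth
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: kyoo
    app.kubernetes.io/version: "5.0.0"
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: kyoo-auth
      app.kubernetes.io/instance: kyoo
  template:
    metadata:
      labels:
        helm.sh/chart: kyoo-5.0.0
        app.kubernetes.io/name: kyoo-auth
        app.kubernetes.io/instance: kyoo
        app.kubernetes.io/component: auth
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/part-of: kyoo
        app.kubernetes.io/version: "5.0.0"
    spec:
      # Pod-level context only: fsGroup makes the mounted volumes
      # group-accessible to GID 1000. No container-level securityContext
      # is set here (runAsNonRoot, allowPrivilegeEscalation,
      # readOnlyRootFilesystem, capabilities.drop) — NOTE(review): consider
      # adding one once it is confirmed the image runs as a non-root user.
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      serviceAccountName: kyoo-auth
      containers:
        - name: main
          image: ghcr.io/zoriya/kyoo_auth:5.0.0
          imagePullPolicy: IfNotPresent
          # Explicit empty list: a bare "args:" parses as null. Either way the
          # image's own CMD is used.
          args: []
          env:
            # Claims granted to every authenticated user.
            - name: EXTRA_CLAIMS
              value: "{\"permissions\": [\"core.read\", \"core.play\"], \"verified\": false}"
            # Claims granted to the first user created (administrator set).
            - name: FIRST_USER_CLAIMS
              value: "{\"permissions\": [\"users.read\", \"users.write\", \"apikeys.read\", \"apikeys.write\", \"users.delete\", \"core.read\", \"core.write\", \"core.play\", \"scanner.trigger\", \"scanner.guess\", \"scanner.search\", \"scanner.add\"], \"verified\": true}"
            # Claims for unauthenticated (guest) access.
            - name: GUEST_CLAIMS
              value: "{\"permissions\": [\"core.read\"], \"verified\": true}"
            # Claim names users are not allowed to set on themselves.
            - name: PROTECTED_CLAIMS
              value: "permissions,verified"
            - name: PUBLIC_URL
              value: "https://kyoo.alexlebens.net"
            # Scanner API key comes from a Secret, never inline.
            - name: KEIBI_APIKEY_SCANNER
              valueFrom:
                secretKeyRef:
                  key: scanner-apikey
                  name: kyoo-key-secret
            - name: KEIBI_APIKEY_SCANNER_CLAIMS
              value: "{\"permissions\": [\"core.read\", \"core.write\"]}"
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  key: user
                  name: kyoo-postgresql-18-cluster-app
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  key: password
                  name: kyoo-postgresql-18-cluster-app
            - name: PGDATABASE
              value: "kyoo_auth"
            - name: PGHOST
              value: "kyoo-postgresql-18-cluster-rw"
            - name: PGPORT
              value: "5432"
            # "disable" means the Postgres connection is unencrypted: the
            # credentials above and the auth data cross the cluster network in
            # plaintext. NOTE(review): if the cluster's Postgres serves TLS,
            # "require" or "verify-full" would close that gap.
            - name: PGSSLMODE
              value: "disable"
            # Token-signing key; read from the read-only Secret mount below.
            - name: RSA_PRIVATE_KEY_PATH
              value: /mnt/private_key/private_key.pem
            - name: OIDC_AUTHENTIK_NAME
              value: "Authentik"
            - name: OIDC_AUTHENTIK_LOGO
              value: "https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/authentik.webp"
            - name: OIDC_AUTHENTIK_CLIENTID
              valueFrom:
                secretKeyRef:
                  key: client
                  name: kyoo-oidc-secret
            - name: OIDC_AUTHENTIK_SECRET
              valueFrom:
                secretKeyRef:
                  key: secret
                  name: kyoo-oidc-secret
            - name: OIDC_AUTHENTIK_AUTHORIZATION
              value: "https://authentik.alexlebens.net/application/o/authorize/"
            - name: OIDC_AUTHENTIK_TOKEN
              value: "https://authentik.alexlebens.net/application/o/token/"
            - name: OIDC_AUTHENTIK_PROFILE
              value: "https://authentik.alexlebens.net/application/o/userinfo/"
            - name: OIDC_AUTHENTIK_SCOPE
              value: "email openid profile"
            - name: OIDC_AUTHENTIK_AUTHMETHOD
              value: "ClientSecretBasic"
          ports:
            - name: main
              containerPort: 4568
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /auth/health
              port: main
          readinessProbe:
            httpGet:
              path: /auth/ready
              port: main
          # Requests only; no limits are declared, so the container is not
          # capped on CPU or memory. NOTE(review): add limits if the namespace
          # has no LimitRange/ResourceQuota.
          resources:
            requests:
              cpu: 10m
              memory: 100Mi
          volumeMounts:
            - name: profilepictures
              mountPath: /profile_pictures
            # Private key is mounted read-only so the process cannot alter it.
            - name: private-key
              mountPath: /mnt/private_key
              readOnly: true
      volumes:
        - name: profilepictures
          persistentVolumeClaim:
            claimName: kyoo-authprofile-pictures
        # Only the rsa-private key of the Secret is projected into the pod.
        - name: private-key
          secret:
            secretName: kyoo-key-secret
            items:
              - key: rsa-private
                path: private_key.pem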