viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/modules/kubernetes/authelia/values.yaml

1717 lines
62 KiB
YAML
Raw Normal View History

add authelia module and a few spam email aliases [ci skip]
2024-01-16 20:24:19 +00:00
---
## @formatter:off
## values.yaml
##
## Repository: authelia https://charts.authelia.com
## Chart: authelia
##
## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0.
## It uses the following providers:
## - authentication: LDAP
## - storage: MySQL
## - session: redis
## Version Override allows changing some chart characteristics that render only on specific versions.
## This does NOT affect the image used, please see the below image section instead for this.
## If this value is not specified, it's assumed the appVersion of the chart is the version.
## The format of this value is x.x.x, for example 4.100.0.
##
## Important Points:
## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion.
## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration
## system.
versionOverride: ""
## Kubernetes Version Override allows forcibly overriding the detected KubeVersion for fallback capabilities assessment.
## The fallback capabilities assessment only occurs if the APIVersions Capabilities list does not include a known
## APIVersion for a manifest which occurs with some CI/CD tooling. This value will completely override the value
## detected by helm.
kubeVersionOverride: ""
## Image Parameters
## ref: https://hub.docker.com/r/authelia/authelia/tags/
##
image:
# registry: docker.io
registry: ghcr.io
repository: authelia/authelia
tag: ""
pullPolicy: IfNotPresent
pullSecrets: []
# pullSecrets:
# - myPullSecretName
# nameOverride: authelia-deployment-name
# appNameOverride: authelia
##
## extra labels/annotations applied to all resources
##
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
##
## RBAC Configuration.
##
rbac:
## Enable RBAC. Turning this on associates Authelia with a service account.
## If the vault injector is enabled, then RBAC must be enabled.
enabled: false
annotations: {}
labels: {}
serviceAccountName: authelia
## Authelia Domain
## Should be the root domain you want to protect.
## For example if you have apps app1.example.com and app2.example.com it should be example.com
## This affects the ingress (partially sets the domain used) and configMap.
## Authelia must be served from the domain or a subdomain under it.
domain: viktorbarzin.me
service:
type: "ClusterIP"
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
port: 80
add authelia in dev mode but then disabled because didnt get it to solve my problem [ci skip]
2024-08-10 13:26:49 +00:00
#nodePort: 30091
add authelia module and a few spam email aliases [ci skip]
2024-01-16 20:24:19 +00:00
# clusterIP:
ingress:
add authelia in dev mode but then disabled because didnt get it to solve my problem [ci skip]
2024-08-10 13:26:49 +00:00
enabled: true
add authelia module and a few spam email aliases [ci skip]
2024-01-16 20:24:19 +00:00
annotations: {}
# annotations:
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
labels: {}
# labels:
# myLabel: myValue
certManager: false
rewriteTarget: true
## The Ingress Class Name.
# className: ingress-nginx
## Subdomain is the only thing required since we specify the domain as part of the root values of the chart.
## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain,
## and specify example.com for the domain.
subdomain: auth
tls:
enabled: true
# secret: authelia-tls
secret: tls-secret
# hostNameOverride:
traefikCRD:
enabled: false
## Use a standard Ingress object, not an IngressRoute.
disableIngressRoute: false
# matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)
entryPoints: []
# entryPoints:
# - http
# priority: 10
# weight: 10
sticky: false
# stickyCookieNameOverride: authelia_traefik_lb
# strategy: RoundRobin
# responseForwardingFlushInterval: 100ms
middlewares:
auth:
# nameOverride: authelia-auth
authResponseHeaders:
- Remote-User
- Remote-Name
- Remote-Email
- Remote-Groups
chains:
auth:
# nameOverride: authelia-auth-chain
# List of Middlewares to apply before the forwardAuth Middleware in the authentication chain.
before: []
# before:
# - name: extra-middleware-name
# namespace: default
# List of Middlewares to apply after the forwardAuth Middleware in the authentication chain.
after: []
# after:
# - name: extra-middleware-name
# namespace: default
ingressRoute:
# List of Middlewares to apply before the middleware in the IngressRoute chain.
before: []
# before:
# - name: extra-middleware-name
# namespace: default
# List of Middlewares to apply after the middleware in the IngressRoute chain.
after: []
# after:
# - name: extra-middleware-name
# namespace: default
# Specific options for the TraefikCRD TLS configuration. The above TLS section is still used.
tls:
## Disables inclusion of the IngressRoute TLSOptions.
disableTLSOptions: false
# existingOptions:
# name: default-traefik-options
# namespace: default
# certResolver: default
# sans:
# - *.example.com
#
options:
# nameOverride: authelia-tls-options
nameOverride: ""
minVersion: VersionTLS12
maxVersion: VersionTLS13
sniStrict: false
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
curvePreferences: []
# curvePreferences:
# - CurveP521
# - CurveP384
pod:
# Must be Deployment, DaemonSet, or StatefulSet.
# kind: DaemonSet
kind: Deployment
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
replicas: 1
revisionHistoryLimit: 5
priorityClassName: ""
strategy:
type: RollingUpdate
# rollingUpdate:
# partition: 1
# maxSurge: 25%
# maxUnavailable: 25%
securityContext:
container: {}
# container:
# runAsUser: 2000
# runAsGroup: 2000
# fsGroup: 2000
pod: {}
# pod:
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
# privileged: false
tolerations: []
# tolerations:
# - key: key1
# operator: Equal
# value: value1
# effect: NoSchedule
# tolerationSeconds: 3600
selectors:
# nodeName: worker-1
nodeSelector: {}
# nodeSelector:
# disktype: ssd
# kubernetes.io/hostname: worker-1
affinity:
nodeAffinity: {}
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/hostname
# operator: In
# values:
# - worker-1
# - worker-2
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 1
# preference:
# matchExpressions:
# - key: node-label-key
# operator: NotIn
# values:
# - not-this
podAffinity: {}
# podAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# - labelSelector:
# matchExpressions:
# - key: security
# operator: In
# values:
# - S1
# topologyKey: topology.kubernetes.io/zone
podAntiAffinity: {}
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 100
# podAffinityTerm:
# labelSelector:
# matchExpressions:
# - key: security
# operator: In
# values:
# - S2
# topologyKey: topology.kubernetes.io/zone
env: []
# env:
# - name: TZ
# value: Australia/Melbourne
resources:
limits: {}
# limits:
# cpu: "4.00"
# memory: 125Mi
requests: {}
# requests:
# cpu: "0.25"
# memory: 50Mi
probes:
method:
httpGet:
path: /api/health
port: http
scheme: HTTP
liveness:
initialDelaySeconds: 0
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readiness:
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18.
## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
startup:
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
extraVolumeMounts: []
extraVolumes: []
##
## Kubernetes Pod Disruption Budget
##
podDisruptionBudget:
enabled: false
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
minAvailable: 0
maxUnavailable: 0
##
## Kubernetes Network Policy
##
networkPolicy:
enabled: false
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
authelia.com/network-policy: namespace
- podSelector:
matchLabels:
authelia.com/network-policy: pod
ports:
- protocol: TCP
port: 9091
##
## Authelia Config Map Generator
##
configMap:
# Enable the configMap source for the Authelia config.
# If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
enabled: true
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
key: configuration.yaml
existingConfigMap: ""
##
## Server Configuration
##
server:
##
## Port sets the configured port for the daemon, service, and the probes.
## Default is 9091 and should not need to be changed.
##
port: 9091
## Set the single level path Authelia listens on.
## Must be alphanumeric chars and should not contain any slashes.
path: ""
## Set the path on disk to Authelia assets.
## Useful to allow overriding of specific static assets.
# asset_path: /config/assets/
asset_path: ""
## Customize Authelia headers.
headers:
## Read the Authelia docs before setting this advanced option.
## https://www.authelia.com/configuration/miscellaneous/server/#csp_template.
csp_template: ""
## Server Buffers configuration.
buffers:
## Read buffer.
read: 4096
## Write buffer.
write: 4096
## Server Timeouts configuration.
timeouts:
## Read timeout.
read: 6s
## Write timeout.
write: 6s
## Idle timeout.
idle: 30s
log:
## Level of verbosity for logs: info, debug, trace.
level: info
## Format the logs are written as: json, text.
format: text
## TODO: Statefulness check should check if this is set, and the configMap should enable it.
## File path where the logs will be written. If not set logs are written to stdout.
# file_path: /config/authelia.log
file_path: ""
##
## Telemetry Configuration
##
telemetry:
##
## Metrics Configuration
##
metrics:
## Enable Metrics.
# enabled: false
enabled: true
## The port to listen on for metrics. This should be on a different port to the main server.port value.
port: 9959
## Metrics Server Buffers configuration.
buffers:
## Read buffer.
read: 4096
## Write buffer.
write: 4096
## Metrics Server Timeouts configuration.
timeouts:
## Read timeout.
read: 6s
## Write timeout.
write: 6s
## Idle timeout.
idle: 30s
serviceMonitor:
enabled: false
annotations: {}
labels: {}
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
## Default is https://www.<domain> (value at the top of the values.yaml).
default_redirection_url: ""
# default_redirection_url: https://example.com
## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
## disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: ""
theme: light
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## Disable TOTP.
disable: false
## The issuer name displayed in the Authenticator application of your choice.
## Defaults to <domain>.
issuer: ""
## The TOTP algorithm to use.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm
algorithm: sha1
## The number of digits a user has to input. Must either be 6 or 8.
## Changing this option only affects newly generated TOTP configurations.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits
digits: 6
## The period in seconds a one-time password is valid for.
## Changing this option only affects newly generated TOTP configurations.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation.
skew: 1
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
secret_size: 32
##
## WebAuthn Configuration
##
## Parameters used for WebAuthn.
webauthn:
## Disable Webauthn.
# disable: false
disable: true
## Adjust the interaction timeout for Webauthn dialogues.
timeout: 60s
## The display name the browser should show the user for when using Webauthn to login/register.
display_name: Authelia
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
## Options are none, indirect, direct.
attestation_conveyance_preference: indirect
## User verification controls if the user must make a gesture or action to confirm they are present.
## Options are required, preferred, discouraged.
user_verification: preferred
##
## NTP Configuration
##
## This is used to validate the servers time is accurate enough to validate TOTP.
ntp:
## NTP server address.
address: "time.cloudflare.com:123"
## NTP version.
version: 4
## Maximum allowed time offset between the host and the NTP server.
max_desync: 3s
## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
## set this to true, and can operate in a truly offline mode.
disable_startup_check: false
## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
## will continue regardless of results.
disable_failure: false
##
## Duo Push API Configuration
##
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
## "Partner Auth API" in the management panel.
duo_api:
enabled: false
hostname: api-123456789.example.com
integration_key: ABCDEF
enable_self_enrollment: false
##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use one and only one of these providers.
authentication_backend:
## Password Reset Options.
password_reset:
## Disable both the HTML element and the API for reset password functionality
disable: false
## External reset password url that redirects the user to an external reset portal. This disables the internal reset
## functionality.
custom_url: ""
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
## See the below documentation for more information.
## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval
refresh_interval: 5m
## LDAP backend configuration.
##
## This backend allows Authelia to be scaled to more
## than one instance and therefore is recommended for
## production.
ldap:
## Enable LDAP Backend.
# enabled: true
enabled: false
## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
## Acceptable options are as follows:
## - 'activedirectory' - For Microsoft Active Directory.
## - 'custom' - For custom specifications of attributes and filters.
## This currently defaults to 'custom' to maintain existing behaviour.
##
## Depending on the option here certain other values in this section have a default value, notably all of the
## attribute mappings have a default value that this config overrides, you can read more about these default values
## at https://www.authelia.com/reference/guides/ldap/#defaults
implementation: activedirectory
## The url to the ldap server. Format: <scheme>://<address>[:<port>].
## Scheme can be ldap or ldaps in the format (port optional).
url: ldap://openldap.default.svc.cluster.local
## Connection Timeout.
timeout: 5s
## Use StartTLS with the LDAP connection.
start_tls: false
tls:
## The server subject name to check the servers certificate against during the validation process.
## This option is not required if the certificate has a SAN which matches the host portion of the url option.
server_name: ""
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
## defined by the `certificates_directory` option at the top of the configuration.
## It's important to note the public key should be added to the directory, not the private key.
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
## important to the administrator.
skip_verify: false
## Minimum TLS version for the connection.
minimum_version: TLS1.2
## Maximum TLS version for the connection.
maximum_version: TLS1.3
## The base dn for every LDAP query.
base_dn: DC=example,DC=com
## The attribute holding the username of the user. This attribute is used to populate the username in the session
## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
username_attribute: ""
## An additional dn to define the scope to all users.
additional_users_dn: OU=Users
## The users filter used in search queries to find the user profile based on input filled in login form.
## Various placeholders are available in the user filter:
## - {input} is a placeholder replaced by what the user inputs in the login form.
## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
## versions, so please don't use it.
##
## Recommended settings are as follows:
## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
## - OpenLDAP:
## - (&({username_attribute}={input})(objectClass=person))
## - (&({username_attribute}={input})(objectClass=inetOrgPerson))
##
## To allow sign in both with username and email, one can use a filter like
## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
users_filter: ""
## An additional dn to define the scope of groups.
additional_groups_dn: OU=Groups
## The groups filter used in search queries to find the groups of the user.
## - {input} is a placeholder replaced by what the user inputs in the login form.
## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`).
## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
## versions, so please don't use it.
## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in
## later version, so please don't use it.
##
## If your groups use the `groupOfUniqueNames` structure use this instead:
## (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
groups_filter: ""
## The attribute holding the name of the group
group_name_attribute: ""
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
## first one returned by the LDAP server is used.
mail_attribute: ""
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
display_name_attribute: ""
## Follow referrals returned by the server.
## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
permit_referrals: false
## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP
## server and utilizing a service account.
permit_unauthenticated_bind: false
## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported
## controls/extensions.
permit_feature_detection_failure: false
## The username of the admin user.
user: CN=Authelia,DC=example,DC=com
##
## File (Authentication Provider)
##
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
## implications it is highly recommended you leave the default values. Before considering changing these settings
## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
file:
# enabled: false
enabled: true
path: /config/users_database.yml
watch: true
search:
email: false
case_insensitive: false
password:
algorithm: argon2
argon2:
variant: argon2id
iterations: 3
memory: 65536
parallelism: 4
key_length: 32
salt_length: 16
scrypt:
iterations: 16
block_size: 8
parallelism: 1
key_length: 32
salt_length: 16
pbkdf2:
variant: sha512
iterations: 310000
salt_length: 16
sha2crypt:
variant: sha512
iterations: 50000
salt_length: 16
bcrypt:
variant: standard
cost: 12
##
## Password Policy Configuration.
##
password_policy:
## The standard policy allows you to tune individual settings manually.
standard:
enabled: false
## Require a minimum length for passwords.
min_length: 8
## Require a maximum length for passwords.
max_length: 0
## Require uppercase characters.
require_uppercase: true
## Require lowercase characters.
require_lowercase: true
## Require numeric characters.
require_number: true
## Require special characters.
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
## Configures the minimum score allowed.
min_score: 0
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
## Configure the ACL as a Secret instead of part of the ConfigMap.
secret:
## Enables the ACL section being generated as a secret.
enabled: false
## The key in the secret which contains the file to mount.
key: configuration.acl.yaml
## An existingSecret name, if configured this will force the secret to be mounted using the key above.
existingSecret: ""
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
networks: []
# networks:
# - name: private
# networks:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - name: vpn
# networks:
# - 10.9.0.0/16
rules: []
# rules:
# - domain_regex: '^.*\.example.com$'
# policy: bypass
# - domain: public.example.com
# policy: bypass
# - domain: "*.example.com"
# policy: bypass
# methods:
# - OPTIONS
# - domain: secure.example.com
# policy: one_factor
# networks:
# - private
# - vpn
# - 192.168.1.0/24
# - 10.0.0.1
# - domain:
# - secure.example.com
# - private.example.com
# policy: two_factor
# - domain: singlefactor.example.com
# policy: one_factor
# - domain: "mx2.mail.example.com"
# subject: "group:admins"
# policy: deny
# - domain: "*.example.com"
# subject:
# - "group:admins"
# - "group:moderators"
# policy: two_factor
# - domain: dev.example.com
# resources:
# - "^/groups/dev/.*$"
# subject: "group:dev"
# policy: two_factor
# - domain: dev.example.com
# resources:
# - "^/users/john/.*$"
# subject:
# - ["group:dev", "user:john"]
# - "group:admins"
# policy: two_factor
# - domain: "{user}.example.com"
# policy: bypass
##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
## The name of the session cookie. (default: authelia_session).
name: authelia_session
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/configuration/session/introduction/#same_site
same_site: lax
## The time in seconds before the cookie expires and session is reset.
expiration: 1h
## The inactivity time in seconds before the session is reset.
inactivity: 5m
## The remember me duration.
## Value is in seconds, or duration notation. Value of 0 disables remember me.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to
## spy or attack. Currently the default is 1M or 1 month.
remember_me_duration: 1M
##
## Redis Provider
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
## The redis connection details
redis:
enabled: true
enabledSecret: false
# host: redis.databases.svc.cluster.local
host: redis.redis.svc.cluster.local
port: 6379
## Optional username to be used with authentication.
# username: authelia
username: ""
## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
database_index: 0
## The maximum number of concurrent active connections to Redis.
maximum_active_connections: 8
## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
minimum_idle_connections: 0
## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
tls:
enabled: false
## The server subject name to check the servers certificate against during the validation process.
## This option is not required if the certificate has a SAN which matches the host option.
server_name: ""
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
## defined by the `certificates_directory` option at the top of the configuration.
## It's important to note the public key should be added to the directory, not the private key.
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
## important to the administrator.
skip_verify: false
## Minimum TLS version for the connection.
minimum_version: TLS1.2
## Maximum TLS version for the connection.
maximum_version: TLS1.3
## The Redis HA configuration options.
## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
high_availability:
enabled: false
enabledSecret: false
## Sentinel Name / Master Name
sentinel_name: mysentinel
## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based
## authentication. If left blank, authentication to sentinels will be done via `requirepass`.
username: ""
## The additional nodes to pre-seed the redis provider with (for sentinel).
## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
## For high availability to be used you must have either defined; the host above or at least one node below.
nodes: []
# nodes:
# - host: sentinel-0.databases.svc.cluster.local
# port: 26379
# - host: sentinel-1.databases.svc.cluster.local
# port: 26379
## Choose the host with the lowest latency.
route_by_latency: false
## Choose the host randomly.
route_randomly: false
##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done
## in a short period of time.
regulation:
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
max_retries: 3
## The time range during which the user can attempt login before being banned. The user is banned if the
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
find_time: 2m
## The length of time before a banned user can login again. Ban Time accepts duration notation.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
ban_time: 5m
##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
##
## Local (Storage Provider)
##
## This stores the data in a SQLite3 Database.
## This is only recommended for lightweight non-stateful installations.
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
local:
# enabled: false
enabled: true
path: /config/db.sqlite3
##
## MySQL (Storage Provider)
##
## Also supports MariaDB
##
mysql:
enabled: false
host: mysql.databases.svc.cluster.local
port: 3306
database: authelia
username: authelia
timeout: 5s
tls:
enabled: false
## The server subject name to check the servers certificate against during the validation process.
## This option is not required if the certificate has a SAN which matches the host option.
server_name: ""
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
## defined by the `certificates_directory` option at the top of the configuration.
## It's important to note the public key should be added to the directory, not the private key.
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
## important to the administrator.
skip_verify: false
## Minimum TLS version for the connection.
minimum_version: TLS1.2
## Maximum TLS version for the connection.
maximum_version: TLS1.3
##
## PostgreSQL (Storage Provider)
##
postgres:
# enabled: true
enabled: false
host: postgres.databases.svc.cluster.local
port: 5432
database: authelia
schema: public
username: authelia
timeout: 5s
tls:
enabled: false
## The server subject name to check the servers certificate against during the validation process.
## This option is not required if the certificate has a SAN which matches the host option.
server_name: ""
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
## defined by the `certificates_directory` option at the top of the configuration.
## It's important to note the public key should be added to the directory, not the private key.
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
## important to the administrator.
skip_verify: false
## Minimum TLS version for the connection.
minimum_version: TLS1.2
## Maximum TLS version for the connection.
maximum_version: TLS1.3
##
## Notification Provider
##
##
## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use one and only one of these providers.
notifier:
## You can disable the notifier startup check by setting this to true.
disable_startup_check: false
##
## File System (Notification Provider)
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
filesystem:
# enabled: false
enabled: true
filename: /config/notification.txt
##
## SMTP (Notification Provider)
##
## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
## [Security] By default Authelia will:
## - force all SMTP connections over TLS including unauthenticated connections
## - use the disable_require_tls boolean value to disable this requirement
## (only works for unauthenticated connections)
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
## (configure in tls section)
smtp:
# enabled: true
enabled: false
enabledSecret: false
host: smtp.mail.svc.cluster.local
port: 25
timeout: 5s
username: test
sender: admin@example.com
## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
identifier: localhost
## Subject configuration of the emails sent.
## {title} is replaced by the text from the notifier
subject: "[Authelia] {title}"
## This address is used during the startup check to verify the email configuration is correct.
## It's not important what it is except if your email server only allows local delivery.
startup_check_address: test@authelia.com
## Disables sending HTML formatted emails.
disable_html_emails: false
## By default we require some form of TLS. This disables this check though is not advised.
disable_require_tls: false
## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For
## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is
## enabled AT YOUR OWN RISK. Its strongly recommended that instead of enabling this option you either fix the
## issue with the SMTP servers configuration or have the administrators of the server fix it. If the issue cant
## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for
## more information.
disable_starttls: false
tls:
## The server subject name to check the servers certificate against during the validation process.
## This option is not required if the certificate has a SAN which matches the host option.
server_name: ""
## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
## certificate or the certificate of the authority signing the certificate to the certificates directory which is
## defined by the `certificates_directory` option at the top of the configuration.
## It's important to note the public key should be added to the directory, not the private key.
## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
## important to the administrator.
skip_verify: false
## Minimum TLS version for the connection.
minimum_version: TLS1.2
## Maximum TLS version for the connection.
maximum_version: TLS1.3
identity_providers:
oidc:
## Enables this in the config map. Currently in beta stage.
## See https://www.authelia.com/r/openid-connect/
enabled: false
# enabled: true
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
## For security reasons it's recommended this option is public_clients_only or always, however always is not
## compatible with all clients.
enforce_pkce: public_clients_only
## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
enable_pkce_plain_challenge: false
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
## security reasons.
minimum_parameter_entropy: 8
## Enables additional debug messages.
enable_client_debug_messages: false
## The issuer_certificate_chain is an optional PEM encoded certificate chain. It's used in conjunction with the
## issuer_private_key to sign JWT's. All certificates in the chain must be within the validity period, and every
## certificate included must be signed by the certificate immediately after it if provided.
issuer_certificate_chain: ""
# issuer_certificate_chain: |
# -----BEGIN CERTIFICATE-----
# MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
# ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
# /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
# LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
# 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
# kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
# Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
# AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
# AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
# /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
# lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
# wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
# OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
# ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
# EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
# MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
# ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
# zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
# 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
# kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
# ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
# Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
# AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
# Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
# kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
# 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
# HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
# D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
# 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
# qocikt3WAdU^invalid DO NOT USE=
# -----END CERTIFICATE-----
## Cross-Origin Resource Sharing (CORS) settings.
cors:
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
# endpoints:
# - authorization
# - token
# - revocation
# - introspection
# - userinfo
endpoints: []
## List of allowed origins.
## Any origin with https is permitted unless this option is configured or the
## allowed_origins_from_client_redirect_uris option is enabled.
# allowed_origins:
# - https://example.com
allowed_origins: []
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
## provided they have the scheme http or https and do not have the hostname of localhost.
allowed_origins_from_client_redirect_uris: true
clients: []
# clients:
# -
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
# id: myapp
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
# description: My Application
## The client secret is a shared secret between Authelia and the consumer of this client.
# secret: apple123
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. Read the documentation for more information.
## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
# sector_identifier: example.com
## Sets the client to public. This should typically not be set, please see the documentation for usage.
# public: false
## The policy to require for this client; one_factor or two_factor.
# authorization_policy: two_factor
## The consent mode controls how consent is obtained.
# consent_mode: auto
## This value controls the duration a consent on this client remains remembered when the consent mode is
## configured as 'auto' or 'pre-configured'.
# pre_configured_consent_duration: 30d
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
# scopes:
# - openid
# - profile
# - email
# - groups
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
# redirect_uris:
# - https://oidc.example.com/oauth2/callback
## Grant Types configures which grants this client can obtain.
## It's not recommended to configure this unless you know what you're doing.
# grant_types:
# - refresh_token
# - authorization_code
## Response Types configures which responses this client can be sent.
## It's not recommended to configure this unless you know what you're doing.
# response_types:
# - code
## Response Modes configures which response modes this client supports.
## It's not recommended to configure this unless you know what you're doing.
# response_modes:
# - form_post
# - query
# - fragment
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
# userinfo_signing_algorithm: none
##
## Authelia Secret Generator.
##
## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each
## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets)
## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option.
##
secret:
existingSecret: ""
# existingSecret: authelia
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
mountPath: /secrets
excludeVolumeAndMounts: false
## Secrets.
jwt:
key: JWT_TOKEN
value: ""
filename: JWT_TOKEN
ldap:
key: LDAP_PASSWORD
value: ""
filename: LDAP_PASSWORD
storage:
key: STORAGE_PASSWORD
value: ""
filename: STORAGE_PASSWORD
storageEncryptionKey:
key: STORAGE_ENCRYPTION_KEY
value: ""
filename: STORAGE_ENCRYPTION_KEY
session:
key: SESSION_ENCRYPTION_KEY
value: ""
filename: SESSION_ENCRYPTION_KEY
duo:
key: DUO_API_KEY
value: ""
filename: DUO_API_KEY
redis:
key: REDIS_PASSWORD
value: ""
filename: REDIS_PASSWORD
redisSentinel:
key: REDIS_SENTINEL_PASSWORD
value: ""
filename: REDIS_SENTINEL_PASSWORD
smtp:
key: SMTP_PASSWORD
value: ""
filename: SMTP_PASSWORD
oidcPrivateKey:
key: OIDC_PRIVATE_KEY
value: ""
filename: OIDC_PRIVATE_KEY
oidcHMACSecret:
key: OIDC_HMAC_SECRET
value: ""
filename: OIDC_HMAC_SECRET
## HashiCorp Vault Injector configuration.
vaultInjector:
## Enable the vault injector annotations. This will disable secret injection via other means.
## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations
## Annotations with a blank string do not get configured at all.
## Additional annotations can be configured via the secret.annotations: {} above.
## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the
## secret.mountPath value. You can alter the filenames with the secret.<secretName>.filename values.
## Secrets are loaded from vault path specified below with secrets.<secretName>.path values. Its format should be
## <SECRET_PATH>:<KEY_NAME>.
## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used,
## it can be overriden per each secret by specifying secrets.<secretName>.templateValue. For example for KV v2
## secrets engine would be '{{ with secret "<SECRET_PATH>" }}{{ .Data.data.<KEY_NAME> }}{{ end }}'.
enabled: false
## The vault role to assign via annotations.
## Annotation: vault.hashicorp.com/role
role: authelia
agent:
## Annotation: vault.hashicorp.com/agent-inject-status
status: update
## Annotation: vault.hashicorp.com/agent-configmap
configMap: ""
## Annotation: vault.hashicorp.com/agent-image
image: ""
## Annotation: vault.hashicorp.com/agent-init-first
initFirst: "false"
## Annotation: vault.hashicorp.com/agent-inject-command
command: "sh -c 'kill HUP $(pidof authelia)'"
## Annotation: vault.hashicorp.com/agent-run-as-same-user
runAsSameUser: "true"
secrets:
jwt:
## Vault Path to the Authelia JWT secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-jwt
path: secrets/authelia/jwt:token
## Vault template specific to JWT.
## Annotation: vault.hashicorp.com/agent-inject-template-jwt
templateValue: ""
## Vault after render command specific to JWT.
## Annotation: vault.hashicorp.com/agent-inject-command-jwt
command: ""
ldap:
## Vault Path to the Authelia LDAP secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-ldap
path: secrets/authelia/ldap:password
## Vault template specific to LDAP.
## Annotation: vault.hashicorp.com/agent-inject-template-ldap
templateValue: ""
## Vault after render command specific to LDAP.
## Annotation: vault.hashicorp.com/agent-inject-command-ldap
command: ""
storage:
## Vault Path to the Authelia storage password secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-storage
path: secrets/authelia/storage:password
## Vault template specific to the storage password.
## Annotation: vault.hashicorp.com/agent-inject-template-storage
templateValue: ""
## Vault after render command specific to the storage password.
## Annotation: vault.hashicorp.com/agent-inject-command-storage
command: ""
storageEncryptionKey:
## Vault Path to the Authelia storage encryption key secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key
path: secrets/authelia/storage:encryption_key
## Vault template specific to the storage encryption key.
## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key
templateValue: ""
## Vault after render command specific to the storage encryption key.
## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key
command: ""
session:
## Vault Path to the Authelia session secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-session
path: secrets/authelia/session:encryption_key
## Vault template specific to session.
## Annotation: vault.hashicorp.com/agent-inject-template-session
templateValue: ""
## Vault after render command specific to session.
## Annotation: vault.hashicorp.com/agent-inject-command-session
command: ""
duo:
## Vault Path to the Authelia duo secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-duo
path: secrets/authelia/duo:api_key
## Vault template specific to duo.
## Annotation: vault.hashicorp.com/agent-inject-template-duo
templateValue: ""
## Vault after render command specific to duo.
## Annotation: vault.hashicorp.com/agent-inject-command-duo
command: ""
redis:
## Vault Path to the Authelia redis secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-redis
path: secrets/authelia/redis:password
## Vault template specific to redis.
## Annotation: vault.hashicorp.com/agent-inject-template-redis
templateValue: ""
## Vault after render command specific to redis.
## Annotation: vault.hashicorp.com/agent-inject-command-redis
command: ""
redisSentinel:
## Vault Path to the Authelia redis sentinel secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel
path: secrets/authelia/redis_sentinel:password
## Vault template specific to redis sentinel.
## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel
templateValue: ""
## Vault after render command specific to redis sentinel.
## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel
command: ""
smtp:
## Vault Path to the Authelia SMTP secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-smtp
path: secrets/authelia/smtp:password
## Vault template specific to SMTP.
## Annotation: vault.hashicorp.com/agent-inject-template-smtp
templateValue: ""
## Vault after render command specific to SMTP.
## Annotation: vault.hashicorp.com/agent-inject-command-smtp
command: ""
oidcPrivateKey:
## Vault Path to the Authelia OIDC private key secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key
path: secrets/authelia/oidc:private_key
## Vault template specific to OIDC private key.
## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key
templateValue: ""
## Vault after render command specific to OIDC private key.
## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key
command: ""
oidcHMACSecret:
## Vault Path to the Authelia OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret
path: secrets/authelia/oidc:hmac_secret
## Vault template specific to OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret
templateValue: ""
## Vault after render command specific to OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret
command: ""
certificates:
existingSecret: ""
# existingSecret: authelia
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
values: []
# values:
# - name: Example_Com_Root_Certificate_Authority_B64.pem
# secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
# - name: Example_Com_Root_Certificate_Authority.pem
# value: |
# -----BEGIN CERTIFICATE-----
# MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
# A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
# Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
# MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
# A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
# hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
# RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
# gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
# KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
# QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
# XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
# DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
# LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
# RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
# jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
# 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
# mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
# Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
# WD9f
# -----END CERTIFICATE-----
##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
enabled: false
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
readOnly: false
subPath: ""
existingClaim: ""
# existingClaim: my-claim-name
storageClass: ""
# storageClass: "my-storage-class"
## Persistent Volume Name
## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one
##
volumeName: ""
accessModes:
- ReadWriteOnce
size: 100Mi
selector: {}
---
Reference in a new issue Copy permalink