diff --git a/modules/kubernetes/authelia/main.tf b/modules/kubernetes/authelia/main.tf new file mode 100644 index 00000000..ed411309 --- /dev/null +++ b/modules/kubernetes/authelia/main.tf @@ -0,0 +1,28 @@ +variable "tls_secret_name" {} + +resource "kubernetes_namespace" "authelia" { + metadata { + name = "authelia" + labels = { + "istio-injection" : "enabled" + } + } +} + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "authelia" + tls_secret_name = var.tls_secret_name +} + +resource "helm_release" "authelia" { + namespace = "authelia" + create_namespace = true + name = "authelia" + atomic = true + + repository = "https://charts.authelia.com" + chart = "authelia" + + values = [templatefile("${path.module}/values.yaml", {})] +} diff --git a/modules/kubernetes/authelia/values.yaml b/modules/kubernetes/authelia/values.yaml new file mode 100644 index 00000000..82477943 --- /dev/null +++ b/modules/kubernetes/authelia/values.yaml @@ -0,0 +1,1716 @@ +--- +## @formatter:off +## values.yaml +## +## Repository: authelia https://charts.authelia.com +## Chart: authelia +## +## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0. +## It uses the following providers: +## - authentication: LDAP +## - storage: MySQL +## - session: redis + +## Version Override allows changing some chart characteristics that render only on specific versions. +## This does NOT affect the image used, please see the below image section instead for this. +## If this value is not specified, it's assumed the appVersion of the chart is the version. +## The format of this value is x.x.x, for example 4.100.0. +## +## Important Points: +## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion. +## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration +## system. +versionOverride: "" + +## Kubernetes Version Override allows forcibly overriding the detected KubeVersion for fallback capabilities assessment. +## The fallback capabilities assessment only occurs if the APIVersions Capabilities list does not include a known +## APIVersion for a manifest which occurs with some CI/CD tooling. This value will completely override the value +## detected by helm. +kubeVersionOverride: "" + +## Image Parameters +## ref: https://hub.docker.com/r/authelia/authelia/tags/ +## +image: + # registry: docker.io + registry: ghcr.io + repository: authelia/authelia + tag: "" + pullPolicy: IfNotPresent + pullSecrets: [] + # pullSecrets: + # - myPullSecretName + +# nameOverride: authelia-deployment-name +# appNameOverride: authelia + +## +## extra labels/annotations applied to all resources +## +annotations: {} +# annotations: +# myAnnotation: myValue + +labels: {} +# labels: +# myLabel: myValue + +## +## RBAC Configuration. +## +rbac: + ## Enable RBAC. Turning this on associates Authelia with a service account. + ## If the vault injector is enabled, then RBAC must be enabled. + enabled: false + + annotations: {} + labels: {} + + serviceAccountName: authelia + +## Authelia Domain +## Should be the root domain you want to protect. +## For example if you have apps app1.example.com and app2.example.com it should be example.com +## This affects the ingress (partially sets the domain used) and configMap. +## Authelia must be served from the domain or a subdomain under it. +domain: viktorbarzin.me + +service: + type: "ClusterIP" + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + port: 80 + nodePort: 30091 + # clusterIP: + +ingress: + enabled: false + + annotations: {} + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + + labels: {} + # labels: + # myLabel: myValue + + certManager: false + rewriteTarget: true + + ## The Ingress Class Name. + # className: ingress-nginx + + ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. + ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, + ## and specify example.com for the domain. + subdomain: auth + + tls: + enabled: true + # secret: authelia-tls + secret: tls-secret + + # hostNameOverride: + + traefikCRD: + enabled: false + + ## Use a standard Ingress object, not an IngressRoute. + disableIngressRoute: false + + # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) + + entryPoints: [] + # entryPoints: + # - http + + # priority: 10 + + # weight: 10 + + sticky: false + + # stickyCookieNameOverride: authelia_traefik_lb + + # strategy: RoundRobin + + # responseForwardingFlushInterval: 100ms + + middlewares: + auth: + # nameOverride: authelia-auth + authResponseHeaders: + - Remote-User + - Remote-Name + - Remote-Email + - Remote-Groups + + chains: + auth: + # nameOverride: authelia-auth-chain + + # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain. + before: [] + # before: + # - name: extra-middleware-name + # namespace: default + + # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain. + after: [] + # after: + # - name: extra-middleware-name + # namespace: default + + ingressRoute: + # List of Middlewares to apply before the middleware in the IngressRoute chain. + before: [] + # before: + # - name: extra-middleware-name + # namespace: default + + # List of Middlewares to apply after the middleware in the IngressRoute chain. + after: [] + # after: + # - name: extra-middleware-name + # namespace: default + + # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. + tls: + ## Disables inclusion of the IngressRoute TLSOptions. + disableTLSOptions: false + # existingOptions: + # name: default-traefik-options + # namespace: default + # certResolver: default + # sans: + # - *.example.com + # + options: + # nameOverride: authelia-tls-options + nameOverride: "" + + minVersion: VersionTLS12 + maxVersion: VersionTLS13 + sniStrict: false + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_RSA_WITH_AES_256_GCM_SHA384 + curvePreferences: [] + # curvePreferences: + # - CurveP521 + # - CurveP384 + +pod: + # Must be Deployment, DaemonSet, or StatefulSet. + # kind: DaemonSet + kind: Deployment + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + replicas: 1 + revisionHistoryLimit: 5 + priorityClassName: "" + + strategy: + type: RollingUpdate + # rollingUpdate: + # partition: 1 + # maxSurge: 25% + # maxUnavailable: 25% + + securityContext: + container: {} + # container: + # runAsUser: 2000 + # runAsGroup: 2000 + # fsGroup: 2000 + pod: {} + # pod: + # readOnlyRootFilesystem: true + # allowPrivilegeEscalation: false + # privileged: false + + tolerations: [] + # tolerations: + # - key: key1 + # operator: Equal + # value: value1 + # effect: NoSchedule + # tolerationSeconds: 3600 + + selectors: + # nodeName: worker-1 + + nodeSelector: {} + # nodeSelector: + # disktype: ssd + # kubernetes.io/hostname: worker-1 + + affinity: + nodeAffinity: {} + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: kubernetes.io/hostname + # operator: In + # values: + # - worker-1 + # - worker-2 + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 1 + # preference: + # matchExpressions: + # - key: node-label-key + # operator: NotIn + # values: + # - not-this + podAffinity: {} + # podAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # - labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S1 + # topologyKey: topology.kubernetes.io/zone + podAntiAffinity: {} + # podAntiAffinity: + # preferredDuringSchedulingIgnoredDuringExecution: + # - weight: 100 + # podAffinityTerm: + # labelSelector: + # matchExpressions: + # - key: security + # operator: In + # values: + # - S2 + # topologyKey: topology.kubernetes.io/zone + + env: [] + # env: + # - name: TZ + # value: Australia/Melbourne + + resources: + limits: {} + # limits: + # cpu: "4.00" + # memory: 125Mi + requests: {} + # requests: + # cpu: "0.25" + # memory: 50Mi + + probes: + method: + httpGet: + path: /api/health + port: http + scheme: HTTP + + liveness: + initialDelaySeconds: 0 + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + readiness: + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. + ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ + startup: + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + extraVolumeMounts: [] + extraVolumes: [] + +## +## Kubernetes Pod Disruption Budget +## +podDisruptionBudget: + enabled: false + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + minAvailable: 0 + maxUnavailable: 0 + +## +## Kubernetes Network Policy +## +networkPolicy: + enabled: false + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchLabels: + authelia.com/network-policy: namespace + - podSelector: + matchLabels: + authelia.com/network-policy: pod + ports: + - protocol: TCP + port: 9091 + +## +## Authelia Config Map Generator +## +configMap: + # Enable the configMap source for the Authelia config. + # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. + enabled: true + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + key: configuration.yaml + + existingConfigMap: "" + + ## + ## Server Configuration + ## + server: + ## + ## Port sets the configured port for the daemon, service, and the probes. + ## Default is 9091 and should not need to be changed. + ## + port: 9091 + + ## Set the single level path Authelia listens on. + ## Must be alphanumeric chars and should not contain any slashes. + path: "" + + ## Set the path on disk to Authelia assets. + ## Useful to allow overriding of specific static assets. + # asset_path: /config/assets/ + asset_path: "" + + ## Customize Authelia headers. + headers: + ## Read the Authelia docs before setting this advanced option. + ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. + csp_template: "" + + ## Server Buffers configuration. + buffers: + ## Read buffer. + read: 4096 + + ## Write buffer. + write: 4096 + + ## Server Timeouts configuration. + timeouts: + ## Read timeout. + read: 6s + + ## Write timeout. + write: 6s + + ## Idle timeout. + idle: 30s + + log: + ## Level of verbosity for logs: info, debug, trace. + level: info + + ## Format the logs are written as: json, text. + format: text + + ## TODO: Statefulness check should check if this is set, and the configMap should enable it. + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: /config/authelia.log + file_path: "" + + ## + ## Telemetry Configuration + ## + telemetry: + ## + ## Metrics Configuration + ## + metrics: + ## Enable Metrics. + # enabled: false + enabled: true + + ## The port to listen on for metrics. This should be on a different port to the main server.port value. + port: 9959 + + ## Metrics Server Buffers configuration. + buffers: + ## Read buffer. + read: 4096 + + ## Write buffer. + write: 4096 + + ## Metrics Server Timeouts configuration. + timeouts: + ## Read timeout. + read: 6s + + ## Write timeout. + write: 6s + + ## Idle timeout. + idle: 30s + + serviceMonitor: + enabled: false + annotations: {} + labels: {} + + ## Default redirection URL + ## + ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end + ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use + ## in such a case. + ## + ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication. + ## Default is https://www. (value at the top of the values.yaml). + default_redirection_url: "" + # default_redirection_url: https://example.com + + ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been + ## disabled. This setting must be a method that is enabled. + ## Options are totp, webauthn, mobile_push. + default_2fa_method: "" + + theme: light + + ## + ## TOTP Configuration + ## + ## Parameters used for TOTP generation. + totp: + ## Disable TOTP. + disable: false + + ## The issuer name displayed in the Authenticator application of your choice. + ## Defaults to . + issuer: "" + + ## The TOTP algorithm to use. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm + algorithm: sha1 + + ## The number of digits a user has to input. Must either be 6 or 8. + ## Changing this option only affects newly generated TOTP configurations. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits + digits: 6 + + ## The period in seconds a one-time password is valid for. + ## Changing this option only affects newly generated TOTP configurations. + period: 30 + + ## The skew controls number of one-time passwords either side of the current one that are valid. + ## Warning: before changing skew read the docs link below. + ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. + skew: 1 + + ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. + secret_size: 32 + + ## + ## WebAuthn Configuration + ## + ## Parameters used for WebAuthn. + webauthn: + ## Disable Webauthn. + # disable: false + disable: true + + ## Adjust the interaction timeout for Webauthn dialogues. + timeout: 60s + + ## The display name the browser should show the user for when using Webauthn to login/register. + display_name: Authelia + + ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. + ## Options are none, indirect, direct. + attestation_conveyance_preference: indirect + + ## User verification controls if the user must make a gesture or action to confirm they are present. + ## Options are required, preferred, discouraged. + user_verification: preferred + + ## + ## NTP Configuration + ## + ## This is used to validate the servers time is accurate enough to validate TOTP. + ntp: + ## NTP server address. + address: "time.cloudflare.com:123" + + ## NTP version. + version: 4 + + ## Maximum allowed time offset between the host and the NTP server. + max_desync: 3s + + ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you + ## set this to true, and can operate in a truly offline mode. + disable_startup_check: false + + ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with + ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup + ## will continue regardless of results. + disable_failure: false + + ## + ## Duo Push API Configuration + ## + ## Parameters used to contact the Duo API. Those are generated when you protect an application of type + ## "Partner Auth API" in the management panel. + duo_api: + enabled: false + hostname: api-123456789.example.com + integration_key: ABCDEF + enable_self_enrollment: false + + ## + ## Authentication Backend Provider Configuration + ## + ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. + ## + ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. + authentication_backend: + ## Password Reset Options. + password_reset: + ## Disable both the HTML element and the API for reset password functionality + disable: false + + ## External reset password url that redirects the user to an external reset portal. This disables the internal reset + ## functionality. + custom_url: "" + + ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval + refresh_interval: 5m + + ## LDAP backend configuration. + ## + ## This backend allows Authelia to be scaled to more + ## than one instance and therefore is recommended for + ## production. + ldap: + ## Enable LDAP Backend. + # enabled: true + enabled: false + + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - For Microsoft Active Directory. + ## - 'custom' - For custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/reference/guides/ldap/#defaults + implementation: activedirectory + + ## The url to the ldap server. Format: ://
[:]. + ## Scheme can be ldap or ldaps in the format (port optional). + url: ldap://openldap.default.svc.cluster.local + + ## Connection Timeout. + timeout: 5s + + ## Use StartTLS with the LDAP connection. + start_tls: false + + tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host portion of the url option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: TLS1.2 + + ## Maximum TLS version for the connection. + maximum_version: TLS1.3 + + ## The base dn for every LDAP query. + base_dn: DC=example,DC=com + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, + ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this + ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. + ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user + ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also + ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above + ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. + username_attribute: "" + + ## An additional dn to define the scope to all users. + additional_users_dn: OU=Users + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter: + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + users_filter: "" + + ## An additional dn to define the scope of groups. + additional_groups_dn: OU=Groups + + ## The groups filter used in search queries to find the groups of the user. + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). + ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. + ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in + ## later version, so please don't use it. + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) + groups_filter: "" + + ## The attribute holding the name of the group + group_name_attribute: "" + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the + ## first one returned by the LDAP server is used. + mail_attribute: "" + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + display_name_attribute: "" + + ## Follow referrals returned by the server. + ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. + permit_referrals: false + + ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP + ## server and utilizing a service account. + permit_unauthenticated_bind: false + + ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported + ## controls/extensions. + permit_feature_detection_failure: false + + ## The username of the admin user. + user: CN=Authelia,DC=example,DC=com + + ## + ## File (Authentication Provider) + ## + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + file: + # enabled: false + enabled: true + path: /config/users_database.yml + watch: true + search: + email: false + case_insensitive: false + password: + algorithm: argon2 + argon2: + variant: argon2id + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + scrypt: + iterations: 16 + block_size: 8 + parallelism: 1 + key_length: 32 + salt_length: 16 + pbkdf2: + variant: sha512 + iterations: 310000 + salt_length: 16 + sha2crypt: + variant: sha512 + iterations: 50000 + salt_length: 16 + bcrypt: + variant: standard + cost: 12 + + ## + ## Password Policy Configuration. + ## + password_policy: + ## The standard policy allows you to tune individual settings manually. + standard: + enabled: false + + ## Require a minimum length for passwords. + min_length: 8 + + ## Require a maximum length for passwords. + max_length: 0 + + ## Require uppercase characters. + require_uppercase: true + + ## Require lowercase characters. + require_lowercase: true + + ## Require numeric characters. + require_number: true + + ## Require special characters. + require_special: true + + ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. + zxcvbn: + enabled: false + + ## Configures the minimum score allowed. + min_score: 0 + + ## + ## Access Control Configuration + ## + ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. + ## + ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed + ## to anyone. Otherwise restrictions follow the rules defined. + ## + ## Note: One can use the wildcard * to match any subdomain. + ## It must stand at the beginning of the pattern. (example: *.mydomain.com) + ## + ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. + ## + ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. + ## + ## - 'domain' defines which domain or set of domains the rule applies to. + ## + ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not + ## provided. If provided, the parameter represents either a user or a group. It should be of the form + ## 'user:' or 'group:'. + ## + ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. + ## + ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter + ## is optional and matches any resource if not provided. + ## + ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. + access_control: + ## Configure the ACL as a Secret instead of part of the ConfigMap. + secret: + ## Enables the ACL section being generated as a secret. + enabled: false + + ## The key in the secret which contains the file to mount. + key: configuration.acl.yaml + + ## An existingSecret name, if configured this will force the secret to be mounted using the key above. + existingSecret: "" + + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: deny + + networks: [] + # networks: + # - name: private + # networks: + # - 10.0.0.0/8 + # - 172.16.0.0/12 + # - 192.168.0.0/16 + # - name: vpn + # networks: + # - 10.9.0.0/16 + + rules: [] + # rules: + # - domain_regex: '^.*\.example.com$' + # policy: bypass + # - domain: public.example.com + # policy: bypass + # - domain: "*.example.com" + # policy: bypass + # methods: + # - OPTIONS + # - domain: secure.example.com + # policy: one_factor + # networks: + # - private + # - vpn + # - 192.168.1.0/24 + # - 10.0.0.1 + # - domain: + # - secure.example.com + # - private.example.com + # policy: two_factor + # - domain: singlefactor.example.com + # policy: one_factor + # - domain: "mx2.mail.example.com" + # subject: "group:admins" + # policy: deny + # - domain: "*.example.com" + # subject: + # - "group:admins" + # - "group:moderators" + # policy: two_factor + # - domain: dev.example.com + # resources: + # - "^/groups/dev/.*$" + # subject: "group:dev" + # policy: two_factor + # - domain: dev.example.com + # resources: + # - "^/users/john/.*$" + # subject: + # - ["group:dev", "user:john"] + # - "group:admins" + # policy: two_factor + # - domain: "{user}.example.com" + # policy: bypass + + ## + ## Session Provider Configuration + ## + ## The session cookies identify the user once logged in. + ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. + session: + ## The name of the session cookie. (default: authelia_session). + name: authelia_session + + ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. + ## Please read https://www.authelia.com/configuration/session/introduction/#same_site + same_site: lax + + ## The time in seconds before the cookie expires and session is reset. + expiration: 1h + + ## The inactivity time in seconds before the session is reset. + inactivity: 5m + + ## The remember me duration. + ## Value is in seconds, or duration notation. Value of 0 disables remember me. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to + ## spy or attack. Currently the default is 1M or 1 month. + remember_me_duration: 1M + + ## + ## Redis Provider + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + ## The redis connection details + redis: + enabled: true + enabledSecret: false + # host: redis.databases.svc.cluster.local + host: redis.redis.svc.cluster.local + port: 6379 + + ## Optional username to be used with authentication. + # username: authelia + username: "" + + ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). + database_index: 0 + + ## The maximum number of concurrent active connections to Redis. + maximum_active_connections: 8 + + ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. + minimum_idle_connections: 0 + + ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: TLS1.2 + + ## Maximum TLS version for the connection. + maximum_version: TLS1.3 + + ## The Redis HA configuration options. + ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). + high_availability: + enabled: false + enabledSecret: false + ## Sentinel Name / Master Name + sentinel_name: mysentinel + + ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based + ## authentication. If left blank, authentication to sentinels will be done via `requirepass`. + username: "" + + ## The additional nodes to pre-seed the redis provider with (for sentinel). + ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. + ## For high availability to be used you must have either defined; the host above or at least one node below. + nodes: [] + # nodes: + # - host: sentinel-0.databases.svc.cluster.local + # port: 26379 + # - host: sentinel-1.databases.svc.cluster.local + # port: 26379 + + ## Choose the host with the lowest latency. + route_by_latency: false + + ## Choose the host randomly. + route_randomly: false + + ## + ## Regulation Configuration + ## + ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done + ## in a short period of time. + regulation: + ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. + max_retries: 3 + + ## The time range during which the user can attempt login before being banned. The user is banned if the + ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + find_time: 2m + + ## The length of time before a banned user can login again. Ban Time accepts duration notation. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ban_time: 5m + + ## + ## Storage Provider Configuration + ## + ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. + storage: + ## + ## Local (Storage Provider) + ## + ## This stores the data in a SQLite3 Database. + ## This is only recommended for lightweight non-stateful installations. + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + local: + # enabled: false + enabled: true + path: /config/db.sqlite3 + + ## + ## MySQL (Storage Provider) + ## + ## Also supports MariaDB + ## + mysql: + enabled: false + host: mysql.databases.svc.cluster.local + port: 3306 + database: authelia + username: authelia + timeout: 5s + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: TLS1.2 + + ## Maximum TLS version for the connection. + maximum_version: TLS1.3 + + ## + ## PostgreSQL (Storage Provider) + ## + postgres: + # enabled: true + enabled: false + host: postgres.databases.svc.cluster.local + port: 5432 + database: authelia + schema: public + username: authelia + timeout: 5s + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: TLS1.2 + + ## Maximum TLS version for the connection. + maximum_version: TLS1.3 + + ## + ## Notification Provider + ## + ## + ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. + ## The available providers are: filesystem, smtp. You must use one and only one of these providers. + notifier: + ## You can disable the notifier startup check by setting this to true. + disable_startup_check: false + + ## + ## File System (Notification Provider) + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + filesystem: + # enabled: false + enabled: true + filename: /config/notification.txt + + ## + ## SMTP (Notification Provider) + ## + ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. + ## [Security] By default Authelia will: + ## - force all SMTP connections over TLS including unauthenticated connections + ## - use the disable_require_tls boolean value to disable this requirement + ## (only works for unauthenticated connections) + ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates + ## (configure in tls section) + smtp: + # enabled: true + enabled: false + enabledSecret: false + host: smtp.mail.svc.cluster.local + port: 25 + timeout: 5s + username: test + sender: admin@example.com + ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. + identifier: localhost + ## Subject configuration of the emails sent. + ## {title} is replaced by the text from the notifier + subject: "[Authelia] {title}" + ## This address is used during the startup check to verify the email configuration is correct. + ## It's not important what it is except if your email server only allows local delivery. + startup_check_address: test@authelia.com + + ## Disables sending HTML formatted emails. + disable_html_emails: false + + ## By default we require some form of TLS. This disables this check though is not advised. + disable_require_tls: false + + ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For + ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is + ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the + ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t + ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for + ## more information. + disable_starttls: false + + tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: TLS1.2 + + ## Maximum TLS version for the connection. + maximum_version: TLS1.3 + + identity_providers: + oidc: + ## Enables this in the config map. Currently in beta stage. + ## See https://www.authelia.com/r/openid-connect/ + enabled: false + # enabled: true + + access_token_lifespan: 1h + authorize_code_lifespan: 1m + id_token_lifespan: 1h + refresh_token_lifespan: 90m + + ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. + ## For security reasons it's recommended this option is public_clients_only or always, however always is not + ## compatible with all clients. + enforce_pkce: public_clients_only + + ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. + enable_pkce_plain_challenge: false + + ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for + ## security reasons. + minimum_parameter_entropy: 8 + + ## Enables additional debug messages. + enable_client_debug_messages: false + + ## The issuer_certificate_chain is an optional PEM encoded certificate chain. It's used in conjunction with the + ## issuer_private_key to sign JWT's. All certificates in the chain must be within the validity period, and every + ## certificate included must be signed by the certificate immediately after it if provided. + issuer_certificate_chain: "" + # issuer_certificate_chain: | + # -----BEGIN CERTIFICATE----- + # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw + # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw + # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP + # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q + # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6 + # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY + # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H + # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR + # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD + # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN + # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh + # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4 + # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq + # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg + # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i + # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE= + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw + # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw + # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP + # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S + # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50 + # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou + # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7 + # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi + # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD + # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU + # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/ + # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf + # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ + # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB + # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj + # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b + # qocikt3WAdU^invalid DO NOT USE= + # -----END CERTIFICATE----- + + ## Cross-Origin Resource Sharing (CORS) settings. + cors: + ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. + # endpoints: + # - authorization + # - token + # - revocation + # - introspection + # - userinfo + endpoints: [] + + ## List of allowed origins. + ## Any origin with https is permitted unless this option is configured or the + ## allowed_origins_from_client_redirect_uris option is enabled. + # allowed_origins: + # - https://example.com + allowed_origins: [] + + ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, + ## provided they have the scheme http or https and do not have the hostname of localhost. + allowed_origins_from_client_redirect_uris: true + + clients: [] + # clients: + # - + ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. + # id: myapp + + ## The description to show to users when they end up on the consent screen. Defaults to the ID above. + # description: My Application + + ## The client secret is a shared secret between Authelia and the consumer of this client. + # secret: apple123 + + ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not + ## necessary. Read the documentation for more information. + ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. + # sector_identifier: example.com + + ## Sets the client to public. This should typically not be set, please see the documentation for usage. + # public: false + + ## The policy to require for this client; one_factor or two_factor. + # authorization_policy: two_factor + + ## The consent mode controls how consent is obtained. + # consent_mode: auto + + ## This value controls the duration a consent on this client remains remembered when the consent mode is + ## configured as 'auto' or 'pre-configured'. + # pre_configured_consent_duration: 30d + + ## Audience this client is allowed to request. + # audience: [] + + ## Scopes this client is allowed to request. + # scopes: + # - openid + # - profile + # - email + # - groups + + ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. + # redirect_uris: + # - https://oidc.example.com/oauth2/callback + + ## Grant Types configures which grants this client can obtain. + ## It's not recommended to configure this unless you know what you're doing. + # grant_types: + # - refresh_token + # - authorization_code + + ## Response Types configures which responses this client can be sent. + ## It's not recommended to configure this unless you know what you're doing. + # response_types: + # - code + + ## Response Modes configures which response modes this client supports. + ## It's not recommended to configure this unless you know what you're doing. + # response_modes: + # - form_post + # - query + # - fragment + + ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256. + # userinfo_signing_algorithm: none + +## +## Authelia Secret Generator. +## +## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each +## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets) +## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option. +## +secret: + existingSecret: "" + # existingSecret: authelia + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + mountPath: /secrets + + excludeVolumeAndMounts: false + + ## Secrets. + jwt: + key: JWT_TOKEN + value: "" + filename: JWT_TOKEN + ldap: + key: LDAP_PASSWORD + value: "" + filename: LDAP_PASSWORD + storage: + key: STORAGE_PASSWORD + value: "" + filename: STORAGE_PASSWORD + storageEncryptionKey: + key: STORAGE_ENCRYPTION_KEY + value: "" + filename: STORAGE_ENCRYPTION_KEY + session: + key: SESSION_ENCRYPTION_KEY + value: "" + filename: SESSION_ENCRYPTION_KEY + duo: + key: DUO_API_KEY + value: "" + filename: DUO_API_KEY + redis: + key: REDIS_PASSWORD + value: "" + filename: REDIS_PASSWORD + redisSentinel: + key: REDIS_SENTINEL_PASSWORD + value: "" + filename: REDIS_SENTINEL_PASSWORD + smtp: + key: SMTP_PASSWORD + value: "" + filename: SMTP_PASSWORD + oidcPrivateKey: + key: OIDC_PRIVATE_KEY + value: "" + filename: OIDC_PRIVATE_KEY + oidcHMACSecret: + key: OIDC_HMAC_SECRET + value: "" + filename: OIDC_HMAC_SECRET + + ## HashiCorp Vault Injector configuration. + vaultInjector: + ## Enable the vault injector annotations. This will disable secret injection via other means. + ## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations + ## Annotations with a blank string do not get configured at all. + ## Additional annotations can be configured via the secret.annotations: {} above. + ## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the + ## secret.mountPath value. You can alter the filenames with the secret..filename values. + ## Secrets are loaded from vault path specified below with secrets..path values. Its format should be + ## :. + ## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used, + ## it can be overriden per each secret by specifying secrets..templateValue. For example for KV v2 + ## secrets engine would be '{{ with secret "" }}{{ .Data.data. }}{{ end }}'. + enabled: false + + ## The vault role to assign via annotations. + ## Annotation: vault.hashicorp.com/role + role: authelia + + agent: + ## Annotation: vault.hashicorp.com/agent-inject-status + status: update + + ## Annotation: vault.hashicorp.com/agent-configmap + configMap: "" + + ## Annotation: vault.hashicorp.com/agent-image + image: "" + + ## Annotation: vault.hashicorp.com/agent-init-first + initFirst: "false" + + ## Annotation: vault.hashicorp.com/agent-inject-command + command: "sh -c 'kill HUP $(pidof authelia)'" + + ## Annotation: vault.hashicorp.com/agent-run-as-same-user + runAsSameUser: "true" + + secrets: + jwt: + ## Vault Path to the Authelia JWT secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-jwt + path: secrets/authelia/jwt:token + + ## Vault template specific to JWT. + ## Annotation: vault.hashicorp.com/agent-inject-template-jwt + templateValue: "" + + ## Vault after render command specific to JWT. + ## Annotation: vault.hashicorp.com/agent-inject-command-jwt + command: "" + ldap: + ## Vault Path to the Authelia LDAP secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-ldap + path: secrets/authelia/ldap:password + + ## Vault template specific to LDAP. + ## Annotation: vault.hashicorp.com/agent-inject-template-ldap + templateValue: "" + + ## Vault after render command specific to LDAP. + ## Annotation: vault.hashicorp.com/agent-inject-command-ldap + command: "" + storage: + ## Vault Path to the Authelia storage password secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-storage + path: secrets/authelia/storage:password + + ## Vault template specific to the storage password. + ## Annotation: vault.hashicorp.com/agent-inject-template-storage + templateValue: "" + + ## Vault after render command specific to the storage password. + ## Annotation: vault.hashicorp.com/agent-inject-command-storage + command: "" + storageEncryptionKey: + ## Vault Path to the Authelia storage encryption key secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key + path: secrets/authelia/storage:encryption_key + + ## Vault template specific to the storage encryption key. + ## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key + templateValue: "" + + ## Vault after render command specific to the storage encryption key. + ## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key + command: "" + session: + ## Vault Path to the Authelia session secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-session + path: secrets/authelia/session:encryption_key + + ## Vault template specific to session. + ## Annotation: vault.hashicorp.com/agent-inject-template-session + templateValue: "" + + ## Vault after render command specific to session. + ## Annotation: vault.hashicorp.com/agent-inject-command-session + command: "" + duo: + ## Vault Path to the Authelia duo secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-duo + path: secrets/authelia/duo:api_key + + ## Vault template specific to duo. + ## Annotation: vault.hashicorp.com/agent-inject-template-duo + templateValue: "" + + ## Vault after render command specific to duo. + ## Annotation: vault.hashicorp.com/agent-inject-command-duo + command: "" + redis: + ## Vault Path to the Authelia redis secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-redis + path: secrets/authelia/redis:password + + ## Vault template specific to redis. + ## Annotation: vault.hashicorp.com/agent-inject-template-redis + templateValue: "" + + ## Vault after render command specific to redis. + ## Annotation: vault.hashicorp.com/agent-inject-command-redis + command: "" + redisSentinel: + ## Vault Path to the Authelia redis sentinel secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel + path: secrets/authelia/redis_sentinel:password + + ## Vault template specific to redis sentinel. + ## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel + templateValue: "" + + ## Vault after render command specific to redis sentinel. + ## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel + command: "" + smtp: + ## Vault Path to the Authelia SMTP secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-smtp + path: secrets/authelia/smtp:password + + ## Vault template specific to SMTP. + ## Annotation: vault.hashicorp.com/agent-inject-template-smtp + templateValue: "" + + ## Vault after render command specific to SMTP. + ## Annotation: vault.hashicorp.com/agent-inject-command-smtp + command: "" + oidcPrivateKey: + ## Vault Path to the Authelia OIDC private key secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key + path: secrets/authelia/oidc:private_key + + ## Vault template specific to OIDC private key. + ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key + templateValue: "" + + ## Vault after render command specific to OIDC private key. + ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key + command: "" + oidcHMACSecret: + ## Vault Path to the Authelia OIDC HMAC secret. + ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret + path: secrets/authelia/oidc:hmac_secret + + ## Vault template specific to OIDC HMAC secret. + ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret + templateValue: "" + + ## Vault after render command specific to OIDC HMAC secret. + ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret + command: "" + +certificates: + existingSecret: "" + # existingSecret: authelia + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + values: [] + # values: + # - name: Example_Com_Root_Certificate_Authority_B64.pem + # secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== + # - name: Example_Com_Root_Certificate_Authority.pem + # value: | + # -----BEGIN CERTIFICATE----- + # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G + # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp + # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 + # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG + # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI + # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 + # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT + # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm + # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd + # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ + # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw + # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o + # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU + # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp + # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK + # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX + # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs + # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH + # WD9f + # -----END CERTIFICATE----- + +## +## Authelia Persistence Configuration. +## +## Useful in scenarios where you need persistent storage. +## Auth Provider Use Case: file; we recommend you use the ldap provider instead. +## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. +## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). +## +persistence: + enabled: false + + annotations: {} + # annotations: + # myAnnotation: myValue + + labels: {} + # labels: + # myLabel: myValue + + readOnly: false + subPath: "" + + existingClaim: "" + # existingClaim: my-claim-name + + storageClass: "" + # storageClass: "my-storage-class" + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + volumeName: "" + + accessModes: + - ReadWriteOnce + + size: 100Mi + + selector: {} +--- + diff --git a/modules/kubernetes/discount-bandit/main.tf b/modules/kubernetes/discount-bandit/main.tf new file mode 100644 index 00000000..8d6bc658 --- /dev/null +++ b/modules/kubernetes/discount-bandit/main.tf @@ -0,0 +1,132 @@ +variable "tls_secret_name" {} + +resource "kubernetes_namespace" "discount-bandit" { + metadata { + name = "discount-bandit" + # labels = { + # "istio-injection" : "enabled" + # } + } +} + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = "discount-bandit" + tls_secret_name = var.tls_secret_name +} + +resource "kubernetes_deployment" "discount-bandit" { + metadata { + name = "discount-bandit" + namespace = "discount-bandit" + labels = { + app = "discount-bandit" + } + annotations = { + "reloader.stakater.com/search" = "true" + } + } + spec { + replicas = 1 + strategy { + type = "Recreate" + } + selector { + match_labels = { + app = "discount-bandit" + } + } + template { + metadata { + labels = { + app = "discount-bandit" + } + } + spec { + container { + image = "cybrarist/discount-bandit:latest-amd64" + name = "discount-bandit" + env { + name = "DB_HOST" + value = "mysql.dbaas" + } + env { + name = "DB_DATABASE" + value = "discountbandit" + } + env { + name = "DB_USERNAME" + value = "discountbandit" + } + env { + name = "DB_PASSWORD" + value = "" + } + env { + name = "APP_URL" + value = "http://discount.viktorbarzin.me:80" + } + + port { + container_port = 80 + } + } + } + } + } +} + +resource "kubernetes_service" "discount-bandit" { + metadata { + name = "discount-bandit" + namespace = "discount-bandit" + labels = { + "app" = "discount-bandit" + } + } + + spec { + selector = { + app = "discount-bandit" + } + port { + name = "http" + target_port = 80 + port = 80 + protocol = "TCP" + } + } +} + +resource "kubernetes_ingress_v1" "discount-bandit" { + metadata { + name = "discount-bandit" + namespace = "discount-bandit" + annotations = { + "kubernetes.io/ingress.class" = "nginx" + } + } + + spec { + tls { + hosts = ["discount.viktorbarzin.me"] + secret_name = var.tls_secret_name + } + rule { + host = "discount.viktorbarzin.me" + http { + path { + path = "/" + backend { + service { + name = "discount-bandit" + port { + number = 80 + } + } + } + } + } + } + } +} diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 2a98fe10..49406edd 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -419,3 +419,13 @@ module "istio" { source = "./istio" tls_secret_name = var.tls_secret_name } + +# module "authelia" { +# source = "./authelia" +# tls_secret_name = var.tls_secret_name +# } + +# module "discount-bandit" { +# source = "./discount-bandit" +# tls_secret_name = var.tls_secret_name +# }