From aac4cb48d9123ed03a9145bd5be63297100d768d Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 28 Dec 2025 20:02:28 +0000 Subject: [PATCH] add semi working authelia [ci skip] --- modules/kubernetes/authelia/main.tf | 301 ++-- modules/kubernetes/authelia/values.yaml | 1728 +---------------------- 2 files changed, 169 insertions(+), 1860 deletions(-) diff --git a/modules/kubernetes/authelia/main.tf b/modules/kubernetes/authelia/main.tf index 89363b3f..1bc69e2b 100644 --- a/modules/kubernetes/authelia/main.tf +++ b/modules/kubernetes/authelia/main.tf @@ -15,163 +15,164 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -# resource "helm_release" "authelia" { -# namespace = "authelia" -# create_namespace = true -# name = "authelia" -# atomic = true +resource "helm_release" "authelia" { + namespace = "authelia" + name = "authelia" + atomic = true -# repository = "https://charts.authelia.com" -# chart = "authelia" -# version = "4.38.9" + repository = "https://charts.authelia.com" + chart = "authelia" + version = "0.10.49" -# values = [templatefile("${path.module}/values.yaml", {})] + depends_on = [kubernetes_namespace.authelia] + + values = [templatefile("${path.module}/values.yaml", {})] +} + +# resource "kubernetes_config_map" "configuration" { +# metadata { +# name = "configuration" +# namespace = "authelia" + +# labels = { +# app = "configuration" +# } +# annotations = { +# "reloader.stakater.com/match" = "true" +# } +# } + +# data = { +# # "configuration.yml" = yamldecode(file("${path.module}/configuration.yml")) +# "configuration.yml" = file("${path.module}/configuration.yml") +# "users_database.yml" = file("${path.module}/users_database.yml") +# } # } -resource "kubernetes_config_map" "configuration" { - metadata { - name = "configuration" - namespace = "authelia" - labels = { - app = "configuration" - } - annotations = { - "reloader.stakater.com/match" = "true" - } - } +# resource "kubernetes_deployment" "authelia" { +# metadata { +# name = "authelia" +# namespace = "authelia" +# labels = { +# app = "authelia" +# } +# annotations = { +# "reloader.stakater.com/search" = "true" +# } +# } +# spec { +# replicas = 1 +# selector { +# match_labels = { +# app = "authelia" +# } +# } +# template { +# metadata { +# labels = { +# app = "authelia" +# } +# } +# spec { +# container { +# image = "authelia/authelia:4.38" +# name = "authelia" +# # command = ["tail", "-f", "/etc/passwd"] - data = { - # "configuration.yml" = yamldecode(file("${path.module}/configuration.yml")) - "configuration.yml" = file("${path.module}/configuration.yml") - "users_database.yml" = file("${path.module}/users_database.yml") - } -} +# port { +# container_port = 9091 +# } +# port { +# container_port = 8080 +# } +# volume_mount { +# name = "config" +# # mount_path = "/etc/authelia/configuration.yml" +# mount_path = "/config/configuration.yml" +# sub_path = "configuration.yml" +# } +# volume_mount { +# name = "users-database" +# # mount_path = "/etc/authelia/users_database.yml" +# mount_path = "/config/users_database.yml" +# sub_path = "users_database.yml" +# } +# } +# volume { +# name = "config" +# config_map { +# name = "configuration" +# } +# } +# volume { +# name = "users-database" +# config_map { +# name = "configuration" +# } +# } +# } +# } +# } +# } +# resource "kubernetes_service" "authelia" { +# metadata { +# name = "authelia" +# namespace = "authelia" +# labels = { +# "app" = "authelia" +# } +# } -resource "kubernetes_deployment" "authelia" { - metadata { - name = "authelia" - namespace = "authelia" - labels = { - app = "authelia" - } - annotations = { - "reloader.stakater.com/search" = "true" - } - } - spec { - replicas = 1 - selector { - match_labels = { - app = "authelia" - } - } - template { - metadata { - labels = { - app = "authelia" - } - } - spec { - container { - image = "authelia/authelia:4.38" - name = "authelia" - # command = ["tail", "-f", "/etc/passwd"] +# spec { +# selector = { +# app = "authelia" +# } +# port { +# name = "http" +# port = 80 +# protocol = "TCP" +# # target_port = 8080 +# target_port = 9091 +# } +# } +# } - port { - container_port = 9091 - } - port { - container_port = 8080 - } - volume_mount { - name = "config" - # mount_path = "/etc/authelia/configuration.yml" - mount_path = "/config/configuration.yml" - sub_path = "configuration.yml" - } - volume_mount { - name = "users-database" - # mount_path = "/etc/authelia/users_database.yml" - mount_path = "/config/users_database.yml" - sub_path = "users_database.yml" - } - } - volume { - name = "config" - config_map { - name = "configuration" - } - } - volume { - name = "users-database" - config_map { - name = "configuration" - } - } - } - } - } -} +# resource "kubernetes_ingress_v1" "authelia" { +# metadata { +# name = "authelia" +# namespace = "authelia" +# annotations = { +# "kubernetes.io/ingress.class" = "nginx" +# # "nginx.ingress.kubernetes.io/affinity" = "cookie" +# # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on" +# # "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret" +# # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth" +# # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" +# } +# } -resource "kubernetes_service" "authelia" { - metadata { - name = "authelia" - namespace = "authelia" - labels = { - "app" = "authelia" - } - } - - spec { - selector = { - app = "authelia" - } - port { - name = "http" - port = 80 - protocol = "TCP" - # target_port = 8080 - target_port = 9091 - } - } -} - -resource "kubernetes_ingress_v1" "authelia" { - metadata { - name = "authelia" - namespace = "authelia" - annotations = { - "kubernetes.io/ingress.class" = "nginx" - # "nginx.ingress.kubernetes.io/affinity" = "cookie" - # "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on" - # "nginx.ingress.kubernetes.io/auth-tls-secret" = "default/ca-secret" - # "nginx.ingress.kubernetes.io/auth-url" : "https://oauth2.viktorbarzin.me/oauth2/auth" - # "nginx.ingress.kubernetes.io/auth-signin" : "https://oauth2.viktorbarzin.me/oauth2/start?rd=/redirect/$http_host$escaped_request_uri" - } - } - - spec { - tls { - hosts = ["auth.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "auth.viktorbarzin.me" - http { - path { - path = "/" - backend { - service { - name = "authelia" - port { - number = 80 - } - } - } - } - } - } - } -} +# spec { +# tls { +# hosts = ["auth.viktorbarzin.me"] +# secret_name = var.tls_secret_name +# } +# rule { +# host = "auth.viktorbarzin.me" +# http { +# path { +# path = "/" +# backend { +# service { +# name = "authelia" +# port { +# number = 80 +# } +# } +# } +# } +# } +# } +# } +# } diff --git a/modules/kubernetes/authelia/values.yaml b/modules/kubernetes/authelia/values.yaml index 0394c383..d2b0afb1 100644 --- a/modules/kubernetes/authelia/values.yaml +++ b/modules/kubernetes/authelia/values.yaml @@ -1,1716 +1,24 @@ ---- -## @formatter:off -## values.yaml -## -## Repository: authelia https://charts.authelia.com -## Chart: authelia -## -## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0. -## It uses the following providers: -## - authentication: LDAP -## - storage: MySQL -## - session: redis - -## Version Override allows changing some chart characteristics that render only on specific versions. -## This does NOT affect the image used, please see the below image section instead for this. -## If this value is not specified, it's assumed the appVersion of the chart is the version. -## The format of this value is x.x.x, for example 4.100.0. -## -## Important Points: -## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion. -## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration -## system. -versionOverride: "" - -## Kubernetes Version Override allows forcibly overriding the detected KubeVersion for fallback capabilities assessment. -## The fallback capabilities assessment only occurs if the APIVersions Capabilities list does not include a known -## APIVersion for a manifest which occurs with some CI/CD tooling. This value will completely override the value -## detected by helm. -kubeVersionOverride: "" - -## Image Parameters -## ref: https://hub.docker.com/r/authelia/authelia/tags/ -## -image: - # registry: docker.io - registry: ghcr.io - repository: authelia/authelia - tag: "" - pullPolicy: IfNotPresent - pullSecrets: [] - # pullSecrets: - # - myPullSecretName - -# nameOverride: authelia-deployment-name -# appNameOverride: authelia - -## -## extra labels/annotations applied to all resources -## -annotations: {} -# annotations: -# myAnnotation: myValue - -labels: {} -# labels: -# myLabel: myValue - -## -## RBAC Configuration. -## -rbac: - ## Enable RBAC. Turning this on associates Authelia with a service account. - ## If the vault injector is enabled, then RBAC must be enabled. - enabled: false - - annotations: {} - labels: {} - - serviceAccountName: authelia - -## Authelia Domain -## Should be the root domain you want to protect. -## For example if you have apps app1.example.com and app2.example.com it should be example.com -## This affects the ingress (partially sets the domain used) and configMap. -## Authelia must be served from the domain or a subdomain under it. -domain: viktorbarzin.me - -service: - type: "ClusterIP" - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - port: 80 - #nodePort: 30091 - # clusterIP: - -ingress: - enabled: true - - annotations: {} - # annotations: - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - - labels: {} - # labels: - # myLabel: myValue - - certManager: false - rewriteTarget: true - - ## The Ingress Class Name. - # className: ingress-nginx - - ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. - ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, - ## and specify example.com for the domain. - subdomain: auth - - tls: - enabled: true - # secret: authelia-tls - secret: tls-secret - - # hostNameOverride: - - traefikCRD: - enabled: false - - ## Use a standard Ingress object, not an IngressRoute. - disableIngressRoute: false - - # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) - - entryPoints: [] - # entryPoints: - # - http - - # priority: 10 - - # weight: 10 - - sticky: false - - # stickyCookieNameOverride: authelia_traefik_lb - - # strategy: RoundRobin - - # responseForwardingFlushInterval: 100ms - - middlewares: - auth: - # nameOverride: authelia-auth - authResponseHeaders: - - Remote-User - - Remote-Name - - Remote-Email - - Remote-Groups - - chains: - auth: - # nameOverride: authelia-auth-chain - - # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain. - before: [] - # before: - # - name: extra-middleware-name - # namespace: default - - # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain. - after: [] - # after: - # - name: extra-middleware-name - # namespace: default - - ingressRoute: - # List of Middlewares to apply before the middleware in the IngressRoute chain. - before: [] - # before: - # - name: extra-middleware-name - # namespace: default - - # List of Middlewares to apply after the middleware in the IngressRoute chain. - after: [] - # after: - # - name: extra-middleware-name - # namespace: default - - # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. - tls: - ## Disables inclusion of the IngressRoute TLSOptions. - disableTLSOptions: false - # existingOptions: - # name: default-traefik-options - # namespace: default - # certResolver: default - # sans: - # - *.example.com - # - options: - # nameOverride: authelia-tls-options - nameOverride: "" - - minVersion: VersionTLS12 - maxVersion: VersionTLS13 - sniStrict: false - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_RSA_WITH_AES_256_GCM_SHA384 - curvePreferences: [] - # curvePreferences: - # - CurveP521 - # - CurveP384 - -pod: - # Must be Deployment, DaemonSet, or StatefulSet. - # kind: DaemonSet - kind: Deployment - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - replicas: 1 - revisionHistoryLimit: 5 - priorityClassName: "" - - strategy: - type: RollingUpdate - # rollingUpdate: - # partition: 1 - # maxSurge: 25% - # maxUnavailable: 25% - - securityContext: - container: {} - # container: - # runAsUser: 2000 - # runAsGroup: 2000 - # fsGroup: 2000 - pod: {} - # pod: - # readOnlyRootFilesystem: true - # allowPrivilegeEscalation: false - # privileged: false - - tolerations: [] - # tolerations: - # - key: key1 - # operator: Equal - # value: value1 - # effect: NoSchedule - # tolerationSeconds: 3600 - - selectors: - # nodeName: worker-1 - - nodeSelector: {} - # nodeSelector: - # disktype: ssd - # kubernetes.io/hostname: worker-1 - - affinity: - nodeAffinity: {} - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/hostname - # operator: In - # values: - # - worker-1 - # - worker-2 - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 1 - # preference: - # matchExpressions: - # - key: node-label-key - # operator: NotIn - # values: - # - not-this - podAffinity: {} - # podAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # - labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S1 - # topologyKey: topology.kubernetes.io/zone - podAntiAffinity: {} - # podAntiAffinity: - # preferredDuringSchedulingIgnoredDuringExecution: - # - weight: 100 - # podAffinityTerm: - # labelSelector: - # matchExpressions: - # - key: security - # operator: In - # values: - # - S2 - # topologyKey: topology.kubernetes.io/zone - - env: [] - # env: - # - name: TZ - # value: Australia/Melbourne - - resources: - limits: {} - # limits: - # cpu: "4.00" - # memory: 125Mi - requests: {} - # requests: - # cpu: "0.25" - # memory: 50Mi - - probes: - method: - httpGet: - path: /api/health - port: http - scheme: HTTP - - liveness: - initialDelaySeconds: 0 - periodSeconds: 30 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - - readiness: - initialDelaySeconds: 0 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 5 - - ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. - ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ - startup: - initialDelaySeconds: 10 - periodSeconds: 5 - timeoutSeconds: 5 - successThreshold: 1 - failureThreshold: 6 - - extraVolumeMounts: [] - extraVolumes: [] - -## -## Kubernetes Pod Disruption Budget -## -podDisruptionBudget: - enabled: false - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - minAvailable: 0 - maxUnavailable: 0 - -## -## Kubernetes Network Policy -## -networkPolicy: - enabled: false - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - policyTypes: - - Ingress - ingress: - - from: - - namespaceSelector: - matchLabels: - authelia.com/network-policy: namespace - - podSelector: - matchLabels: - authelia.com/network-policy: pod - ports: - - protocol: TCP - port: 9091 - -## -## Authelia Config Map Generator -## configMap: - # Enable the configMap source for the Authelia config. - # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. - enabled: true + session: + cookies: + - domain: 'authelia.viktorbarzin.me' + authelia_url: 'https://authelia.viktorbarzin.me' - annotations: {} - # annotations: - # myAnnotation: myValue + storage: + local: + path: '/config/db.sqlite3' - labels: {} - # labels: - # myLabel: myValue - - key: configuration.yaml - - existingConfigMap: "" - - ## - ## Server Configuration - ## - server: - ## - ## Port sets the configured port for the daemon, service, and the probes. - ## Default is 9091 and should not need to be changed. - ## - port: 9091 - - ## Set the single level path Authelia listens on. - ## Must be alphanumeric chars and should not contain any slashes. - path: "" - - ## Set the path on disk to Authelia assets. - ## Useful to allow overriding of specific static assets. - # asset_path: /config/assets/ - asset_path: "" - - ## Customize Authelia headers. - headers: - ## Read the Authelia docs before setting this advanced option. - ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. - csp_template: "" - - ## Server Buffers configuration. - buffers: - ## Read buffer. - read: 4096 - - ## Write buffer. - write: 4096 - - ## Server Timeouts configuration. - timeouts: - ## Read timeout. - read: 6s - - ## Write timeout. - write: 6s - - ## Idle timeout. - idle: 30s - - log: - ## Level of verbosity for logs: info, debug, trace. - level: info - - ## Format the logs are written as: json, text. - format: text - - ## TODO: Statefulness check should check if this is set, and the configMap should enable it. - ## File path where the logs will be written. If not set logs are written to stdout. - # file_path: /config/authelia.log - file_path: "" - - ## - ## Telemetry Configuration - ## - telemetry: - ## - ## Metrics Configuration - ## - metrics: - ## Enable Metrics. - # enabled: false - enabled: true - - ## The port to listen on for metrics. This should be on a different port to the main server.port value. - port: 9959 - - ## Metrics Server Buffers configuration. - buffers: - ## Read buffer. - read: 4096 - - ## Write buffer. - write: 4096 - - ## Metrics Server Timeouts configuration. - timeouts: - ## Read timeout. - read: 6s - - ## Write timeout. - write: 6s - - ## Idle timeout. - idle: 30s - - serviceMonitor: - enabled: false - annotations: {} - labels: {} - - ## Default redirection URL - ## - ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end - ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use - ## in such a case. - ## - ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication. - ## Default is https://www. (value at the top of the values.yaml). - default_redirection_url: "" - # default_redirection_url: https://example.com - - ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been - ## disabled. This setting must be a method that is enabled. - ## Options are totp, webauthn, mobile_push. - default_2fa_method: "" theme: light - - ## - ## TOTP Configuration - ## - ## Parameters used for TOTP generation. - totp: - ## Disable TOTP. - disable: false - - ## The issuer name displayed in the Authenticator application of your choice. - ## Defaults to . - issuer: "" - - ## The TOTP algorithm to use. - ## It is CRITICAL you read the documentation before changing this option: - ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm - algorithm: sha1 - - ## The number of digits a user has to input. Must either be 6 or 8. - ## Changing this option only affects newly generated TOTP configurations. - ## It is CRITICAL you read the documentation before changing this option: - ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits - digits: 6 - - ## The period in seconds a one-time password is valid for. - ## Changing this option only affects newly generated TOTP configurations. - period: 30 - - ## The skew controls number of one-time passwords either side of the current one that are valid. - ## Warning: before changing skew read the docs link below. - ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. - skew: 1 - - ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. - secret_size: 32 - - ## - ## WebAuthn Configuration - ## - ## Parameters used for WebAuthn. - webauthn: - ## Disable Webauthn. - # disable: false - disable: true - - ## Adjust the interaction timeout for Webauthn dialogues. - timeout: 60s - - ## The display name the browser should show the user for when using Webauthn to login/register. - display_name: Authelia - - ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. - ## Options are none, indirect, direct. - attestation_conveyance_preference: indirect - - ## User verification controls if the user must make a gesture or action to confirm they are present. - ## Options are required, preferred, discouraged. - user_verification: preferred - - ## - ## NTP Configuration - ## - ## This is used to validate the servers time is accurate enough to validate TOTP. - ntp: - ## NTP server address. - address: "time.cloudflare.com:123" - - ## NTP version. - version: 4 - - ## Maximum allowed time offset between the host and the NTP server. - max_desync: 3s - - ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you - ## set this to true, and can operate in a truly offline mode. - disable_startup_check: false - - ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with - ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup - ## will continue regardless of results. - disable_failure: false - - ## - ## Duo Push API Configuration - ## - ## Parameters used to contact the Duo API. Those are generated when you protect an application of type - ## "Partner Auth API" in the management panel. - duo_api: - enabled: false - hostname: api-123456789.example.com - integration_key: ABCDEF - enable_self_enrollment: false - - ## - ## Authentication Backend Provider Configuration - ## - ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. - ## - ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. - authentication_backend: - ## Password Reset Options. - password_reset: - ## Disable both the HTML element and the API for reset password functionality - disable: false - - ## External reset password url that redirects the user to an external reset portal. This disables the internal reset - ## functionality. - custom_url: "" - - ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. - ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will - ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. - ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. - ## See the below documentation for more information. - ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format - ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval - refresh_interval: 5m - - ## LDAP backend configuration. - ## - ## This backend allows Authelia to be scaled to more - ## than one instance and therefore is recommended for - ## production. - ldap: - ## Enable LDAP Backend. - # enabled: true - enabled: false - - ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. - ## Acceptable options are as follows: - ## - 'activedirectory' - For Microsoft Active Directory. - ## - 'custom' - For custom specifications of attributes and filters. - ## This currently defaults to 'custom' to maintain existing behaviour. - ## - ## Depending on the option here certain other values in this section have a default value, notably all of the - ## attribute mappings have a default value that this config overrides, you can read more about these default values - ## at https://www.authelia.com/reference/guides/ldap/#defaults - implementation: activedirectory - - ## The url to the ldap server. Format: ://
[:]. - ## Scheme can be ldap or ldaps in the format (port optional). - url: ldap://openldap.default.svc.cluster.local - - ## Connection Timeout. - timeout: 5s - - ## Use StartTLS with the LDAP connection. - start_tls: false - - tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host portion of the url option. - server_name: "" - - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - skip_verify: false - - ## Minimum TLS version for the connection. - minimum_version: TLS1.2 - - ## Maximum TLS version for the connection. - maximum_version: TLS1.3 - - ## The base dn for every LDAP query. - base_dn: DC=example,DC=com - - ## The attribute holding the username of the user. This attribute is used to populate the username in the session - ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, - ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this - ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. - ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user - ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also - ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above - ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. - username_attribute: "" - - ## An additional dn to define the scope to all users. - additional_users_dn: OU=Users - - ## The users filter used in search queries to find the user profile based on input filled in login form. - ## Various placeholders are available in the user filter: - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. - ## - ## Recommended settings are as follows: - ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) - ## - OpenLDAP: - ## - (&({username_attribute}={input})(objectClass=person)) - ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) - ## - ## To allow sign in both with username and email, one can use a filter like - ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) - users_filter: "" - - ## An additional dn to define the scope of groups. - additional_groups_dn: OU=Groups - - ## The groups filter used in search queries to find the groups of the user. - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). - ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. - ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. - ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in - ## later version, so please don't use it. - ## - ## If your groups use the `groupOfUniqueNames` structure use this instead: - ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) - groups_filter: "" - - ## The attribute holding the name of the group - group_name_attribute: "" - - ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the - ## first one returned by the LDAP server is used. - mail_attribute: "" - - ## The attribute holding the display name of the user. This will be used to greet an authenticated user. - display_name_attribute: "" - - ## Follow referrals returned by the server. - ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. - permit_referrals: false - - ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP - ## server and utilizing a service account. - permit_unauthenticated_bind: false - - ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported - ## controls/extensions. - permit_feature_detection_failure: false - - ## The username of the admin user. - user: CN=Authelia,DC=example,DC=com - - ## - ## File (Authentication Provider) - ## - ## With this backend, the users database is stored in a file which is updated when users reset their passwords. - ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia - ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security - ## implications it is highly recommended you leave the default values. Before considering changing these settings - ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ - ## - file: - # enabled: false - enabled: true - path: /config/users_database.yml - watch: true - search: - email: false - case_insensitive: false - password: - algorithm: argon2 - argon2: - variant: argon2id - iterations: 3 - memory: 65536 - parallelism: 4 - key_length: 32 - salt_length: 16 - scrypt: - iterations: 16 - block_size: 8 - parallelism: 1 - key_length: 32 - salt_length: 16 - pbkdf2: - variant: sha512 - iterations: 310000 - salt_length: 16 - sha2crypt: - variant: sha512 - iterations: 50000 - salt_length: 16 - bcrypt: - variant: standard - cost: 12 - - ## - ## Password Policy Configuration. - ## - password_policy: - ## The standard policy allows you to tune individual settings manually. - standard: - enabled: false - - ## Require a minimum length for passwords. - min_length: 8 - - ## Require a maximum length for passwords. - max_length: 0 - - ## Require uppercase characters. - require_uppercase: true - - ## Require lowercase characters. - require_lowercase: true - - ## Require numeric characters. - require_number: true - - ## Require special characters. - require_special: true - - ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. - zxcvbn: - enabled: false - - ## Configures the minimum score allowed. - min_score: 0 - - ## - ## Access Control Configuration - ## - ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. - ## - ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed - ## to anyone. Otherwise restrictions follow the rules defined. - ## - ## Note: One can use the wildcard * to match any subdomain. - ## It must stand at the beginning of the pattern. (example: *.mydomain.com) - ## - ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. - ## - ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. - ## - ## - 'domain' defines which domain or set of domains the rule applies to. - ## - ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not - ## provided. If provided, the parameter represents either a user or a group. It should be of the form - ## 'user:' or 'group:'. - ## - ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. - ## - ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter - ## is optional and matches any resource if not provided. - ## - ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. + # Error 1: access_control (The warning) access_control: - ## Configure the ACL as a Secret instead of part of the ConfigMap. - secret: - ## Enables the ACL section being generated as a secret. - enabled: false - - ## The key in the secret which contains the file to mount. - key: configuration.acl.yaml - - ## An existingSecret name, if configured this will force the secret to be mounted using the key above. - existingSecret: "" - - ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any - ## resource if there is no policy to be applied to the user. - default_policy: deny - - networks: [] - # networks: - # - name: private - # networks: - # - 10.0.0.0/8 - # - 172.16.0.0/12 - # - 192.168.0.0/16 - # - name: vpn - # networks: - # - 10.9.0.0/16 - - rules: [] - # rules: - # - domain_regex: '^.*\.example.com$' - # policy: bypass - # - domain: public.example.com - # policy: bypass - # - domain: "*.example.com" - # policy: bypass - # methods: - # - OPTIONS - # - domain: secure.example.com - # policy: one_factor - # networks: - # - private - # - vpn - # - 192.168.1.0/24 - # - 10.0.0.1 - # - domain: - # - secure.example.com - # - private.example.com - # policy: two_factor - # - domain: singlefactor.example.com - # policy: one_factor - # - domain: "mx2.mail.example.com" - # subject: "group:admins" - # policy: deny - # - domain: "*.example.com" - # subject: - # - "group:admins" - # - "group:moderators" - # policy: two_factor - # - domain: dev.example.com - # resources: - # - "^/groups/dev/.*$" - # subject: "group:dev" - # policy: two_factor - # - domain: dev.example.com - # resources: - # - "^/users/john/.*$" - # subject: - # - ["group:dev", "user:john"] - # - "group:admins" - # policy: two_factor - # - domain: "{user}.example.com" - # policy: bypass - - ## - ## Session Provider Configuration - ## - ## The session cookies identify the user once logged in. - ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. - session: - ## The name of the session cookie. (default: authelia_session). - name: authelia_session - - ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. - ## Please read https://www.authelia.com/configuration/session/introduction/#same_site - same_site: lax - - ## The time in seconds before the cookie expires and session is reset. - expiration: 1h - - ## The inactivity time in seconds before the session is reset. - inactivity: 5m - - ## The remember me duration. - ## Value is in seconds, or duration notation. Value of 0 disables remember me. - ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format - ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to - ## spy or attack. Currently the default is 1M or 1 month. - remember_me_duration: 1M - - ## - ## Redis Provider - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ - ## - ## The redis connection details - redis: - enabled: true - enabledSecret: false - # host: redis.databases.svc.cluster.local - host: redis.redis.svc.cluster.local - port: 6379 - - ## Optional username to be used with authentication. - # username: authelia - username: "" - - ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). - database_index: 0 - - ## The maximum number of concurrent active connections to Redis. - maximum_active_connections: 8 - - ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. - minimum_idle_connections: 0 - - ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). - tls: - enabled: false - - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host option. - server_name: "" - - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - skip_verify: false - - ## Minimum TLS version for the connection. - minimum_version: TLS1.2 - - ## Maximum TLS version for the connection. - maximum_version: TLS1.3 - - ## The Redis HA configuration options. - ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). - high_availability: - enabled: false - enabledSecret: false - ## Sentinel Name / Master Name - sentinel_name: mysentinel - - ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based - ## authentication. If left blank, authentication to sentinels will be done via `requirepass`. - username: "" - - ## The additional nodes to pre-seed the redis provider with (for sentinel). - ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. - ## For high availability to be used you must have either defined; the host above or at least one node below. - nodes: [] - # nodes: - # - host: sentinel-0.databases.svc.cluster.local - # port: 26379 - # - host: sentinel-1.databases.svc.cluster.local - # port: 26379 - - ## Choose the host with the lowest latency. - route_by_latency: false - - ## Choose the host randomly. - route_randomly: false - - ## - ## Regulation Configuration - ## - ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done - ## in a short period of time. - regulation: - ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. - max_retries: 3 - - ## The time range during which the user can attempt login before being banned. The user is banned if the - ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. - ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format - find_time: 2m - - ## The length of time before a banned user can login again. Ban Time accepts duration notation. - ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format - ban_time: 5m - - ## - ## Storage Provider Configuration - ## - ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. - storage: - ## - ## Local (Storage Provider) - ## - ## This stores the data in a SQLite3 Database. - ## This is only recommended for lightweight non-stateful installations. - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ - ## - local: - # enabled: false - enabled: true - path: /config/db.sqlite3 - - ## - ## MySQL (Storage Provider) - ## - ## Also supports MariaDB - ## - mysql: - enabled: false - host: mysql.databases.svc.cluster.local - port: 3306 - database: authelia - username: authelia - timeout: 5s - tls: - enabled: false - - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host option. - server_name: "" - - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - skip_verify: false - - ## Minimum TLS version for the connection. - minimum_version: TLS1.2 - - ## Maximum TLS version for the connection. - maximum_version: TLS1.3 - - ## - ## PostgreSQL (Storage Provider) - ## - postgres: - # enabled: true - enabled: false - host: postgres.databases.svc.cluster.local - port: 5432 - database: authelia - schema: public - username: authelia - timeout: 5s - tls: - enabled: false - - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host option. - server_name: "" - - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - skip_verify: false - - ## Minimum TLS version for the connection. - minimum_version: TLS1.2 - - ## Maximum TLS version for the connection. - maximum_version: TLS1.3 - - ## - ## Notification Provider - ## - ## - ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. - ## The available providers are: filesystem, smtp. You must use one and only one of these providers. - notifier: - ## You can disable the notifier startup check by setting this to true. - disable_startup_check: false - - ## - ## File System (Notification Provider) - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ - ## - filesystem: - # enabled: false - enabled: true - filename: /config/notification.txt - - ## - ## SMTP (Notification Provider) - ## - ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. - ## [Security] By default Authelia will: - ## - force all SMTP connections over TLS including unauthenticated connections - ## - use the disable_require_tls boolean value to disable this requirement - ## (only works for unauthenticated connections) - ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates - ## (configure in tls section) - smtp: - # enabled: true - enabled: false - enabledSecret: false - host: smtp.mail.svc.cluster.local - port: 25 - timeout: 5s - username: test - sender: admin@example.com - ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. - identifier: localhost - ## Subject configuration of the emails sent. - ## {title} is replaced by the text from the notifier - subject: "[Authelia] {title}" - ## This address is used during the startup check to verify the email configuration is correct. - ## It's not important what it is except if your email server only allows local delivery. - startup_check_address: test@authelia.com - - ## Disables sending HTML formatted emails. - disable_html_emails: false - - ## By default we require some form of TLS. This disables this check though is not advised. - disable_require_tls: false - - ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For - ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is - ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the - ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t - ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for - ## more information. - disable_starttls: false - - tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host option. - server_name: "" - - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - skip_verify: false - - ## Minimum TLS version for the connection. - minimum_version: TLS1.2 - - ## Maximum TLS version for the connection. - maximum_version: TLS1.3 - - identity_providers: - oidc: - ## Enables this in the config map. Currently in beta stage. - ## See https://www.authelia.com/r/openid-connect/ - enabled: false - # enabled: true - - access_token_lifespan: 1h - authorize_code_lifespan: 1m - id_token_lifespan: 1h - refresh_token_lifespan: 90m - - ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. - ## For security reasons it's recommended this option is public_clients_only or always, however always is not - ## compatible with all clients. - enforce_pkce: public_clients_only - - ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. - enable_pkce_plain_challenge: false - - ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for - ## security reasons. - minimum_parameter_entropy: 8 - - ## Enables additional debug messages. - enable_client_debug_messages: false - - ## The issuer_certificate_chain is an optional PEM encoded certificate chain. It's used in conjunction with the - ## issuer_private_key to sign JWT's. All certificates in the chain must be within the validity period, and every - ## certificate included must be signed by the certificate immediately after it if provided. - issuer_certificate_chain: "" - # issuer_certificate_chain: | - # -----BEGIN CERTIFICATE----- - # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw - # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw - # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP - # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q - # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6 - # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY - # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H - # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR - # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD - # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN - # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh - # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4 - # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq - # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg - # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i - # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE= - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw - # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw - # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP - # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S - # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50 - # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou - # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7 - # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi - # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD - # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU - # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/ - # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf - # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ - # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB - # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj - # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b - # qocikt3WAdU^invalid DO NOT USE= - # -----END CERTIFICATE----- - - ## Cross-Origin Resource Sharing (CORS) settings. - cors: - ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. - # endpoints: - # - authorization - # - token - # - revocation - # - introspection - # - userinfo - endpoints: [] - - ## List of allowed origins. - ## Any origin with https is permitted unless this option is configured or the - ## allowed_origins_from_client_redirect_uris option is enabled. - # allowed_origins: - # - https://example.com - allowed_origins: [] - - ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, - ## provided they have the scheme http or https and do not have the hostname of localhost. - allowed_origins_from_client_redirect_uris: true - - clients: [] - # clients: - # - - ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. - # id: myapp - - ## The description to show to users when they end up on the consent screen. Defaults to the ID above. - # description: My Application - - ## The client secret is a shared secret between Authelia and the consumer of this client. - # secret: apple123 - - ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not - ## necessary. Read the documentation for more information. - ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. - # sector_identifier: example.com - - ## Sets the client to public. This should typically not be set, please see the documentation for usage. - # public: false - - ## The policy to require for this client; one_factor or two_factor. - # authorization_policy: two_factor - - ## The consent mode controls how consent is obtained. - # consent_mode: auto - - ## This value controls the duration a consent on this client remains remembered when the consent mode is - ## configured as 'auto' or 'pre-configured'. - # pre_configured_consent_duration: 30d - - ## Audience this client is allowed to request. - # audience: [] - - ## Scopes this client is allowed to request. - # scopes: - # - openid - # - profile - # - email - # - groups - - ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. - # redirect_uris: - # - https://oidc.example.com/oauth2/callback - - ## Grant Types configures which grants this client can obtain. - ## It's not recommended to configure this unless you know what you're doing. - # grant_types: - # - refresh_token - # - authorization_code - - ## Response Types configures which responses this client can be sent. - ## It's not recommended to configure this unless you know what you're doing. - # response_types: - # - code - - ## Response Modes configures which response modes this client supports. - ## It's not recommended to configure this unless you know what you're doing. - # response_modes: - # - form_post - # - query - # - fragment - - ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256. - # userinfo_signing_algorithm: none - -## -## Authelia Secret Generator. -## -## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each -## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets) -## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option. -## -secret: - existingSecret: "" - # existingSecret: authelia - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - mountPath: /secrets - - excludeVolumeAndMounts: false - - ## Secrets. - jwt: - key: JWT_TOKEN - value: "" - filename: JWT_TOKEN - ldap: - key: LDAP_PASSWORD - value: "" - filename: LDAP_PASSWORD - storage: - key: STORAGE_PASSWORD - value: "" - filename: STORAGE_PASSWORD - storageEncryptionKey: - key: STORAGE_ENCRYPTION_KEY - value: "" - filename: STORAGE_ENCRYPTION_KEY - session: - key: SESSION_ENCRYPTION_KEY - value: "" - filename: SESSION_ENCRYPTION_KEY - duo: - key: DUO_API_KEY - value: "" - filename: DUO_API_KEY - redis: - key: REDIS_PASSWORD - value: "" - filename: REDIS_PASSWORD - redisSentinel: - key: REDIS_SENTINEL_PASSWORD - value: "" - filename: REDIS_SENTINEL_PASSWORD - smtp: - key: SMTP_PASSWORD - value: "" - filename: SMTP_PASSWORD - oidcPrivateKey: - key: OIDC_PRIVATE_KEY - value: "" - filename: OIDC_PRIVATE_KEY - oidcHMACSecret: - key: OIDC_HMAC_SECRET - value: "" - filename: OIDC_HMAC_SECRET - - ## HashiCorp Vault Injector configuration. - vaultInjector: - ## Enable the vault injector annotations. This will disable secret injection via other means. - ## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations - ## Annotations with a blank string do not get configured at all. - ## Additional annotations can be configured via the secret.annotations: {} above. - ## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the - ## secret.mountPath value. You can alter the filenames with the secret..filename values. - ## Secrets are loaded from vault path specified below with secrets..path values. Its format should be - ## :. - ## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used, - ## it can be overriden per each secret by specifying secrets..templateValue. For example for KV v2 - ## secrets engine would be '{{ with secret "" }}{{ .Data.data. }}{{ end }}'. - enabled: false - - ## The vault role to assign via annotations. - ## Annotation: vault.hashicorp.com/role - role: authelia - - agent: - ## Annotation: vault.hashicorp.com/agent-inject-status - status: update - - ## Annotation: vault.hashicorp.com/agent-configmap - configMap: "" - - ## Annotation: vault.hashicorp.com/agent-image - image: "" - - ## Annotation: vault.hashicorp.com/agent-init-first - initFirst: "false" - - ## Annotation: vault.hashicorp.com/agent-inject-command - command: "sh -c 'kill HUP $(pidof authelia)'" - - ## Annotation: vault.hashicorp.com/agent-run-as-same-user - runAsSameUser: "true" - - secrets: - jwt: - ## Vault Path to the Authelia JWT secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-jwt - path: secrets/authelia/jwt:token - - ## Vault template specific to JWT. - ## Annotation: vault.hashicorp.com/agent-inject-template-jwt - templateValue: "" - - ## Vault after render command specific to JWT. - ## Annotation: vault.hashicorp.com/agent-inject-command-jwt - command: "" - ldap: - ## Vault Path to the Authelia LDAP secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-ldap - path: secrets/authelia/ldap:password - - ## Vault template specific to LDAP. - ## Annotation: vault.hashicorp.com/agent-inject-template-ldap - templateValue: "" - - ## Vault after render command specific to LDAP. - ## Annotation: vault.hashicorp.com/agent-inject-command-ldap - command: "" - storage: - ## Vault Path to the Authelia storage password secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-storage - path: secrets/authelia/storage:password - - ## Vault template specific to the storage password. - ## Annotation: vault.hashicorp.com/agent-inject-template-storage - templateValue: "" - - ## Vault after render command specific to the storage password. - ## Annotation: vault.hashicorp.com/agent-inject-command-storage - command: "" - storageEncryptionKey: - ## Vault Path to the Authelia storage encryption key secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key - path: secrets/authelia/storage:encryption_key - - ## Vault template specific to the storage encryption key. - ## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key - templateValue: "" - - ## Vault after render command specific to the storage encryption key. - ## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key - command: "" - session: - ## Vault Path to the Authelia session secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-session - path: secrets/authelia/session:encryption_key - - ## Vault template specific to session. - ## Annotation: vault.hashicorp.com/agent-inject-template-session - templateValue: "" - - ## Vault after render command specific to session. - ## Annotation: vault.hashicorp.com/agent-inject-command-session - command: "" - duo: - ## Vault Path to the Authelia duo secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-duo - path: secrets/authelia/duo:api_key - - ## Vault template specific to duo. - ## Annotation: vault.hashicorp.com/agent-inject-template-duo - templateValue: "" - - ## Vault after render command specific to duo. - ## Annotation: vault.hashicorp.com/agent-inject-command-duo - command: "" - redis: - ## Vault Path to the Authelia redis secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-redis - path: secrets/authelia/redis:password - - ## Vault template specific to redis. - ## Annotation: vault.hashicorp.com/agent-inject-template-redis - templateValue: "" - - ## Vault after render command specific to redis. - ## Annotation: vault.hashicorp.com/agent-inject-command-redis - command: "" - redisSentinel: - ## Vault Path to the Authelia redis sentinel secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel - path: secrets/authelia/redis_sentinel:password - - ## Vault template specific to redis sentinel. - ## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel - templateValue: "" - - ## Vault after render command specific to redis sentinel. - ## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel - command: "" - smtp: - ## Vault Path to the Authelia SMTP secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-smtp - path: secrets/authelia/smtp:password - - ## Vault template specific to SMTP. - ## Annotation: vault.hashicorp.com/agent-inject-template-smtp - templateValue: "" - - ## Vault after render command specific to SMTP. - ## Annotation: vault.hashicorp.com/agent-inject-command-smtp - command: "" - oidcPrivateKey: - ## Vault Path to the Authelia OIDC private key secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key - path: secrets/authelia/oidc:private_key - - ## Vault template specific to OIDC private key. - ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key - templateValue: "" - - ## Vault after render command specific to OIDC private key. - ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key - command: "" - oidcHMACSecret: - ## Vault Path to the Authelia OIDC HMAC secret. - ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret - path: secrets/authelia/oidc:hmac_secret - - ## Vault template specific to OIDC HMAC secret. - ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret - templateValue: "" - - ## Vault after render command specific to OIDC HMAC secret. - ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret - command: "" - -certificates: - existingSecret: "" - # existingSecret: authelia - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - values: [] - # values: - # - name: Example_Com_Root_Certificate_Authority_B64.pem - # secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== - # - name: Example_Com_Root_Certificate_Authority.pem - # value: | - # -----BEGIN CERTIFICATE----- - # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G - # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp - # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 - # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG - # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI - # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 - # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT - # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm - # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd - # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ - # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw - # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o - # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU - # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp - # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK - # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX - # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs - # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH - # WD9f - # -----END CERTIFICATE----- - -## -## Authelia Persistence Configuration. -## -## Useful in scenarios where you need persistent storage. -## Auth Provider Use Case: file; we recommend you use the ldap provider instead. -## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. -## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). -## -persistence: - enabled: false - - annotations: {} - # annotations: - # myAnnotation: myValue - - labels: {} - # labels: - # myLabel: myValue - - readOnly: false - subPath: "" - - existingClaim: "" - # existingClaim: my-claim-name - - storageClass: "" - # storageClass: "my-storage-class" - - ## Persistent Volume Name - ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one - ## - volumeName: "" - - accessModes: - - ReadWriteOnce - - size: 100Mi - - selector: {} ---- - + default_policy: 'one_factor' # Change to 'two_factor' once you have 2FA set up + rules: + - domain: "*.viktorbarzin.me" + policy: one_factor + + # Error 2: authentication_backend (Where users are stored) + authentication_backend: + file: + path: /config/users.yml + \ No newline at end of file