diff --git a/README.md b/README.md index a16f88f..dcf2808 100644 --- a/README.md +++ b/README.md @@ -35,7 +35,7 @@ Note 2: Delete the plaintext resource after encrypting it. sops -e secret.yaml > secret.enc.yaml ``` -## 3. Create teh KSOPS kustomize generator +## 3. Create the KSOPS kustomize generator ``` # Create a local Kubernetes Secret diff --git a/apps/authelia/TODO.md b/apps/authelia/TODO.md new file mode 100644 index 0000000..83193e4 --- /dev/null +++ b/apps/authelia/TODO.md @@ -0,0 +1 @@ +Adjust to support stateless containers. See https://www.authelia.com/overview/authorization/statelessness/ diff --git a/apps/authelia/base/authelia.custom.yaml b/apps/authelia/base/authelia.custom.yaml new file mode 100644 index 0000000..9d8a00c --- /dev/null +++ b/apps/authelia/base/authelia.custom.yaml @@ -0,0 +1,353 @@ +--- +# Source: authelia/templates/configMap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 +data: + configuration.yaml: | + --- + # yaml-language-server: $schema=https://www.authelia.com/schemas/v4.38/json-schema/configuration.json + theme: 'light' + default_2fa_method: '' + server: + address: 'tcp://0.0.0.0:9091/' + asset_path: '' + headers: + csp_template: '' + buffers: + read: 4096 + write: 4096 + timeouts: + read: '6 seconds' + write: '6 seconds' + idle: '30 seconds' + endpoints: + enable_pprof: false + enable_expvars: false + authz: + auth-request: + implementation: 'AuthRequest' + ext-authz: + implementation: 'ExtAuthz' + forward-auth: + implementation: 'ForwardAuth' + log: + level: 'info' + format: 'text' + file_path: '' + keep_stdout: true + telemetry: + metrics: + enabled: false + identity_validation: + elevated_session: + code_lifespan: '5 minutes' + elevation_lifespan: '10 minutes' + characters: 8 + require_second_factor: false + skip_second_factor: false + reset_password: + jwt_lifespan: '5 minutes' + jwt_algorithm: 'HS256' + totp: + disable: false + issuer: 'Authelia' + skew: 1 + secret_size: 32 + algorithm: 'SHA1' + digits: 6 + period: 30 + allowed_algorithms: + - 'SHA1' + allowed_digits: + - 6 + allowed_periods: + - 30 + webauthn: + disable: false + display_name: 'Authelia' + attestation_conveyance_preference: 'indirect' + user_verification: 'preferred' + timeout: '60 seconds' + ntp: + address: 'udp://time.cloudflare.com:123' + version: 4 + max_desync: '3 seconds' + disable_startup_check: false + disable_failure: false + authentication_backend: + password_reset: + disable: false + custom_url: '' + file: + path: '/config/users_database.yml' + watch: false + search: + email: false + case_insensitive: false + password: + algorithm: 'argon2' + argon2: + variant: 'argon2id' + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + scrypt: + iterations: 16 + block_size: 8 + parallelism: 1 + key_length: 32 + salt_length: 16 + pbkdf2: + variant: 'sha512' + iterations: 310000 + salt_length: 16 + sha2crypt: + variant: 'sha512' + iterations: 50000 + salt_length: 16 + bcrypt: + variant: 'standard' + cost: 12 + password_policy: + standard: + enabled: false + min_length: 8 + max_length: 0 + require_uppercase: false + require_lowercase: false + require_number: false + require_special: false + zxcvbn: + enabled: false + min_score: 0 + session: + name: 'authelia_session' + same_site: 'lax' + inactivity: '5 minutes' + expiration: '1 hour' + remember_me: '1 month' + cookies: + regulation: + max_retries: 3 + find_time: '2 minutes' + ban_time: '5 minutes' + storage: + notifier: + disable_startup_check: false + access_control: + default_policy: 'two_factor' + ... +--- +# Source: authelia/templates/persistentVolumeClaim.yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Mi +--- +# Source: authelia/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 +spec: + type: ClusterIP + sessionAffinity: None + selector: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + ports: + - name: http + protocol: TCP + port: 80 + targetPort: http +--- +# Source: authelia/templates/deployment.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 +spec: + selector: + matchLabels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + revisionHistoryLimit: 5 + minReadySeconds: 0 + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + template: + metadata: + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 + annotations: + authelia.com/checksum-config: 9c19d6aae755992be367bad3d6336c8a2932c355f96272a49539571a85af007a + + spec: + hostNetwork: false + hostPID: false + hostIPC: false + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} + enableServiceLinks: false + containers: + - name: authelia + image: ghcr.io/authelia/authelia:4.38.16 + imagePullPolicy: IfNotPresent + command: ["authelia"] + resources: + limits: + cpu: "4.00" + memory: 2Gi + requests: + cpu: "0.25" + memory: 50Mi + env: + - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK + value: "true" + - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE + value: '/secrets/internal/identity_validation.reset_password.jwt.hmac.key' + - name: AUTHELIA_SESSION_SECRET_FILE + value: '/secrets/internal/session.encryption.key' + - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE + value: '/secrets/internal/storage.encryption.key' + - name: X_AUTHELIA_CONFIG + value: '/configuration.yaml' + - name: X_AUTHELIA_CONFIG_FILTERS + value: template + startupProbe: + failureThreshold: 6 + httpGet: + path: /api/health + port: http + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + livenessProbe: + failureThreshold: 5 + httpGet: + path: /api/health + port: http + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + failureThreshold: 5 + httpGet: + path: /api/health + port: http + scheme: HTTP + initialDelaySeconds: 0 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 5 + ports: + - name: http + containerPort: 9091 + protocol: TCP + volumeMounts: + - mountPath: /config + name: authelia + readOnly: false + - mountPath: /configuration.yaml + name: config + readOnly: true + subPath: configuration.yaml + - mountPath: /secrets/internal + name: secrets + readOnly: true + volumes: + - name: authelia + persistentVolumeClaim: + claimName: authelia + - name: config + configMap: + name: authelia + items: + - key: configuration.yaml + path: configuration.yaml + - name: secrets + secret: + secretName: authelia + items: + - key: identity_validation.reset_password.jwt.hmac.key + path: identity_validation.reset_password.jwt.hmac.key + - key: session.encryption.key + path: session.encryption.key + - key: storage.encryption.key + path: storage.encryption.key +--- +# Source: authelia/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/instance: authelia + app.kubernetes.io/version: 4.38.16 + app.kubernetes.io/managed-by: Helm + helm.sh/chart: authelia-0.9.9 + annotations: + kubernetes.io/tls-acme: "true" +spec: + rules: + - host: 'auth.nc.landry.land' + http: + paths: + - path: '/' + pathType: Prefix + backend: + service: + name: authelia + port: + number: 80 + tls: + - hosts: + - 'auth.nc.landry.land' + secretName: authelia-tls diff --git a/apps/authelia/base/daemonset.patch.yaml b/apps/authelia/base/daemonset.patch.yaml new file mode 100644 index 0000000..6e6c75a --- /dev/null +++ b/apps/authelia/base/daemonset.patch.yaml @@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: authelia +spec: + template: + spec: + containers: + - name: authelia + env: + # prevents 431 request header too large + # https://www.authelia.com/reference/guides/log-messages/#request-header-too-large + - name: AUTHELIA_SERVER_BUFFERS_READ + value: 16384 + - name: AUTHELIA_SERVER_BUFFERS_WRITE + value: 16384 + - name: AUTHELIA_STORAGE_POSTGRES_HOST + valueFrom: + secretKeyRef: + name: pg-authelia-app + key: host + - name: AUTHELIA_STORAGE_POSTGRES_DATABASE + valueFrom: + secretKeyRef: + name: pg-authelia-app + key: dbname + - name: AUTHELIA_STORAGE_POSTGRES_USERNAME + valueFrom: + secretKeyRef: + name: pg-authelia-app + key: username + - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: pg-authelia-app + key: password + # - name: TZ + # value: ... diff --git a/apps/authelia/base/helm.patch.yaml b/apps/authelia/base/helm.patch.yaml new file mode 100644 index 0000000..bca9142 --- /dev/null +++ b/apps/authelia/base/helm.patch.yaml @@ -0,0 +1,5 @@ +- op: remove + path: /metadata/labels/app.kubernetes.io~1managed-by + +- op: remove + path: /metadata/labels/helm.sh~1chart diff --git a/apps/authelia/base/kustomization.yaml b/apps/authelia/base/kustomization.yaml new file mode 100644 index 0000000..7c4aec8 --- /dev/null +++ b/apps/authelia/base/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./pg.yaml + - ./authelia.custom.yaml + +patches: + - path: ./helm.patch.yaml + target: + labelSelector: app.kubernetes.io/managed-by=Helm + - path: daemonset.patch.yaml diff --git a/apps/authelia/base/namespace.yaml b/apps/authelia/base/namespace.yaml new file mode 100644 index 0000000..f88c11d --- /dev/null +++ b/apps/authelia/base/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: authelia-system diff --git a/apps/authelia/base/pg.yaml b/apps/authelia/base/pg.yaml new file mode 100644 index 0000000..9beb402 --- /dev/null +++ b/apps/authelia/base/pg.yaml @@ -0,0 +1,30 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: Cluster +metadata: + name: pg-authelia +spec: + instances: 1 + + storage: + size: 1Gi + + # Credentials in secret pg-authelia-app + # https://cloudnative-pg.io/documentation/1.24/applications/#secrets + + bootstrap: + initdb: + database: authelia + + # enableSuperuserAccess: true + + # resources: + # requests: + # memory: "512Mi" + # cpu: "1" + # limits: + # memory: "1Gi" + # cpu: "2" + + # affinity: + # enablePodAntiAffinity: true + # topologyKey: failure-domain.beta.kubernetes.io/zone diff --git a/apps/authelia/overlays/system/config.json b/apps/authelia/overlays/system/config.json new file mode 100644 index 0000000..88de384 --- /dev/null +++ b/apps/authelia/overlays/system/config.json @@ -0,0 +1,11 @@ +{ + "appName": "authelia", + "userGivenName": "authelia", + "destNamespace": "authelia-system", + "destServer": "https://kubernetes.default.svc", + "srcPath": "apps/authelia/overlays/system", + "srcRepoURL": "ssh://git@gitea-ssh.gitops.svc.cluster.local:2222/davad/argo.git", + "srcTargetRevision": "", + "labels": null, + "annotations": null +} diff --git a/apps/authelia/overlays/system/kustomization.yaml b/apps/authelia/overlays/system/kustomization.yaml new file mode 100644 index 0000000..a393399 --- /dev/null +++ b/apps/authelia/overlays/system/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../../base + +generators: + - ./secret-generator.yaml diff --git a/apps/authelia/overlays/system/secret-generator.yaml b/apps/authelia/overlays/system/secret-generator.yaml new file mode 100644 index 0000000..7337707 --- /dev/null +++ b/apps/authelia/overlays/system/secret-generator.yaml @@ -0,0 +1,14 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + # Specify a name + name: authelia-secret-generator + annotations: + config.kubernetes.io/function: | + exec: + # if the binary is in your PATH, you can do + path: ksops + # otherwise, path should be relative to manifest files, like + # path: ../../../ksops +files: + - ./secret.enc.yaml diff --git a/apps/authelia/overlays/system/secret.enc.yaml b/apps/authelia/overlays/system/secret.enc.yaml new file mode 100644 index 0000000..3cce4bd --- /dev/null +++ b/apps/authelia/overlays/system/secret.enc.yaml @@ -0,0 +1,34 @@ +# Source: authelia/templates/secret.yaml +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: authelia + labels: + app.kubernetes.io/name: authelia + app.kubernetes.io/version: 4.38.16 +data: + identity_validation.reset_password.jwt.hmac.key: ENC[AES256_GCM,data:nd+F68f3PyWMKAw3tgRO7mtmiNaJVtRHmGbeUSbAZniOXRItXrJuB4GVaIttYI0B+EUet3poAwFrw2SybBBGKHVHF5OzOFh+fKoNlAwIa5Br8jO/49d722jxiL2sWPqJgJLY+M9mnvtWRBgTXWOIabAP8ZCadZyyAyKm0JITBhaDvUz6aqkQyhMtS5HcHtEHWtIX6cx9K9DLpl4VN9eCvwOFnUzQuIG1JuuogQ==,iv:pcKUgmWZ8j7XGn0DDvTXgVpIRaHYmiT83M0Lfeu6gMI=,tag:r5zmcWOHNthRdxOEDxNhQg==,type:str] + session.encryption.key: ENC[AES256_GCM,data:2HYKCXdVMwhDW0yByFuizMp0DGM81sPHEzjKrtmIqof1F5/izpDN6i/Vh46hBlgsiiAqcALFmfAZXR7KCtksMaIv/plViFvCoYIfprwyboYY2jMhm1zHSe9wTpi+PGX/0pO6OunLIoeECcXlbXG2xyY2nYBxbrowNzbgE/cMNTgENhKn+UdEgwUGYF2X7xyz4G661nYg8rbz70PfO3D6ymsemDxVcX0a4YsNow==,iv:w3MU/BIdNnfatBQPSOS6mMmXReA/nVYmZa3nZ5HZsoY=,tag:x+j5TchnmjXegTuhTEJCTw==,type:str] + storage.encryption.key: ENC[AES256_GCM,data:M9rgJx3clzISUr26zR2AQvVISqnCtugid3AEo1p0UlsKrkpWKF5qbqYxbvP7wiuuOx51fw08jwDKIgow6H2WFwSqIN2ZmUUPXKewxoseSqU5YFCKebgJ4GA6RQKIGfjJSwQ/qhw9OCTkPTD7HQxPJhV5YNXqrhDQDEvlFRzvq4YoZTBHek5PWfvVeuijMH4sPDSvQMz7j7QDdD07GVH94DhWfdWWTe+bIIX6fA==,iv:MojUB+hWex47aFl4gzndLDKpKj074ZC86/q+hKp9/vM=,tag:IfIFb5BT8kRtu8Rc0wo7vw==,type:str] + storage.postgres.password.txt: ENC[AES256_GCM,data:oLikQ+m2gJVf5h3bD+qCszQ8p/46PiCdzw3THXyanOQymDfsldsUMxngtfp5s3pm2zZrup0huDHJ0aiFkmijqNIg7YH8y+mHezGpNcnlBMBoyPiWJIDjpb+3cmQlUPNNw/JvPI7tkRtOkr4XZF+V77fqgHLaTxmgjXFfZ+CHiIobFHs/Cvk+hjRlnmka8GzyNAGSjB73bfCHXMymKAiASzISb1iZ7ca6I5aleA==,iv:w5EzV3NjRGY3E4dbcGYEkF48252Zy5/g6PPeop0AW7Q=,tag:wHWPOfFKDWWWFguSONSm3Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1y26vr5qt6th3wu92rnsgkqcpxxah3pqkqa4khcjjycm3kg40aqyqjgfzx9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOOC9CT1VwYmRISnFqd2xw + WG1ONG9qKzdQMUVQVkNybmJnOFhJYXZsZTNnCnUzMUwvTTBmbW5kRXRPVDMyM1hi + YjNxb1g2eHUxZk5aamE0Uy9CY2RPS2MKLS0tIGptOGNLU0xZREkyUkVXVkFvajdD + THk3d2h2bGtSaDRBSm5xejlNL0Y5TmcKgsYivnUfBodeXlRkStB/vJ41oaVZi7iE + OhGGmsTD0xNJYypTjlwl+e7qXClcC7mt1Lgg9mUCMVUvdT7RwJJobw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-10-09T19:27:37Z" + mac: ENC[AES256_GCM,data:zhimwhlc3IOChp3Ydwm9SneOw24hoqK4bswkG5Bq5mXNfX7UQjv072U6OuY44ynkaULfkh+o8cif9IkYEcel8rPHD/neFZ+GRjhL6SVXl2+//1iSBtUM2a8QKJIWn9zxlqZyVFhq77oyf9PKKIgSQN3KU8RDCc+j6desThOzXbU=,iv:D6Pg7b1Tz+Vzzyc7PXR2U4WOxnBzgMqfWAJLoifwKUQ=,tag:s3qRNhlL4Y2bo2FoXh+oxQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/apps/authelia/update-manifest-from-helm.sh b/apps/authelia/update-manifest-from-helm.sh new file mode 100755 index 0000000..01346ee --- /dev/null +++ b/apps/authelia/update-manifest-from-helm.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env sh + +helm repo add authelia https://charts.authelia.com --force-update +helm template \ + authelia authelia/authelia \ + --version 0.9.9 \ + -f values.yaml \ + > base/authelia.custom.yaml + + # Full documentation for helm values at + # https://artifacthub.io/packages/helm/cert-manager/cert-manager diff --git a/apps/authelia/values.yaml b/apps/authelia/values.yaml new file mode 100644 index 0000000..75a6083 --- /dev/null +++ b/apps/authelia/values.yaml @@ -0,0 +1,1568 @@ +ingress: + enabled: true + + certManager: true + + rulesOverride: + - host: auth.nc.landry.land + path: / + + tls: + enabled: true + hostnameOverride: auth.nc.landry.land + secret: "authelia-tls" + +pod: + # Must be Deployment, DaemonSet, or StatefulSet. + kind: "DaemonSet" + + replicas: 1 + revisionHistoryLimit: 5 + priorityClassName: "" + + strategy: + type: "RollingUpdate" + + resources: + limits: + cpu: "4.00" + memory: "2Gi" + requests: + cpu: "0.25" + memory: "50Mi" + + probes: + method: + httpGet: + path: "/api/health" + port: "http" + scheme: "HTTP" + + liveness: + initialDelaySeconds: 0 + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + readiness: + initialDelaySeconds: 0 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 5 + + ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. + ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ + startup: + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + + extraVolumeMounts: [] + extraVolumes: [] + +## +## Kubernetes Pod Disruption Budget +## +podDisruptionBudget: + enabled: false + + minAvailable: 0 + maxUnavailable: 0 + +## +## Authelia Config Map Generator +## +configMap: + # Enable the configMap source for the Authelia config. + # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. + disabled: false + + key: "configuration.yaml" + + existingConfigMap: "" + + extraConfigs: [] + # extraConfigs: + # - '/configuration.oidc.yaml' + + filters: + disabled: false + + ## + ## Server Configuration + ## + server: + ## + ## Port sets the configured port for the daemon, service, and the probes. + ## Default is 9091 and should not need to be changed. + ## + port: 9091 + + ## Set the single level path Authelia listens on. + ## Must be alphanumeric chars and should not contain any slashes. + path: "" + + ## Set the path on disk to Authelia assets. + ## Useful to allow overriding of specific static assets. + # asset_path: '/config/assets/' + asset_path: "" + + ## Customize Authelia headers. + headers: + ## Read the Authelia docs before setting this advanced option. + ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. + csp_template: "" + + ## Server Buffers configuration. + buffers: + ## Read buffer. + read: 4096 + + ## Write buffer. + write: 4096 + + ## Server Timeouts configuration. + timeouts: + ## Read timeout. + read: "6 seconds" + + ## Write timeout. + write: "6 seconds" + + ## Idle timeout. + idle: "30 seconds" + + endpoints: + enable_pprof: false + enable_expvars: false + + ## A list of automatically configured authz implementations if you don't wish to manually configure each one. + ## Important Note: If you configure the 'authz' section this is completely ignored. + automatic_authz_implementations: [] + # automatic_authz_implementations: + # - 'AuthRequest' + # - 'ExtAuthz' + # - 'ForwardAuth' + + authz: {} + # authz: + # auth-request: + # implementation: 'AuthRequest' + # authn_strategies: + # - name: 'HeaderAuthRequestProxyAuthorization' + # schemes: + # - 'Basic' + # - name: 'CookieSession' + # ext-authz: + # implementation: 'ExtAuthz' + # authn_strategies: + # - name: 'HeaderProxyAuthorization' + # schemes: + # - 'Basic' + # - name: 'CookieSession' + # forward-auth: + # implementation: 'ForwardAuth' + # authn_strategies: + # - name: 'HeaderProxyAuthorization' + # schemes: + # - 'Basic' + # - name: 'CookieSession' + + log: + ## Level of verbosity for logs: info, debug, trace. + level: "info" + + ## Format the logs are written as: json, text. + format: "text" + + ## TODO: Statefulness check should check if this is set, and the configMap should enable it. + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: /config/authelia.log + file_path: "" + + ## + ## Telemetry Configuration + ## + telemetry: + ## + ## Metrics Configuration + ## + metrics: + ## Enable Metrics. + enabled: false + + ## The port to listen on for metrics. This should be on a different port to the main server.port value. + port: 9959 + + ## Metrics Server Buffers configuration. + buffers: + ## Read buffer. + read: 4096 + + ## Write buffer. + write: 4096 + + ## Metrics Server Timeouts configuration. + timeouts: + ## Read timeout. + read: "6 seconds" + + ## Write timeout. + write: "6 seconds" + + ## Idle timeout. + idle: "30 seconds" + + serviceMonitor: + enabled: false + annotations: {} + labels: {} + + ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been + ## disabled. This setting must be a method that is enabled. + ## Options are totp, webauthn, mobile_push. + default_2fa_method: "" + + theme: "light" + + identity_validation: + reset_password: + jwt_lifespan: "5 minutes" + jwt_algorithm: "HS256" + secret: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "identity_validation.reset_password.jwt.hmac.key" + elevated_session: + code_lifespan: "5 minutes" + elevation_lifespan: "10 minutes" + characters: 8 + require_second_factor: false + skip_second_factor: false + + ## + ## TOTP Configuration + ## + ## Parameters used for TOTP generation. + totp: + ## Disable TOTP. + disable: false + + ## The issuer name displayed in the Authenticator application of your choice. + ## Defaults to 'Authelia'. + issuer: "Authelia" + + ## The skew controls number of one-time passwords either side of the current one that are valid. + ## Warning: before changing skew read the docs link below. + ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. + skew: 1 + + ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. + secret_size: 32 + + ## The TOTP algorithm to use. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm + algorithm: "SHA1" + + ## The number of digits a user has to input. Must either be 6 or 8. + ## Changing this option only affects newly generated TOTP configurations. + ## It is CRITICAL you read the documentation before changing this option: + ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits + digits: 6 + + ## The period in seconds a one-time password is valid for. + ## Changing this option only affects newly generated TOTP configurations. + period: 30 + + allowed_algorithms: + - "SHA1" + + allowed_digits: + - 6 + + allowed_periods: + - 30 + + ## + ## WebAuthn Configuration + ## + ## Parameters used for WebAuthn. + webauthn: + ## Disable Webauthn. + disable: false + + ## Adjust the interaction timeout for Webauthn dialogues. + timeout: "60 seconds" + + ## The display name the browser should show the user for when using Webauthn to login/register. + display_name: "Authelia" + + ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. + ## Options are none, indirect, direct. + attestation_conveyance_preference: "indirect" + + ## User verification controls if the user must make a gesture or action to confirm they are present. + ## Options are required, preferred, discouraged. + user_verification: "preferred" + + ## + ## NTP Configuration + ## + ## This is used to validate the servers time is accurate enough to validate TOTP. + ntp: + ## NTP server address. + address: "udp://time.cloudflare.com:123" + + ## NTP version. + version: 4 + + ## Maximum allowed time offset between the host and the NTP server. + max_desync: "3 seconds" + + ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you + ## set this to true, and can operate in a truly offline mode. + disable_startup_check: false + + ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with + ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup + ## will continue regardless of results. + disable_failure: false + + ## + ## Duo Push API Configuration + ## + ## Parameters used to contact the Duo API. Those are generated when you protect an application of type + ## 'Partner Auth API' in the management panel. + duo_api: + enabled: false + hostname: "" + integration_key: "" + enable_self_enrollment: false + secret: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "duo.key" + + ## + ## Authentication Backend Provider Configuration + ## + ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. + ## + ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. + authentication_backend: + ## Password Reset Options. + password_reset: + ## Disable both the HTML element and the API for reset password functionality + disable: false + + ## External reset password url that redirects the user to an external reset portal. This disables the internal + ## reset functionality. + custom_url: "" + + ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval + refresh_interval: "5 minutes" + + ## LDAP backend configuration. + ## + ## This backend allows Authelia to be scaled to more + ## than one instance and therefore is recommended for + ## production. + ldap: + ## Enable LDAP Backend. + enabled: false + + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - For Microsoft Active Directory. + ## - 'custom' - For custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/reference/guides/ldap/#defaults + implementation: "activedirectory" + + ## The address for the ldap server. Format: ://
[:]. + ## Scheme can be ldap or ldaps in the format (port optional). + address: "ldap://openldap.default.svc.cluster.local" + + ## Connection Timeout. + timeout: "5 seconds" + + ## Use StartTLS with the LDAP connection. + start_tls: false + + tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host portion of the url option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: "TLS1.2" + + ## Maximum TLS version for the connection. + maximum_version: "TLS1.3" + + ## The base dn for every LDAP query. + base_dn: "DC=example,DC=com" + + ## An additional dn to define the scope to all users. + additional_users_dn: "OU=Users" + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter: + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + users_filter: "" + + ## An additional dn to define the scope of groups. + additional_groups_dn: "OU=Groups" + + ## The groups filter used in search queries to find the groups of the user. + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). + ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. + ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in + ## later version, so please don't use it. + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) + groups_filter: "" + + ## Follow referrals returned by the server. + ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. + permit_referrals: false + + ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP + ## server and utilizing a service account. + permit_unauthenticated_bind: false + + ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported + ## controls/extensions. + permit_feature_detection_failure: false + + ## The username of the admin user. + user: "CN=Authelia,DC=example,DC=com" + + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "authentication.ldap.password.txt" + + attributes: + distinguished_name: "" + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, + ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this + ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. + ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user + ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also + ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above + ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. + username: "" + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + display_name: "" + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the + ## first one returned by the LDAP server is used. + mail: "" + + member_of: "" + + ## The attribute holding the name of the group + group_name: "" + + ## + ## File (Authentication Provider) + ## + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + file: + enabled: true + path: "/config/users_database.yml" + watch: false + search: + email: false + case_insensitive: false + password: + algorithm: "argon2" + argon2: + variant: "argon2id" + iterations: 3 + memory: 65536 + parallelism: 4 + key_length: 32 + salt_length: 16 + scrypt: + iterations: 16 + block_size: 8 + parallelism: 1 + key_length: 32 + salt_length: 16 + pbkdf2: + variant: "sha512" + iterations: 310000 + salt_length: 16 + sha2crypt: + variant: "sha512" + iterations: 50000 + salt_length: 16 + bcrypt: + variant: "standard" + cost: 12 + + ## + ## Password Policy Configuration. + ## + password_policy: + ## The standard policy allows you to tune individual settings manually. + standard: + enabled: false + + ## Require a minimum length for passwords. + min_length: 8 + + ## Require a maximum length for passwords. + max_length: 0 + + ## Require uppercase characters. + require_uppercase: false + + ## Require lowercase characters. + require_lowercase: false + + ## Require numeric characters. + require_number: false + + ## Require special characters. + require_special: false + + ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. + zxcvbn: + enabled: false + + ## Configures the minimum score allowed. + min_score: 0 + + ## + ## Access Control Configuration + ## + ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. + ## + ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed + ## to anyone. Otherwise restrictions follow the rules defined. + ## + ## Note: One can use the wildcard * to match any subdomain. + ## It must stand at the beginning of the pattern. (example: *.mydomain.com) + ## + ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. + ## + ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. + ## + ## - 'domain' defines which domain or set of domains the rule applies to. + ## + ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not + ## provided. If provided, the parameter represents either a user or a group. It should be of the form + ## 'user:' or 'group:'. + ## + ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. + ## + ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter + ## is optional and matches any resource if not provided. + ## + ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. + access_control: + ## Configure the ACL as a Secret instead of part of the ConfigMap. + secret: + ## Enables the ACL section being generated as a secret. + enabled: false + + ## The key in the secret which contains the file to mount. + key: "configuration.acl.yaml" + + ## An existingSecret name, if configured this will force the secret to be mounted using the key above. + existingSecret: "" + + ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any + ## resource if there is no policy to be applied to the user. + default_policy: "deny" + + networks: [] + # networks: + # - name: 'private' + # networks: + # - '10.0.0.0/8' + # - '172.16.0.0/12' + # - '192.168.0.0/16' + # - name: 'vpn' + # networks: + # - '10.9.0.0/16' + + rules: [] + # rules: + # - domain_regex: '^.*\.example.com$' + # policy: 'bypass' + # - domain: 'public.example.com' + # policy: 'bypass' + # - domain: '*.example.com' + # policy: 'bypass' + # methods: + # - 'OPTIONS' + # - domain: 'secure.example.com' + # policy: 'one_factor' + # networks: + # - 'private' + # - 'vpn' + # - '192.168.1.0/24' + # - '10.0.0.1' + # - domain: + # - 'secure.example.com' + # - 'private.example.com' + # policy: 'two_factor' + # - domain: 'singlefactor.example.com' + # policy: 'one_factor' + # - domain: 'mx2.mail.example.com' + # subject: 'group:admins' + # policy: 'deny' + # - domain: '*.example.com' + # subject: + # - 'group:admins' + # - 'group:moderators' + # policy: 'two_factor' + # - domain: 'dev.example.com' + # resources: + # - '^/groups/dev/.*$' + # subject: 'group:dev' + # policy: 'two_factor' + # - domain: 'dev.example.com' + # resources: + # - '^/users/john/.*$' + # subject: + # - ['group:dev', 'user:john'] + # - 'group:admins' + # policy: 'two_factor' + # - domain: '{user}.example.com' + # policy: 'bypass' + + ## + ## Session Provider Configuration + ## + ## The session cookies identify the user once logged in. + ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. + session: + ## The name of the session cookie. (default: authelia_session). + name: "authelia_session" + + ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. + ## Please read https://www.authelia.com/configuration/session/introduction/#same_site + same_site: "lax" + + ## The time in seconds before the cookie expires and session is reset. + expiration: "1 hour" + + ## The inactivity time in seconds before the session is reset. + inactivity: "5 minutes" + + ## The remember me duration. + ## Value is in seconds, or duration notation. Value of 0 disables remember me. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to + ## spy or attack. Currently the default is 1M or 1 month. + remember_me: "1 month" + + encryption_key: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "session.encryption.key" + + cookies: [] + # cookies: + # - + ## The subdomain to prefix the domain with. For example using `domain` value `example.com` and `subdomain` + ## `auth` should yield the URL `https://auth.example.com`. This option does not affect the cookie domain. + # subdomain: 'auth' + + ## The domain for cookie and to build the Authelia URL. + # domain: '' + + ## The path to suffix the domain with. For example using `domain` value `example.com` and `subdomain` value + ## `auth` and `path` value `auth` should yield the URL `https://auth.example.com/auth`. + ## This option does not affect the cookie domain. + # path: '' + + ## Default Redirection URL for this domain when there is no forwarding application. + # default_redirection_url: '' + + ## Cookie Name override for this individual cookie. Otherwise, uses the default value above where + ## more descriptive information about this value exists. + # name: '' + + ## Cookie Same Site value override for this individual cookie. Otherwise, uses the default value above where + ## more descriptive information about this value exists. + # same_site: '' + + ## Cookie Expiration value override for this individual cookie. Otherwise, uses the default value above where + ## more descriptive information about this value exists. + # expiration: '' + + ## Cookie Inactivity value override for this individual cookie. Otherwise, uses the default value above where + ## more descriptive information about this value exists. + # inactivity: '' + + ## Cookie Remember Me value override for this individual cookie. Otherwise, uses the default value above where + ## more descriptive information about this value exists. + # inactivity: '' + + ## + ## Redis Provider + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + ## The redis connection details + redis: + enabled: false + deploy: false + enabledSecret: false + host: "redis.databases.svc.cluster.local" + port: 6379 + + ## Optional username to be used with authentication. + # username: authelia + username: "" + + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "session.redis.password.txt" + + ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). + database_index: 0 + + ## The maximum number of concurrent active connections to Redis. + maximum_active_connections: 8 + + ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. + minimum_idle_connections: 0 + + ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: "TLS1.2" + + ## Maximum TLS version for the connection. + maximum_version: "TLS1.3" + + ## The Redis HA configuration options. + ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). + high_availability: + enabled: false + enabledSecret: false + ## Sentinel Name / Master Name + sentinel_name: "mysentinel" + + ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based + ## authentication. If left blank, authentication to sentinels will be done via `requirepass`. + username: "" + + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "session.redis.sentinel.password.txt" + + ## The additional nodes to pre-seed the redis provider with (for sentinel). + ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. + ## For high availability to be used you must have either defined; the host above or at least one node below. + nodes: [] + # nodes: + # - host: 'sentinel-0.databases.svc.cluster.local' + # port: 26379 + # - host: 'sentinel-1.databases.svc.cluster.local' + # port: 26379 + + ## Choose the host with the lowest latency. + route_by_latency: false + + ## Choose the host randomly. + route_randomly: false + + ## + ## Regulation Configuration + ## + ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done + ## in a short period of time. + regulation: + ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. + max_retries: 3 + + ## The time range during which the user can attempt login before being banned. The user is banned if the + ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + find_time: "2 minutes" + + ## The length of time before a banned user can login again. Ban Time accepts duration notation. + ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format + ban_time: "5 minutes" + + ## + ## Storage Provider Configuration + ## + ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. + storage: + encryption_key: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "storage.encryption.key" + + ## + ## Local (Storage Provider) + ## + ## This stores the data in a SQLite3 Database. + ## This is only recommended for lightweight non-stateful installations. + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + local: + enabled: false + path: /config/db.sqlite3 + + ## + ## MySQL (Storage Provider) + ## + ## Also supports MariaDB + ## + mysql: + enabled: false + deploy: false + address: "tcp://mysql.databases.svc.cluster.local:3306" + timeout: "5 seconds" + database: "authelia" + username: "authelia" + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "storage.mysql.password.txt" + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: "TLS1.2" + + ## Maximum TLS version for the connection. + maximum_version: "TLS1.3" + + ## + ## PostgreSQL (Storage Provider) + ## + postgres: + enabled: false + deploy: false + address: "tcp://postgres.databases.svc.cluster.local:5432" + timeout: "5 seconds" + database: "authelia" + schema: "public" + username: "authelia" + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "storage.postgres.password.txt" + tls: + enabled: false + + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: "TLS1.2" + + ## Maximum TLS version for the connection. + maximum_version: "TLS1.3" + + ## + ## Notification Provider + ## + ## + ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. + ## The available providers are: filesystem, smtp. You must use one and only one of these providers. + notifier: + ## You can disable the notifier startup check by setting this to true. + disable_startup_check: false + + ## + ## File System (Notification Provider) + ## + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ + ## + filesystem: + enabled: false + filename: "/config/notification.txt" + + ## + ## SMTP (Notification Provider) + ## + ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. + ## [Security] By default Authelia will: + ## - force all SMTP connections over TLS including unauthenticated connections + ## - use the disable_require_tls boolean value to disable this requirement + ## (only works for unauthenticated connections) + ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates + ## (configure in tls section) + smtp: + enabled: false + enabledSecret: false + address: "submission://smtp.mail.svc.cluster.local:587" + timeout: "5 seconds" + sender: "Authelia " + + ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. + identifier: "localhost" + + ## Subject configuration of the emails sent. + ## {title} is replaced by the text from the notifier + subject: "[Authelia] {title}" + + ## This address is used during the startup check to verify the email configuration is correct. + ## It's not important what it is except if your email server only allows local delivery. + startup_check_address: "test@authelia.com" + + ## Disables sending HTML formatted emails. + disable_html_emails: false + + ## By default we require some form of TLS. This disables this check though is not advised. + disable_require_tls: false + + ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For + ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is + ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the + ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t + ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for + ## more information. + disable_starttls: false + + username: "test" + password: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "notifier.smtp.password.txt" + + tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + server_name: "" + + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + skip_verify: false + + ## Minimum TLS version for the connection. + minimum_version: "TLS1.2" + + ## Maximum TLS version for the connection. + maximum_version: "TLS1.3" + + identity_providers: + oidc: + ## Enables this in the config map. Currently in beta stage. + ## See https://www.authelia.com/r/openid-connect/ + enabled: false + + hmac_secret: + ## Disables this secret and leaves configuring it entirely up to you. + disabled: false + + ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the + ## secret_value option below. + secret_name: ~ + + ## The value of a generated secret when using the ~ secret_name. + value: "" + + ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise + ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' + ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. + path: "identity_providers.oidc.hmac.key" + + lifespans: + access_token: "1 hour" + authorize_code: "1 minute" + id_token: "1 hour" + refresh_token: "1 hour and 30 minutes" + # custom: + # lifespan_name: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + # grants: + # authorize_code: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + # implicit: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + # client_credentials: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + # refresh_token: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + # jwt_bearer: + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '1 hour and 30 minutes' + + ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. + ## For security reasons it's recommended this option is public_clients_only or always, however always is not + ## compatible with all clients. + enforce_pkce: "public_clients_only" + + ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. + enable_pkce_plain_challenge: false + + ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for + ## security reasons. + minimum_parameter_entropy: 8 + + ## Enables additional debug messages. + enable_client_debug_messages: false + + pushed_authorizations: + enforce: false + context_lifespan: "5 minutes" + + authorization_policies: {} + + # authorization_policies: + # policy_name: + # default_policy: 'deny' + # rules: + # - policy: 'two_factor' + # subject: 'user:abc' + + ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's + ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key. + jwks: [] + + # jwks: + # - key_id: '' + # algorithm: 'RS256' + # use: 'sig' + # key: + # value: | + # abc + # 123 + # path: '/secrets/oidc.jwk.RS256.pem' + # certificate_chain: + # path: '/secrets.oidc.jwk.RS256.crt' + + ## Cross-Origin Resource Sharing (CORS) settings. + cors: + ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. + # endpoints: + # - 'authorization' + # - 'pushed-authorization-request' + # - 'token' + # - 'revocation' + # - 'introspection' + # - 'userinfo' + endpoints: [] + + ## List of allowed origins. + ## Any origin with https is permitted unless this option is configured or the + ## allowed_origins_from_client_redirect_uris option is enabled. + # allowed_origins: + # - 'https://example.com' + allowed_origins: [] + + ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, + ## provided they have the scheme http or https and do not have the hostname of localhost. + allowed_origins_from_client_redirect_uris: false + + clients: [] + + # clients: + # - + ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. + # client_id: 'myapp' + + ## The client secret is a shared secret between Authelia and the consumer of this client. + # client_secret: + # value: '$plaintext$apple123' + # path: '/secrets/oidc.client.myapp.value' + + ## The description to show to users when they end up on the consent screen. Defaults to the ID above. + # client_name: 'My Application' + + ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not + ## necessary. Read the documentation for more information. + ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. + # sector_identifier_uri: 'example.com' + + ## Sets the client to public. This should typically not be set, please see the documentation for usage. + # public: false + + ## The policy to require for this client; one_factor or two_factor. + # authorization_policy: 'two_factor' + + ## The consent mode controls how consent is obtained. + # consent_mode: 'auto' + + ## This value controls the duration a consent on this client remains remembered when the consent mode is + ## configured as 'auto' or 'pre-configured'. + # pre_configured_consent_duration: '30 days' + + ## Audience this client is allowed to request. + # audience: [] + + ## Scopes this client is allowed to request. + # scopes: + # - 'openid' + # - 'profile' + # - 'email' + # - 'groups' + + ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. + # redirect_uris: + # - 'https://oidc.example.com/oauth2/callback' + + ## Request URI's specifies a list of valid case-sensitive URIs this client can ask Authelia to obtain a + ## Request Object from. + # request_uris: + # - 'https://oidc.example.com/oauth2/request-object/authelia.jwk' + + ## Grant Types configures which grants this client can obtain. + ## It's not recommended to configure this unless you know what you're doing. + # grant_types: + # - 'refresh_token' + # - 'authorization_code' + + ## Response Types configures which responses this client can be sent. + ## It's not recommended to configure this unless you know what you're doing. + # response_types: + # - 'code' + + ## Response Modes configures which response modes this client supports. + ## It's not recommended to configure this unless you know what you're doing. + # response_modes: + # - 'form_post' + # - 'query' + # - 'fragment' + + # enforce_par: false + # enforce_pkce: false + # pkce_challenge_method: 'S256' + # authorization_signed_response_alg: 'RS256' + # authorization_signed_response_key_id: '' + + ## The algorithm of the issuer key used to sign ID Tokens for this client, must be one of the + ## registered issuer key algorithms. + # id_token_signed_response_alg: 'RS256' + + ## The key id of the issuer key used to sign ID Tokens for this client. + # id_token_signed_response_key_id: '' + + ## The algorithm of the issuer key used to sign Access Tokens for this client, must be either none or one of + ## the registered issuer key algorithms. + # access_token_signed_response_alg: 'none' + + ## The key id of the issuer key used to sign Access Tokens for this client. + # access_token_signed_response_key_id: '' + + ## The algorithm of the issuer key used to sign User Info Responses for this client, must be either none or + ## one of the registered issuer key algorithms. + # userinfo_signed_response_alg: 'none' + + ## The key id of the issuer key used to sign User Info Responses for this client. + # userinfo_signed_response_key_id: '' + + ## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be + ## available when configured. Has no effect if introspection_signed_response_key_id is configured. + # introspection_signed_response_alg: 'none' + + ## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available + ## when configured. + # introspection_signed_response_key_id: '' + + ## The algorithm the client must sign their request objects with, must either be empty or one of the + ## registered client key algorithms. + # request_object_signing_alg: '' + + ## The algorithm the client must sign the object when using the 'private_key_jwt' auth method, must either be + ## empty or one of the registered client key algorithms. + # token_endpoint_auth_signing_alg: 'RS256' + + ## The authentication method the client must use to authenticate. + # token_endpoint_auth_method: 'client_secret_post' + +## +## Authelia Secret Configuration. +## +secret: + disabled: false + + existingSecret: "authelia" + # existingSecret: authelia + + mountPath: "/secrets" + + ## additionalSecrets contains a list of additional secrets to mount. + ## They will all be mounted in the format of '/{mountPath}/{key}' where the '{mountPath}' is the value above and + ## '{key}' is the key from the dictionary below (in our example we named it 'example'). If the items are specified + ## then those options will be rendered in the volumes spec. See 'example-without-items' for an example that doesn't + ## specify this. + ## + additionalSecrets: {} + # additionalSecrets: + # example: + # items: + # - key: 'key-example' + # path: 'path-example' + # example-without-items: {} + +certificates: + existingSecret: "" + # existingSecret: 'authelia' + + annotations: {} + # annotations: + # myAnnotation: 'myValue' + + labels: {} + # labels: + # myLabel: 'myValue' + + values: [] + # values: + # - name: 'Example_Com_Root_Certificate_Authority_B64.pem' + # secretValue: 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==' + # - name: 'Example_Com_Root_Certificate_Authority.pem' + # value: | + # -----BEGIN CERTIFICATE----- + # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G + # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp + # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 + # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG + # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI + # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 + # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT + # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm + # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd + # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ + # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw + # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o + # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU + # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp + # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK + # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX + # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs + # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH + # WD9f + # -----END CERTIFICATE----- + +## +## Authelia Persistence Configuration. +## +## Useful in scenarios where you need persistent storage. +## Auth Provider Use Case: file; we recommend you use the ldap provider instead. +## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. +## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). +## +persistence: + enabled: true + + annotations: {} + # annotations: + # myAnnotation: 'myValue' + + labels: {} + # labels: + # myLabel: 'myValue' + + readOnly: false + subPath: "" + + existingClaim: "" + # existingClaim: 'my-claim-name' + + storageClass: "" + # storageClass: 'my-storage-class' + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + volumeName: "" + + accessModes: + - "ReadWriteOnce" + + size: "100Mi" + + selector: {} + +# -- Configure mariadb database subchart under this key. +# This will be deployed when storage.mysql.deploy is set to true +# Currently settings need to be manually copied from here to the storage.mysql section +# For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) +mariadb: + architecture: standalone + auth: + database: authelia + username: authelia + password: authelia + rootPassword: authelia + primary: + resources: {} + persistence: + enabled: false + size: 1Gi + # storageClass: "" + +# -- Configure postgresql database subchart under this key. +# This will be deployed when storage.postgres.deploy is set to true +# Currently settings need to be manually copied from here to the storage.postgres section +# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) +postgresql: + auth: + postgresPassword: authelia + username: authelia + password: authelia + database: authelia + primary: + persistence: + enabled: false + # storageClass: "" + size: 1Gi + resources: {} + +# -- Configure redis database subchart under this key. +# This will be deployed when session.redis.deploy is set to true +# Currently settings need to be manually copied from here to the session.redis section +# For more options see [redis chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/redis) +redis: + architecture: standalone + auth: + enabled: false + sentinel: true + password: "redis" + existingSecret: "" + existingSecretPasswordKey: "" + usePasswordFiles: false + master: + resources: {} + priorityClassName: "" + persistence: + enabled: false + # storageClass: "" + accessModes: + - ReadWriteOnce + size: 1Gi + replica: + replicaCount: 3 + resources: {} + priorityClassName: "" + persistence: + enabled: false + # storageClass: "" + accessModes: + - ReadWriteOnce + size: 1Gi