ingress: enabled: true certManager: true tls: enabled: true secret: "authelia-tls" pod: # Must be Deployment, DaemonSet, or StatefulSet. kind: "DaemonSet" replicas: 1 revisionHistoryLimit: 5 priorityClassName: "" strategy: type: "RollingUpdate" resources: limits: cpu: "4.00" memory: "2Gi" requests: cpu: "0.25" memory: "50Mi" probes: method: httpGet: path: "/api/health" port: "http" scheme: "HTTP" liveness: initialDelaySeconds: 0 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 readiness: initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ startup: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 extraVolumeMounts: [] extraVolumes: [] ## ## Kubernetes Pod Disruption Budget ## podDisruptionBudget: enabled: false minAvailable: 0 maxUnavailable: 0 ## ## Authelia Config Map Generator ## configMap: # Enable the configMap source for the Authelia config. # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. disabled: false key: "configuration.yaml" existingConfigMap: "" extraConfigs: [] # extraConfigs: # - '/configuration.oidc.yaml' filters: disabled: false ## ## Server Configuration ## server: ## ## Port sets the configured port for the daemon, service, and the probes. ## Default is 9091 and should not need to be changed. ## port: 9091 ## Set the single level path Authelia listens on. ## Must be alphanumeric chars and should not contain any slashes. path: "" ## Set the path on disk to Authelia assets. ## Useful to allow overriding of specific static assets. # asset_path: '/config/assets/' asset_path: "" ## Customize Authelia headers. headers: ## Read the Authelia docs before setting this advanced option. ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. csp_template: "" ## Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Server Timeouts configuration. timeouts: ## Read timeout. read: "6 seconds" ## Write timeout. write: "6 seconds" ## Idle timeout. idle: "30 seconds" endpoints: enable_pprof: false enable_expvars: false ## A list of automatically configured authz implementations if you don't wish to manually configure each one. ## Important Note: If you configure the 'authz' section this is completely ignored. automatic_authz_implementations: [] # automatic_authz_implementations: # - 'AuthRequest' # - 'ExtAuthz' # - 'ForwardAuth' authz: {} # authz: # auth-request: # implementation: 'AuthRequest' # authn_strategies: # - name: 'HeaderAuthRequestProxyAuthorization' # schemes: # - 'Basic' # - name: 'CookieSession' # ext-authz: # implementation: 'ExtAuthz' # authn_strategies: # - name: 'HeaderProxyAuthorization' # schemes: # - 'Basic' # - name: 'CookieSession' # forward-auth: # implementation: 'ForwardAuth' # authn_strategies: # - name: 'HeaderProxyAuthorization' # schemes: # - 'Basic' # - name: 'CookieSession' log: ## Level of verbosity for logs: info, debug, trace. level: "info" ## Format the logs are written as: json, text. format: "text" ## TODO: Statefulness check should check if this is set, and the configMap should enable it. ## File path where the logs will be written. If not set logs are written to stdout. # file_path: /config/authelia.log file_path: "" ## ## Telemetry Configuration ## telemetry: ## ## Metrics Configuration ## metrics: ## Enable Metrics. enabled: false ## The port to listen on for metrics. This should be on a different port to the main server.port value. port: 9959 ## Metrics Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Metrics Server Timeouts configuration. timeouts: ## Read timeout. read: "6 seconds" ## Write timeout. write: "6 seconds" ## Idle timeout. idle: "30 seconds" serviceMonitor: enabled: false annotations: {} labels: {} ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been ## disabled. This setting must be a method that is enabled. ## Options are totp, webauthn, mobile_push. default_2fa_method: "" theme: "light" identity_validation: reset_password: jwt_lifespan: "5 minutes" jwt_algorithm: "HS256" secret: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "identity_validation.reset_password.jwt.hmac.key" elevated_session: code_lifespan: "5 minutes" elevation_lifespan: "10 minutes" characters: 8 require_second_factor: false skip_second_factor: false ## ## TOTP Configuration ## ## Parameters used for TOTP generation. totp: ## Disable TOTP. disable: false ## The issuer name displayed in the Authenticator application of your choice. ## Defaults to 'Authelia'. issuer: "Authelia" ## The skew controls number of one-time passwords either side of the current one that are valid. ## Warning: before changing skew read the docs link below. ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. skew: 1 ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. secret_size: 32 ## The TOTP algorithm to use. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm algorithm: "SHA1" ## The number of digits a user has to input. Must either be 6 or 8. ## Changing this option only affects newly generated TOTP configurations. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits digits: 6 ## The period in seconds a one-time password is valid for. ## Changing this option only affects newly generated TOTP configurations. period: 30 allowed_algorithms: - "SHA1" allowed_digits: - 6 allowed_periods: - 30 ## ## WebAuthn Configuration ## ## Parameters used for WebAuthn. webauthn: ## Disable Webauthn. disable: false ## Adjust the interaction timeout for Webauthn dialogues. timeout: "60 seconds" ## The display name the browser should show the user for when using Webauthn to login/register. display_name: "Authelia" ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. ## Options are none, indirect, direct. attestation_conveyance_preference: "indirect" ## User verification controls if the user must make a gesture or action to confirm they are present. ## Options are required, preferred, discouraged. user_verification: "preferred" ## ## NTP Configuration ## ## This is used to validate the servers time is accurate enough to validate TOTP. ntp: ## NTP server address. address: "udp://time.cloudflare.com:123" ## NTP version. version: 4 ## Maximum allowed time offset between the host and the NTP server. max_desync: "3 seconds" ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you ## set this to true, and can operate in a truly offline mode. disable_startup_check: false ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup ## will continue regardless of results. disable_failure: false ## ## Duo Push API Configuration ## ## Parameters used to contact the Duo API. Those are generated when you protect an application of type ## 'Partner Auth API' in the management panel. duo_api: enabled: false hostname: "" integration_key: "" enable_self_enrollment: false secret: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "duo.key" ## ## Authentication Backend Provider Configuration ## ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. ## ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. authentication_backend: ## Password Reset Options. password_reset: ## Disable both the HTML element and the API for reset password functionality disable: false ## External reset password url that redirects the user to an external reset portal. This disables the internal ## reset functionality. custom_url: "" ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. ## See the below documentation for more information. ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval refresh_interval: "5 minutes" ## LDAP backend configuration. ## ## This backend allows Authelia to be scaled to more ## than one instance and therefore is recommended for ## production. ldap: ## Enable LDAP Backend. enabled: false ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. ## Acceptable options are as follows: ## - 'activedirectory' - For Microsoft Active Directory. ## - 'custom' - For custom specifications of attributes and filters. ## This currently defaults to 'custom' to maintain existing behaviour. ## ## Depending on the option here certain other values in this section have a default value, notably all of the ## attribute mappings have a default value that this config overrides, you can read more about these default values ## at https://www.authelia.com/reference/guides/ldap/#defaults implementation: "activedirectory" ## The address for the ldap server. Format: ://
[:]. ## Scheme can be ldap or ldaps in the format (port optional). address: "ldap://openldap.default.svc.cluster.local" ## Connection Timeout. timeout: "5 seconds" ## Use StartTLS with the LDAP connection. start_tls: false tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host portion of the url option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: "TLS1.2" ## Maximum TLS version for the connection. maximum_version: "TLS1.3" ## The base dn for every LDAP query. base_dn: "DC=example,DC=com" ## An additional dn to define the scope to all users. additional_users_dn: "OU=Users" ## The users filter used in search queries to find the user profile based on input filled in login form. ## Various placeholders are available in the user filter: ## - {input} is a placeholder replaced by what the user inputs in the login form. ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later ## versions, so please don't use it. ## ## Recommended settings are as follows: ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) ## - OpenLDAP: ## - (&({username_attribute}={input})(objectClass=person)) ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) ## ## To allow sign in both with username and email, one can use a filter like ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) users_filter: "" ## An additional dn to define the scope of groups. additional_groups_dn: "OU=Groups" ## The groups filter used in search queries to find the groups of the user. ## - {input} is a placeholder replaced by what the user inputs in the login form. ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later ## versions, so please don't use it. ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in ## later version, so please don't use it. ## ## If your groups use the `groupOfUniqueNames` structure use this instead: ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) groups_filter: "" ## Follow referrals returned by the server. ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. permit_referrals: false ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP ## server and utilizing a service account. permit_unauthenticated_bind: false ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported ## controls/extensions. permit_feature_detection_failure: false ## The username of the admin user. user: "CN=Authelia,DC=example,DC=com" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "authentication.ldap.password.txt" attributes: distinguished_name: "" ## The attribute holding the username of the user. This attribute is used to populate the username in the session ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. username: "" ## The attribute holding the display name of the user. This will be used to greet an authenticated user. display_name: "" ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the ## first one returned by the LDAP server is used. mail: "" member_of: "" ## The attribute holding the name of the group group_name: "" ## ## File (Authentication Provider) ## ## With this backend, the users database is stored in a file which is updated when users reset their passwords. ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security ## implications it is highly recommended you leave the default values. Before considering changing these settings ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## file: enabled: true path: "/config/users_database.yml" watch: false search: email: false case_insensitive: false password: algorithm: "argon2" argon2: variant: "argon2id" iterations: 3 memory: 65536 parallelism: 4 key_length: 32 salt_length: 16 scrypt: iterations: 16 block_size: 8 parallelism: 1 key_length: 32 salt_length: 16 pbkdf2: variant: "sha512" iterations: 310000 salt_length: 16 sha2crypt: variant: "sha512" iterations: 50000 salt_length: 16 bcrypt: variant: "standard" cost: 12 ## ## Password Policy Configuration. ## password_policy: ## The standard policy allows you to tune individual settings manually. standard: enabled: false ## Require a minimum length for passwords. min_length: 8 ## Require a maximum length for passwords. max_length: 0 ## Require uppercase characters. require_uppercase: false ## Require lowercase characters. require_lowercase: false ## Require numeric characters. require_number: false ## Require special characters. require_special: false ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. zxcvbn: enabled: false ## Configures the minimum score allowed. min_score: 0 ## ## Access Control Configuration ## ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. ## ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed ## to anyone. Otherwise restrictions follow the rules defined. ## ## Note: One can use the wildcard * to match any subdomain. ## It must stand at the beginning of the pattern. (example: *.mydomain.com) ## ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. ## ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. ## ## - 'domain' defines which domain or set of domains the rule applies to. ## ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not ## provided. If provided, the parameter represents either a user or a group. It should be of the form ## 'user:' or 'group:'. ## ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. ## ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter ## is optional and matches any resource if not provided. ## ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. access_control: ## Configure the ACL as a Secret instead of part of the ConfigMap. secret: ## Enables the ACL section being generated as a secret. enabled: false ## The key in the secret which contains the file to mount. key: "configuration.acl.yaml" ## An existingSecret name, if configured this will force the secret to be mounted using the key above. existingSecret: "" ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. default_policy: "deny" networks: [] # networks: # - name: 'private' # networks: # - '10.0.0.0/8' # - '172.16.0.0/12' # - '192.168.0.0/16' # - name: 'vpn' # networks: # - '10.9.0.0/16' rules: [] # rules: # - domain_regex: '^.*\.example.com$' # policy: 'bypass' # - domain: 'public.example.com' # policy: 'bypass' # - domain: '*.example.com' # policy: 'bypass' # methods: # - 'OPTIONS' # - domain: 'secure.example.com' # policy: 'one_factor' # networks: # - 'private' # - 'vpn' # - '192.168.1.0/24' # - '10.0.0.1' # - domain: # - 'secure.example.com' # - 'private.example.com' # policy: 'two_factor' # - domain: 'singlefactor.example.com' # policy: 'one_factor' # - domain: 'mx2.mail.example.com' # subject: 'group:admins' # policy: 'deny' # - domain: '*.example.com' # subject: # - 'group:admins' # - 'group:moderators' # policy: 'two_factor' # - domain: 'dev.example.com' # resources: # - '^/groups/dev/.*$' # subject: 'group:dev' # policy: 'two_factor' # - domain: 'dev.example.com' # resources: # - '^/users/john/.*$' # subject: # - ['group:dev', 'user:john'] # - 'group:admins' # policy: 'two_factor' # - domain: '{user}.example.com' # policy: 'bypass' ## ## Session Provider Configuration ## ## The session cookies identify the user once logged in. ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. session: ## The name of the session cookie. (default: authelia_session). name: "authelia_session" ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. ## Please read https://www.authelia.com/configuration/session/introduction/#same_site same_site: "lax" ## The time in seconds before the cookie expires and session is reset. expiration: "1 hour" ## The inactivity time in seconds before the session is reset. inactivity: "5 minutes" ## The remember me duration. ## Value is in seconds, or duration notation. Value of 0 disables remember me. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to ## spy or attack. Currently the default is 1M or 1 month. remember_me: "1 month" encryption_key: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "session.encryption.key" cookies: - subdomain: "auth" domain: "nc.landry.land" # cookies: # - ## The subdomain to prefix the domain with. For example using `domain` value `example.com` and `subdomain` ## `auth` should yield the URL `https://auth.example.com`. This option does not affect the cookie domain. # subdomain: 'auth' ## The domain for cookie and to build the Authelia URL. # domain: '' ## The path to suffix the domain with. For example using `domain` value `example.com` and `subdomain` value ## `auth` and `path` value `auth` should yield the URL `https://auth.example.com/auth`. ## This option does not affect the cookie domain. # path: '' ## Default Redirection URL for this domain when there is no forwarding application. # default_redirection_url: '' ## Cookie Name override for this individual cookie. Otherwise, uses the default value above where ## more descriptive information about this value exists. # name: '' ## Cookie Same Site value override for this individual cookie. Otherwise, uses the default value above where ## more descriptive information about this value exists. # same_site: '' ## Cookie Expiration value override for this individual cookie. Otherwise, uses the default value above where ## more descriptive information about this value exists. # expiration: '' ## Cookie Inactivity value override for this individual cookie. Otherwise, uses the default value above where ## more descriptive information about this value exists. # inactivity: '' ## Cookie Remember Me value override for this individual cookie. Otherwise, uses the default value above where ## more descriptive information about this value exists. # inactivity: '' ## ## Redis Provider ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## ## The redis connection details redis: enabled: false deploy: false enabledSecret: false host: "redis.databases.svc.cluster.local" port: 6379 ## Optional username to be used with authentication. # username: authelia username: "" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "session.redis.password.txt" ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). database_index: 0 ## The maximum number of concurrent active connections to Redis. maximum_active_connections: 8 ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. minimum_idle_connections: 0 ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: "TLS1.2" ## Maximum TLS version for the connection. maximum_version: "TLS1.3" ## The Redis HA configuration options. ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). high_availability: enabled: false enabledSecret: false ## Sentinel Name / Master Name sentinel_name: "mysentinel" ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based ## authentication. If left blank, authentication to sentinels will be done via `requirepass`. username: "" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "session.redis.sentinel.password.txt" ## The additional nodes to pre-seed the redis provider with (for sentinel). ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. ## For high availability to be used you must have either defined; the host above or at least one node below. nodes: [] # nodes: # - host: 'sentinel-0.databases.svc.cluster.local' # port: 26379 # - host: 'sentinel-1.databases.svc.cluster.local' # port: 26379 ## Choose the host with the lowest latency. route_by_latency: false ## Choose the host randomly. route_randomly: false ## ## Regulation Configuration ## ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done ## in a short period of time. regulation: ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. max_retries: 3 ## The time range during which the user can attempt login before being banned. The user is banned if the ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format find_time: "2 minutes" ## The length of time before a banned user can login again. Ban Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ban_time: "5 minutes" ## ## Storage Provider Configuration ## ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. storage: encryption_key: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "storage.encryption.key" ## ## Local (Storage Provider) ## ## This stores the data in a SQLite3 Database. ## This is only recommended for lightweight non-stateful installations. ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## local: enabled: false path: /config/db.sqlite3 ## ## MySQL (Storage Provider) ## ## Also supports MariaDB ## mysql: enabled: false deploy: false address: "tcp://mysql.databases.svc.cluster.local:3306" timeout: "5 seconds" database: "authelia" username: "authelia" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "storage.mysql.password.txt" tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: "TLS1.2" ## Maximum TLS version for the connection. maximum_version: "TLS1.3" ## ## PostgreSQL (Storage Provider) ## postgres: enabled: false deploy: false address: "tcp://postgres.databases.svc.cluster.local:5432" timeout: "5 seconds" database: "authelia" schema: "public" username: "authelia" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "storage.postgres.password.txt" tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: "TLS1.2" ## Maximum TLS version for the connection. maximum_version: "TLS1.3" ## ## Notification Provider ## ## ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. ## The available providers are: filesystem, smtp. You must use one and only one of these providers. notifier: ## You can disable the notifier startup check by setting this to true. disable_startup_check: false ## ## File System (Notification Provider) ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## filesystem: enabled: true filename: "/config/notification.txt" ## ## SMTP (Notification Provider) ## ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. ## [Security] By default Authelia will: ## - force all SMTP connections over TLS including unauthenticated connections ## - use the disable_require_tls boolean value to disable this requirement ## (only works for unauthenticated connections) ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates ## (configure in tls section) smtp: enabled: false enabledSecret: false address: "submission://smtp.mail.svc.cluster.local:587" timeout: "5 seconds" sender: "Authelia " ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. identifier: "localhost" ## Subject configuration of the emails sent. ## {title} is replaced by the text from the notifier subject: "[Authelia] {title}" ## This address is used during the startup check to verify the email configuration is correct. ## It's not important what it is except if your email server only allows local delivery. startup_check_address: "test@authelia.com" ## Disables sending HTML formatted emails. disable_html_emails: false ## By default we require some form of TLS. This disables this check though is not advised. disable_require_tls: false ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for ## more information. disable_starttls: false username: "test" password: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "notifier.smtp.password.txt" tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: "TLS1.2" ## Maximum TLS version for the connection. maximum_version: "TLS1.3" identity_providers: oidc: ## Enables this in the config map. Currently in beta stage. ## See https://www.authelia.com/r/openid-connect/ enabled: false hmac_secret: ## Disables this secret and leaves configuring it entirely up to you. disabled: false ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the ## secret_value option below. secret_name: ~ ## The value of a generated secret when using the ~ secret_name. value: "" ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath' ## value, '{secret_name}' is the secret_name above, and '{path}' is this value. path: "identity_providers.oidc.hmac.key" lifespans: access_token: "1 hour" authorize_code: "1 minute" id_token: "1 hour" refresh_token: "1 hour and 30 minutes" # custom: # lifespan_name: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' # grants: # authorize_code: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' # implicit: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' # client_credentials: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' # refresh_token: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' # jwt_bearer: # access_token: '1 hour' # authorize_code: '1 minute' # id_token: '1 hour' # refresh_token: '1 hour and 30 minutes' ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. ## For security reasons it's recommended this option is public_clients_only or always, however always is not ## compatible with all clients. enforce_pkce: "public_clients_only" ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. enable_pkce_plain_challenge: false ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for ## security reasons. minimum_parameter_entropy: 8 ## Enables additional debug messages. enable_client_debug_messages: false pushed_authorizations: enforce: false context_lifespan: "5 minutes" authorization_policies: {} # authorization_policies: # policy_name: # default_policy: 'deny' # rules: # - policy: 'two_factor' # subject: 'user:abc' ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key. jwks: [] # jwks: # - key_id: '' # algorithm: 'RS256' # use: 'sig' # key: # value: | # abc # 123 # path: '/secrets/oidc.jwk.RS256.pem' # certificate_chain: # path: '/secrets.oidc.jwk.RS256.crt' ## Cross-Origin Resource Sharing (CORS) settings. cors: ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. # endpoints: # - 'authorization' # - 'pushed-authorization-request' # - 'token' # - 'revocation' # - 'introspection' # - 'userinfo' endpoints: [] ## List of allowed origins. ## Any origin with https is permitted unless this option is configured or the ## allowed_origins_from_client_redirect_uris option is enabled. # allowed_origins: # - 'https://example.com' allowed_origins: [] ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, ## provided they have the scheme http or https and do not have the hostname of localhost. allowed_origins_from_client_redirect_uris: false clients: [] # clients: # - ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. # client_id: 'myapp' ## The client secret is a shared secret between Authelia and the consumer of this client. # client_secret: # value: '$plaintext$apple123' # path: '/secrets/oidc.client.myapp.value' ## The description to show to users when they end up on the consent screen. Defaults to the ID above. # client_name: 'My Application' ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not ## necessary. Read the documentation for more information. ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. # sector_identifier_uri: 'example.com' ## Sets the client to public. This should typically not be set, please see the documentation for usage. # public: false ## The policy to require for this client; one_factor or two_factor. # authorization_policy: 'two_factor' ## The consent mode controls how consent is obtained. # consent_mode: 'auto' ## This value controls the duration a consent on this client remains remembered when the consent mode is ## configured as 'auto' or 'pre-configured'. # pre_configured_consent_duration: '30 days' ## Audience this client is allowed to request. # audience: [] ## Scopes this client is allowed to request. # scopes: # - 'openid' # - 'profile' # - 'email' # - 'groups' ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. # redirect_uris: # - 'https://oidc.example.com/oauth2/callback' ## Request URI's specifies a list of valid case-sensitive URIs this client can ask Authelia to obtain a ## Request Object from. # request_uris: # - 'https://oidc.example.com/oauth2/request-object/authelia.jwk' ## Grant Types configures which grants this client can obtain. ## It's not recommended to configure this unless you know what you're doing. # grant_types: # - 'refresh_token' # - 'authorization_code' ## Response Types configures which responses this client can be sent. ## It's not recommended to configure this unless you know what you're doing. # response_types: # - 'code' ## Response Modes configures which response modes this client supports. ## It's not recommended to configure this unless you know what you're doing. # response_modes: # - 'form_post' # - 'query' # - 'fragment' # enforce_par: false # enforce_pkce: false # pkce_challenge_method: 'S256' # authorization_signed_response_alg: 'RS256' # authorization_signed_response_key_id: '' ## The algorithm of the issuer key used to sign ID Tokens for this client, must be one of the ## registered issuer key algorithms. # id_token_signed_response_alg: 'RS256' ## The key id of the issuer key used to sign ID Tokens for this client. # id_token_signed_response_key_id: '' ## The algorithm of the issuer key used to sign Access Tokens for this client, must be either none or one of ## the registered issuer key algorithms. # access_token_signed_response_alg: 'none' ## The key id of the issuer key used to sign Access Tokens for this client. # access_token_signed_response_key_id: '' ## The algorithm of the issuer key used to sign User Info Responses for this client, must be either none or ## one of the registered issuer key algorithms. # userinfo_signed_response_alg: 'none' ## The key id of the issuer key used to sign User Info Responses for this client. # userinfo_signed_response_key_id: '' ## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be ## available when configured. Has no effect if introspection_signed_response_key_id is configured. # introspection_signed_response_alg: 'none' ## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available ## when configured. # introspection_signed_response_key_id: '' ## The algorithm the client must sign their request objects with, must either be empty or one of the ## registered client key algorithms. # request_object_signing_alg: '' ## The algorithm the client must sign the object when using the 'private_key_jwt' auth method, must either be ## empty or one of the registered client key algorithms. # token_endpoint_auth_signing_alg: 'RS256' ## The authentication method the client must use to authenticate. # token_endpoint_auth_method: 'client_secret_post' ## ## Authelia Secret Configuration. ## secret: disabled: false existingSecret: "authelia" # existingSecret: authelia mountPath: "/secrets" ## additionalSecrets contains a list of additional secrets to mount. ## They will all be mounted in the format of '/{mountPath}/{key}' where the '{mountPath}' is the value above and ## '{key}' is the key from the dictionary below (in our example we named it 'example'). If the items are specified ## then those options will be rendered in the volumes spec. See 'example-without-items' for an example that doesn't ## specify this. ## additionalSecrets: {} # additionalSecrets: # example: # items: # - key: 'key-example' # path: 'path-example' # example-without-items: {} certificates: existingSecret: "" # existingSecret: 'authelia' annotations: {} # annotations: # myAnnotation: 'myValue' labels: {} # labels: # myLabel: 'myValue' values: [] # values: # - name: 'Example_Com_Root_Certificate_Authority_B64.pem' # secretValue: 'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==' # - name: 'Example_Com_Root_Certificate_Authority.pem' # value: | # -----BEGIN CERTIFICATE----- # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH # WD9f # -----END CERTIFICATE----- ## ## Authelia Persistence Configuration. ## ## Useful in scenarios where you need persistent storage. ## Auth Provider Use Case: file; we recommend you use the ldap provider instead. ## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. ## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). ## persistence: enabled: true annotations: {} # annotations: # myAnnotation: 'myValue' labels: {} # labels: # myLabel: 'myValue' readOnly: false subPath: "" existingClaim: "" # existingClaim: 'my-claim-name' storageClass: "" # storageClass: 'my-storage-class' ## Persistent Volume Name ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one ## volumeName: "" accessModes: - "ReadWriteOnce" size: "100Mi" selector: {} # -- Configure mariadb database subchart under this key. # This will be deployed when storage.mysql.deploy is set to true # Currently settings need to be manually copied from here to the storage.mysql section # For more options see [mariadb chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/mariadb) mariadb: architecture: standalone auth: database: authelia username: authelia password: authelia rootPassword: authelia primary: resources: {} persistence: enabled: false size: 1Gi # storageClass: "" # -- Configure postgresql database subchart under this key. # This will be deployed when storage.postgres.deploy is set to true # Currently settings need to be manually copied from here to the storage.postgres section # For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) postgresql: auth: postgresPassword: authelia username: authelia password: authelia database: authelia primary: persistence: enabled: false # storageClass: "" size: 1Gi resources: {} # -- Configure redis database subchart under this key. # This will be deployed when session.redis.deploy is set to true # Currently settings need to be manually copied from here to the session.redis section # For more options see [redis chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/redis) redis: architecture: standalone auth: enabled: false sentinel: true password: "redis" existingSecret: "" existingSecretPasswordKey: "" usePasswordFiles: false master: resources: {} priorityClassName: "" persistence: enabled: false # storageClass: "" accessModes: - ReadWriteOnce size: 1Gi replica: replicaCount: 3 resources: {} priorityClassName: "" persistence: enabled: false # storageClass: "" accessModes: - ReadWriteOnce size: 1Gi