{{/* Define the configmap */}}
{{- define "authelia.configmap.paths" -}}
{{- /*
Environment variables that tell Authelia where to read each secret from.
Only file paths under /secrets are rendered here, so the secret values
themselves never appear in this ConfigMap. The LDAP, SMTP, Redis Sentinel,
Duo and OIDC entries are emitted only when the matching feature is enabled
in values.
*/ -}}
enabled: true
data:
  AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
  {{- /* Core secrets: always required. */}}
  AUTHELIA_JWT_SECRET_FILE: "/secrets/JWT_TOKEN"
  AUTHELIA_SESSION_SECRET_FILE: "/secrets/SESSION_ENCRYPTION_KEY"
  AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: "/secrets/ENCRYPTION_KEY"
  AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: "/secrets/STORAGE_PASSWORD"
  {{- /* Optional integrations: path is only set when the feature is on. */}}
  {{- if .Values.authentication_backend.ldap.enabled }}
  AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE: "/secrets/LDAP_PASSWORD"
  {{- end }}
  {{- if .Values.notifier.smtp.enabled }}
  AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: "/secrets/SMTP_PASSWORD"
  {{- end }}
  AUTHELIA_SESSION_REDIS_PASSWORD_FILE: "/secrets/REDIS_PASSWORD"
  {{- if .Values.redisProvider.high_availability.enabled }}
  AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE: "/secrets/REDIS_SENTINEL_PASSWORD"
  {{- end }}
  {{- if .Values.duo_api.enabled }}
  AUTHELIA_DUO_API_SECRET_KEY_FILE: "/secrets/DUO_API_KEY"
  {{- end }}
  {{- if .Values.identity_providers.oidc.enabled }}
  AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: "/secrets/OIDC_HMAC_SECRET"
  AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/secrets/OIDC_PRIVATE_KEY"
  {{- end }}

{{- end -}}
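{{- define "authelia.configmap.configfile" -}}
{{- /*
Renders Authelia's configuration.yaml from chart values.

Passwords and keys are not rendered here (they are supplied through the
*_FILE environment variables); the one exception is the OIDC client
`secret` field, see the note on that line.

Fixes relative to the previous revision:
  - ntp.disable_failure and totp.skew used `| default`, which treats false
    and 0 as empty, so those values could never be set. They now use hasKey.
  - the PKCE method is read from `pkce_challenge_method` as well as the
    historical misspelling `pkce_challange_method`.
All comments are template comments, so they do not appear in the output.
*/ -}}
enabled: true
data:
  configuration.yaml: |
    ---
    theme: {{ .Values.theme | default "light" }}
    default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.default_redirection_url }}
    ntp:
      address: {{ .Values.ntp.address | default "time.cloudflare.com:123" }}
      version: {{ .Values.ntp.version | default 4 }}
      max_desync: {{ .Values.ntp.max_desync | default "3s" }}
      disable_startup_check: {{ .Values.ntp.disable_startup_check | default false }}
      {{- /* hasKey instead of `default true`: an explicit false must survive, so operators can make a failed time check fatal. */}}
      disable_failure: {{ if hasKey .Values.ntp "disable_failure" }}{{ .Values.ntp.disable_failure }}{{ else }}true{{ end }}
    server:
      host: 0.0.0.0
      port: {{ .Values.server.port | default 9091 }}
      {{- if ne "" (.Values.server.path | default "") }}
      path: {{ .Values.server.path }}
      {{- end }}
      buffers:
        write: {{ .Values.server.write_buffer_size | default 4096 }}
        read: {{ .Values.server.read_buffer_size | default 4096 }}
      {{- /* Debug endpoints; both stay off unless explicitly enabled in values. */}}
      enable_pprof: {{ .Values.server.enable_pprof | default false }}
      enable_expvars: {{ .Values.server.enable_expvars | default false }}
    log:
      level: {{ .Values.log.level | default "info" }}
      format: {{ .Values.log.format | default "text" }}
      {{- if ne "" (.Values.log.file_path | default "") }}
      file_path: {{ .Values.log.file_path }}
      keep_stdout: true
      {{- end }}
    totp:
      issuer: {{ .Values.totp.issuer | default .Values.domain }}
      period: {{ .Values.totp.period | default 30 }}
      {{- /* hasKey instead of `default 1`: a skew of 0 (no adjacent time windows accepted) must be settable. */}}
      skew: {{ if hasKey .Values.totp "skew" }}{{ .Values.totp.skew }}{{ else }}1{{ end }}
    {{- if .Values.password_policy.enabled }}
    password_policy:
      standard:
        enabled: {{ .Values.password_policy.standard.enabled | default false }}
        min_length: {{ .Values.password_policy.standard.min_length | default 8 }}
        max_length: {{ .Values.password_policy.standard.max_length | default 0 }}
        require_uppercase: {{ .Values.password_policy.standard.require_uppercase | default false }}
        require_lowercase: {{ .Values.password_policy.standard.require_lowercase | default false }}
        require_number: {{ .Values.password_policy.standard.require_number | default false }}
        require_special: {{ .Values.password_policy.standard.require_special | default false }}
      zxcvbn:
        enabled: {{ .Values.password_policy.zxcvbn.enabled | default false }}
        min_score: {{ .Values.password_policy.zxcvbn.min_score | default 3 }}
    {{- end -}}
    {{- if .Values.duo_api.enabled }}
    duo_api:
      hostname: {{ .Values.duo_api.hostname }}
      integration_key: {{ .Values.duo_api.integration_key }}
    {{- end -}}
    {{- with $auth := .Values.authentication_backend }}
    authentication_backend:
      password_reset:
        disable: {{ $auth.disable_reset_password }}
      {{- if $auth.file.enabled }}
      file:
        path: {{ $auth.file.path }}
        password:
          {{- /* Hashing parameters are emitted only when set; otherwise Authelia's own defaults apply. */}}
          {{- $p := $auth.file.password -}}
          {{- if $p.algorithm }}
          algorithm: {{ $p.algorithm }}
          {{- end -}}
          {{- if $p.iterations }}
          iterations: {{ $p.iterations }}
          {{- end -}}
          {{- if $p.key_length }}
          key_length: {{ $p.key_length }}
          {{- end -}}
          {{- if $p.salt_length }}
          salt_length: {{ $p.salt_length }}
          {{- end -}}
          {{- if $p.memory }}
          memory: {{ $p.memory }}
          {{- end -}}
          {{- if $p.parallelism }}
          parallelism: {{ $p.parallelism }}
          {{- end -}}
      {{- end -}}
      {{- if $auth.ldap.enabled }}
      ldap:
        implementation: {{ $auth.ldap.implementation | default "custom" }}
        url: {{ $auth.ldap.url }}
        timeout: {{ $auth.ldap.timeout | default "5s" }}
        start_tls: {{ $auth.ldap.start_tls }}
        tls:
          {{- if hasKey $auth.ldap.tls "server_name" }}
          server_name: {{ $auth.ldap.tls.server_name | default $auth.ldap.host }}
          {{- end }}
          minimum_version: {{ $auth.ldap.tls.minimum_version | default "TLS1.2" }}
          {{- /* Certificate verification stays on unless skip_verify is explicitly set to true. */}}
          skip_verify: {{ $auth.ldap.tls.skip_verify | default false }}
        {{- if $auth.ldap.base_dn }}
        base_dn: {{ $auth.ldap.base_dn }}
        {{- end -}}
        {{- if $auth.ldap.username_attribute }}
        username_attribute: {{ $auth.ldap.username_attribute }}
        {{- end -}}
        {{- if $auth.ldap.additional_users_dn }}
        additional_users_dn: {{ $auth.ldap.additional_users_dn }}
        {{- end -}}
        {{- if $auth.ldap.users_filter }}
        users_filter: {{ $auth.ldap.users_filter }}
        {{- end -}}
        {{- if $auth.ldap.additional_groups_dn }}
        additional_groups_dn: {{ $auth.ldap.additional_groups_dn }}
        {{- end -}}
        {{- if $auth.ldap.groups_filter }}
        groups_filter: {{ $auth.ldap.groups_filter }}
        {{- end -}}
        {{- if $auth.ldap.group_name_attribute }}
        group_name_attribute: {{ $auth.ldap.group_name_attribute }}
        {{- end -}}
        {{- if $auth.ldap.mail_attribute }}
        mail_attribute: {{ $auth.ldap.mail_attribute }}
        {{- end -}}
        {{- if $auth.ldap.display_name_attribute }}
        display_name_attribute: {{ $auth.ldap.display_name_attribute }}
        {{- end }}
        user: {{ $auth.ldap.user }}
      {{- end -}}
    {{- end -}}
    {{- with $session := .Values.session }}
    session:
      name: {{ $session.name | default "authelia_session" }}
      domain: {{ required "A valid .Values.domain entry required!" $.Values.domain }}
      same_site: {{ $session.same_site | default "lax" }}
      expiration: {{ $session.expiration | default "1M" }}
      inactivity: {{ $session.inactivity | default "5m" }}
      remember_me_duration: {{ $session.remember_me_duration | default "1M" }}
    {{- end }}
      redis:
        host: {{ .Values.redis.creds.plain }}
        {{- with $redis := .Values.redisProvider }}
        port: {{ $redis.port | default 6379 }}
        {{- if not (eq $redis.username "") }}
        username: {{ $redis.username }}
        {{- end }}
        maximum_active_connections: {{ $redis.maximum_active_connections | default 8 }}
        minimum_idle_connections: {{ $redis.minimum_idle_connections | default 0 }}
        {{- if $redis.tls.enabled }}
        tls:
          server_name: {{ $redis.tls.server_name }}
          minimum_version: {{ $redis.tls.minimum_version | default "TLS1.2" }}
          skip_verify: {{ $redis.tls.skip_verify }}
        {{- end }}
        {{- if $redis.high_availability.enabled }}
        high_availability:
          sentinel_name: {{ $redis.high_availability.sentinel_name }}
          {{- if $redis.high_availability.nodes }}
          nodes:
            {{- range $node := $redis.high_availability.nodes }}
            - host: {{ $node.host }}
              port: {{ $node.port | default 26379 }}
            {{- end -}}
          {{- end }}
          route_by_latency: {{ $redis.high_availability.route_by_latency }}
          route_randomly: {{ $redis.high_availability.route_randomly }}
        {{- end }}
        {{- end }}
    regulation:
      max_retries: {{ .Values.regulation.max_retries | default 3 }}
      find_time: {{ .Values.regulation.find_time | default "1m" }}
      ban_time: {{ .Values.regulation.ban_time | default "5m" }}
    storage:
      postgres:
        host: {{ $.Values.cnpg.main.creds.host }}
        {{- with $storage := .Values.storage }}
        port: {{ $storage.postgres.port | default 5432 }}
        database: {{ $storage.postgres.database | default "authelia" }}
        username: {{ $storage.postgres.username | default "authelia" }}
        timeout: {{ $storage.postgres.timeout | default "5s" }}
        ssl:
          {{- /* Defaults to "disable": the database connection is not TLS-protected unless sslmode is set in values. */}}
          mode: {{ $storage.postgres.sslmode | default "disable" }}
        {{- end }}
    {{- with $notifier := .Values.notifier }}
    notifier:
      disable_startup_check: {{ $.Values.notifier.disable_startup_check }}
      {{- if $notifier.filesystem.enabled }}
      filesystem:
        filename: {{ $notifier.filesystem.filename }}
      {{- end }}
      {{- if $notifier.smtp.enabled }}
      smtp:
        host: {{ $notifier.smtp.host }}
        port: {{ $notifier.smtp.port | default 25 }}
        timeout: {{ $notifier.smtp.timeout | default "5s" }}
        {{- with $notifier.smtp.username }}
        username: {{ . }}
        {{- end }}
        sender: {{ $notifier.smtp.sender | quote }}
        identifier: {{ $notifier.smtp.identifier | quote }}
        subject: {{ $notifier.smtp.subject | quote }}
        startup_check_address: {{ $notifier.smtp.startup_check_address | quote }}
        disable_require_tls: {{ $notifier.smtp.disable_require_tls }}
        disable_html_emails: {{ $notifier.smtp.disable_html_emails }}
        tls:
          server_name: {{ $notifier.smtp.tls.server_name | default $notifier.smtp.host }}
          minimum_version: {{ $notifier.smtp.tls.minimum_version | default "TLS1.2" }}
          skip_verify: {{ $notifier.smtp.tls.skip_verify | default false }}
      {{- end }}
    {{- end }}
    {{- if .Values.identity_providers.oidc.enabled }}
    identity_providers:
      oidc:
        access_token_lifespan: {{ .Values.identity_providers.oidc.access_token_lifespan | default "1h" }}
        authorize_code_lifespan: {{ .Values.identity_providers.oidc.authorize_code_lifespan | default "1m" }}
        id_token_lifespan: {{ .Values.identity_providers.oidc.id_token_lifespan | default "1h" }}
        refresh_token_lifespan: {{ .Values.identity_providers.oidc.refresh_token_lifespan | default "90m" }}
        enable_client_debug_messages: {{ .Values.identity_providers.oidc.enable_client_debug_messages | default false }}
        minimum_parameter_entropy: {{ .Values.identity_providers.oidc.minimum_parameter_entropy | default 8 }}
        {{- if .Values.identity_providers.oidc.clients }}
        clients:
          {{- range $client := .Values.identity_providers.oidc.clients }}
          - id: {{ $client.id }}
            description: {{ $client.description | default $client.id }}
            {{- /*
            NOTE(review): the client secret is written in clear text into this
            rendered configuration, unlike the other credentials, which are
            read from /secrets files. When no secret is supplied, randAlphaNum
            produces a new value on every render, so it changes on each
            upgrade and is never handed to the relying party. Confidential
            clients should always set an explicit secret in values.
            */}}
            secret: {{ $client.secret | default (randAlphaNum 128) }}
            {{- if $client.public }}
            public: {{ $client.public }}
            {{- end }}
            authorization_policy: {{ $client.authorization_policy | default "two_factor" }}
            consent_mode: {{ $client.consent_mode | default "auto" }}
            redirect_uris:
              {{- range $client.redirect_uris }}
              - {{ . }}
              {{- end }}
            {{- if $client.audience }}
            audience:
              {{- range $client.audience }}
              - {{ . }}
              {{- end }}
            {{- end }}
            scopes:
              {{- range ($client.scopes | default (list "openid" "profile" "email" "groups")) }}
              - {{ . }}
              {{- end }}
            grant_types:
              {{- range ($client.grant_types | default (list "refresh_token" "authorization_code")) }}
              - {{ . }}
              {{- end }}
            response_types:
              {{- range ($client.response_types | default (list "code")) }}
              - {{ . }}
              {{- end }}
            {{- if $client.response_modes }}
            response_modes:
              {{- range $client.response_modes }}
              - {{ . }}
              {{- end }}
            {{- end }}
            {{- with $client.token_endpoint_auth_method }}
            token_endpoint_auth_method: {{ . }}
            {{- end }}
            userinfo_signing_algorithm: {{ $client.userinfo_signing_algorithm | default "none" }}
            {{- if $client.require_pkce }}
            require_pkce: {{ $client.require_pkce }}
            {{- end }}
            {{- /* Accept the correctly spelled values key first, then the legacy misspelling, so existing values files keep working. */}}
            {{- with ($client.pkce_challenge_method | default $client.pkce_challange_method) }}
            pkce_challenge_method: {{ . }}
            {{- end }}
          {{- end }}
        {{- end }}
    {{- end }}
    access_control:
      {{- /*
      With no rules defined, a default_policy of "bypass" is rendered as
      one_factor and "deny" as two_factor; any other value, or any value when
      rules exist, is passed through unchanged. Operators who set "deny"
      without rules therefore get two_factor access rather than a denial.
      */}}
      {{- if not .Values.access_control.rules }}
      {{- if (eq .Values.access_control.default_policy "bypass") }}
      default_policy: one_factor
      {{- else if (eq .Values.access_control.default_policy "deny") }}
      default_policy: two_factor
      {{- else }}
      default_policy: {{ .Values.access_control.default_policy }}
      {{- end }}
      {{- else }}
      default_policy: {{ .Values.access_control.default_policy }}
      {{- end }}

      {{- /* The old `networks` values key is rejected at render time in favour of `networks_access_control`. */}}
      {{- if and .Values.access_control.networks (not .Values.access_control.networks_access_control) -}}
      {{- fail "Please change [.Values.access_control.networks] to [.Values.access_control.networks_access_control]" -}}
      {{- end -}}
      {{- if not .Values.access_control.networks_access_control }}
      networks: []
      {{- else }}
      networks:
        {{- range $net := .Values.access_control.networks_access_control }}
        - name: {{ $net.name }}
          networks:
            {{- range $net.networks }}
            - {{ . | squote }}
            {{- end }}
        {{- end }}
      {{- end }}

      {{- if not .Values.access_control.rules }}
      rules: []
      {{- else }}
      rules:
      {{- range $rule := .Values.access_control.rules }}
      {{- /*
      NOTE(review): the list-item dash is only emitted together with
      `domain`. A rule that sets domain_regex but no domain renders without
      its own dash and is merged into the previous item or breaks the YAML;
      verify rendered output for such rules.
      Each matcher accepts either a single string or a list.
      */}}
      {{- if $rule.domain }}
      - domain:
          {{- if kindIs "string" $rule.domain }}
          - {{ $rule.domain | squote }}
          {{- else -}}
          {{- range $rule.domain }}
          - {{ . | squote }}
          {{- end }}
          {{- end }}
      {{- end -}}
      {{- if $rule.domain_regex }}
        domain_regex:
          {{- if kindIs "string" $rule.domain_regex }}
          - {{ $rule.domain_regex | squote }}
          {{- else -}}
          {{- range $rule.domain_regex }}
          - {{ . | squote }}
          {{- end }}
          {{- end }}
      {{- end }}
      {{- with $rule.policy }}
        policy: {{ . }}
      {{- end -}}
      {{- if $rule.networks }}
        networks:
          {{- if kindIs "string" $rule.networks }}
          - {{ $rule.networks | squote }}
          {{- else -}}
          {{- range $rule.networks }}
          - {{ . | squote }}
          {{- end }}
          {{- end }}
      {{- end }}
      {{- if $rule.subject }}
        subject:
          {{- if kindIs "string" $rule.subject }}
          - {{ $rule.subject | squote }}
          {{- else -}}
          {{- range $rule.subject }}
          - {{ . | squote }}
          {{- end }}
          {{- end }}
      {{- end }}
      {{- if $rule.resources }}
        resources:
          {{- if kindIs "string" $rule.resources }}
          - {{ $rule.resources | squote }}
          {{- else -}}
          {{- range $rule.resources }}
          - {{ . | squote }}
          {{- end }}
          {{- end }}
      {{- end }}
      {{- end }}
      {{- end }}
    ...
{{- end -}}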