scale-catalog/premium/authelia/23.13.14/templates/_configmap.tpl
Julian Haseleu 5d1ab94342 cleanup
2024-07-14 21:54:53 +00:00

386 lines
15 KiB
Smarty

{{/* Define the configmap */}}
{{- define "authelia.configmap.paths" -}}
enabled: true
data:
AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
AUTHELIA_JWT_SECRET_FILE: "/secrets/JWT_TOKEN"
AUTHELIA_SESSION_SECRET_FILE: "/secrets/SESSION_ENCRYPTION_KEY"
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: "/secrets/ENCRYPTION_KEY"
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: "/secrets/STORAGE_PASSWORD"
{{- if .Values.authentication_backend.ldap.enabled }}
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE: "/secrets/LDAP_PASSWORD"
{{- end }}
{{- if .Values.notifier.smtp.enabled }}
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: "/secrets/SMTP_PASSWORD"
{{- end }}
AUTHELIA_SESSION_REDIS_PASSWORD_FILE: "/secrets/REDIS_PASSWORD"
{{- if .Values.redisProvider.high_availability.enabled }}
AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE: "/secrets/REDIS_SENTINEL_PASSWORD"
{{- end }}
{{- if .Values.duo_api.enabled }}
AUTHELIA_DUO_API_SECRET_KEY_FILE: "/secrets/DUO_API_KEY"
{{- end }}
{{- if .Values.identity_providers.oidc.enabled }}
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: "/secrets/OIDC_HMAC_SECRET"
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: "/secrets/OIDC_PRIVATE_KEY"
{{- end }}
{{- end -}}
{{- define "authelia.configmap.configfile" -}}
enabled: true
data:
configuration.yaml: |
---
theme: {{ .Values.theme | default "light" }}
default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.default_redirection_url }}
ntp:
address: {{ .Values.ntp.address | default "time.cloudflare.com:123" }}
version: {{ .Values.ntp.version | default 4 }}
max_desync: {{ .Values.ntp.max_desync | default "3s" }}
disable_startup_check: {{ .Values.ntp.disable_startup_check | default false }}
disable_failure: {{ .Values.ntp.disable_failure | default true }}
server:
host: 0.0.0.0
port: {{ .Values.server.port | default 9091 }}
{{- if ne "" (.Values.server.path | default "") }}
path: {{ .Values.server.path }}
{{- end }}
buffers:
write: {{ .Values.server.write_buffer_size | default 4096 }}
read: {{ .Values.server.read_buffer_size | default 4096 }}
enable_pprof: {{ .Values.server.enable_pprof | default false }}
enable_expvars: {{ .Values.server.enable_expvars | default false }}
log:
level: {{ .Values.log.level | default "info" }}
format: {{ .Values.log.format | default "text" }}
{{- if ne "" (.Values.log.file_path | default "") }}
file_path: {{ .Values.log.file_path }}
keep_stdout: true
{{- end }}
totp:
issuer: {{ .Values.totp.issuer | default .Values.domain }}
period: {{ .Values.totp.period | default 30 }}
skew: {{ .Values.totp.skew | default 1 }}
{{- if .Values.password_policy.enabled }}
password_policy:
standard:
enabled: {{ .Values.password_policy.standard.enabled | default false }}
min_length: {{ .Values.password_policy.standard.min_length | default 8 }}
max_length: {{ .Values.password_policy.standard.max_length | default 0 }}
require_uppercase: {{ .Values.password_policy.standard.require_uppercase | default false }}
require_lowercase: {{ .Values.password_policy.standard.require_lowercase | default false }}
require_number: {{ .Values.password_policy.standard.require_number | default false }}
require_special: {{ .Values.password_policy.standard.require_special | default false }}
zxcvbn:
enabled: {{ .Values.password_policy.zxcvbn.enabled | default false }}
min_score: {{ .Values.password_policy.zxcvbn.min_score | default 3 }}
{{- end -}}
{{- if .Values.duo_api.enabled }}
duo_api:
hostname: {{ .Values.duo_api.hostname }}
integration_key: {{ .Values.duo_api.integration_key }}
{{- end -}}
{{- with $auth := .Values.authentication_backend }}
authentication_backend:
password_reset:
disable: {{ $auth.disable_reset_password }}
{{- if $auth.file.enabled }}
file:
path: {{ $auth.file.path }}
password:
{{- $p := $auth.file.password -}}
{{- if $p.algorithm }}
algorithm: {{ $p.algorithm }}
{{- end -}}
{{- if $p.iterations }}
iterations: {{ $p.iterations }}
{{- end -}}
{{- if $p.key_length }}
key_length: {{ $p.key_length }}
{{- end -}}
{{- if $p.salt_length }}
salt_length: {{ $p.salt_length }}
{{- end -}}
{{- if $p.memory }}
memory: {{ $p.memory }}
{{- end -}}
{{- if $p.parallelism }}
parallelism: {{ $p.parallelism }}
{{- end -}}
{{- end -}}
{{- if $auth.ldap.enabled }}
ldap:
implementation: {{ $auth.ldap.implementation | default "custom" }}
url: {{ $auth.ldap.url }}
timeout: {{ $auth.ldap.timeout | default "5s" }}
start_tls: {{ $auth.ldap.start_tls }}
tls:
{{- if hasKey $auth.ldap.tls "server_name" }}
server_name: {{ $auth.ldap.tls.server_name | default $auth.ldap.host }}
{{- end }}
minimum_version: {{ $auth.ldap.tls.minimum_version | default "TLS1.2" }}
skip_verify: {{ $auth.ldap.tls.skip_verify | default false }}
{{- if $auth.ldap.base_dn }}
base_dn: {{ $auth.ldap.base_dn }}
{{- end -}}
{{- if $auth.ldap.username_attribute }}
username_attribute: {{ $auth.ldap.username_attribute }}
{{- end -}}
{{- if $auth.ldap.additional_users_dn }}
additional_users_dn: {{ $auth.ldap.additional_users_dn }}
{{- end -}}
{{- if $auth.ldap.users_filter }}
users_filter: {{ $auth.ldap.users_filter }}
{{- end -}}
{{- if $auth.ldap.additional_groups_dn }}
additional_groups_dn: {{ $auth.ldap.additional_groups_dn }}
{{- end -}}
{{- if $auth.ldap.groups_filter }}
groups_filter: {{ $auth.ldap.groups_filter }}
{{- end -}}
{{- if $auth.ldap.group_name_attribute }}
group_name_attribute: {{ $auth.ldap.group_name_attribute }}
{{- end -}}
{{- if $auth.ldap.mail_attribute }}
mail_attribute: {{ $auth.ldap.mail_attribute }}
{{- end -}}
{{- if $auth.ldap.display_name_attribute }}
display_name_attribute: {{ $auth.ldap.display_name_attribute }}
{{- end }}
user: {{ $auth.ldap.user }}
{{- end -}}
{{- end -}}
{{- with $session := .Values.session }}
session:
name: {{ $session.name | default "authelia_session" }}
domain: {{ required "A valid .Values.domain entry required!" $.Values.domain }}
same_site: {{ $session.same_site | default "lax" }}
expiration: {{ $session.expiration | default "1M" }}
inactivity: {{ $session.inactivity | default "5m" }}
remember_me_duration: {{ $session.remember_me_duration | default "1M" }}
{{- end }}
redis:
host: {{ .Values.redis.creds.plain }}
{{- with $redis := .Values.redisProvider }}
port: {{ $redis.port | default 6379 }}
{{- if not (eq $redis.username "") }}
username: {{ $redis.username }}
{{- end }}
maximum_active_connections: {{ $redis.maximum_active_connections | default 8 }}
minimum_idle_connections: {{ $redis.minimum_idle_connections | default 0 }}
{{- if $redis.tls.enabled }}
tls:
server_name: {{ $redis.tls.server_name }}
minimum_version: {{ $redis.tls.minimum_version | default "TLS1.2" }}
skip_verify: {{ $redis.tls.skip_verify }}
{{- end }}
{{- if $redis.high_availability.enabled }}
high_availability:
sentinel_name: {{ $redis.high_availability.sentinel_name }}
{{- if $redis.high_availability.nodes }}
nodes:
{{- range $node := $redis.high_availability.nodes }}
- host: {{ $node.host }}
port: {{ $node.port | default 26379 }}
{{- end -}}
{{- end }}
route_by_latency: {{ $redis.high_availability.route_by_latency }}
route_randomly: {{ $redis.high_availability.route_randomly }}
{{- end }}
{{- end }}
regulation:
max_retries: {{ .Values.regulation.max_retries | default 3 }}
find_time: {{ .Values.regulation.find_time | default "1m" }}
ban_time: {{ .Values.regulation.ban_time | default "5m" }}
storage:
postgres:
host: {{ $.Values.cnpg.main.creds.host }}
{{- with $storage := .Values.storage }}
port: {{ $storage.postgres.port | default 5432 }}
database: {{ $storage.postgres.database | default "authelia" }}
username: {{ $storage.postgres.username | default "authelia" }}
timeout: {{ $storage.postgres.timeout | default "5s" }}
ssl:
mode: {{ $storage.postgres.sslmode | default "disable" }}
{{- end }}
{{- with $notifier := .Values.notifier }}
notifier:
disable_startup_check: {{ $.Values.notifier.disable_startup_check }}
{{- if $notifier.filesystem.enabled }}
filesystem:
filename: {{ $notifier.filesystem.filename }}
{{- end }}
{{- if $notifier.smtp.enabled }}
smtp:
host: {{ $notifier.smtp.host }}
port: {{ $notifier.smtp.port | default 25 }}
timeout: {{ $notifier.smtp.timeout | default "5s" }}
{{- with $notifier.smtp.username }}
username: {{ . }}
{{- end }}
sender: {{ $notifier.smtp.sender | quote }}
identifier: {{ $notifier.smtp.identifier | quote }}
subject: {{ $notifier.smtp.subject | quote }}
startup_check_address: {{ $notifier.smtp.startup_check_address | quote }}
disable_require_tls: {{ $notifier.smtp.disable_require_tls }}
disable_html_emails: {{ $notifier.smtp.disable_html_emails }}
tls:
server_name: {{ $notifier.smtp.tls.server_name | default $notifier.smtp.host }}
minimum_version: {{ $notifier.smtp.tls.minimum_version | default "TLS1.2" }}
skip_verify: {{ $notifier.smtp.tls.skip_verify | default false }}
{{- end }}
{{- end }}
{{- if .Values.identity_providers.oidc.enabled }}
identity_providers:
oidc:
access_token_lifespan: {{ .Values.identity_providers.oidc.access_token_lifespan | default "1h" }}
authorize_code_lifespan: {{ .Values.identity_providers.oidc.authorize_code_lifespan | default "1m" }}
id_token_lifespan: {{ .Values.identity_providers.oidc.id_token_lifespan | default "1h" }}
refresh_token_lifespan: {{ .Values.identity_providers.oidc.refresh_token_lifespan | default "90m" }}
enable_client_debug_messages: {{ .Values.identity_providers.oidc.enable_client_debug_messages | default false }}
minimum_parameter_entropy: {{ .Values.identity_providers.oidc.minimum_parameter_entropy | default 8 }}
{{- if .Values.identity_providers.oidc.clients }}
clients:
{{- range $client := .Values.identity_providers.oidc.clients }}
- id: {{ $client.id }}
description: {{ $client.description | default $client.id }}
secret: {{ $client.secret | default (randAlphaNum 128) }}
{{- if $client.public }}
public: {{ $client.public }}
{{- end }}
authorization_policy: {{ $client.authorization_policy | default "two_factor" }}
consent_mode: {{ $client.consent_mode | default "auto" }}
redirect_uris:
{{- range $client.redirect_uris }}
- {{ . }}
{{- end }}
{{- if $client.audience }}
audience:
{{- range $client.audience }}
- {{ . }}
{{- end }}
{{- end }}
scopes:
{{- range ($client.scopes | default (list "openid" "profile" "email" "groups")) }}
- {{ . }}
{{- end }}
grant_types:
{{- range ($client.grant_types | default (list "refresh_token" "authorization_code")) }}
- {{ . }}
{{- end }}
response_types:
{{- range ($client.response_types | default (list "code")) }}
- {{ . }}
{{- end }}
{{- if $client.response_modes }}
response_modes:
{{- range $client.response_modes }}
- {{ . }}
{{- end }}
{{- end }}
{{- with $client.token_endpoint_auth_method }}
token_endpoint_auth_method: {{ . }}
{{- end }}
userinfo_signing_algorithm: {{ $client.userinfo_signing_algorithm | default "none" }}
{{- if $client.require_pkce }}
require_pkce: {{ $client.require_pkce }}
{{- end }}
{{- if $client.pkce_challange_method }}
pkce_challenge_method: {{ $client.pkce_challange_method | default "S256" }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
access_control:
{{- if not .Values.access_control.rules }}
{{- if (eq .Values.access_control.default_policy "bypass") }}
default_policy: one_factor
{{- else if (eq .Values.access_control.default_policy "deny") }}
default_policy: two_factor
{{- else }}
default_policy: {{ .Values.access_control.default_policy }}
{{- end }}
{{- else }}
default_policy: {{ .Values.access_control.default_policy }}
{{- end }}
{{- if and .Values.access_control.networks (not .Values.access_control.networks_access_control) -}}
{{- fail "Please change [.Values.access_control.networks] to [.Values.access_control.networks_access_control]" -}}
{{- end -}}
{{- if not .Values.access_control.networks_access_control }}
networks: []
{{- else }}
networks:
{{- range $net := .Values.access_control.networks_access_control }}
- name: {{ $net.name }}
networks:
{{- range $net.networks }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end }}
{{- if not .Values.access_control.rules }}
rules: []
{{- else }}
rules:
{{- range $rule := .Values.access_control.rules }}
{{- if $rule.domain }}
- domain:
{{- if kindIs "string" $rule.domain }}
- {{ $rule.domain | squote }}
{{- else -}}
{{- range $rule.domain }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end -}}
{{- if $rule.domain_regex }}
domain_regex:
{{- if kindIs "string" $rule.domain_regex }}
- {{ $rule.domain_regex | squote }}
{{- else -}}
{{- range $rule.domain_regex }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end }}
{{- with $rule.policy }}
policy: {{ . }}
{{- end -}}
{{- if $rule.networks }}
networks:
{{- if kindIs "string" $rule.networks }}
- {{ $rule.networks | squote }}
{{- else -}}
{{- range $rule.networks }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end }}
{{- if $rule.subject }}
subject:
{{- if kindIs "string" $rule.subject }}
- {{ $rule.subject | squote }}
{{- else -}}
{{- range $rule.subject }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end }}
{{- if $rule.resources }}
resources:
{{- if kindIs "string" $rule.resources }}
- {{ $rule.resources | squote }}
{{- else -}}
{{- range $rule.resources }}
- {{ . | squote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
...
{{- end -}}