---
## @formatter:off
## values.yaml
##
## Repository: authelia https://charts.authelia.com
## Chart: authelia
##
## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0.
## It uses the following providers:
## - authentication: LDAP
## - storage: MySQL
## - session: redis
## Version Override allows changing some chart characteristics that render only on specific versions.
## This does NOT affect the image used, please see the below image section instead for this.
## If this value is not specified, it's assumed the appVersion of the chart is the version.
## The format of this value is x.x.x, for example 4.100.0.
##
## Important Points:
## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion.
## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration
## system.
versionOverride: ""
## Image Parameters
## ref: https://hub.docker.com/r/authelia/authelia/tags/
##
image:
# registry: docker.io
registry: ghcr.io
repository: authelia/authelia
tag: ""
pullPolicy: IfNotPresent
pullSecrets: []
# pullSecrets:
# - myPullSecretName
# nameOverride: authelia-deployment-name
# appNameOverride: authelia
##
## extra labels/annotations applied to all resources
##
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
##
## RBAC Configuration.
##
rbac:
## Enable RBAC. Turning this on associates Authelia with a service account.
## If the vault injector is enabled, then RBAC must be enabled.
enabled: false
annotations: {}
labels: {}
serviceAccountName: authelia
## Authelia Domain
## Should be the root domain you want to protect.
## For example if you have apps app1.example.com and app2.example.com it should be example.com
## This affects the ingress (partially sets the domain used) and configMap.
## Authelia must be served from the domain or a subdomain under it.
domain: kluster.moll.re
service:
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
port: 80
# clusterIP:
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: cloudflare-letsencrypt-prod
labels: {}
# labels:
# myLabel: myValue
certManager: false
rewriteTarget: true
## The Ingress Class Name.
# className: ingress-nginx
## Subdomain is the only thing required since we specify the domain as part of the root values of the chart.
## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain,
## and specify example.com for the domain.
subdomain: auth
tls:
enabled: true
secretName: cloudflare-letsencrypt-issuer-account-key
hosts:
- auth.kluster.moll.re
# hostNameOverride:
traefikCRD:
enabled: false
## Use a standard Ingress object, not an IngressRoute.
disableIngressRoute: false
# matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)
entryPoints: []
# entryPoints:
# - http
# priority: 10
# weight: 10
sticky: false
# stickyCookieNameOverride: authelia_traefik_lb
# strategy: RoundRobin
# responseForwardingFlushInterval: 100ms
middlewares:
auth:
# nameOverride: authelia-auth
authResponseHeaders:
- Remote-User
- Remote-Name
- Remote-Email
- Remote-Groups
chains:
auth:
# nameOverride: authelia-auth-chain
# List of Middlewares to apply before the forwardAuth Middleware in the authentication chain.
before: []
# before:
# - name: extra-middleware-name
# namespace: default
# List of Middlewares to apply after the forwardAuth Middleware in the authentication chain.
after: []
# after:
# - name: extra-middleware-name
# namespace: default
ingressRoute:
# List of Middlewares to apply before the middleware in the IngressRoute chain.
before: []
# before:
# - name: extra-middleware-name
# namespace: default
# List of Middlewares to apply after the middleware in the IngressRoute chain.
after: []
# after:
# - name: extra-middleware-name
# namespace: default
# Specific options for the TraefikCRD TLS configuration. The above TLS section is still used.
tls:
## Disables inclusion of the IngressRoute TLSOptions.
disableTLSOptions: false
# existingOptions:
# name: default-traefik-options
# namespace: default
# certResolver: default
# sans:
# - *.example.com
#
options:
# nameOverride: authelia-tls-options
nameOverride: ""
minVersion: VersionTLS12
maxVersion: VersionTLS13
sniStrict: false
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
curvePreferences: []
# curvePreferences:
# - CurveP521
# - CurveP384
pod:
# Must be Deployment, DaemonSet, or StatefulSet.
kind: DaemonSet
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
replicas: 1
revisionHistoryLimit: 5
strategy:
type: RollingUpdate
# rollingUpdate:
# partition: 1
# maxSurge: 25%
# maxUnavailable: 25%
securityContext:
container: {}
# container:
# runAsUser: 2000
# runAsGroup: 2000
# fsGroup: 2000
pod: {}
# pod:
# readOnlyRootFilesystem: true
# allowPrivilegeEscalation: false
# privileged: false
tolerations: []
# tolerations:
# - key: key1
# operator: Equal
# value: value1
# effect: NoSchedule
# tolerationSeconds: 3600
selectors:
# nodeName: worker-1
nodeSelector: {}
# nodeSelector:
# disktype: ssd
# kubernetes.io/hostname: worker-1
affinity:
nodeAffinity: {}
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: kubernetes.io/hostname
# operator: In
# values:
# - worker-1
# - worker-2
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 1
# preference:
# matchExpressions:
# - key: node-label-key
# operator: NotIn
# values:
# - not-this
podAffinity: {}
# podAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# - labelSelector:
# matchExpressions:
# - key: security
# operator: In
# values:
# - S1
# topologyKey: topology.kubernetes.io/zone
podAntiAffinity: {}
# podAntiAffinity:
# preferredDuringSchedulingIgnoredDuringExecution:
# - weight: 100
# podAffinityTerm:
# labelSelector:
# matchExpressions:
# - key: security
# operator: In
# values:
# - S2
# topologyKey: topology.kubernetes.io/zone
env: []
# env:
# - name: TZ
# value: Australia/Melbourne
resources:
limits: {}
# limits:
# cpu: "4.00"
# memory: 125Mi
requests: {}
# requests:
# cpu: "0.25"
# memory: 50Mi
probes:
method:
httpGet:
path: /api/health
port: http
scheme: HTTP
liveness:
initialDelaySeconds: 0
periodSeconds: 30
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
readiness:
initialDelaySeconds: 0
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 5
## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18.
## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
startup:
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 6
extraVolumeMounts: []
extraVolumes: []
##
## Authelia Config Map Generator
##
configMap:
# Enable the configMap source for the Authelia config.
# If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
enabled: true
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
key: configuration.yaml
existingConfigMap: ""
##
## Server Configuration
##
server:
##
## Port sets the configured port for the daemon, service, and the probes.
## Default is 9091 and should not need to be changed.
##
port: 9091
## Set the single level path Authelia listens on.
## Must be alphanumeric chars and should not contain any slashes.
path: ""
## Set the path on disk to Authelia assets.
## Useful to allow overriding of specific static assets.
# asset_path: /config/assets/
asset_path: ""
## Customize Authelia headers.
headers:
## Read the Authelia docs before setting this advanced option.
## https://www.authelia.com/configuration/miscellaneous/server/#csp_template.
csp_template: ""
## Buffers usually should be configured to be the same value.
## Explanation at https://www.authelia.com/configuration/miscellaneous/server/
## Read buffer size adjusts the server's max incoming request size in bytes.
## Write buffer size does the same for outgoing responses.
read_buffer_size: 4096
write_buffer_size: 4096
log:
## Level of verbosity for logs: info, debug, trace.
level: info
## Format the logs are written as: json, text.
format: text
## TODO: Statefulness check should check if this is set, and the configMap should enable it.
## File path where the logs will be written. If not set logs are written to stdout.
# file_path: /config/authelia.log
file_path: ""
##
## Telemetry Configuration
##
telemetry:
##
## Metrics Configuration
##
metrics:
## Enable Metrics.
enabled: false
## The port to listen on for metrics. This should be on a different port to the main server.port value.
port: 9959
serviceMonitor:
enabled: false
annotations: {}
labels: {}
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
## Default is https://www.<domain> (value at the top of the values.yaml).
default_redirection_url: ""
# default_redirection_url: https://example.com
## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
## disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: "totp"
theme: light
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## Disable TOTP.
disable: false
## The issuer name displayed in the Authenticator application of your choice.
## Defaults to <domain>.
issuer: ""
## The TOTP algorithm to use.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm
algorithm: sha1
## The number of digits a user has to input. Must either be 6 or 8.
## Changing this option only affects newly generated TOTP configurations.
## It is CRITICAL you read the documentation before changing this option:
## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits
digits: 6
## The period in seconds a one-time password is valid for.
## Changing this option only affects newly generated TOTP configurations.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation.
skew: 1
## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
secret_size: 32
##
## WebAuthn Configuration
##
## Parameters used for WebAuthn.
webauthn:
## Disable Webauthn.
disable: false
## Adjust the interaction timeout for Webauthn dialogues.
timeout: 60s
## The display name the browser should show the user for when using Webauthn to login/register.
display_name: Authelia
## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
## Options are none, indirect, direct.
attestation_conveyance_preference: indirect
## User verification controls if the user must make a gesture or action to confirm they are present.
## Options are required, preferred, discouraged.
user_verification: preferred
##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use one and only one of these providers.
authentication_backend:
## Password Reset Options.
password_reset:
## Disable both the HTML element and the API for reset password functionality
disable: false
## External reset password url that redirects the user to an external reset portal. This disables the internal reset
## functionality.
custom_url: ""
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
## See the below documentation for more information.
## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval
refresh_interval: 5m
## LDAP backend configuration.
##
## This backend allows Authelia to be scaled to more
## than one instance and therefore is recommended for
## production.
ldap:
enabled: false
## File (Authentication Provider)
##
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
## implications it is highly recommended you leave the default values. Before considering changing these settings
## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
file:
enabled: true
path: /config/users_database.yml
password:
algorithm: argon2id
iterations: 1
key_length: 32
salt_length: 16
memory: 1024
parallelism: 8
##
## Password Policy Configuration.
##
password_policy:
## The standard policy allows you to tune individual settings manually.
standard:
enabled: false
## Require a minimum length for passwords.
min_length: 8
## Require a maximum length for passwords.
max_length: 0
## Require uppercase characters.
require_uppercase: true
## Require lowercase characters.
require_lowercase: true
## Require numeric characters.
require_number: true
## Require special characters.
require_special: true
## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
zxcvbn:
enabled: false
## Configures the minimum score allowed.
min_score: 0
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
## Configure the ACL as a Secret instead of part of the ConfigMap.
secret:
## Enables the ACL section being generated as a secret.
enabled: false
## The key in the secret which contains the file to mount.
key: configuration.acl.yaml
## An existingSecret name, if configured this will force the secret to be mounted using the key above.
existingSecret: ""
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
networks: []
# networks:
# - name: private
# networks:
# - 10.0.0.0/8
# - 172.16.0.0/12
# - 192.168.0.0/16
# - name: vpn
# networks:
# - 10.9.0.0/16
rules: []
# rules:
# - domain_regex: '^.*\.example.com$'
# policy: bypass
# - domain: public.example.com
# policy: bypass
# - domain: "*.example.com"
# policy: bypass
# methods:
# - OPTIONS
# - domain: secure.example.com
# policy: one_factor
# networks:
# - private
# - vpn
# - 192.168.1.0/24
# - 10.0.0.1
# - domain:
# - secure.example.com
# - private.example.com
# policy: two_factor
# - domain: singlefactor.example.com
# policy: one_factor
# - domain: "mx2.mail.example.com"
# subject: "group:admins"
# policy: deny
# - domain: "*.example.com"
# subject:
# - "group:admins"
# - "group:moderators"
# policy: two_factor
# - domain: dev.example.com
# resources:
# - "^/groups/dev/.*$"
# subject: "group:dev"
# policy: two_factor
# - domain: dev.example.com
# resources:
# - "^/users/john/.*$"
# subject:
# - ["group:dev", "user:john"]
# - "group:admins"
# policy: two_factor
# - domain: "{user}.example.com"
# policy: bypass
##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
## The name of the session cookie. (default: authelia_session).
name: authelia_session
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/configuration/session/introduction/#same_site
same_site: lax
## The time in seconds before the cookie expires and session is reset.
expiration: 1h
## The inactivity time in seconds before the session is reset.
inactivity: 5m
## The remember me duration.
## Value is in seconds, or duration notation. Value of 0 disables remember me.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to
## spy or attack. Currently the default is 1M or 1 month.
remember_me_duration: 1M
##
## Redis Provider
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
## The redis connection details
redis:
enabled: false
##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done
## in a short period of time.
regulation:
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
max_retries: 3
## The time range during which the user can attempt login before being banned. The user is banned if the
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
find_time: 2m
## The length of time before a banned user can login again. Ban Time accepts duration notation.
## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
ban_time: 5m
##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
##
## Local (Storage Provider)
##
## This stores the data in a SQLite3 Database.
## This is only recommended for lightweight non-stateful installations.
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
local:
enabled: true
path: /config/db.sqlite3
##
## MySQL (Storage Provider)
##
## Also supports MariaDB
##
mysql:
enabled: false
##
## PostgreSQL (Storage Provider)
##
postgres:
enabled: false
##
## Notification Provider
##
##
## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use one and only one of these providers.
notifier:
## You can disable the notifier startup check by setting this to true.
disable_startup_check: false
##
## File System (Notification Provider)
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
##
filesystem:
enabled: true
filename: /config/notification.txt
##
## SMTP (Notification Provider)
##
## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
## [Security] By default Authelia will:
## - force all SMTP connections over TLS including unauthenticated connections
## - use the disable_require_tls boolean value to disable this requirement
## (only works for unauthenticated connections)
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
## (configure in tls section)
smtp:
enabled: false
identity_providers:
oidc:
## Enables this in the config map. Currently in beta stage.
## See https://www.authelia.com/r/openid-connect/
enabled: false
access_token_lifespan: 1h
authorize_code_lifespan: 1m
id_token_lifespan: 1h
refresh_token_lifespan: 90m
## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
## For security reasons it's recommended this option is public_clients_only or always, however always is not
## compatible with all clients.
enforce_pkce: public_clients_only
## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
enable_pkce_plain_challenge: false
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
## security reasons.
minimum_parameter_entropy: 8
## Enables additional debug messages.
enable_client_debug_messages: false
## Cross-Origin Resource Sharing (CORS) settings.
cors:
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
# endpoints:
# - authorization
# - token
# - revocation
# - introspection
# - userinfo
endpoints: []
## List of allowed origins.
## Any origin with https is permitted unless this option is configured or the
## allowed_origins_from_client_redirect_uris option is enabled.
# allowed_origins:
# - https://example.com
allowed_origins: []
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
## provided they have the scheme http or https and do not have the hostname of localhost.
allowed_origins_from_client_redirect_uris: true
clients: []
# clients:
# -
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
# id: myapp
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
# description: My Application
## The client secret is a shared secret between Authelia and the consumer of this client.
# secret: apple123
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. Read the documentation for more information.
## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
# sector_identifier: example.com
## Sets the client to public. This should typically not be set, please see the documentation for usage.
# public: false
## The policy to require for this client; one_factor or two_factor.
# authorization_policy: two_factor
## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
## duration notation will enable users to remember consent for this client. The time configured is the amount
## of time the pre-configured consent is valid for granting new authorizations to the user.
# pre_configured_consent_duration: 30d
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
# scopes:
# - openid
# - profile
# - email
# - groups
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
# redirect_uris:
# - https://oidc.example.com/oauth2/callback
## Grant Types configures which grants this client can obtain.
## It's not recommended to configure this unless you know what you're doing.
# grant_types:
# - refresh_token
# - authorization_code
## Response Types configures which responses this client can be sent.
## It's not recommended to configure this unless you know what you're doing.
# response_types:
# - code
## Response Modes configures which response modes this client supports.
## It's not recommended to configure this unless you know what you're doing.
# response_modes:
# - form_post
# - query
# - fragment
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
# userinfo_signing_algorithm: none
##
## Authelia Secret Generator.
##
## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each
## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets)
## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option.
##
secret:
existingSecret: ""
# existingSecret: authelia
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
mountPath: /secrets
excludeVolumeAndMounts: false
## Secrets.
jwt:
key: JWT_TOKEN
value: ""
filename: JWT_TOKEN
ldap:
key: LDAP_PASSWORD
value: ""
filename: LDAP_PASSWORD
storage:
key: STORAGE_PASSWORD
value: ""
filename: STORAGE_PASSWORD
storageEncryptionKey:
key: STORAGE_ENCRYPTION_KEY
value: ""
filename: STORAGE_ENCRYPTION_KEY
session:
key: SESSION_ENCRYPTION_KEY
value: ""
filename: SESSION_ENCRYPTION_KEY
duo:
key: DUO_API_KEY
value: ""
filename: DUO_API_KEY
redis:
key: REDIS_PASSWORD
value: ""
filename: REDIS_PASSWORD
redisSentinel:
key: REDIS_SENTINEL_PASSWORD
value: ""
filename: REDIS_SENTINEL_PASSWORD
smtp:
key: SMTP_PASSWORD
value: ""
filename: SMTP_PASSWORD
oidcPrivateKey:
key: OIDC_PRIVATE_KEY
value: ""
filename: OIDC_PRIVATE_KEY
oidcHMACSecret:
key: OIDC_HMAC_SECRET
value: ""
filename: OIDC_HMAC_SECRET
## HashiCorp Vault Injector configuration.
vaultInjector:
## Enable the vault injector annotations. This will disable secret injection via other means.
## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations
## Annotations with a blank string do not get configured at all.
## Additional annotations can be configured via the secret.annotations: {} above.
## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the
## secret.mountPath value. You can alter the filenames with the secret.<secretName>.filename values.
## Secrets are loaded from vault path specified below with secrets.<secretName>.path values. Its format should be
## <SECRET_PATH>:<KEY_NAME>.
## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used,
## it can be overriden per each secret by specifying secrets.<secretName>.templateValue. For example for KV v2
## secrets engine would be '{{ with secret "<SECRET_PATH>" }}{{ .Data.data.<KEY_NAME> }}{{ end }}'.
enabled: false
## The vault role to assign via annotations.
## Annotation: vault.hashicorp.com/role
role: authelia
agent:
## Annotation: vault.hashicorp.com/agent-inject-status
status: update
## Annotation: vault.hashicorp.com/agent-configmap
configMap: ""
## Annotation: vault.hashicorp.com/agent-image
image: ""
## Annotation: vault.hashicorp.com/agent-init-first
initFirst: "false"
## Annotation: vault.hashicorp.com/agent-inject-command
command: "sh -c 'kill HUP $(pidof authelia)'"
## Annotation: vault.hashicorp.com/agent-run-as-same-user
runAsSameUser: "true"
secrets:
jwt:
## Vault Path to the Authelia JWT secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-jwt
path: secrets/authelia/jwt:token
## Vault template specific to JWT.
## Annotation: vault.hashicorp.com/agent-inject-template-jwt
templateValue: ""
## Vault after render command specific to JWT.
## Annotation: vault.hashicorp.com/agent-inject-command-jwt
command: ""
ldap:
## Vault Path to the Authelia LDAP secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-ldap
path: secrets/authelia/ldap:password
## Vault template specific to LDAP.
## Annotation: vault.hashicorp.com/agent-inject-template-ldap
templateValue: ""
## Vault after render command specific to LDAP.
## Annotation: vault.hashicorp.com/agent-inject-command-ldap
command: ""
storage:
## Vault Path to the Authelia storage password secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-storage
path: secrets/authelia/storage:password
## Vault template specific to the storage password.
## Annotation: vault.hashicorp.com/agent-inject-template-storage
templateValue: ""
## Vault after render command specific to the storage password.
## Annotation: vault.hashicorp.com/agent-inject-command-storage
command: ""
storageEncryptionKey:
## Vault Path to the Authelia storage encryption key secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key
path: secrets/authelia/storage:encryption_key
## Vault template specific to the storage encryption key.
## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key
templateValue: ""
## Vault after render command specific to the storage encryption key.
## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key
command: ""
session:
## Vault Path to the Authelia session secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-session
path: secrets/authelia/session:encryption_key
## Vault template specific to session.
## Annotation: vault.hashicorp.com/agent-inject-template-session
templateValue: ""
## Vault after render command specific to session.
## Annotation: vault.hashicorp.com/agent-inject-command-session
command: ""
duo:
## Vault Path to the Authelia duo secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-duo
path: secrets/authelia/duo:api_key
## Vault template specific to duo.
## Annotation: vault.hashicorp.com/agent-inject-template-duo
templateValue: ""
## Vault after render command specific to duo.
## Annotation: vault.hashicorp.com/agent-inject-command-duo
command: ""
redis:
## Vault Path to the Authelia redis secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-redis
path: secrets/authelia/redis:password
## Vault template specific to redis.
## Annotation: vault.hashicorp.com/agent-inject-template-redis
templateValue: ""
## Vault after render command specific to redis.
## Annotation: vault.hashicorp.com/agent-inject-command-redis
command: ""
redisSentinel:
## Vault Path to the Authelia redis sentinel secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel
path: secrets/authelia/redis_sentinel:password
## Vault template specific to redis sentinel.
## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel
templateValue: ""
## Vault after render command specific to redis sentinel.
## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel
command: ""
smtp:
## Vault Path to the Authelia SMTP secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-smtp
path: secrets/authelia/smtp:password
## Vault template specific to SMTP.
## Annotation: vault.hashicorp.com/agent-inject-template-smtp
templateValue: ""
## Vault after render command specific to SMTP.
## Annotation: vault.hashicorp.com/agent-inject-command-smtp
command: ""
oidcPrivateKey:
## Vault Path to the Authelia OIDC private key secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key
path: secrets/authelia/oidc:private_key
## Vault template specific to OIDC private key.
## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key
templateValue: ""
## Vault after render command specific to OIDC private key.
## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key
command: ""
oidcHMACSecret:
## Vault Path to the Authelia OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret
path: secrets/authelia/oidc:hmac_secret
## Vault template specific to OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret
templateValue: ""
## Vault after render command specific to OIDC HMAC secret.
## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret
command: ""
certificates:
existingSecret: ""
# existingSecret: authelia
annotations: {}
# annotations:
# myAnnotation: myValue
labels: {}
# labels:
# myLabel: myValue
values: []
# values:
# - name: Example_Com_Root_Certificate_Authority_B64.pem
# secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
# - name: Example_Com_Root_Certificate_Authority.pem
# value: |
# -----BEGIN CERTIFICATE-----
# MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
# A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
# Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
# MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
# A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
# hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
# RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
# gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
# KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
# QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
# XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
# DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
# LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
# RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
# jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
# 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
# mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
# Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
# WD9f
# -----END CERTIFICATE-----
##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
enabled: true
annotations: {}
# annotations:
readOnly: false
existingClaim: "authelia-config-nfs"
# existingClaim: my-claim-name
storageClass: ""
# storageClass: "my-storage-class"
accessModes:
- ReadWriteOnce