---
# Authelia Helm values
# Chart: https://charts.authelia.com
#
# Layout: pod/ingress/secret/redis are chart-level settings; everything under
# `configMap` is rendered into Authelia's own configuration.yml by the chart.

# Ingress is managed outside the chart (manifests/ingress.yaml) because the
# chart's ingress schema was awkward to express; nothing here is exposed directly.
ingress:
  enabled: false

# Pod configuration
pod:
  # One Authelia pod per node, including control-plane nodes via the toleration.
  kind: DaemonSet
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      operator: Exists
      effect: NoSchedule
  resources:
    requests:
      cpu: 15m
      memory: 256Mi
    limits:
      # NOTE(review): argon2 below is configured for 64 MiB per hash; keep this
      # limit comfortably above memory * parallelism to avoid OOM under login load.
      memory: 384Mi

  extraVolumes:
    # NOTE(review): the file-backend user database is sourced from a ConfigMap
    # (authelia-config). If that file holds password hashes, a Secret is the
    # more appropriate object (RBAC and at-rest handling differ) — confirm.
    - name: users-database
      configMap:
        name: authelia-config
    # Client secrets and the OIDC signing key are projected from the Vault-synced
    # Secret; only the listed keys are exposed to the pod.
    - name: oidc-secrets
      secret:
        secretName: authelia-secrets
        items:
          - key: HEADLAMP_CLIENT_SECRET
            path: HEADLAMP_CLIENT_SECRET
          - key: VAULT_CLIENT_SECRET
            path: VAULT_CLIENT_SECRET
          - key: identity_providers.oidc.jwks.key
            path: jwks.pem

  # All mounts are read-only; each secret item is mounted individually via subPath.
  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      subPath: users_database.yml
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/HEADLAMP_CLIENT_SECRET
      subPath: HEADLAMP_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/VAULT_CLIENT_SECRET
      subPath: VAULT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/jwks.pem
      subPath: jwks.pem
      readOnly: true

# Authelia configuration (rendered into configuration.yml by the chart)
configMap:
  # Authentication backend: local file of users, mounted above.
  authentication_backend:
    file:
      enabled: true
      path: /config/users_database.yml
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          memory: 65536  # KiB, i.e. 64 MiB per hash
          parallelism: 4
          key_length: 32
          salt_length: 16

  # Session configuration
  session:
    cookies:
      # NOTE(review): the session cookie is scoped to the parent domain kro.kr so
      # that SSO works across the *0213.kro.kr hosts. If kro.kr is a shared
      # parent domain (a free-subdomain provider) rather than one this
      # deployment controls, the cookie is also sent to other tenants' hosts
      # under it — confirm the domain is fully controlled.
      - domain: kro.kr
        subdomain: auth0213
    redis:
      enabled: true
      # deploy: true uses the chart's bundled Redis (configured under `redis` below).
      deploy: true
      host: authelia-redis-master.authelia.svc.cluster.local
      port: 6379
      # NOTE(review): Redis is reached without a password (matches redis.auth
      # below). It holds live session state, so reachability should be limited
      # to the Authelia pods (e.g. a NetworkPolicy on the authelia namespace).
      password:
        disabled: true

  # Storage: PostgreSQL (CNPG cluster); the password comes from the existing Secret.
  storage:
    postgres:
      enabled: true
      address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
      database: authelia
      username: bluemayne
      timeout: 5s

  # Access control: no explicit rules are defined, so every protected resource
  # falls through to the default policy (password only, no second factor).
  access_control:
    default_policy: one_factor

  # Notifier: no mail relay; one-time codes (identity verification, password
  # reset) are written to a file inside the pod and must be read from there.
  notifier:
    filesystem:
      enabled: true
      filename: /data/notification.txt

  # TOTP configuration
  totp:
    disable: false
    issuer: mayne.kro.kr

  # OIDC identity provider
  identity_providers:
    oidc:
      enabled: true
      # Token signing key, projected from the Secret as /secrets/jwks.pem.
      jwks:
        - key_id: 'main'
          algorithm: 'RS256'
          use: 'sig'
          key:
            path: /secrets/jwks.pem
      cors:
        endpoints:
          - authorization
          - token
          - revocation
          - introspection
          - userinfo
        # Allowed CORS origins are derived from each client's registered
        # redirect_uris rather than listed by hand.
        allowed_origins_from_client_redirect_uris: true
      clients:
        # Headlamp (Kubernetes UI): confidential client, HTTP Basic at the token endpoint.
        - client_id: headlamp
          client_name: Headlamp
          client_secret:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes:
            - openid
            - profile
            - email
            - groups
          token_endpoint_auth_method: client_secret_basic
        # Vault: confidential client, secret sent in the POST body.
        - client_id: vault
          client_name: Vault
          client_secret:
            path: /secrets/VAULT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
            # Presumably the Vault CLI's local listener for `vault login`; plain
            # http is only acceptable here because it is a loopback address.
            - http://localhost:8250/oidc/callback
          scopes:
            - openid
            - profile
            - email
            - groups
          token_endpoint_auth_method: client_secret_post

# Secrets: reuse the Secret populated from Vault instead of letting the chart create one.
secret:
  existingSecret: authelia-secrets

# Bundled Redis for session storage (single standalone instance, see session.redis).
redis:
  enabled: true
  architecture: standalone
  # NOTE(review): no Redis AUTH; pair this with network-level restriction (see
  # configMap.session.redis above).
  auth:
    enabled: false
  image:
    # NOTE(review): `latest` is unpinned, so upgrades happen silently on pod
    # restart and deployments are not reproducible; pin to an explicit version
    # (or digest) for auditable rollouts.
    tag: latest
  master:
    resources:
      requests:
        cpu: 10m
        memory: 64Mi
      limits:
        memory: 128Mi
  # No persistence: durable state lives in PostgreSQL, Redis holds only sessions.