---
# Helm values for the Authelia chart (https://charts.authelia.com).
# Layout: chart-level keys first (ingress, pod), then the rendered Authelia
# configuration under configMap, then the secret reference and the Redis
# subchart.

# Chart ingress is off; the Ingress resource lives in manifests/ingress.yaml
# because the chart's ingress schema was too involved for this deployment.
ingress:
  enabled: false

pod:
  kind: DaemonSet
  # Memory is capped, CPU deliberately has no limit (request only).
  resources:
    requests:
      cpu: 15m
      memory: 100Mi
    limits:
      memory: 144Mi
  # Two extra volumes: the user database from the ConfigMap, and the OIDC
  # client secrets plus the JWKS signing key projected out of the same Secret
  # that `secret.existingSecret` below points at.
  extraVolumes:
    - name: users-database
      configMap:
        name: authelia-config
    - name: oidc-secrets
      secret:
        secretName: authelia-secrets
        items:
          - key: HEADLAMP_CLIENT_SECRET
            path: HEADLAMP_CLIENT_SECRET
          - key: VAULT_CLIENT_SECRET
            path: VAULT_CLIENT_SECRET
          - key: ZOT_CLIENT_SECRET
            path: ZOT_CLIENT_SECRET
          - key: identity_providers.oidc.jwks.key
            path: jwks.pem
  # Every mount is read-only; the /secrets/* paths are the ones referenced by
  # configMap.identity_providers.oidc below.
  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      subPath: users_database.yml
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/HEADLAMP_CLIENT_SECRET
      subPath: HEADLAMP_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/VAULT_CLIENT_SECRET
      subPath: VAULT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/ZOT_CLIENT_SECRET
      subPath: ZOT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/jwks.pem
      subPath: jwks.pem
      readOnly: true

# Authelia application configuration rendered into the chart's ConfigMap.
configMap:
  # File backend: users come from the ConfigMap-mounted users_database.yml.
  authentication_backend:
    file:
      enabled: true
      path: /config/users_database.yml
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          # NOTE(review): presumably KiB (64 MiB per hash) — confirm against
          # the Authelia docs for the deployed version.
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16

  session:
    cookies:
      - domain: kro.kr
        subdomain: auth0213
    # Sessions are shared through Redis (see the redis subchart block below).
    # password.disabled means no Redis credential is expected in the secret,
    # which matches redis.auth.enabled=false further down.
    redis:
      enabled: true
      deploy: true
      host: authelia-redis-master.authelia.svc.cluster.local
      port: 6379
      password:
        disabled: true

  # Persistent storage on the CNPG-managed PostgreSQL cluster; the password is
  # supplied via the existing secret, not here.
  storage:
    postgres:
      enabled: true
      address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
      database: authelia
      username: bluemayne
      timeout: 5s

  # Named networks available to access-control rules (currently unreferenced,
  # since rules is empty).
  definitions:
    network:
      internal: [10.42.0.0/16, 10.43.0.0/16]

  # No explicit rules: every protected resource falls back to default_policy.
  # NOTE(review): with one_factor as the default and no rules, TOTP (enabled
  # below) is never required for forward-auth protected resources — confirm
  # this is intended.
  access_control:
    default_policy: one_factor
    rules: []

  # Notifications (e.g. TOTP/device registration links) are written to a file
  # on the pod rather than emailed.
  notifier:
    filesystem:
      enabled: true
      filename: /data/notification.txt

  totp:
    disable: false
    issuer: mayne.kro.kr

  identity_providers:
    oidc:
      enabled: true
      # Single RS256 signing key, loaded from the projected Secret mount.
      jwks:
        - key_id: main
          algorithm: RS256
          use: sig
          key:
            path: /secrets/jwks.pem
      # Claims policy that also places these claims in the ID token.
      claims_policies:
        default:
          id_token: [name, preferred_username, email]
      cors:
        endpoints: [authorization, token, revocation, introspection, userinfo]
        allowed_origins_from_client_redirect_uris: true
      # All clients are confidential (public: false) and read their secret
      # from the read-only /secrets mount rather than inline config.
      clients:
        - client_id: headlamp
          client_name: Headlamp
          client_secret:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          claims_policy: default
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes: [openid, profile, email]
          token_endpoint_auth_method: client_secret_basic
        # NOTE(review): this client does not set claims_policy: default like
        # the other two — confirm whether Vault needs the ID-token claims.
        - client_id: vault
          client_name: Vault
          client_secret:
            path: /secrets/VAULT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
            # Loopback redirect, presumably for `vault login` from a
            # workstation; plain http is only used on localhost.
            - http://localhost:8250/oidc/callback
          scopes: [openid, profile, email]
          token_endpoint_auth_method: client_secret_post
        - client_id: zot
          client_name: Zot Registry
          client_secret:
            path: /secrets/ZOT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          claims_policy: default
          redirect_uris:
            - https://zot0213.kro.kr/zot/auth/callback/oidc
          scopes: [openid, profile, email]
          token_endpoint_auth_method: client_secret_post

# Chart reads all Authelia secrets from a pre-existing Secret (populated from
# Vault) instead of generating its own.
secret:
  existingSecret: authelia-secrets

# Bundled Redis subchart used as the shared session store.
redis:
  enabled: true
  architecture: standalone
  # NOTE(review): Redis accepts unauthenticated connections; isolation relies
  # on cluster networking (NetworkPolicy) — confirm one is in place.
  auth:
    enabled: false
  image:
    # NOTE(review): mutable tag; pinning to a fixed version or digest gives
    # reproducible rollouts and a stable supply-chain reference.
    tag: latest
  master:
    # Memory capped, no CPU limit (request only).
    resources:
      requests:
        cpu: 22m
        memory: 100Mi
      limits:
        memory: 100Mi
  # No Redis persistence is configured; durable state lives in PostgreSQL.