Mayne0213 168193845b FIX(authelia): fix TOTP config for chart 0.10.x
- Change enabled to disable for TOTP configuration
- Fix chart compatibility
2026-01-05 00:40:26 +09:00


# Authelia Helm values
# Chart repository: https://charts.authelia.com
# Ingress is handled by the separate ingress.yaml manifest, so the
# chart's own ingress template stays switched off here.
ingress:
  enabled: false
# Pod configuration
pod:
  replicas: 1
  resources:
    requests:
      cpu: 25m
      memory: 256Mi
    limits:
      # Only memory is capped; no CPU limit is declared.
      memory: 512Mi
  # Extra volumes: the file-based users database (from a ConfigMap) and
  # the OIDC client secrets plus the JWKS signing key, projected from the
  # authelia-secrets Secret. Only the keys listed under items are exposed.
  extraVolumes:
    - name: users-database
      configMap:
        name: authelia-config
    - name: oidc-secrets
      secret:
        secretName: authelia-secrets
        items:
          - key: HEADLAMP_CLIENT_SECRET
            path: HEADLAMP_CLIENT_SECRET
          - key: VAULT_CLIENT_SECRET
            path: VAULT_CLIENT_SECRET
          - key: IMMICH_CLIENT_SECRET
            path: IMMICH_CLIENT_SECRET
          - key: identity_providers.oidc.jwks.key
            path: jwks.pem
  # Every file is mounted individually via subPath and read-only.
  # NOTE(review): the kubelet does not refresh subPath mounts when the
  # backing Secret/ConfigMap changes, so a rotated client secret, JWKS key
  # or users database only takes effect after a pod restart.
  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      readOnly: true
      subPath: users_database.yml
    - name: oidc-secrets
      mountPath: /secrets/HEADLAMP_CLIENT_SECRET
      readOnly: true
      subPath: HEADLAMP_CLIENT_SECRET
    - name: oidc-secrets
      mountPath: /secrets/VAULT_CLIENT_SECRET
      readOnly: true
      subPath: VAULT_CLIENT_SECRET
    - name: oidc-secrets
      mountPath: /secrets/IMMICH_CLIENT_SECRET
      readOnly: true
      subPath: IMMICH_CLIENT_SECRET
    - name: oidc-secrets
      mountPath: /secrets/jwks.pem
      readOnly: true
      subPath: jwks.pem
# ConfigMap configuration (rendered by the chart into Authelia's configuration.yml)
configMap:
  # Authentication backend: users come from the mounted users_database.yml.
  authentication_backend:
    file:
      enabled: true
      path: /config/users_database.yml
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          # Authelia expresses memory in KiB, so 65536 is about 64 MiB per hash.
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16
  # Session configuration. The portal is served at <subdomain>.<domain>.
  # NOTE(review): the session cookie is scoped to the whole kro.kr domain; if
  # hosts under kro.kr can be registered by other parties, any such host can
  # receive this cookie. Confirm the domain is fully under your control.
  session:
    cookies:
      - domain: kro.kr
        subdomain: auth0213
  # Storage: PostgreSQL (CNPG cluster). The password is not set here; it is
  # expected to arrive through the chart's secret handling.
  storage:
    postgres:
      enabled: true
      address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
      database: authelia
      username: bluemayne
      timeout: 5s
  # Access control: every protected resource requires one factor unless a
  # more specific rule is added; two_factor is available since TOTP is on.
  access_control:
    default_policy: one_factor
  # Notifier: no mail server, so identity-verification messages are written
  # to a file inside the pod and must be read from there.
  notifier:
    filesystem:
      enabled: true
      filename: /data/notification.txt
  # TOTP configuration (chart 0.10.x uses `disable` rather than `enabled`).
  totp:
    disable: false
    issuer: mayne.kro.kr
  # OIDC identity provider
  identity_providers:
    oidc:
      enabled: true
      # Token-signing key, mounted from the authelia-secrets Secret.
      jwks:
        - key_id: 'main'
          algorithm: 'RS256'
          use: 'sig'
          key:
            path: /secrets/jwks.pem
      cors:
        endpoints:
          - authorization
          - token
          - revocation
          - introspection
          - userinfo
        allowed_origins_from_client_redirect_uris: true
      # Relying parties. Each client secret is a file mounted from the Secret;
      # none of the clients is public.
      clients:
        - client_id: headlamp
          client_name: Headlamp
          public: false
          authorization_policy: one_factor
          token_endpoint_auth_method: client_secret_post
          client_secret:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes:
            - openid
            - profile
            - email
            - groups
        - client_id: vault
          client_name: Vault
          public: false
          authorization_policy: one_factor
          token_endpoint_auth_method: client_secret_post
          client_secret:
            path: /secrets/VAULT_CLIENT_SECRET
          redirect_uris:
            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
            # Loopback callback used by the Vault CLI login flow; plain http is
            # only ever reached on the operator's own machine.
            - http://localhost:8250/oidc/callback
          scopes:
            - openid
            - profile
            - email
            - groups
        - client_id: immich
          client_name: Immich
          public: false
          authorization_policy: one_factor
          token_endpoint_auth_method: client_secret_post
          client_secret:
            path: /secrets/IMMICH_CLIENT_SECRET
          redirect_uris:
            - https://immich0213.kro.kr/auth/login
            - https://immich0213.kro.kr/user-settings
            # Custom-scheme callback for the mobile app.
            - app.immich:///oauth-callback
          scopes:
            - openid
            - profile
            - email
# Secret configuration: reuse the Secret populated from Vault instead of
# letting the chart generate its own.
secret:
  existingSecret: authelia-secrets
# No persistence needed - using PostgreSQL