security/authelia/helm-values.yaml
Mayne0213 8f449666b5 CHORE(authelia): Remove immich OIDC client
- Remove IMMICH_CLIENT_SECRET from extraVolumes/extraVolumeMounts
- Remove immich OIDC client configuration
- Immich application removed

CHORE(authelia): Remove IMMICH_CLIENT_SECRET from ExternalSecret
2026-01-09 21:45:16 +09:00


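---
# Authelia Helm Values
# Chart: https://charts.authelia.com
#
# Layout: two-space indent, indented block sequences, document-start marker.
# Values that only look like strings (paths, hosts, durations) are left plain;
# nothing here is boolean- or number-ambiguous, so no extra quoting is needed.

# Ingress - disabled, using manifests/ingress.yaml due to chart schema complexity
ingress:
  enabled: false

# Pod configuration
pod:
  resources:
    requests:
      cpu: 15m
      memory: 256Mi
    limits:
      # No CPU limit is set; only memory is capped.
      memory: 384Mi

  # Extra volumes: the file-backend user database and the OIDC secret material.
  extraVolumes:
    # NOTE(review): users_database.yml is the Authelia file backend, which
    # stores password hashes. It is sourced from a ConfigMap (authelia-config)
    # rather than a Secret, so it is not covered by Secret-scoped RBAC or
    # etcd encryption-at-rest - confirm this is acceptable or move it to a Secret.
    - name: users-database
      configMap:
        name: authelia-config
    # Per-client secrets and the JWKS private key are projected item-by-item
    # from the same Secret (authelia-secrets) that the chart also uses below.
    - name: oidc-secrets
      secret:
        secretName: authelia-secrets
        items:
          - key: HEADLAMP_CLIENT_SECRET
            path: HEADLAMP_CLIENT_SECRET
          - key: VAULT_CLIENT_SECRET
            path: VAULT_CLIENT_SECRET
          - key: identity_providers.oidc.jwks.key
            path: jwks.pem

  # Every mount is read-only; the paths are referenced from configMap below.
  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      subPath: users_database.yml
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/HEADLAMP_CLIENT_SECRET
      subPath: HEADLAMP_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/VAULT_CLIENT_SECRET
      subPath: VAULT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/jwks.pem
      subPath: jwks.pem
      readOnly: true

# ConfigMap configuration (rendered into Authelia's configuration.yml)
configMap:
  # Authentication backend - file-based users
  authentication_backend:
    file:
      enabled: true
      # Must match the users-database mountPath above.
      path: /config/users_database.yml
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16

  # Session configuration
  session:
    cookies:
      # NOTE(review): the session cookie is scoped to the shared parent domain
      # kro.kr, so browsers will present it to every *.kro.kr host, not only the
      # hosts configured in this file. Authelia needs the cookie domain to cover
      # all protected hosts, which may be why it is set this way - confirm it is
      # intended. If kro.kr is on the Public Suffix List browsers reject the
      # cookie outright; verify against the deployed portal.
      - domain: kro.kr
        subdomain: auth0213

  # Storage - PostgreSQL (CNPG cluster)
  storage:
    postgres:
      enabled: true
      address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
      database: authelia
      username: bluemayne
      timeout: 5s

  # Access control rules - no per-host rules; every protected host falls back
  # to the default policy (at least one factor).
  access_control:
    default_policy: one_factor

  # Notifier - filesystem (no email)
  notifier:
    filesystem:
      enabled: true
      filename: /data/notification.txt

  # TOTP configuration
  totp:
    disable: false
    issuer: mayne.kro.kr

  # OIDC Identity Provider
  identity_providers:
    oidc:
      enabled: true
      # Signing key is the jwks.pem mount above.
      jwks:
        - key_id: 'main'
          algorithm: 'RS256'
          use: 'sig'
          key:
            path: /secrets/jwks.pem
      cors:
        endpoints:
          - authorization
          - token
          - revocation
          - introspection
          - userinfo
        # Origins are derived from each client's redirect_uris below.
        allowed_origins_from_client_redirect_uris: true
      clients:
        - client_id: headlamp
          client_name: Headlamp
          # Secret is read from the projected file, not inlined in values.
          client_secret:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes:
            - openid
            - profile
            - email
            - groups
          token_endpoint_auth_method: client_secret_basic
        - client_id: vault
          client_name: Vault
          client_secret:
            path: /secrets/VAULT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
            # Plain-http loopback redirect is the only non-TLS URI; it serves the
            # local CLI login flow and never leaves the user's machine.
            - http://localhost:8250/oidc/callback
          scopes:
            - openid
            - profile
            - email
            - groups
          token_endpoint_auth_method: client_secret_post

# Secret configuration - use existing secret from Vault
secret:
  existingSecret: authelia-secrets

# No persistence needed - using PostgreSQL

# Note: Authelia Helm chart does not support affinity configuration
# in values.yaml due to strict schema validation (beta chart).
# Replica count is set to 2 for HA, but soft anti-affinity cannot
# be configured via Helm values. Consider using post-render hooks
# or manual patching if node distribution is critical.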