security/authelia/helm-values.yaml

# Authelia Helm Values
# Chart: https://charts.authelia.com

# Ingress - disabled, using manifests/ingress.yaml due to chart schema complexity
ingress:
  enabled: false

# Pod configuration
pod:
  kind: DaemonSet
  # Resource settings (no CPU limit for stability)
  resources:
    requests:
      cpu: 15m
      memory: 100Mi
    limits:
      memory: 144Mi
  extraVolumes:
    - name: users-database
      configMap:
        name: authelia-config
    - name: oidc-secrets
      secret:
        secretName: authelia-secrets
        items:
          - key: HEADLAMP_CLIENT_SECRET
            path: HEADLAMP_CLIENT_SECRET
          - key: VAULT_CLIENT_SECRET
            path: VAULT_CLIENT_SECRET
          - key: ZOT_CLIENT_SECRET
            path: ZOT_CLIENT_SECRET
          - key: identity_providers.oidc.jwks.key
            path: jwks.pem
  extraVolumeMounts:
    - name: users-database
      mountPath: /config/users_database.yml
      subPath: users_database.yml
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/HEADLAMP_CLIENT_SECRET
      subPath: HEADLAMP_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/VAULT_CLIENT_SECRET
      subPath: VAULT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/ZOT_CLIENT_SECRET
      subPath: ZOT_CLIENT_SECRET
      readOnly: true
    - name: oidc-secrets
      mountPath: /secrets/jwks.pem
      subPath: jwks.pem
      readOnly: true

# ConfigMap configuration
configMap:
  # Authentication backend - file-based users
  authentication_backend:
    file:
      enabled: true
      path: /config/users_database.yml
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16

  # Session configuration
  session:
    cookies:
      - domain: kro.kr
        subdomain: auth0213
    redis:
      enabled: true
      deploy: true
      host: authelia-redis-master.authelia.svc.cluster.local
      port: 6379
      password:
        disabled: true

  # Storage - PostgreSQL (CNPG cluster)
  storage:
    postgres:
      enabled: true
      address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
      database: authelia
      username: bluemayne
      timeout: 5s

  # Network definitions for access control
  definitions:
    network:
      internal:
        - 10.42.0.0/16
        - 10.43.0.0/16

  # Access control rules
  access_control:
    default_policy: one_factor
    rules: []

  # Notifier - filesystem (no email)
  notifier:
    filesystem:
      enabled: true
      filename: /data/notification.txt

  # TOTP configuration
  totp:
    disable: false
    issuer: mayne.kro.kr

  # OIDC Identity Provider
  identity_providers:
    oidc:
      enabled: true
      jwks:
        - key_id: 'main'
          algorithm: 'RS256'
          use: 'sig'
          key:
            path: /secrets/jwks.pem
      claims_policies:
        default:
          id_token:
            - name
            - preferred_username
            - email
      cors:
        endpoints:
          - authorization
          - token
          - revocation
          - introspection
          - userinfo
        allowed_origins_from_client_redirect_uris: true
      clients:
        - client_id: headlamp
          client_name: Headlamp
          client_secret:
            path: /secrets/HEADLAMP_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          claims_policy: default
          redirect_uris:
            - https://kubernetes0213.kro.kr/oidc-callback
          scopes:
            - openid
            - profile
            - email
          token_endpoint_auth_method: client_secret_basic
        - client_id: vault
          client_name: Vault
          client_secret:
            path: /secrets/VAULT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          redirect_uris:
            - https://vault0213.kro.kr/ui/vault/auth/oidc/oidc/callback
            - http://localhost:8250/oidc/callback
          scopes:
            - openid
            - profile
            - email
          token_endpoint_auth_method: client_secret_post
        - client_id: zot
          client_name: Zot Registry
          client_secret:
            path: /secrets/ZOT_CLIENT_SECRET
          public: false
          authorization_policy: one_factor
          claims_policy: default
          redirect_uris:
            - https://zot0213.kro.kr/zot/auth/callback/oidc
          scopes:
            - openid
            - profile
            - email
          token_endpoint_auth_method: client_secret_post

# Secret configuration - use existing secret from Vault
secret:
  existingSecret: authelia-secrets

# Redis for session storage (HA)
redis:
  enabled: true
  architecture: standalone
  auth:
    enabled: false
  image:
    tag: latest
  master:
    # Resource settings (no CPU limit for stability)
    resources:
      requests:
        cpu: 22m
        memory: 100Mi
      limits:
        memory: 100Mi

# No persistence needed - using PostgreSQL