Mayne0213
e4fb804b3d
- with headlamp client - Add OIDC identity provider configuration - Add Headlamp as OIDC client - Update ExternalSecret for OIDC secrets (HMAC, JWKS, Headlamp client secret)
106 lines
2.3 KiB
YAML
106 lines
2.3 KiB
YAML
# Authelia Helm Values
|
|
# Chart: https://charts.authelia.com
|
|
|
|
# Ingress - disabled, using separate ingress.yaml
|
|
ingress:
|
|
enabled: false
|
|
|
|
# Pod configuration
|
|
pod:
|
|
replicas: 1
|
|
resources:
|
|
requests:
|
|
cpu: 25m
|
|
memory: 64Mi
|
|
limits:
|
|
memory: 128Mi
|
|
extraVolumes:
|
|
- name: users-database
|
|
configMap:
|
|
name: authelia-config
|
|
extraVolumeMounts:
|
|
- name: users-database
|
|
mountPath: /config/users_database.yml
|
|
subPath: users_database.yml
|
|
readOnly: true
|
|
|
|
# ConfigMap configuration
|
|
configMap:
|
|
# Authentication backend - file-based users
|
|
authentication_backend:
|
|
file:
|
|
enabled: true
|
|
path: /config/users_database.yml
|
|
password:
|
|
algorithm: argon2
|
|
argon2:
|
|
variant: argon2id
|
|
iterations: 3
|
|
memory: 65536
|
|
parallelism: 4
|
|
key_length: 32
|
|
salt_length: 16
|
|
|
|
# Session configuration
|
|
session:
|
|
cookies:
|
|
- domain: kro.kr
|
|
subdomain: auth0213
|
|
|
|
# Storage - PostgreSQL (CNPG cluster)
|
|
storage:
|
|
postgres:
|
|
enabled: true
|
|
address: tcp://postgresql-rw.postgresql.svc.cluster.local:5432
|
|
database: authelia
|
|
username: bluemayne
|
|
timeout: 5s
|
|
|
|
# Access control rules
|
|
access_control:
|
|
default_policy: one_factor
|
|
|
|
# Notifier - filesystem (no email)
|
|
notifier:
|
|
filesystem:
|
|
enabled: true
|
|
filename: /data/notification.txt
|
|
|
|
# TOTP configuration
|
|
totp:
|
|
enabled: true
|
|
issuer: mayne.kro.kr
|
|
|
|
# OIDC Identity Provider
|
|
identity_providers:
|
|
oidc:
|
|
enabled: true
|
|
cors:
|
|
endpoints:
|
|
- authorization
|
|
- token
|
|
- revocation
|
|
- introspection
|
|
- userinfo
|
|
allowed_origins_from_client_redirect_uris: true
|
|
clients:
|
|
- client_id: headlamp
|
|
client_name: Headlamp
|
|
client_secret: '$plaintext${{ secret "HEADLAMP_CLIENT_SECRET" }}'
|
|
public: false
|
|
authorization_policy: one_factor
|
|
redirect_uris:
|
|
- https://kubernetes0213.kro.kr/oidc-callback
|
|
scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
- groups
|
|
token_endpoint_auth_method: client_secret_post
|
|
|
|
# Secret configuration - use existing secret from Vault
|
|
secret:
|
|
existingSecret: authelia-secrets
|
|
|
|
# No persistence needed - using PostgreSQL
|