K3S/addons/authelia/role/chart/files/configuration.yml.tpl
Sergey Antropoff 225f77598a feat: добавить аддон authelia — SSO forward-auth и OIDC provider
Helm chart + Ansible role для Authelia 4.38:
- Forward-auth для ingress-nginx через аннотации auth-url/auth-signin
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite default или PostgreSQL; опциональный Redis для сессий
- RSA ключ OIDC генерируется автоматически если не задан в vault
- ConfigMap authelia-forward-auth с готовыми аннотациями для любого сервиса
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00


---
# Authelia configuration — rendered by Helm via tpl()
# Secrets (jwt, session, storage_encryption, oidc_hmac, oidc_private_key)
# are injected via AUTHELIA_*_FILE environment variables — not in this file.
# NOTE(review): OIDC client secrets are the exception — see
# identity_providers.oidc.clients[].secret below, which is rendered from values.
server:
  # NOTE(review): Authelia 4.38 deprecates server.host/port/path in favour of a
  # single server.address; the old keys still load but log a warning — confirm.
  host: 0.0.0.0
  port: 9091
  path: ""
  buffers:
    read: 4096
    write: 4096
  timeouts:
    read: 6s
    write: 6s
    idle: 30s
log:
  level: info
  format: text
theme: {{ .Values.theme | quote }}
totp:
  disable: false
  issuer: {{ .Values.totp.issuer | quote }}
  # sha1 / 6 digits is the widely supported authenticator-app profile;
  # period and skew are tunable from values, the rest is fixed here.
  algorithm: sha1
  digits: 6
  period: {{ .Values.totp.period }}
  skew: {{ .Values.totp.skew }}
  secret_size: 32
webauthn:
  disable: false
  display_name: {{ .Values.domain | quote }}
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s
authentication_backend:
  password_reset:
    disable: false
  refresh_interval: 5m
  # Users come from a static file; watch: false means edits need a restart.
  file:
    path: /config/users_database.yml
    watch: false
    # Hashing parameters for passwords stored in users_database.yml.
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      key_length: 32
      salt_length: 16
session:
  name: {{ .Values.session.name | quote }}
  # NOTE(review): session.domain is deprecated in 4.38 in favour of
  # session.cookies[] — still accepted, confirm before upgrading further.
  domain: {{ .Values.session.domain | quote }}
  same_site: {{ .Values.session.sameSite | quote }}
  expiration: {{ .Values.session.expiration | quote }}
  inactivity: {{ .Values.session.inactivity | quote }}
  remember_me_duration: {{ .Values.session.rememberMeDuration | quote }}
  {{- if .Values.redis.enabled }}
  # Optional Redis session store; host is derived from the release name.
  redis:
    host: {{ printf "%s-redis" (include "authelia.name" .) | quote }}
    port: 6379
  {{- end }}
# Brute-force regulation: more than max_retries failed logins within
# find_time bans the user for ban_time.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
storage:
  {{- if eq .Values.storage.type "postgresql" }}
  postgres:
    host: {{ .Values.storage.postgresql.host | quote }}
    port: {{ .Values.storage.postgresql.port }}
    database: {{ .Values.storage.postgresql.database | quote }}
    schema: {{ .Values.storage.postgresql.schema | quote }}
    username: {{ .Values.storage.postgresql.username | quote }}
    tls:
      # NOTE(review): hard-coded skip_verify disables server-certificate
      # verification for the PostgreSQL connection, so an on-path attacker
      # between Authelia and the DB is not detected. Unlike
      # notifier.smtp.tls.skipVerify below this is not configurable from
      # values — consider exposing it the same way, defaulting to false.
      skip_verify: true
  {{- else }}
  # Default: SQLite on the persistent volume.
  local:
    path: {{ .Values.storage.sqlite.path | quote }}
  {{- end }}
notifier:
  # Skips the notifier connectivity check at startup; a broken SMTP config
  # only surfaces when the first reset/verification mail is sent.
  disable_startup_check: true
  {{- if .Values.notifier.smtp.enabled }}
  smtp:
    host: {{ .Values.notifier.smtp.host | quote }}
    port: {{ .Values.notifier.smtp.port }}
    username: {{ .Values.notifier.smtp.username | quote }}
    sender: {{ .Values.notifier.smtp.sender | quote }}
    tls:
      skip_verify: {{ .Values.notifier.smtp.tls.skipVerify }}
  {{- else }}
  # Without SMTP, password-reset / identity-verification links are written
  # to this file instead of being mailed — anyone who can read /data can
  # use them; suitable for dev/test only.
  filesystem:
    filename: /data/notification.txt
  {{- end }}
# Rules are evaluated top-down; the first rule that matches decides, so the
# bypass rules below deliberately precede the protected/admin rules.
access_control:
  default_policy: {{ .Values.accessControl.defaultPolicy | quote }}
  rules:
    # Authelia portal — always bypass (prevents auth loop)
    - domain: {{ .Values.authHost | quote }}
      policy: bypass
    # Health check endpoints — bypass for monitoring
    # NOTE(review): applies to every subdomain of .Values.domain, including
    # admin hosts; "^/healthz(.*)$" also matches any path that merely starts
    # with /healthz (e.g. /healthz/anything). Tighten if a backend exposes
    # more than a status code under these paths.
    - domain: "*.{{ .Values.domain }}"
      resources:
        - "^/healthz(.*)$"
        - "^/api/healthz(.*)$"
        - "^/health$"
      policy: bypass
    {{- if .Values.accessControl.bypassDomains }}
    # Public services — no authentication required
    - domain:
      {{- range .Values.accessControl.bypassDomains }}
        - {{ . | quote }}
      {{- end }}
      policy: bypass
    {{- end }}
    {{- if .Values.accessControl.oidcDomains }}
    # OIDC-enabled services — bypass forward-auth (OIDC handles authentication)
    # Bypass here only removes the ingress forward-auth step; the service
    # itself must enforce the OIDC login for these hosts to stay protected.
    - domain:
      {{- range .Values.accessControl.oidcDomains }}
        - {{ . | quote }}
      {{- end }}
      policy: bypass
    {{- end }}
    {{- if .Values.accessControl.adminDomains }}
    # Admin-only services — require 'admins' group
    - domain:
      {{- range .Values.accessControl.adminDomains }}
        - {{ . | quote }}
      {{- end }}
      subject:
        - "group:admins"
      # Second factor is required only when twoFactor.enabled is set in values.
      policy: {{ if .Values.twoFactor.enabled }}two_factor{{ else }}one_factor{{ end }}
    {{- end }}
    {{- if .Values.accessControl.protectedDomains }}
    # Protected services — login required
    - domain:
      {{- range .Values.accessControl.protectedDomains }}
        - {{ . | quote }}
      {{- end }}
      policy: {{ if .Values.twoFactor.enabled }}two_factor{{ else }}one_factor{{ end }}
    {{- end }}
{{- if .Values.oidc.enabled }}
identity_providers:
  oidc:
    # NOTE(review): 4.38 moves these four lifespans under oidc.lifespans.*;
    # the flat keys are deprecated but still accepted — confirm.
    access_token_lifespan: {{ .Values.oidc.accessTokenLifespan | quote }}
    authorize_code_lifespan: {{ .Values.oidc.authorizeCodeLifespan | quote }}
    id_token_lifespan: {{ .Values.oidc.idTokenLifespan | quote }}
    refresh_token_lifespan: {{ .Values.oidc.refreshTokenLifespan | quote }}
    # Keep false: verbose error bodies to clients leak configuration details.
    enable_client_debug_messages: false
    # Minimum length Authelia requires for the client-supplied state/nonce.
    minimum_parameter_entropy: 8
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # The origin of every client's redirect_uris is accepted as a CORS
      # origin on the endpoints above — keep redirect_uris exact, not wildcard.
      allowed_origins_from_client_redirect_uris: true
    clients:
    {{- range $name, $client := .Values.oidc.clients }}
    {{- if $client.enabled }}
      - id: {{ $client.id | quote }}
        description: {{ $client.description | default $name | quote }}
        # $plaintext$ prefix — Authelia 4.38+ plain-text client secret marker
        # NOTE(review): the secret therefore lands verbatim in the rendered
        # config, contradicting the header comment; Authelia also accepts a
        # hashed secret (e.g. pbkdf2), so values could carry the hash instead.
        secret: {{ printf "$plaintext$%s" $client.secret | quote }}
        # Confidential client (secret required at the token endpoint).
        public: false
        # NOTE(review): fixed at one_factor regardless of twoFactor.enabled,
        # unlike the forward-auth rules above — confirm this is intended.
        authorization_policy: one_factor
        scopes:
        {{- range $client.scopes }}
          - {{ . | quote }}
        {{- end }}
        redirect_uris:
        {{- range $client.redirectUris }}
          - {{ . | quote }}
        {{- end }}
        grant_types:
        {{- range $client.grantTypes }}
          - {{ . | quote }}
        {{- end }}
        # Authorization-code flow only; no implicit/hybrid response types.
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        # Userinfo responses are plain (unsigned) JSON.
        # NOTE(review): 4.38 renames this key to userinfo_signed_response_alg;
        # the old name is deprecated but still mapped — confirm.
        userinfo_signing_algorithm: none
    {{- end }}
    {{- end }}
{{- end }}