K3S/addons/authelia/role/chart/templates/configmap-annotations.yaml
Sergey Antropoff 225f77598a feat: add authelia addon: SSO forward-auth and OIDC provider
Helm chart + Ansible role for Authelia 4.38:
- Forward-auth for ingress-nginx via the auth-url/auth-signin annotations
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite by default or PostgreSQL; optional Redis for sessions
- The OIDC RSA key is generated automatically if not set in vault
- ConfigMap authelia-forward-auth with ready-made annotations for any service
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00

44 lines
2.3 KiB
YAML

---
# Reference ConfigMap: forward-auth annotations for ingress-nginx.
# Copy-paste these annotations onto any Ingress you want to protect with Authelia.
# Usage: kubectl get cm authelia-forward-auth -n {{ .Release.Namespace }} -o yaml
#
# Only auth-url makes ingress-nginx call Authelia at all: an Ingress without it is
# served anonymously no matter what Authelia's access-control rules say.
# auth-response-headers is what makes nginx overwrite Remote-* with the values from
# Authelia's response, so a backend may trust those headers only if every path to it
# goes through this Ingress.
# auth-snippet is honoured only when the controller ConfigMap has
# allow-snippet-annotations: "true".
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "authelia.name" . }}-forward-auth
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "authelia.labels" . | nindent 4 }}
data:
  # ── Paste these onto protected Ingress resources ─────────────────────────────
  annotations.yaml: |
    # Required on EVERY protected Ingress:
    nginx.ingress.kubernetes.io/auth-url: "{{ include "authelia.forwardAuthUrl" . }}"
    nginx.ingress.kubernetes.io/auth-signin: "{{ include "authelia.signinUrl" . }}"
    nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Method $request_method;
  # ── OIDC Issuer URL (for configuring OIDC clients) ────────────────────────────
  oidc-issuer: |
    {{ if .Values.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.authHost }}
  # ── OIDC discovery endpoint ───────────────────────────────────────────────────
  oidc-discovery: |
    {{ if .Values.ingress.tls.enabled }}https{{ else }}http{{ end }}://{{ .Values.authHost }}/.well-known/openid-configuration
  # ── Quick reference: protect a new service ────────────────────────────────────
  howto: |
    To protect myservice.home.local:
    1. Add these annotations to the service's Ingress (the same set as annotations.yaml above):
         nginx.ingress.kubernetes.io/auth-url: "{{ include "authelia.forwardAuthUrl" . }}"
         nginx.ingress.kubernetes.io/auth-signin: "{{ include "authelia.signinUrl" . }}"
         nginx.ingress.kubernetes.io/auth-response-headers: "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
         nginx.ingress.kubernetes.io/auth-snippet: |
           proxy_set_header X-Forwarded-Method $request_method;
    2. Add the domain to accessControl.protectedDomains in addons.yml and re-run:
         make addon-authelia
    3. Add to Technitium DNS (or /etc/hosts):
         <kube-vip-IP> myservice.home.local
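The howto covers one Ingress at a time; the usual failure is an Ingress that was never annotated (or only half-annotated) and therefore bypasses Authelia entirely. The audit script below is an added example, not part of this chart or of Authelia: it reads `kubectl get ingress -A -o json` output plus the list of protected domains and reports, per Ingress, whether nginx actually consults Authelia, whether the identity headers are set by nginx or could be supplied by the client, and hosts that are annotated but missing from the access-control list. The URLs, the `apps` namespace, the file name `audit_forward_auth.py` and the four sample Ingress objects are constructed for the example; the chart's real `forwardAuthUrl`/`signinUrl` helpers may resolve to different values.

```python
"""Audit ingress-nginx Ingress objects for the Authelia forward-auth annotations.

Assumed workflow (this script is not part of the chart):
    kubectl get ingress -A -o json > ingresses.json
    python3 audit_forward_auth.py ingresses.json myservice.home.local grafana.home.local
With no arguments it audits the constructed sample at the bottom of the file.
"""
import json
import sys

PREFIX = "nginx.ingress.kubernetes.io/"
REQUIRED = ("auth-url", "auth-signin", "auth-response-headers")
# The identity headers the chart's ConfigMap tells ingress-nginx to copy from Authelia.
KNOWN_RESPONSE_HEADERS = {"Remote-User", "Remote-Name", "Remote-Groups", "Remote-Email"}


def audit_ingress(ingress, protected_domains):
    """Audit one Ingress (an item from `kubectl get ingress -o json`).

    auth-url is the only annotation that makes nginx consult Authelia; without it
    every host is served anonymously. auth-signin merely turns a 401 into a login
    redirect. auth-response-headers is what overwrites Remote-* with Authelia's
    values; without it a client-supplied Remote-User reaches the backend as-is.
    """
    meta = ingress.get("metadata", {})
    ann = meta.get("annotations") or {}
    hosts = [r.get("host", "*") for r in ingress.get("spec", {}).get("rules", [])]
    enforced = bool(ann.get(PREFIX + "auth-url"))
    missing = [k for k in REQUIRED if not ann.get(PREFIX + k)]
    raw = ann.get(PREFIX + "auth-response-headers", "")
    headers = {h.strip() for h in raw.split(",") if h.strip()}
    return {
        "name": f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}",
        "hosts": hosts,
        "enforced": enforced,
        "missing": missing,
        # Listed in protectedDomains, yet reachable anonymously.
        "exposed_hosts": [] if enforced else [h for h in hosts if h in protected_domains],
        # Enforced but never added to protectedDomains: Authelia's default_policy
        # (deny upstream, unless the chart overrides it) rejects every request instead.
        "unlisted_hosts": [h for h in hosts if h not in protected_domains] if enforced else [],
        # Backend must not trust Remote-* when nginx is not setting them itself.
        "identity_spoofable": enforced and "auth-response-headers" in missing,
        # Anything beyond the known set is copied from Authelia's reply to the backend.
        "unexpected_headers": sorted(headers - KNOWN_RESPONSE_HEADERS),
        # Honoured only with allow-snippet-annotations=true on the controller.
        "uses_snippet": (PREFIX + "auth-snippet") in ann,
    }


def audit(ingress_list, protected_domains):
    """Audit a kubectl List of Ingresses; returns one finding dict per Ingress."""
    domains = set(protected_domains)
    return [audit_ingress(item, domains) for item in ingress_list.get("items", [])]


def make_ingress(name, host, annotations):
    """Constructed minimal Ingress for the sample run (namespace 'apps' is made up)."""
    backend = {"service": {"name": name, "port": {"number": 80}}}
    return {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"name": name, "namespace": "apps", "annotations": annotations},
        "spec": {"rules": [{"host": host, "http": {"paths": [
            {"path": "/", "pathType": "Prefix", "backend": backend}]}}]},
    }


# Placeholder values standing in for the chart's forwardAuthUrl/signinUrl helpers.
AUTH_URL = "http://authelia.authelia.svc.cluster.local/api/authz/auth-request"
SIGNIN_URL = "https://auth.home.local/?rm=$request_method"
HEADERS = "Remote-User,Remote-Name,Remote-Groups,Remote-Email"
SNIPPET = "proxy_set_header X-Forwarded-Method $request_method;\n"

SAMPLE = {"items": [  # constructed sample, not real cluster output
    make_ingress("myservice", "myservice.home.local", {
        PREFIX + "auth-url": AUTH_URL, PREFIX + "auth-signin": SIGNIN_URL,
        PREFIX + "auth-response-headers": HEADERS, PREFIX + "auth-snippet": SNIPPET}),
    make_ingress("grafana", "grafana.home.local", {}),  # step 1 skipped entirely
    make_ingress("minio", "minio.home.local", {PREFIX + "auth-url": AUTH_URL}),  # auth-url only
    make_ingress("wiki", "wiki.home.local", {  # step 2 skipped, plus an odd header
        PREFIX + "auth-url": AUTH_URL, PREFIX + "auth-signin": SIGNIN_URL,
        PREFIX + "auth-response-headers": "Remote-User,X-Debug-Token"}),
]}
SAMPLE_DOMAINS = ["myservice.home.local", "grafana.home.local", "minio.home.local"]


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            findings = audit(json.load(fh), argv[2:])
    else:
        findings = audit(SAMPLE, SAMPLE_DOMAINS)
    flag_keys = ("exposed_hosts", "unlisted_hosts", "identity_spoofable", "unexpected_headers")
    for f in findings:
        flags = [k for k in flag_keys if f[k]]
        print("!!" if flags else "ok", f["name"], ",".join(f["hosts"]),
              "missing=" + (",".join(f["missing"]) or "-"), " ".join(flags))
    return 1 if any(f["exposed_hosts"] or f["identity_spoofable"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero only for the two findings that matter for access control (an anonymous host, or Remote-* headers the backend might trust that nginx is not setting), so the script can gate a CI job; the other flags are reported but informational.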