K3S/addons/authelia/role/chart/values.yaml
Sergey Antropoff 225f77598a feat: добавить аддон authelia — SSO forward-auth и OIDC provider
Helm chart + Ansible role для Authelia 4.38:
- Forward-auth для ingress-nginx через аннотации auth-url/auth-signin
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite default или PostgreSQL; опциональный Redis для сессий
- RSA ключ OIDC генерируется автоматически если не задан в vault
- ConfigMap authelia-forward-auth с готовыми аннотациями для любого сервиса
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00


# Authelia — SSO + Forward Auth
# Configure via: group_vars/all/addons.yml → authelia_* variables
# Secrets in: group_vars/all/vault.yml → authelia_* secrets
# ── Image ─────────────────────────────────────────────────────────────────────
# Pinned to an exact release so upgrades are an explicit, reviewed change.
image:
  repository: authelia/authelia
  tag: "4.38.17"  # quoted: a bare 4.38.17 is not a number, but keep the habit for x.y tags
  pullPolicy: IfNotPresent
# ── Domain ────────────────────────────────────────────────────────────────────
# Base domain and public hostname for the Authelia portal.
# authHost is expected to be a subdomain of domain: the session cookie is
# scoped to session.domain below, so the portal and every protected
# *.home.local service must share that parent domain.
domain: "home.local"
authHost: "auth.home.local"
# ── Theme / UX ────────────────────────────────────────────────────────────────
# Portal colour scheme; cosmetic only.
theme: dark  # light | dark | grey | auto
# ── Secrets (all provided via Ansible vault, never hardcoded here) ────────────
# These are placed in a dedicated K8s Secret and mounted as files.
# Authelia reads them via AUTHELIA_*_FILE environment variables.
# Every value defaults to "" on purpose: a non-empty default here would be a
# committed credential. The role is expected to fill them from vault at
# deploy time — TODO confirm it refuses to deploy when a required one is empty.
secrets:
  jwtSecret: ""  # min 64 chars — `openssl rand -base64 64`
  sessionSecret: ""  # min 64 chars — `openssl rand -base64 64`
  storageEncryptionKey: ""  # min 20 chars — `openssl rand -base64 32`; changing it later invalidates stored data
  oidcHmacSecret: ""  # min 32 chars — `openssl rand -base64 48`
  oidcPrivateKey: ""  # RSA-4096 PEM — auto-generated during deploy if left empty
  dbPassword: ""  # only if storage.type=postgresql
  smtpPassword: ""  # only if notifier.smtp.enabled
# ── Users (file-based auth backend) ──────────────────────────────────────────
# Passwords must be Argon2id hashes — never a plaintext password.
# Generate: docker run authelia/authelia:latest authelia hash-password 'yourpassword'
# Or: authelia hash-password 'yourpassword' (if installed locally)
users:
  admin:
    disabled: false
    displayname: "Administrator"
    # Placeholder only; the hash comes from vault (authelia_user_admin_password_hash).
    # NOTE(review): confirm the role fails the deploy when this stays "" rather than
    # rendering an admin entry with an empty hash.
    password: ""  # set in vault: authelia_user_admin_password_hash (argon2id)
    email: "admin@home.local"
    # "admins" grants access to accessControl.adminDomains; "users" to protectedDomains.
    groups:
      - admins
      - users
# ── TOTP ──────────────────────────────────────────────────────────────────────
# Time-based one-time password settings used when twoFactor.enabled is true.
totp:
  issuer: "home.local"  # label shown in the authenticator app
  period: 30  # seconds per code
  skew: 1  # number of adjacent periods accepted either side; keep small
# ── 2FA policy ────────────────────────────────────────────────────────────────
# false = one_factor (password only) for protected/admin domains
# true  = two_factor (password + TOTP/WebAuthn) for protected/admin domains
# Applies to the domains listed under accessControl; bypass/OIDC domains are
# unaffected.
twoFactor:
  enabled: false
# ── Session ───────────────────────────────────────────────────────────────────
# The session cookie is scoped to `domain`, i.e. it is sent to every
# *.home.local host, which is what lets forward-auth work across services.
# Durations use Authelia's notation (s/m/h/d/M).
session:
  name: authelia_session
  domain: "home.local"
  sameSite: lax  # lax (not strict) so OIDC/forward-auth redirects keep the cookie
  expiration: 1h  # absolute session lifetime
  inactivity: 5m  # idle timeout
  rememberMeDuration: 1M  # lifetime when "remember me" is ticked
# ── Storage ───────────────────────────────────────────────────────────────────
# Holds users' TOTP/WebAuthn material and OIDC state, encrypted with
# secrets.storageEncryptionKey. Back up the PVC / database accordingly.
storage:
  type: sqlite  # sqlite | postgresql
  size: 1Gi  # PVC size for the /data volume
  storageClassName: ""  # "" = cluster default
  sqlite:
    path: /data/db.sqlite3
  # Used only when type=postgresql; the password is secrets.dbPassword.
  postgresql:
    host: "postgresql.postgresql.svc.cluster.local"
    port: 5432
    database: authelia
    username: authelia
    schema: public
# ── Redis (built-in, optional) ────────────────────────────────────────────────
# When enabled, deploys a Redis sidecar for persistent session storage.
# Recommended for production; not required for homelab.
# NOTE(review): the sidecar is not configured here with a password or TLS —
# confirm it only listens on the pod's loopback before relying on it.
redis:
  enabled: false
  image: "redis:7-alpine"
  resources:
    requests:
      cpu: 20m
      memory: 32Mi
    limits:
      cpu: 100m
      memory: 64Mi
# ── Notifier ──────────────────────────────────────────────────────────────────
# Delivers password-reset and 2FA-enrollment links. Those links are
# credentials-equivalent: wherever they land must be treated as sensitive.
notifier:
  # SMTP — for password reset and 2FA enrollment emails; password is secrets.smtpPassword
  smtp:
    enabled: false
    host: ""
    port: 587  # STARTTLS submission port
    username: ""
    sender: "authelia@home.local"
    tls:
      skipVerify: false  # keep false: true disables server certificate checks
  # Filesystem — fallback: writes to /data/notification.txt (no email).
  # Anyone who can read the /data volume can read every reset link.
  filesystem:
    enabled: true
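# ── Access Control ────────────────────────────────────────────────────────────
# Rules are evaluated top-to-bottom and the first match wins. The relative
# order of the four lists below is fixed by the chart template, not by this
# file; a host that appears in two lists gets whichever rule the template
# emits first — keep each host in exactly one list.
accessControl:
  # Anything not matched by a rule below is refused.
  defaultPolicy: deny
  # Public services — no authentication required
  bypassDomains: []
  # - plex.home.local
  # OIDC-enabled services — bypass forward-auth (OIDC handles its own auth).
  # Only list a host here if its client under oidc.clients is enabled:
  # a bypass for a host whose client is disabled simply removes SSO from it.
  # minio.home.local was dropped from the default list for that reason
  # (oidc.clients.minio.enabled is false); add it back when enabling the client.
  oidcDomains:
    - gitea.home.local
    - grafana.home.local
  # Services requiring admin group membership
  adminDomains:
    - argocd.home.local
    - vault.home.local
    - harbor.home.local
    - kubernetes-dashboard.home.local
  # Services requiring login (one_factor or two_factor per twoFactor.enabled)
  protectedDomains:
    - sonarr.home.local
    - radarr.home.local
    - lidarr.home.local
    - bazarr.home.local
    - prowlarr.home.local
    - pgadmin.home.local
    - phpmyadmin.home.local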
# ── OIDC Provider ─────────────────────────────────────────────────────────────
# Authelia acts as the identity provider for the clients below. Tokens are
# signed with secrets.oidcPrivateKey; secrets.oidcHmacSecret protects state.
# Every client secret defaults to "" and is filled from vault.
# NOTE(review): Authelia 4.38 expects the client_secret in its config to be a
# hash rather than the plaintext — confirm whether the role hashes the vault
# value or whether the vault already stores the hashed form.
oidc:
  enabled: true
  accessTokenLifespan: 1h
  authorizeCodeLifespan: 1m  # short on purpose: codes are single-use and short-lived
  idTokenLifespan: 1h
  refreshTokenLifespan: 90m  # must exceed accessTokenLifespan to be useful
  # Each redirectUri is matched exactly by the client; all are https.
  clients:
    gitea:
      enabled: true
      id: gitea
      secret: ""  # set in vault: authelia_oidc_secret_gitea
      description: "Gitea"
      redirectUris:
        - https://gitea.home.local/user/oauth2/Authelia/callback
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    grafana:
      enabled: true
      id: grafana
      secret: ""  # set in vault: authelia_oidc_secret_grafana
      description: "Grafana"
      redirectUris:
        - https://grafana.home.local/login/generic_oauth
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    argocd:
      enabled: false
      id: argocd
      secret: ""  # set in vault: authelia_oidc_secret_argocd
      description: "ArgoCD"
      redirectUris:
        - https://argocd.home.local/auth/callback
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    # Disabled by default; when enabling, also add minio.home.local to
    # accessControl.oidcDomains so forward-auth stops intercepting it.
    minio:
      enabled: false
      id: minio
      secret: ""  # set in vault: authelia_oidc_secret_minio
      description: "MinIO"
      redirectUris:
        - https://minio.home.local/oauth_callback
      scopes: [openid, profile, email]  # no groups scope: MinIO maps policy elsewhere
      grantTypes: [authorization_code]  # no refresh tokens issued to MinIO
    vault:
      enabled: false
      id: vault
      secret: ""  # set in vault: authelia_oidc_secret_vault
      description: "Vault"
      # Two callbacks: the UI login flow and the CLI (`vault login -method=oidc`) flow.
      redirectUris:
        - https://vault.home.local/ui/vault/auth/oidc/oidc/callback
        - https://vault.home.local/oidc/callback
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    nextcloud:
      enabled: false
      id: nextcloud
      secret: ""  # set in vault: authelia_oidc_secret_nextcloud
      description: "Nextcloud"
      redirectUris:
        - https://nextcloud.home.local/apps/user_oidc/code
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
# ── Ingress ───────────────────────────────────────────────────────────────────
# Exposes the portal at authHost. With tls.enabled false the portal itself
# serves plain HTTP: passwords and the session cookie cross the network
# unencrypted unless TLS is terminated in front of the ingress. Note that every
# OIDC redirectUri above is https, so something must present TLS for those hosts.
ingress:
  enabled: true
  ingressClass: nginx
  tls:
    enabled: false
    secretName: ""  # pre-existing TLS Secret; used when certManager is disabled
    certManager:
      enabled: false
      issuer: ""
      issuerKind: ClusterIssuer  # ClusterIssuer | Issuer
# ── Resources ─────────────────────────────────────────────────────────────────
# Requests/limits for the Authelia container (the Redis sidecar has its own
# block under redis.resources).
resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    cpu: 200m
    memory: 256Mi