--- ## @formatter:off ## values.yaml ## ## Repository: authelia https://charts.authelia.com ## Chart: authelia ## ## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0. ## It uses the following providers: ## - authentication: LDAP ## - storage: MySQL ## - session: redis ## Version Override allows changing some chart characteristics that render only on specific versions. ## This does NOT affect the image used, please see the below image section instead for this. ## If this value is not specified, it's assumed the appVersion of the chart is the version. ## The format of this value is x.x.x, for example 4.100.0. ## ## Important Points: ## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion. ## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration ## system. versionOverride: "" ## Image Parameters ## ref: https://hub.docker.com/r/authelia/authelia/tags/ ## image: # registry: docker.io registry: ghcr.io repository: authelia/authelia tag: "" pullPolicy: IfNotPresent pullSecrets: [] # pullSecrets: # - myPullSecretName # nameOverride: authelia-deployment-name # appNameOverride: authelia ## ## extra labels/annotations applied to all resources ## annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue ## ## RBAC Configuration. ## rbac: ## Enable RBAC. Turning this on associates Authelia with a service account. ## If the vault injector is enabled, then RBAC must be enabled. enabled: false annotations: {} labels: {} serviceAccountName: authelia ## Authelia Domain ## Should be the root domain you want to protect. ## For example if you have apps app1.example.com and app2.example.com it should be example.com ## This affects the ingress (partially sets the domain used) and configMap. ## Authelia must be served from the domain or a subdomain under it. domain: example.com service: annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue port: 80 # clusterIP: ingress: enabled: false annotations: {} # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" labels: {} # labels: # myLabel: myValue certManager: false rewriteTarget: true ## The Ingress Class Name. # className: ingress-nginx ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, ## and specify example.com for the domain. subdomain: auth tls: enabled: true secret: authelia-tls # hostNameOverride: traefikCRD: enabled: false ## Use a standard Ingress object, not an IngressRoute. disableIngressRoute: false # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) entryPoints: [] # entryPoints: # - http # priority: 10 # weight: 10 sticky: false # stickyCookieNameOverride: authelia_traefik_lb # strategy: RoundRobin # responseForwardingFlushInterval: 100ms middlewares: auth: # nameOverride: authelia-auth authResponseHeaders: - Remote-User - Remote-Name - Remote-Email - Remote-Groups chains: auth: # nameOverride: authelia-auth-chain # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain. before: [] # before: # - name: extra-middleware-name # namespace: default # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain. after: [] # after: # - name: extra-middleware-name # namespace: default ingressRoute: # List of Middlewares to apply before the middleware in the IngressRoute chain. before: [] # before: # - name: extra-middleware-name # namespace: default # List of Middlewares to apply after the middleware in the IngressRoute chain. after: [] # after: # - name: extra-middleware-name # namespace: default # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. tls: ## Disables inclusion of the IngressRoute TLSOptions. disableTLSOptions: false # existingOptions: # name: default-traefik-options # namespace: default # certResolver: default # sans: # - *.example.com # options: # nameOverride: authelia-tls-options nameOverride: "" minVersion: VersionTLS12 maxVersion: VersionTLS13 sniStrict: false cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_256_GCM_SHA384 curvePreferences: [] # curvePreferences: # - CurveP521 # - CurveP384 pod: # Must be Deployment, DaemonSet, or StatefulSet. kind: DaemonSet annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue replicas: 1 revisionHistoryLimit: 5 strategy: type: RollingUpdate # rollingUpdate: # partition: 1 # maxSurge: 25% # maxUnavailable: 25% securityContext: container: {} # container: # runAsUser: 2000 # runAsGroup: 2000 # fsGroup: 2000 pod: {} # pod: # readOnlyRootFilesystem: true # allowPrivilegeEscalation: false # privileged: false tolerations: [] # tolerations: # - key: key1 # operator: Equal # value: value1 # effect: NoSchedule # tolerationSeconds: 3600 selectors: # nodeName: worker-1 nodeSelector: {} # nodeSelector: # disktype: ssd # kubernetes.io/hostname: worker-1 affinity: nodeAffinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: kubernetes.io/hostname # operator: In # values: # - worker-1 # - worker-2 # preferredDuringSchedulingIgnoredDuringExecution: # - weight: 1 # preference: # matchExpressions: # - key: node-label-key # operator: NotIn # values: # - not-this podAffinity: {} # podAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: # matchExpressions: # - key: security # operator: In # values: # - S1 # topologyKey: topology.kubernetes.io/zone podAntiAffinity: {} # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: # - weight: 100 # podAffinityTerm: # labelSelector: # matchExpressions: # - key: security # operator: In # values: # - S2 # topologyKey: topology.kubernetes.io/zone env: [] # env: # - name: TZ # value: Australia/Melbourne resources: limits: {} # limits: # cpu: "4.00" # memory: 125Mi requests: {} # requests: # cpu: "0.25" # memory: 50Mi probes: method: httpGet: path: /api/health port: http scheme: HTTP liveness: initialDelaySeconds: 0 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 readiness: initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ startup: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 extraVolumeMounts: [] extraVolumes: [] ## ## Kubernetes Pod Disruption Budget ## podDisruptionBudget: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue # minAvailable: 1 # maxUnavailable: 1 ## ## Kubernetes Network Policy ## networkPolicy: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: authelia.com/network-policy: namespace - podSelector: matchLabels: authelia.com/network-policy: pod ports: - protocol: TCP port: 9091 ## ## Authelia Config Map Generator ## configMap: # Enable the configMap source for the Authelia config. # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. enabled: true annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue key: configuration.yaml existingConfigMap: "" ## ## Server Configuration ## server: ## ## Port sets the configured port for the daemon, service, and the probes. ## Default is 9091 and should not need to be changed. ## port: 9091 ## Set the single level path Authelia listens on. ## Must be alphanumeric chars and should not contain any slashes. path: "" ## Set the path on disk to Authelia assets. ## Useful to allow overriding of specific static assets. # asset_path: /config/assets/ asset_path: "" ## Customize Authelia headers. headers: ## Read the Authelia docs before setting this advanced option. ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. csp_template: "" ## Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Server Timeouts configuration. timeouts: ## Read timeout. read: 6s ## Write timeout. write: 6s ## Idle timeout. idle: 30s log: ## Level of verbosity for logs: info, debug, trace. level: info ## Format the logs are written as: json, text. format: text ## TODO: Statefulness check should check if this is set, and the configMap should enable it. ## File path where the logs will be written. If not set logs are written to stdout. # file_path: /config/authelia.log file_path: "" ## ## Telemetry Configuration ## telemetry: ## ## Metrics Configuration ## metrics: ## Enable Metrics. enabled: false ## The port to listen on for metrics. This should be on a different port to the main server.port value. port: 9959 ## Metrics Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Metrics Server Timeouts configuration. timeouts: ## Read timeout. read: 6s ## Write timeout. write: 6s ## Idle timeout. idle: 30s serviceMonitor: enabled: false annotations: {} labels: {} ## Default redirection URL ## ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use ## in such a case. ## ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication. ## Default is https://www. (value at the top of the values.yaml). default_redirection_url: "" # default_redirection_url: https://example.com ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been ## disabled. This setting must be a method that is enabled. ## Options are totp, webauthn, mobile_push. default_2fa_method: "" theme: light ## ## TOTP Configuration ## ## Parameters used for TOTP generation. totp: ## Disable TOTP. disable: false ## The issuer name displayed in the Authenticator application of your choice. ## Defaults to . issuer: "" ## The TOTP algorithm to use. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm algorithm: sha1 ## The number of digits a user has to input. Must either be 6 or 8. ## Changing this option only affects newly generated TOTP configurations. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits digits: 6 ## The period in seconds a one-time password is valid for. ## Changing this option only affects newly generated TOTP configurations. period: 30 ## The skew controls number of one-time passwords either side of the current one that are valid. ## Warning: before changing skew read the docs link below. ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. skew: 1 ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. secret_size: 32 ## ## WebAuthn Configuration ## ## Parameters used for WebAuthn. webauthn: ## Disable Webauthn. disable: false ## Adjust the interaction timeout for Webauthn dialogues. timeout: 60s ## The display name the browser should show the user for when using Webauthn to login/register. display_name: Authelia ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. ## Options are none, indirect, direct. attestation_conveyance_preference: indirect ## User verification controls if the user must make a gesture or action to confirm they are present. ## Options are required, preferred, discouraged. user_verification: preferred ## ## NTP Configuration ## ## This is used to validate the servers time is accurate enough to validate TOTP. ntp: ## NTP server address. address: "time.cloudflare.com:123" ## NTP version. version: 4 ## Maximum allowed time offset between the host and the NTP server. max_desync: 3s ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you ## set this to true, and can operate in a truly offline mode. disable_startup_check: false ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup ## will continue regardless of results. disable_failure: false ## ## Duo Push API Configuration ## ## Parameters used to contact the Duo API. Those are generated when you protect an application of type ## "Partner Auth API" in the management panel. duo_api: enabled: false hostname: api-123456789.example.com integration_key: ABCDEF enable_self_enrollment: false ## ## Authentication Backend Provider Configuration ## ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. ## ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. authentication_backend: ## Password Reset Options. password_reset: ## Disable both the HTML element and the API for reset password functionality disable: false ## External reset password url that redirects the user to an external reset portal. This disables the internal reset ## functionality. custom_url: "" ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. ## See the below documentation for more information. ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval refresh_interval: 5m ## LDAP backend configuration. ## ## This backend allows Authelia to be scaled to more ## than one instance and therefore is recommended for ## production. ldap: ## Enable LDAP Backend. enabled: true ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. ## Acceptable options are as follows: ## - 'activedirectory' - For Microsoft Active Directory. ## - 'custom' - For custom specifications of attributes and filters. ## This currently defaults to 'custom' to maintain existing behaviour. ## ## Depending on the option here certain other values in this section have a default value, notably all of the ## attribute mappings have a default value that this config overrides, you can read more about these default values ## at https://www.authelia.com/reference/guides/ldap/#defaults implementation: activedirectory ## The url to the ldap server. Format: ://
[:]. ## Scheme can be ldap or ldaps in the format (port optional). url: ldap://openldap.default.svc.cluster.local ## Connection Timeout. timeout: 5s ## Use StartTLS with the LDAP connection. start_tls: false tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host portion of the url option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## The base dn for every LDAP query. base_dn: DC=example,DC=com ## The attribute holding the username of the user. This attribute is used to populate the username in the session ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. username_attribute: "" ## An additional dn to define the scope to all users. additional_users_dn: OU=Users ## The users filter used in search queries to find the user profile based on input filled in login form. ## Various placeholders are available in the user filter: ## - {input} is a placeholder replaced by what the user inputs in the login form. ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later ## versions, so please don't use it. ## ## Recommended settings are as follows: ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) ## - OpenLDAP: ## - (&({username_attribute}={input})(objectClass=person)) ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) ## ## To allow sign in both with username and email, one can use a filter like ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) users_filter: "" ## An additional dn to define the scope of groups. additional_groups_dn: OU=Groups ## The groups filter used in search queries to find the groups of the user. ## - {input} is a placeholder replaced by what the user inputs in the login form. ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later ## versions, so please don't use it. ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in ## later version, so please don't use it. ## ## If your groups use the `groupOfUniqueNames` structure use this instead: ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) groups_filter: "" ## The attribute holding the name of the group group_name_attribute: "" ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the ## first one returned by the LDAP server is used. mail_attribute: "" ## The attribute holding the display name of the user. This will be used to greet an authenticated user. display_name_attribute: "" ## Follow referrals returned by the server. ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. permit_referrals: false ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP ## server and utilizing a service account. permit_unauthenticated_bind: false ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported ## controls/extensions. permit_feature_detection_failure: false ## The username of the admin user. user: CN=Authelia,DC=example,DC=com ## ## File (Authentication Provider) ## ## With this backend, the users database is stored in a file which is updated when users reset their passwords. ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security ## implications it is highly recommended you leave the default values. Before considering changing these settings ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## file: enabled: false path: /config/users_database.yml watch: true search: email: false case_insensitive: false password: algorithm: argon2 argon2: variant: argon2id iterations: 3 memory: 65536 parallelism: 4 key_length: 32 salt_length: 16 scrypt: iterations: 16 block_size: 8 parallelism: 1 key_length: 32 salt_length: 16 pbkdf2: variant: sha512 iterations: 310000 salt_length: 16 sha2crypt: variant: sha512 iterations: 50000 salt_length: 16 bcrypt: variant: standard cost: 12 ## ## Password Policy Configuration. ## password_policy: ## The standard policy allows you to tune individual settings manually. standard: enabled: false ## Require a minimum length for passwords. min_length: 8 ## Require a maximum length for passwords. max_length: 0 ## Require uppercase characters. require_uppercase: true ## Require lowercase characters. require_lowercase: true ## Require numeric characters. require_number: true ## Require special characters. require_special: true ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. zxcvbn: enabled: false ## Configures the minimum score allowed. min_score: 0 ## ## Access Control Configuration ## ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. ## ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed ## to anyone. Otherwise restrictions follow the rules defined. ## ## Note: One can use the wildcard * to match any subdomain. ## It must stand at the beginning of the pattern. (example: *.mydomain.com) ## ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. ## ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. ## ## - 'domain' defines which domain or set of domains the rule applies to. ## ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not ## provided. If provided, the parameter represents either a user or a group. It should be of the form ## 'user:' or 'group:'. ## ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. ## ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter ## is optional and matches any resource if not provided. ## ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. access_control: ## Configure the ACL as a Secret instead of part of the ConfigMap. secret: ## Enables the ACL section being generated as a secret. enabled: false ## The key in the secret which contains the file to mount. key: configuration.acl.yaml ## An existingSecret name, if configured this will force the secret to be mounted using the key above. existingSecret: "" ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. default_policy: deny networks: [] # networks: # - name: private # networks: # - 10.0.0.0/8 # - 172.16.0.0/12 # - 192.168.0.0/16 # - name: vpn # networks: # - 10.9.0.0/16 rules: [] # rules: # - domain_regex: '^.*\.example.com$' # policy: bypass # - domain: public.example.com # policy: bypass # - domain: "*.example.com" # policy: bypass # methods: # - OPTIONS # - domain: secure.example.com # policy: one_factor # networks: # - private # - vpn # - 192.168.1.0/24 # - 10.0.0.1 # - domain: # - secure.example.com # - private.example.com # policy: two_factor # - domain: singlefactor.example.com # policy: one_factor # - domain: "mx2.mail.example.com" # subject: "group:admins" # policy: deny # - domain: "*.example.com" # subject: # - "group:admins" # - "group:moderators" # policy: two_factor # - domain: dev.example.com # resources: # - "^/groups/dev/.*$" # subject: "group:dev" # policy: two_factor # - domain: dev.example.com # resources: # - "^/users/john/.*$" # subject: # - ["group:dev", "user:john"] # - "group:admins" # policy: two_factor # - domain: "{user}.example.com" # policy: bypass ## ## Session Provider Configuration ## ## The session cookies identify the user once logged in. ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. session: ## The name of the session cookie. (default: authelia_session). name: authelia_session ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. ## Please read https://www.authelia.com/configuration/session/introduction/#same_site same_site: lax ## The time in seconds before the cookie expires and session is reset. expiration: 1h ## The inactivity time in seconds before the session is reset. inactivity: 5m ## The remember me duration. ## Value is in seconds, or duration notation. Value of 0 disables remember me. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to ## spy or attack. Currently the default is 1M or 1 month. remember_me_duration: 1M ## ## Redis Provider ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## ## The redis connection details redis: enabled: true enabledSecret: false host: redis.databases.svc.cluster.local port: 6379 ## Optional username to be used with authentication. # username: authelia username: "" ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc). database_index: 0 ## The maximum number of concurrent active connections to Redis. maximum_active_connections: 8 ## The target number of idle connections to have open ready for work. Useful when opening connections is slow. minimum_idle_connections: 0 ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## The Redis HA configuration options. ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). high_availability: enabled: false enabledSecret: false ## Sentinel Name / Master Name sentinel_name: mysentinel ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based ## authentication. If left blank, authentication to sentinels will be done via `requirepass`. username: "" ## The additional nodes to pre-seed the redis provider with (for sentinel). ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. ## For high availability to be used you must have either defined; the host above or at least one node below. nodes: [] # nodes: # - host: sentinel-0.databases.svc.cluster.local # port: 26379 # - host: sentinel-1.databases.svc.cluster.local # port: 26379 ## Choose the host with the lowest latency. route_by_latency: false ## Choose the host randomly. route_randomly: false ## ## Regulation Configuration ## ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done ## in a short period of time. regulation: ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. max_retries: 3 ## The time range during which the user can attempt login before being banned. The user is banned if the ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format find_time: 2m ## The length of time before a banned user can login again. Ban Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ban_time: 5m ## ## Storage Provider Configuration ## ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. storage: ## ## Local (Storage Provider) ## ## This stores the data in a SQLite3 Database. ## This is only recommended for lightweight non-stateful installations. ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## local: enabled: false path: /config/db.sqlite3 ## ## MySQL (Storage Provider) ## ## Also supports MariaDB ## mysql: enabled: false host: mysql.databases.svc.cluster.local port: 3306 database: authelia username: authelia timeout: 5s tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## ## PostgreSQL (Storage Provider) ## postgres: enabled: true host: postgres.databases.svc.cluster.local port: 5432 database: authelia schema: public username: authelia timeout: 5s tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## ## Notification Provider ## ## ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. ## The available providers are: filesystem, smtp. You must use one and only one of these providers. notifier: ## You can disable the notifier startup check by setting this to true. disable_startup_check: false ## ## File System (Notification Provider) ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## filesystem: enabled: false filename: /config/notification.txt ## ## SMTP (Notification Provider) ## ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. ## [Security] By default Authelia will: ## - force all SMTP connections over TLS including unauthenticated connections ## - use the disable_require_tls boolean value to disable this requirement ## (only works for unauthenticated connections) ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates ## (configure in tls section) smtp: enabled: true enabledSecret: false host: smtp.mail.svc.cluster.local port: 25 timeout: 5s username: test sender: admin@example.com ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. identifier: localhost ## Subject configuration of the emails sent. ## {title} is replaced by the text from the notifier subject: "[Authelia] {title}" ## This address is used during the startup check to verify the email configuration is correct. ## It's not important what it is except if your email server only allows local delivery. startup_check_address: test@authelia.com ## Disables sending HTML formatted emails. disable_html_emails: false ## By default we require some form of TLS. This disables this check though is not advised. disable_require_tls: false ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for ## more information. disable_starttls: false tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 identity_providers: oidc: ## Enables this in the config map. Currently in beta stage. ## See https://www.authelia.com/r/openid-connect/ enabled: false access_token_lifespan: 1h authorize_code_lifespan: 1m id_token_lifespan: 1h refresh_token_lifespan: 90m ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. ## For security reasons it's recommended this option is public_clients_only or always, however always is not ## compatible with all clients. enforce_pkce: public_clients_only ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. enable_pkce_plain_challenge: false ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for ## security reasons. minimum_parameter_entropy: 8 ## Enables additional debug messages. enable_client_debug_messages: false ## The issuer_certificate_chain is an optional PEM encoded certificate chain. It's used in conjunction with the ## issuer_private_key to sign JWT's. All certificates in the chain must be within the validity period, and every ## certificate included must be signed by the certificate immediately after it if provided. issuer_certificate_chain: "" # issuer_certificate_chain: | # -----BEGIN CERTIFICATE----- # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6 # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4 # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE= # -----END CERTIFICATE----- # -----BEGIN CERTIFICATE----- # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50 # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7 # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/ # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b # qocikt3WAdU^invalid DO NOT USE= # -----END CERTIFICATE----- ## Cross-Origin Resource Sharing (CORS) settings. cors: ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. # endpoints: # - authorization # - token # - revocation # - introspection # - userinfo endpoints: [] ## List of allowed origins. ## Any origin with https is permitted unless this option is configured or the ## allowed_origins_from_client_redirect_uris option is enabled. # allowed_origins: # - https://example.com allowed_origins: [] ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, ## provided they have the scheme http or https and do not have the hostname of localhost. allowed_origins_from_client_redirect_uris: true clients: [] # clients: # - ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. # id: myapp ## The description to show to users when they end up on the consent screen. Defaults to the ID above. # description: My Application ## The client secret is a shared secret between Authelia and the consumer of this client. # secret: apple123 ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not ## necessary. Read the documentation for more information. ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. # sector_identifier: example.com ## Sets the client to public. This should typically not be set, please see the documentation for usage. # public: false ## The policy to require for this client; one_factor or two_factor. # authorization_policy: two_factor ## The consent mode controls how consent is obtained. # consent_mode: auto ## This value controls the duration a consent on this client remains remembered when the consent mode is ## configured as 'auto' or 'pre-configured'. # pre_configured_consent_duration: 30d ## Audience this client is allowed to request. # audience: [] ## Scopes this client is allowed to request. # scopes: # - openid # - profile # - email # - groups ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. # redirect_uris: # - https://oidc.example.com/oauth2/callback ## Grant Types configures which grants this client can obtain. ## It's not recommended to configure this unless you know what you're doing. # grant_types: # - refresh_token # - authorization_code ## Response Types configures which responses this client can be sent. ## It's not recommended to configure this unless you know what you're doing. # response_types: # - code ## Response Modes configures which response modes this client supports. ## It's not recommended to configure this unless you know what you're doing. # response_modes: # - form_post # - query # - fragment ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256. # userinfo_signing_algorithm: none ## ## Authelia Secret Generator. ## ## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each ## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets) ## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option. ## secret: existingSecret: "" # existingSecret: authelia annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue mountPath: /secrets excludeVolumeAndMounts: false ## Secrets. jwt: key: JWT_TOKEN value: "" filename: JWT_TOKEN ldap: key: LDAP_PASSWORD value: "" filename: LDAP_PASSWORD storage: key: STORAGE_PASSWORD value: "" filename: STORAGE_PASSWORD storageEncryptionKey: key: STORAGE_ENCRYPTION_KEY value: "" filename: STORAGE_ENCRYPTION_KEY session: key: SESSION_ENCRYPTION_KEY value: "" filename: SESSION_ENCRYPTION_KEY duo: key: DUO_API_KEY value: "" filename: DUO_API_KEY redis: key: REDIS_PASSWORD value: "" filename: REDIS_PASSWORD redisSentinel: key: REDIS_SENTINEL_PASSWORD value: "" filename: REDIS_SENTINEL_PASSWORD smtp: key: SMTP_PASSWORD value: "" filename: SMTP_PASSWORD oidcPrivateKey: key: OIDC_PRIVATE_KEY value: "" filename: OIDC_PRIVATE_KEY oidcHMACSecret: key: OIDC_HMAC_SECRET value: "" filename: OIDC_HMAC_SECRET ## HashiCorp Vault Injector configuration. vaultInjector: ## Enable the vault injector annotations. This will disable secret injection via other means. ## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations ## Annotations with a blank string do not get configured at all. ## Additional annotations can be configured via the secret.annotations: {} above. ## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the ## secret.mountPath value. You can alter the filenames with the secret..filename values. ## Secrets are loaded from vault path specified below with secrets..path values. Its format should be ## :. ## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used, ## it can be overriden per each secret by specifying secrets..templateValue. For example for KV v2 ## secrets engine would be '{{ with secret "" }}{{ .Data.data. }}{{ end }}'. enabled: false ## The vault role to assign via annotations. ## Annotation: vault.hashicorp.com/role role: authelia agent: ## Annotation: vault.hashicorp.com/agent-inject-status status: update ## Annotation: vault.hashicorp.com/agent-configmap configMap: "" ## Annotation: vault.hashicorp.com/agent-image image: "" ## Annotation: vault.hashicorp.com/agent-init-first initFirst: "false" ## Annotation: vault.hashicorp.com/agent-inject-command command: "sh -c 'kill HUP $(pidof authelia)'" ## Annotation: vault.hashicorp.com/agent-run-as-same-user runAsSameUser: "true" secrets: jwt: ## Vault Path to the Authelia JWT secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-jwt path: secrets/authelia/jwt:token ## Vault template specific to JWT. ## Annotation: vault.hashicorp.com/agent-inject-template-jwt templateValue: "" ## Vault after render command specific to JWT. ## Annotation: vault.hashicorp.com/agent-inject-command-jwt command: "" ldap: ## Vault Path to the Authelia LDAP secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-ldap path: secrets/authelia/ldap:password ## Vault template specific to LDAP. ## Annotation: vault.hashicorp.com/agent-inject-template-ldap templateValue: "" ## Vault after render command specific to LDAP. ## Annotation: vault.hashicorp.com/agent-inject-command-ldap command: "" storage: ## Vault Path to the Authelia storage password secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-storage path: secrets/authelia/storage:password ## Vault template specific to the storage password. ## Annotation: vault.hashicorp.com/agent-inject-template-storage templateValue: "" ## Vault after render command specific to the storage password. ## Annotation: vault.hashicorp.com/agent-inject-command-storage command: "" storageEncryptionKey: ## Vault Path to the Authelia storage encryption key secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key path: secrets/authelia/storage:encryption_key ## Vault template specific to the storage encryption key. ## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key templateValue: "" ## Vault after render command specific to the storage encryption key. ## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key command: "" session: ## Vault Path to the Authelia session secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-session path: secrets/authelia/session:encryption_key ## Vault template specific to session. ## Annotation: vault.hashicorp.com/agent-inject-template-session templateValue: "" ## Vault after render command specific to session. ## Annotation: vault.hashicorp.com/agent-inject-command-session command: "" duo: ## Vault Path to the Authelia duo secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-duo path: secrets/authelia/duo:api_key ## Vault template specific to duo. ## Annotation: vault.hashicorp.com/agent-inject-template-duo templateValue: "" ## Vault after render command specific to duo. ## Annotation: vault.hashicorp.com/agent-inject-command-duo command: "" redis: ## Vault Path to the Authelia redis secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-redis path: secrets/authelia/redis:password ## Vault template specific to redis. ## Annotation: vault.hashicorp.com/agent-inject-template-redis templateValue: "" ## Vault after render command specific to redis. ## Annotation: vault.hashicorp.com/agent-inject-command-redis command: "" redisSentinel: ## Vault Path to the Authelia redis sentinel secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel path: secrets/authelia/redis_sentinel:password ## Vault template specific to redis sentinel. ## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel templateValue: "" ## Vault after render command specific to redis sentinel. ## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel command: "" smtp: ## Vault Path to the Authelia SMTP secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-smtp path: secrets/authelia/smtp:password ## Vault template specific to SMTP. ## Annotation: vault.hashicorp.com/agent-inject-template-smtp templateValue: "" ## Vault after render command specific to SMTP. ## Annotation: vault.hashicorp.com/agent-inject-command-smtp command: "" oidcPrivateKey: ## Vault Path to the Authelia OIDC private key secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key path: secrets/authelia/oidc:private_key ## Vault template specific to OIDC private key. ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key templateValue: "" ## Vault after render command specific to OIDC private key. ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key command: "" oidcHMACSecret: ## Vault Path to the Authelia OIDC HMAC secret. ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret path: secrets/authelia/oidc:hmac_secret ## Vault template specific to OIDC HMAC secret. ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret templateValue: "" ## Vault after render command specific to OIDC HMAC secret. ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret command: "" certificates: existingSecret: "" # existingSecret: authelia annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue values: [] # values: # - name: Example_Com_Root_Certificate_Authority_B64.pem # secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== # - name: Example_Com_Root_Certificate_Authority.pem # value: | # -----BEGIN CERTIFICATE----- # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH # WD9f # -----END CERTIFICATE----- ## ## Authelia Persistence Configuration. ## ## Useful in scenarios where you need persistent storage. ## Auth Provider Use Case: file; we recommend you use the ldap provider instead. ## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. ## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). ## persistence: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue readOnly: false subPath: "" existingClaim: "" # existingClaim: my-claim-name storageClass: "" # storageClass: "my-storage-class" accessModes: - ReadWriteOnce size: 100Mi selector: {} --- ## @formatter:off ## values.local.yaml ## ## Repository: authelia https://charts.authelia.com ## Chart: authelia ## ## This values file is designed for a StatefulSet deployment with a single pod. It is not intended for production environments ## It uses the following providers: ## - authentication: file (yaml) ## - storage: local (SQLite3) ## - session: memory ## - notification: filesystem (yaml) ## Version Override allows changing some chart characteristics that render only on specific versions. ## This does NOT affect the image used, please see the below image section instead for this. ## If this value is not specified, it's assumed the appVersion of the chart is the version. ## The format of this value is x.x.x, for example 4.100.0. ## ## Important Points: ## - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion. ## - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration ## system. versionOverride: "" ## Image Parameters ## ref: https://hub.docker.com/r/authelia/authelia/tags/ ## image: # registry: docker.io registry: ghcr.io repository: authelia/authelia tag: "" pullPolicy: IfNotPresent pullSecrets: [] # pullSecrets: # - myPullSecretName # nameOverride: authelia-deployment-name # appNameOverride: authelia ## ## extra labels/annotations applied to all resources ## annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue ## ## RBAC Configuration. ## rbac: ## Enable RBAC. Turning this on associates Authelia with a service account. ## If the vault injector is enabled, then RBAC must be enabled. enabled: false annotations: {} labels: {} serviceAccountName: authelia ## Authelia Domain ## Should be the root domain you want to protect. ## For example if you have apps app1.example.com and app2.example.com it should be example.com ## This affects the ingress (partially sets the domain used) and configMap. ## Authelia must be served from the domain or a subdomain under it. domain: lino.cooking service: annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue port: 80 # clusterIP: ingress: enabled: false annotations: {} # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" labels: {} # labels: # myLabel: myValue certManager: false rewriteTarget: true ## The Ingress Class Name. # className: ingress-nginx ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, ## and specify example.com for the domain. subdomain: authelia tls: enabled: true secret: authelia-tls # hostNameOverride: traefikCRD: enabled: false ## Use a standard Ingress object, not an IngressRoute. disableIngressRoute: false # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) entryPoints: [] # entryPoints: # - http # priority: 10 # weight: 10 sticky: false # stickyCookieNameOverride: authelia_traefik_lb # strategy: RoundRobin # responseForwardingFlushInterval: 100ms middlewares: auth: # nameOverride: authelia-auth authResponseHeaders: - Remote-User - Remote-Name - Remote-Email - Remote-Groups chains: auth: # nameOverride: authelia-auth-chain # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain. before: [] # before: # - name: extra-middleware-name # namespace: default # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain. after: [] # after: # - name: extra-middleware-name # namespace: default ingressRoute: # List of Middlewares to apply before the middleware in the IngressRoute chain. before: [] # before: # - name: extra-middleware-name # namespace: default # List of Middlewares to apply after the middleware in the IngressRoute chain. after: [] # after: # - name: extra-middleware-name # namespace: default # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. tls: ## Disables inclusion of the IngressRoute TLSOptions. disableTLSOptions: false # existingOptions: # name: default-traefik-options # namespace: default # certResolver: default # sans: # - *.example.com # options: # nameOverride: authelia-tls-options nameOverride: "" minVersion: VersionTLS12 maxVersion: VersionTLS13 sniStrict: false cipherSuites: - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - TLS_RSA_WITH_AES_256_GCM_SHA384 curvePreferences: [] # curvePreferences: # - CurveP521 # - CurveP384 pod: # Must be Deployment, DaemonSet, or StatefulSet. kind: StatefulSet annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue replicas: 1 revisionHistoryLimit: 5 strategy: type: RollingUpdate # rollingUpdate: # partition: 1 # maxSurge: 25% # maxUnavailable: 25% securityContext: container: {} # container: # runAsUser: 2000 # runAsGroup: 2000 # fsGroup: 2000 pod: {} # pod: # readOnlyRootFilesystem: true # allowPrivilegeEscalation: false # privileged: false tolerations: [] # tolerations: # - key: key1 # operator: Equal # value: value1 # effect: NoSchedule # tolerationSeconds: 3600 selectors: # nodeName: worker-1 nodeSelector: {} # nodeSelector: # disktype: ssd # kubernetes.io/hostname: worker-1 affinity: nodeAffinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: kubernetes.io/hostname # operator: In # values: # - worker-1 # - worker-2 # preferredDuringSchedulingIgnoredDuringExecution: # - weight: 1 # preference: # matchExpressions: # - key: node-label-key # operator: NotIn # values: # - not-this podAffinity: {} # podAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # - labelSelector: # matchExpressions: # - key: security # operator: In # values: # - S1 # topologyKey: topology.kubernetes.io/zone podAntiAffinity: {} # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: # - weight: 100 # podAffinityTerm: # labelSelector: # matchExpressions: # - key: security # operator: In # values: # - S2 # topologyKey: topology.kubernetes.io/zone env: [] # env: # - name: TZ # value: Australia/Melbourne resources: limits: {} # limits: # cpu: "4.00" # memory: 125Mi requests: {} # requests: # cpu: "0.25" # memory: 50Mi probes: method: httpGet: path: /api/health port: http scheme: HTTP liveness: initialDelaySeconds: 0 periodSeconds: 30 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 readiness: initialDelaySeconds: 0 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 5 ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18. ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/ startup: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 5 successThreshold: 1 failureThreshold: 6 extraVolumeMounts: [] extraVolumes: [] ## ## Kubernetes Pod Disruption Budget ## podDisruptionBudget: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue # minAvailable: 1 # maxUnavailable: 1 ## ## Kubernetes Network Policy ## networkPolicy: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: authelia.com/network-policy: namespace - podSelector: matchLabels: authelia.com/network-policy: pod ports: - protocol: TCP port: 9091 ## ## Authelia Config Map Generator ## configMap: # Enable the configMap source for the Authelia config. # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config. enabled: true annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue key: configuration.yaml existingConfigMap: "" ## ## Server Configuration ## server: ## ## Port sets the configured port for the daemon, service, and the probes. ## Default is 9091 and should not need to be changed. ## port: 9091 ## Set the single level path Authelia listens on. ## Must be alphanumeric chars and should not contain any slashes. path: "authelia" ## Set the path on disk to Authelia assets. ## Useful to allow overriding of specific static assets. # asset_path: /config/assets/ asset_path: "" ## Customize Authelia headers. headers: ## Read the Authelia docs before setting this advanced option. ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template. csp_template: "" ## Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Server Timeouts configuration. timeouts: ## Read timeout. read: 6s ## Write timeout. write: 6s ## Idle timeout. idle: 30s log: ## Level of verbosity for logs: info, debug, trace. level: info ## Format the logs are written as: json, text. format: text ## TODO: Statefulness check should check if this is set, and the configMap should enable it. ## File path where the logs will be written. If not set logs are written to stdout. # file_path: /config/authelia.log file_path: "" ## ## Telemetry Configuration ## telemetry: ## ## Metrics Configuration ## metrics: ## Enable Metrics. enabled: false ## The port to listen on for metrics. This should be on a different port to the main server.port value. port: 9959 ## Metrics Server Buffers configuration. buffers: ## Read buffer. read: 4096 ## Write buffer. write: 4096 ## Metrics Server Timeouts configuration. timeouts: ## Read timeout. read: 6s ## Write timeout. write: 6s ## Idle timeout. idle: 30s serviceMonitor: enabled: false annotations: {} labels: {} ## Default redirection URL ## ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use ## in such a case. ## ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication. ## Default is https://www. (value at the top of the values.yaml). default_redirection_url: "https://lino.cooking" # default_redirection_url: https://example.com ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been ## disabled. This setting must be a method that is enabled. ## Options are totp, webauthn, mobile_push. default_2fa_method: "" theme: light ## ## TOTP Configuration ## ## Parameters used for TOTP generation. totp: ## Disable TOTP. disable: false ## The issuer name displayed in the Authenticator application of your choice. ## Defaults to . issuer: "authelia.com" ## The TOTP algorithm to use. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm algorithm: sha1 ## The number of digits a user has to input. Must either be 6 or 8. ## Changing this option only affects newly generated TOTP configurations. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits digits: 6 ## The period in seconds a one-time password is valid for. ## Changing this option only affects newly generated TOTP configurations. period: 30 ## The skew controls number of one-time passwords either side of the current one that are valid. ## Warning: before changing skew read the docs link below. ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation. skew: 1 ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. secret_size: 32 ## ## WebAuthn Configuration ## ## Parameters used for WebAuthn. webauthn: ## Disable Webauthn. disable: false ## Adjust the interaction timeout for Webauthn dialogues. timeout: 60s ## The display name the browser should show the user for when using Webauthn to login/register. display_name: Authelia ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. ## Options are none, indirect, direct. attestation_conveyance_preference: indirect ## User verification controls if the user must make a gesture or action to confirm they are present. ## Options are required, preferred, discouraged. user_verification: preferred ## ## NTP Configuration ## ## This is used to validate the servers time is accurate enough to validate TOTP. ntp: ## NTP server address. address: "time.cloudflare.com:123" ## NTP version. version: 4 ## Maximum allowed time offset between the host and the NTP server. max_desync: 3s ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you ## set this to true, and can operate in a truly offline mode. disable_startup_check: false ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup ## will continue regardless of results. disable_failure: false ## ## Duo Push API Configuration ## ## Parameters used to contact the Duo API. Those are generated when you protect an application of type ## "Partner Auth API" in the management panel. duo_api: enabled: true hostname: api-229a51d0.duosecurity.com integration_key: !vault | $ANSIBLE_VAULT;1.1;AES256 64376430336633666661663932386161393164343166613366666532633835633639396366356262 3661313032363032646265663238616331306235373033310a333839626430353730363037626331 39623965336434306461373062366566383934663030373463303636323734346432643432393938 3863346161393733660a656131343636626636383030366333303235636666373962666631633663 32623166383565316565653363366365613835666534386232626262393136356433 enable_self_enrollment: false ## ## Authentication Backend Provider Configuration ## ## Used for verifying user passwords and retrieve information such as email address and groups users belong to. ## ## The available providers are: `file`, `ldap`. You must use one and only one of these providers. authentication_backend: ## Password Reset Options. password_reset: ## Disable both the HTML element and the API for reset password functionality disable: false ## External reset password url that redirects the user to an external reset portal. This disables the internal reset ## functionality. custom_url: "" ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. ## See the below documentation for more information. ## Duration Notation docs: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval refresh_interval: 5m ## ## File (Authentication Provider) ## ## With this backend, the users database is stored in a file which is updated when users reset their passwords. ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security ## implications it is highly recommended you leave the default values. Before considering changing these settings ## please read the docs page below: ## https://www.authelia.com/reference/guides/passwords/#tuning ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## file: enabled: true path: /config/users_database.yml watch: true search: email: false case_insensitive: false password: algorithm: argon2 argon2: variant: argon2id iterations: 3 memory: 65536 parallelism: 4 key_length: 32 salt_length: 16 scrypt: iterations: 16 block_size: 8 parallelism: 1 key_length: 32 salt_length: 16 pbkdf2: variant: sha512 iterations: 310000 salt_length: 16 sha2crypt: variant: sha512 iterations: 50000 salt_length: 16 bcrypt: variant: standard cost: 12 ## ## Password Policy Configuration. ## password_policy: ## The standard policy allows you to tune individual settings manually. standard: enabled: false ## Require a minimum length for passwords. min_length: 8 ## Require a maximum length for passwords. max_length: 0 ## Require uppercase characters. require_uppercase: true ## Require lowercase characters. require_lowercase: true ## Require numeric characters. require_number: true ## Require special characters. require_special: true ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. zxcvbn: enabled: false ## Configures the minimum score allowed. min_score: 0 ## ## Access Control Configuration ## ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. ## ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed ## to anyone. Otherwise restrictions follow the rules defined. ## ## Note: One can use the wildcard * to match any subdomain. ## It must stand at the beginning of the pattern. (example: *.mydomain.com) ## ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. ## ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. ## ## - 'domain' defines which domain or set of domains the rule applies to. ## ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not ## provided. If provided, the parameter represents either a user or a group. It should be of the form ## 'user:' or 'group:'. ## ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. ## ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter ## is optional and matches any resource if not provided. ## ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. access_control: ## Configure the ACL as a Secret instead of part of the ConfigMap. secret: ## Enables the ACL section being generated as a secret. enabled: false ## The key in the secret which contains the file to mount. key: configuration.acl.yaml ## An existingSecret name, if configured this will force the secret to be mounted using the key above. existingSecret: "" ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. default_policy: deny networks: [] # networks: # - name: private # networks: # - 10.0.0.0/8 # - 172.16.0.0/12 # - 192.168.0.0/16 # - name: vpn # networks: # - 10.9.0.0/16 rules: [] # rules: # - domain_regex: '^.*\.example.com$' # policy: bypass # - domain: public.example.com # policy: bypass # - domain: "*.example.com" # policy: bypass # methods: # - OPTIONS # - domain: secure.example.com # policy: one_factor # networks: # - private # - vpn # - 192.168.1.0/24 # - 10.0.0.1 # - domain: # - secure.example.com # - private.example.com # policy: two_factor # - domain: singlefactor.example.com # policy: one_factor # - domain: "mx2.mail.example.com" # subject: "group:admins" # policy: deny # - domain: "*.example.com" # subject: # - "group:admins" # - "group:moderators" # policy: two_factor # - domain: dev.example.com # resources: # - "^/groups/dev/.*$" # subject: "group:dev" # policy: two_factor # - domain: dev.example.com # resources: # - "^/users/john/.*$" # subject: # - ["group:dev", "user:john"] # - "group:admins" # policy: two_factor # - domain: "{user}.example.com" # policy: bypass ## ## Session Provider Configuration ## ## The session cookies identify the user once logged in. ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined. session: ## The name of the session cookie. (default: authelia_session). name: authelia_session ## Sets the Cookie SameSite value. Possible options are none, lax, or strict. ## Please read https://www.authelia.com/configuration/session/introduction/#same_site same_site: lax ## The time in seconds before the cookie expires and session is reset. expiration: 1h ## The inactivity time in seconds before the session is reset. inactivity: 5m ## The remember me duration. ## Value is in seconds, or duration notation. Value of 0 disables remember me. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to ## spy or attack. Currently the default is 1M or 1 month. remember_me_duration: 1M ## ## Regulation Configuration ## ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done ## in a short period of time. regulation: ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. max_retries: 3 ## The time range during which the user can attempt login before being banned. The user is banned if the ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format find_time: 2m ## The length of time before a banned user can login again. Ban Time accepts duration notation. ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format ban_time: 5m ## ## Storage Provider Configuration ## ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. storage: ## ## Local (Storage Provider) ## ## This stores the data in a SQLite3 Database. ## This is only recommended for lightweight non-stateful installations. ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## local: enabled: true path: /config/db.sqlite3 ## ## MySQL (Storage Provider) ## ## Also supports MariaDB ## mysql: enabled: false host: mysql.databases.svc.cluster.local port: 3306 database: authelia username: authelia timeout: 5s tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## ## PostgreSQL (Storage Provider) ## postgres: enabled: false host: postgres.databases.svc.cluster.local port: 5432 database: authelia schema: public username: authelia timeout: 5s tls: enabled: false ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 ## ## Notification Provider ## ## ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration. ## The available providers are: filesystem, smtp. You must use one and only one of these providers. notifier: ## You can disable the notifier startup check by setting this to true. disable_startup_check: false ## ## File System (Notification Provider) ## ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/ ## filesystem: enabled: true filename: /config/notification.txt ## ## SMTP (Notification Provider) ## ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate. ## [Security] By default Authelia will: ## - force all SMTP connections over TLS including unauthenticated connections ## - use the disable_require_tls boolean value to disable this requirement ## (only works for unauthenticated connections) ## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates ## (configure in tls section) smtp: enabled: true enabledSecret: false host: smtp.gmail.com port: 25 timeout: 5s username: okulto@gmail.com sender: okulto@gmail.com ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. identifier: localhost ## Subject configuration of the emails sent. ## {title} is replaced by the text from the notifier subject: "[Authelia] {title}" ## This address is used during the startup check to verify the email configuration is correct. ## It's not important what it is except if your email server only allows local delivery. startup_check_address: test@authelia.com ## Disables sending HTML formatted emails. disable_html_emails: false ## By default we require some form of TLS. This disables this check though is not advised. disable_require_tls: false ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for ## more information. disable_starttls: false tls: ## The server subject name to check the servers certificate against during the validation process. ## This option is not required if the certificate has a SAN which matches the host option. server_name: "" ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the ## certificate or the certificate of the authority signing the certificate to the certificates directory which is ## defined by the `certificates_directory` option at the top of the configuration. ## It's important to note the public key should be added to the directory, not the private key. ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not ## important to the administrator. skip_verify: false ## Minimum TLS version for the connection. minimum_version: TLS1.2 ## Maximum TLS version for the connection. maximum_version: TLS1.3 identity_providers: oidc: ## Enables this in the config map. Currently in beta stage. ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap enabled: false access_token_lifespan: 24h authorize_code_lifespan: 1m id_token_lifespan: 1h refresh_token_lifespan: 90m ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never. ## For security reasons it's recommended this option is public_clients_only or always, however always is not ## compatible with all clients. enforce_pkce: public_clients_only ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients. enable_pkce_plain_challenge: false ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for ## security reasons. minimum_parameter_entropy: 8 ## Enables additional debug messages. enable_client_debug_messages: false ## Cross-Origin Resource Sharing (CORS) settings. cors: ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. # endpoints: # - authorization # - token # - revocation # - introspection # - userinfo endpoints: [] ## List of allowed origins. ## Any origin with https is permitted unless this option is configured or the ## allowed_origins_from_client_redirect_uris option is enabled. # allowed_origins: # - https://example.com allowed_origins: [] ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, ## provided they have the scheme http or https and do not have the hostname of localhost. allowed_origins_from_client_redirect_uris: true clients: [] # clients: # - ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration. # id: myapp ## The description to show to users when they end up on the consent screen. Defaults to the ID above. # description: My Application ## The client secret is a shared secret between Authelia and the consumer of this client. # secret: apple123 ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not ## necessary. Read the documentation for more information. ## The subject identifier must be the host component of a URL, which is a domain name with an optional port. # sector_identifier: example.com ## Sets the client to public. This should typically not be set, please see the documentation for usage. # public: false ## The policy to require for this client; one_factor or two_factor. # authorization_policy: two_factor ## The consent mode controls how consent is obtained. # consent_mode: auto ## This value controls the duration a consent on this client remains remembered when the consent mode is ## configured as 'auto' or 'pre-configured'. # pre_configured_consent_duration: 30d ## Audience this client is allowed to request. # audience: [] ## Scopes this client is allowed to request. # scopes: # - openid # - profile # - email # - groups ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. # redirect_uris: # - https://oidc.example.com/oauth2/callback ## Grant Types configures which grants this client can obtain. ## It's not recommended to configure this unless you know what you're doing. # grant_types: # - refresh_token # - authorization_code ## Response Types configures which responses this client can be sent. ## It's not recommended to configure this unless you know what you're doing. # response_types: # - code ## Response Modes configures which response modes this client supports. ## It's not recommended to configure this unless you know what you're doing. # response_modes: # - form_post # - query # - fragment ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256. # userinfo_signing_algorithm: none ## ## Authelia Secret Generator. ## ## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each ## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets) ## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option. ## secret: existingSecret: "" # existingSecret: authelia annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue mountPath: /secrets excludeVolumeAndMounts: false ## Secrets. jwt: key: JWT_TOKEN value: !vault | $ANSIBLE_VAULT;1.1;AES256 66383231323534613333356162333861386461373364393931386135613463386366346339646637 3965343966396638353732373561633434353639363839350a623635373437306364366439653439 32316639316130343365306333386162663865616336306330666330376638386364343730333366 3939366233386364360a336166313938653338323765316437336361343566373766336566383431 33383438303230613034396438636662623633336166346262343436646164663763386632343635 62316435323430343138373939356138306630663737303566633632363834363765343734336638 346666656563383165643134353365636366 filename: JWT_TOKEN storage: key: STORAGE_PASSWORD value: "" filename: STORAGE_PASSWORD storageEncryptionKey: key: STORAGE_ENCRYPTION_KEY value: !vault | $ANSIBLE_VAULT;1.1;AES256 34616664666163636134663461313637313632653265643037303363333832623962323535393834 6136386263333161663431303761383961346532336133350a653465363238316565376233643231 32376537366134363139376433656538343338653839363333633239303538366436313039323433 6662316136393965620a323861376438613466346166396464383836626137653963373964333063 33363737616365373633333962333563616439666633376130653835326437343832303335393936 36373431353537313431643465626133623761346465346637396531653236623437303038633034 383233333036363134343539636337346163 filename: STORAGE_ENCRYPTION_KEY session: key: SESSION_ENCRYPTION_KEY value: !vault | $ANSIBLE_VAULT;1.1;AES256 39663033343632363637633361353535653864666137343631393736643564623630653030316336 3166336339386633366133356331633561383363343834390a633431373764653264653862396135 32376133343737363032303738616563326536313736656137353233643562393031343766623330 3239333939316438610a633932643233303236396233323737643531393630626230306532623661 64343335626335376335386562393930313239376363343636633434346236323132353165336235 65373863336166663239386131376134633139363065353230353331383363613437346338343333 336335616465376566326139396437623266 filename: SESSION_ENCRYPTION_KEY duo: key: DUO_API_KEY value: !vault | $ANSIBLE_VAULT;1.1;AES256 62396435646233313330393262346235323365353463396235363934623734626235353761613865 3931313331653736613562656132613230386232303061660a366566636434633338303336316133 31626465373135643437633535383739333539376264323032613361643362396638663463663931 6536613666376137390a343131623338316339613166353333343333393030633239383034643835 34663133373661366233343738636639343963396334653566653038656535363030343034343339 3230376136316562363362643962306136396263333463666565 filename: DUO_API_KEY smtp: key: SMTP_PASSWORD value: !vault | $ANSIBLE_VAULT;1.1;AES256 65623431383465396366306237376634326461313134386631666664383133653261333961393264 3833303965666665653664343434386662666332353733330a646533303430663631336164646136 62306163656534663366303362383564663130306663366338343433313338616338363639363137 6331306132363766300a663134616337656464653531616663356330613836356464326432386136 64343436393662323063616339323133373762306131313630333431316131626136 filename: SMTP_PASSWORD oidcPrivateKey: key: OIDC_PRIVATE_KEY value: !vault | $ANSIBLE_VAULT;1.1;AES256 39383635633232393536373832663933326664353964366133653766366536396338303830653361 6164363362333465643230336562373434613736316336320a343735656566643430353934316633 36353766383866393065643430626633633366303364636565646438363363333738383862653732 3562333235356632380a656464346165336633303863643563393762616232626461313830383134 64653831623365363532643632346231646635356337646537356236616130653933343035366438 32303130306462396537316566666262666262633261626135356133643636383663333737323831 30396630316634306133356664363765653831666230393731323830316561373231616638316462 33616638613035306665303064316532646539623566323062656534333631666136313664393964 38346634633332316438346162303365313431386364393635653432383538303366653364303764 61396634303534346331363438393931646536303439313331653239663533363638336365633032 33326439303038616566616437303536646662626337363766623034663032386166626332366366 62643738366434323666383065316237346663396161363837313030303161333437323363643032 30363465333861366635313337336437373830383937613639653465643261613831646631333561 32383763656562363366386165613563396433343661303264646537623762353338376265636362 64363066646638393364306162636134336332353235643331656333393361343562636535353039 32343331383364363162646639646564666639643664643238303861376166336133306534626564 34613230646432313262326539343765346236333464303030356331646163383464626464383362 37363233633138303262326539303138313933383234653566633739636466613633356430326632 32643033306334663331646632396435396664633966363362653333366361623739633761643934 65376633313635343465333038633962616436383866393566623138303864643464646461303032 30393034326434346465666261656539366336643166303736363864323739616631316238613432 65306462303862316434336462313463363139613333663835373563363835363333366465623937 66306636623061636562646635336565636263393166313136373836333066623133343163636334 36336438366138663434306239353465633664363033353562316364373466306435666265616166 31623961373266383639326538366166663637626431313538393237636434323865663530663831 37356136346462663762326132666331366632666230323932613135353733366632326638313265 34393837633538623261313936343166656634326562316531643164613761313537383738303836 65366335316234636163663939633732656237383962636339663334653166633435613463373439 38646633656363636138613836653039643935646233646166623662346438333863643732313339 37356638376532376664646231653433343031616133396136643839666237383331653138633065 35323962346435613166376639363935303535623137366131313635386265643361333666313837 63313566343936393063303739353933333466363633313661636134653831396361326239646635 36636431393661623165393964613465393464626235363638316130336232346531333064616164 63393733653734613430366565366634623262353437346331313965313463396531636138626133 35366366656631356430343231613765353237613039633534633536353262346434613264303463 64383462396537323366646664643339646436343938303931353938613130313338386634643466 64303631383338333334316266343765656163393962393464663164396531346630646431336537 37663036313966306564613138336263323362663739363931346134383563613362393338396332 36363437336237623539616133313466663364303066646232303537396662373937333631646163 37646233313337613830373232313039636365646162333733333664313739353066653632663033 33646232623834356639363437393036396234316261353864336535646162623937386463643265 34613439396266663738326532366234303633383438306437363731386263356333366337643537 30616561666233653730333138343065323863653430373764646265303438346531663738623065 66346362626336333537363862666162386166386631346138353237613164373565343363353139 63323539363530633334313830373031613438373638616134336261343565616461666136393562 35663462303863343163303830393430353733336661353464303839343437616633303939633438 31356131353035663431393535306364316234646630353666626239313963363437623036383334 36343762343732636638326632356535323137653062363638316637326331656432646338666537 63316537353236636537386566303232373134323836616361383433626163393938633239633536 30653731633134363433613566306538336630336566353734656432363632373430353333343832 63393936666636646165343762313631336332623362633961303936613666303536366662656438 37616332643030383665363862633138363264363665313536303933653936636534326261653566 34303737333064303136306335626533363734373635373432396563363335336366393036396366 33626237333866343234623031353838646531343061613738313535346134656530616233323335 36333531313862376664353362613832376333306632346465356534616461653261353739386534 65656265653362656239653861366130386166613431663066383636366536333565646531636439 64646231303334346136656631616135633062626631616565383835356564383864306263633535 33613562363065323262633061656432636265306564613731396630366538366636373235666538 64626433636166393638613261363436643463643831636363323561343533373637393532326232 35323437373734653737366631303834346436636562383665376235383861383763393964376431 35306138636435303636646631326339623136386636356338306366613738353462366139666265 62333864636234333566313537363965376466633139356462643962393966356336626436613931 32373963306435303639616666373664363238396164373434333137313464366535646138653730 32303530623139393561306363356666333966633661653431376434396436663733613139373131 32346434323137396266623064666130373465303236666363623862646234663965646662643063 31313736376461383731383863383435336365373938373032353137373764346539636365383334 39663839656465383435323736613264386636336134643866363436613734393439633361633039 35316630323661316263643565376336623930303036333064396161333935336463303463333964 39343137623138326630396138306432376239306135613966653661326130373639303762313966 36663431663063383730666263343532653264346532626334623039616434613032386366316464 34373864346632346438383664646332353839356130316634343263666533623138396232326131 38343264623837663832306566623331623334663965643661306238666138313937636336613662 64643437306431663762343339306337633361633838343439356331333134623135336463626266 34656438313235633531313230343161363737303538383735626662356464643835363164383537 36386437356637323063646338396236383566633061626534363035336535373932633636626266 33313537653032346266316362373234333638663532666530363535396237376332306631613039 37306633666165376263623965313965386430323533353138386239386637653336363431613739 38636530316538366535306461626636353364643764613561663937373766333961373166386330 30343066316663343639373334343135663866353633623338663238386232626361386563653065 38303338393833303738636630323665373333306462666562333963306239366365653132663261 63396465353831633566346561353139313932333534386263353730623035313234663264346636 62653665653334663430666235613566316365663965373031323663363830396366303735663137 33356564313239336635663834373065663538306532663238356164313036643333326638353362 61303863633463616465616366373134653431653330306435366662393639356331386662656462 39633134643463356539663366383465383538306462653530623565623266363463356561316234 37623134383435393531613836373461653162373931303565633335313232393832333563626530 323736633331326537633231376634343534 filename: OIDC_PRIVATE_KEY oidcHMACSecret: key: OIDC_HMAC_SECRET value: !vault | $ANSIBLE_VAULT;1.1;AES256 35656634383164386136366139656330316531626232656164636564363632343661303638656462 3937336531613536373832363862303564333832333438300a373666613339653362623263323962 62393363363330626536316635626164623565383136636462336564306130353232353736656632 3534333131386664620a633337376231613564333662393033353339363539393431313937386261 31363433333538346532636636356237393366383531616332626461353261663333333035643666 31396135643139396133666265393831333638313263636238663363396336343037396339653339 353662373063636362636331613432343338 filename: OIDC_HMAC_SECRET certificates: existingSecret: "" # existingSecret: authelia annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue values: [] # values: # - name: Example_Com_Root_Certificate_Authority_B64.pem # secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== # - name: Example_Com_Root_Certificate_Authority.pem # value: | # -----BEGIN CERTIFICATE----- # MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G # A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp # Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4 # MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG # A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI # hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8 # RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT # gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm # KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd # QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ # XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw # DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o # LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU # RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp # jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK # 6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX # mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs # Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH # WD9f # -----END CERTIFICATE----- ## ## Authelia Persistence Configuration. ## ## Useful in scenarios where you need persistent storage. ## Auth Provider Use Case: file; we recommend you use the ldap provider instead. ## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead. ## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false). ## persistence: enabled: false annotations: {} # annotations: # myAnnotation: myValue labels: {} # labels: # myLabel: myValue readOnly: false subPath: "" existingClaim: "" # existingClaim: my-claim-name storageClass: "" # storageClass: "my-storage-class" accessModes: - ReadWriteOnce size: 100Mi selector: {}