k3s-ansible/roles/authelia/templates/values.yml

---
## @formatter:off
## values.yaml
##
## Repository: authelia https://charts.authelia.com
## Chart: authelia
##
## This values file is designed for full deployment, eventually for in production once the chart makes it to 1.0.0.
## It uses the following providers:
##   - authentication: LDAP
##   - storage: MySQL
##   - session: redis

## Version Override allows changing some chart characteristics that render only on specific versions.
## This does NOT affect the image used, please see the below image section instead for this.
## If this value is not specified, it's assumed the appVersion of the chart is the version.
## The format of this value  is x.x.x, for example 4.100.0.
##
## Important Points:
##   - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion.
##   - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration
##     system.
versionOverride: ""

## Image Parameters
## ref: https://hub.docker.com/r/authelia/authelia/tags/
##
image:
  # registry: docker.io
  registry: ghcr.io
  repository: authelia/authelia
  tag: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  # pullSecrets:
  #   - myPullSecretName

# nameOverride: authelia-deployment-name
# appNameOverride: authelia

##
## extra labels/annotations applied to all resources
##
annotations: {}
# annotations:
#   myAnnotation: myValue

labels: {}
# labels:
#   myLabel: myValue

##
## RBAC Configuration.
##
rbac:
  ## Enable RBAC. Turning this on associates Authelia with a service account.
  ## If the vault injector is enabled, then RBAC must be enabled.
  enabled: false

  annotations: {}
  labels: {}

  serviceAccountName: authelia

## Authelia Domain
## Should be the root domain you want to protect.
## For example if you have apps app1.example.com and app2.example.com it should be example.com
## This affects the ingress (partially sets the domain used) and configMap.
## Authelia must be served from the domain or a subdomain under it.
domain: example.com

service:
  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  port: 80

  # clusterIP:

ingress:
  enabled: false

  annotations: {}
  # annotations:
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"

  labels: {}
  # labels:
  #   myLabel: myValue

  certManager: false
  rewriteTarget: true

  ## The Ingress Class Name.
  # className: ingress-nginx

  ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart.
  ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain,
  ## and specify example.com for the domain.
  subdomain: auth

  tls:
    enabled: true
    secret: authelia-tls

    # hostNameOverride:

  traefikCRD:
    enabled: false

    ## Use a standard Ingress object, not an IngressRoute.
    disableIngressRoute: false

    # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)

    entryPoints: []
    # entryPoints:
    # - http

    # priority: 10

    # weight: 10

    sticky: false

    # stickyCookieNameOverride: authelia_traefik_lb

    # strategy: RoundRobin

    # responseForwardingFlushInterval: 100ms

    middlewares:
      auth:
        # nameOverride: authelia-auth
        authResponseHeaders:
          - Remote-User
          - Remote-Name
          - Remote-Email
          - Remote-Groups

      chains:
        auth:
          # nameOverride: authelia-auth-chain

          # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain.
          before: []
          # before:
          # - name: extra-middleware-name
          #   namespace: default

          # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain.
          after: []
          # after:
          # - name: extra-middleware-name
          #   namespace: default

        ingressRoute:
          # List of Middlewares to apply before the middleware in the IngressRoute chain.
          before: []
          # before:
          # - name: extra-middleware-name
          #   namespace: default

          # List of Middlewares to apply after the middleware in the IngressRoute chain.
          after: []
          # after:
          # - name: extra-middleware-name
          #   namespace: default

    # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used.
    tls:
      ## Disables inclusion of the IngressRoute TLSOptions.
      disableTLSOptions: false
      #   existingOptions:
      #     name: default-traefik-options
      #     namespace: default
      #   certResolver: default
      #   sans:
      #     - *.example.com
      #
      options:
        # nameOverride: authelia-tls-options
        nameOverride: ""

        minVersion: VersionTLS12
        maxVersion: VersionTLS13
        sniStrict: false
        cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_RSA_WITH_AES_256_GCM_SHA384
        curvePreferences: []
        # curvePreferences:
        # - CurveP521
        # - CurveP384

pod:
  # Must be Deployment, DaemonSet, or StatefulSet.
  kind: DaemonSet

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  replicas: 1
  revisionHistoryLimit: 5

  strategy:
    type: RollingUpdate
    # rollingUpdate:
    #   partition: 1
    #   maxSurge: 25%
    #   maxUnavailable: 25%

  securityContext:
    container: {}
    # container:
    #   runAsUser: 2000
    #   runAsGroup: 2000
    #   fsGroup: 2000
    pod: {}
    # pod:
    #   readOnlyRootFilesystem: true
    #   allowPrivilegeEscalation: false
    #   privileged: false

  tolerations: []
  # tolerations:
  # - key: key1
  #   operator: Equal
  #   value: value1
  #   effect: NoSchedule
  #   tolerationSeconds: 3600

  selectors:
    #   nodeName: worker-1

    nodeSelector: {}
    # nodeSelector:
    #   disktype: ssd
    #   kubernetes.io/hostname: worker-1

    affinity:
      nodeAffinity: {}
      # nodeAffinity:
      #   requiredDuringSchedulingIgnoredDuringExecution:
      #     nodeSelectorTerms:
      #     - matchExpressions:
      #       - key: kubernetes.io/hostname
      #         operator: In
      #         values:
      #         - worker-1
      #         - worker-2
      #   preferredDuringSchedulingIgnoredDuringExecution:
      #   - weight: 1
      #     preference:
      #       matchExpressions:
      #       - key: node-label-key
      #         operator: NotIn
      #         values:
      #         - not-this
      podAffinity: {}
      # podAffinity:
      #   requiredDuringSchedulingIgnoredDuringExecution:
      #   - labelSelector:
      #       matchExpressions:
      #       - key: security
      #         operator: In
      #         values:
      #         - S1
      #     topologyKey: topology.kubernetes.io/zone
      podAntiAffinity: {}
      # podAntiAffinity:
      #     preferredDuringSchedulingIgnoredDuringExecution:
      #     - weight: 100
      #       podAffinityTerm:
      #         labelSelector:
      #           matchExpressions:
      #           - key: security
      #             operator: In
      #             values:
      #             - S2
      #         topologyKey: topology.kubernetes.io/zone

  env: []
  # env:
  # - name: TZ
  #   value: Australia/Melbourne

  resources:
    limits: {}
    # limits:
    #   cpu: "4.00"
    #   memory: 125Mi
    requests: {}
    # requests:
    #   cpu: "0.25"
    #   memory: 50Mi

  probes:
    method:
      httpGet:
        path: /api/health
        port: http
        scheme: HTTP

    liveness:
      initialDelaySeconds: 0
      periodSeconds: 30
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    readiness:
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18.
    ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
    startup:
      initialDelaySeconds: 10
      periodSeconds: 5
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 6

  extraVolumeMounts: []
  extraVolumes: []

##
## Kubernetes Pod Disruption Budget
##
podDisruptionBudget:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  # minAvailable: 1
  # maxUnavailable: 1

##
## Kubernetes Network Policy
##
networkPolicy:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              authelia.com/network-policy: namespace
        - podSelector:
            matchLabels:
              authelia.com/network-policy: pod
      ports:
        - protocol: TCP
          port: 9091

##
## Authelia Config Map Generator
##
configMap:
  # Enable the configMap source for the Authelia config.
  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
  enabled: true

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  key: configuration.yaml

  existingConfigMap: ""

  ##
  ## Server Configuration
  ##
  server:
    ##
    ## Port sets the configured port for the daemon, service, and the probes.
    ## Default is 9091 and should not need to be changed.
    ##
    port: 9091

    ## Set the single level path Authelia listens on.
    ## Must be alphanumeric chars and should not contain any slashes.
    path: ""

    ## Set the path on disk to Authelia assets.
    ## Useful to allow overriding of specific static assets.
    # asset_path: /config/assets/
    asset_path: ""

    ## Customize Authelia headers.
    headers:
      ## Read the Authelia docs before setting this advanced option.
      ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template.
      csp_template: ""

    ## Server Buffers configuration.
    buffers:
      ## Read buffer.
      read: 4096

      ## Write buffer.
      write: 4096

    ## Server Timeouts configuration.
    timeouts:
      ## Read timeout.
      read: 6s

      ## Write timeout.
      write: 6s

      ## Idle timeout.
      idle: 30s

  log:
    ## Level of verbosity for logs: info, debug, trace.
    level: info

    ## Format the logs are written as: json, text.
    format: text

    ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
    ## File path where the logs will be written. If not set logs are written to stdout.
    # file_path: /config/authelia.log
    file_path: ""

  ##
  ## Telemetry Configuration
  ##
  telemetry:
    ##
    ## Metrics Configuration
    ##
    metrics:
      ## Enable Metrics.
      enabled: false

      ## The port to listen on for metrics. This should be on a different port to the main server.port value.
      port: 9959

      ## Metrics Server Buffers configuration.
      buffers:
        ## Read buffer.
        read: 4096

        ## Write buffer.
        write: 4096

      ## Metrics Server Timeouts configuration.
      timeouts:
        ## Read timeout.
        read: 6s

        ## Write timeout.
        write: 6s

        ## Idle timeout.
        idle: 30s

      serviceMonitor:
        enabled: false
        annotations: {}
        labels: {}

  ## Default redirection URL
  ##
  ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
  ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
  ## in such a case.
  ##
  ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
  ## Default is https://www.<domain> (value at the top of the values.yaml).
  default_redirection_url: ""
  # default_redirection_url: https://example.com

  ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
  ## disabled. This setting must be a method that is enabled.
  ## Options are totp, webauthn, mobile_push.
  default_2fa_method: ""

  theme: light

  ##
  ## TOTP Configuration
  ##
  ## Parameters used for TOTP generation.
  totp:
    ## Disable TOTP.
    disable: false

    ## The issuer name displayed in the Authenticator application of your choice.
    ## Defaults to <domain>.
    issuer: ""

    ## The TOTP algorithm to use.
    ## It is CRITICAL you read the documentation before changing this option:
    ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm
    algorithm: sha1

    ## The number of digits a user has to input. Must either be 6 or 8.
    ## Changing this option only affects newly generated TOTP configurations.
    ## It is CRITICAL you read the documentation before changing this option:
    ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits
    digits: 6

    ## The period in seconds a one-time password is valid for.
    ## Changing this option only affects newly generated TOTP configurations.
    period: 30

    ## The skew controls number of one-time passwords either side of the current one that are valid.
    ## Warning: before changing skew read the docs link below.
    ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation.
    skew: 1

    ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
    secret_size: 32

  ##
  ## WebAuthn Configuration
  ##
  ## Parameters used for WebAuthn.
  webauthn:
    ## Disable Webauthn.
    disable: false

    ## Adjust the interaction timeout for Webauthn dialogues.
    timeout: 60s

    ## The display name the browser should show the user for when using Webauthn to login/register.
    display_name: Authelia

    ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
    ## Options are none, indirect, direct.
    attestation_conveyance_preference: indirect

    ## User verification controls if the user must make a gesture or action to confirm they are present.
    ## Options are required, preferred, discouraged.
    user_verification: preferred

  ##
  ## NTP Configuration
  ##
  ## This is used to validate the servers time is accurate enough to validate TOTP.
  ntp:
    ## NTP server address.
    address: "time.cloudflare.com:123"

    ## NTP version.
    version: 4

    ## Maximum allowed time offset between the host and the NTP server.
    max_desync: 3s

    ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
    ## set this to true, and can operate in a truly offline mode.
    disable_startup_check: false

    ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
    ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
    ## will continue regardless of results.
    disable_failure: false

  ##
  ## Duo Push API Configuration
  ##
  ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
  ## "Partner Auth API" in the management panel.
  duo_api:
    enabled: false
    hostname: api-123456789.example.com
    integration_key: ABCDEF
    enable_self_enrollment: false

  ##
  ## Authentication Backend Provider Configuration
  ##
  ## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
  ##
  ## The available providers are: `file`, `ldap`. You must use one and only one of these providers.
  authentication_backend:
    ## Password Reset Options.
    password_reset:
      ## Disable both the HTML element and the API for reset password functionality
      disable: false

      ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
      ## functionality.
      custom_url: ""

    ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
    ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
    ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
    ## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
    ## See the below documentation for more information.
    ## Duration Notation docs:  https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval
    refresh_interval: 5m

    ## LDAP backend configuration.
    ##
    ## This backend allows Authelia to be scaled to more
    ## than one instance and therefore is recommended for
    ## production.
    ldap:
      ## Enable LDAP Backend.
      enabled: true

      ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
      ## Acceptable options are as follows:
      ## - 'activedirectory' - For Microsoft Active Directory.
      ## - 'custom' - For custom specifications of attributes and filters.
      ## This currently defaults to 'custom' to maintain existing behaviour.
      ##
      ## Depending on the option here certain other values in this section have a default value, notably all of the
      ## attribute mappings have a default value that this config overrides, you can read more about these default values
      ## at https://www.authelia.com/reference/guides/ldap/#defaults
      implementation: activedirectory

      ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
      ## Scheme can be ldap or ldaps in the format (port optional).
      url: ldap://openldap.default.svc.cluster.local

      ## Connection Timeout.
      timeout: 5s

      ## Use StartTLS with the LDAP connection.
      start_tls: false

      tls:
        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host portion of the url option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

      ## The base dn for every LDAP query.
      base_dn: DC=example,DC=com

      ## The attribute holding the username of the user. This attribute is used to populate the username in the session
      ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
      ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
      ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
      ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
      ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
      ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
      ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
      username_attribute: ""

      ## An additional dn to define the scope to all users.
      additional_users_dn: OU=Users

      ## The users filter used in search queries to find the user profile based on input filled in login form.
      ## Various placeholders are available in the user filter:
      ## - {input} is a placeholder replaced by what the user inputs in the login form.
      ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`.
      ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
      ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
      ##   versions, so please don't use it.
      ##
      ## Recommended settings are as follows:
      ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
      ## - OpenLDAP:
      ##   - (&({username_attribute}={input})(objectClass=person))
      ##   - (&({username_attribute}={input})(objectClass=inetOrgPerson))
      ##
      ## To allow sign in both with username and email, one can use a filter like
      ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
      users_filter: ""

      ## An additional dn to define the scope of groups.
      additional_groups_dn: OU=Groups

      ## The groups filter used in search queries to find the groups of the user.
      ## - {input} is a placeholder replaced by what the user inputs in the login form.
      ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`).
      ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN.
      ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`.
      ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`.
      ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later
      ##   versions, so please don't use it.
      ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in
      ##   later version, so please don't use it.
      ##
      ## If your groups use the `groupOfUniqueNames` structure use this instead:
      ##    (&(uniquemember={dn})(objectclass=groupOfUniqueNames))
      groups_filter: ""

      ## The attribute holding the name of the group
      group_name_attribute: ""

      ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
      ## first one returned by the LDAP server is used.
      mail_attribute: ""

      ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
      display_name_attribute: ""

      ## Follow referrals returned by the server.
      ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
      permit_referrals: false

      ## WARNING: This option is strongly discouraged. Please consider disabling unauthenticated binding to your LDAP
      ## server and utilizing a service account.
      permit_unauthenticated_bind: false

      ## This option is strongly discouraged. If enabled it will ignore errors looking up the RootDSE for supported
      ## controls/extensions.
      permit_feature_detection_failure: false

      ## The username of the admin user.
      user: CN=Authelia,DC=example,DC=com

    ##
    ## File (Authentication Provider)
    ##
    ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
    ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
    ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
    ## implications it is highly recommended you leave the default values. Before considering changing these settings
    ## please read the docs page: https://www.authelia.com/reference/guides/passwords/#tuning
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    file:
      enabled: false
      path: /config/users_database.yml
      watch: true
      search:
        email: false
        case_insensitive: false
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16
        scrypt:
          iterations: 16
          block_size: 8
          parallelism: 1
          key_length: 32
          salt_length: 16
        pbkdf2:
          variant: sha512
          iterations: 310000
          salt_length: 16
        sha2crypt:
          variant: sha512
          iterations: 50000
          salt_length: 16
        bcrypt:
          variant: standard
          cost: 12

  ##
  ## Password Policy Configuration.
  ##
  password_policy:
    ## The standard policy allows you to tune individual settings manually.
    standard:
      enabled: false

      ## Require a minimum length for passwords.
      min_length: 8

      ## Require a maximum length for passwords.
      max_length: 0

      ## Require uppercase characters.
      require_uppercase: true

      ## Require lowercase characters.
      require_lowercase: true

      ## Require numeric characters.
      require_number: true

      ## Require special characters.
      require_special: true

    ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
    zxcvbn:
      enabled: false

      ## Configures the minimum score allowed.
      min_score: 0

  ##
  ## Access Control Configuration
  ##
  ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
  ##
  ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
  ## to anyone. Otherwise restrictions follow the rules defined.
  ##
  ## Note: One can use the wildcard * to match any subdomain.
  ## It must stand at the beginning of the pattern. (example: *.mydomain.com)
  ##
  ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
  ##
  ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
  ##
  ## - 'domain' defines which domain or set of domains the rule applies to.
  ##
  ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
  ##    provided. If provided, the parameter represents either a user or a group. It should be of the form
  ##    'user:<username>' or 'group:<groupname>'.
  ##
  ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
  ##
  ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
  ##   is optional and matches any resource if not provided.
  ##
  ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
  access_control:
    ## Configure the ACL as a Secret instead of part of the ConfigMap.
    secret:
      ## Enables the ACL section being generated as a secret.
      enabled: false

      ## The key in the secret which contains the file to mount.
      key: configuration.acl.yaml

      ## An existingSecret name, if configured this will force the secret to be mounted using the key above.
      existingSecret: ""

    ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
    ## resource if there is no policy to be applied to the user.
    default_policy: deny

    networks: []
    # networks:
    # - name: private
    #   networks:
    #   - 10.0.0.0/8
    #   - 172.16.0.0/12
    #   - 192.168.0.0/16
    # - name: vpn
    #   networks:
    #   - 10.9.0.0/16

    rules: []
    # rules:
    # - domain_regex: '^.*\.example.com$'
    #   policy: bypass
    # - domain: public.example.com
    #   policy: bypass
    # - domain: "*.example.com"
    #   policy: bypass
    #   methods:
    #   - OPTIONS
    # - domain: secure.example.com
    #   policy: one_factor
    #   networks:
    #   - private
    #   - vpn
    #   - 192.168.1.0/24
    #   - 10.0.0.1
    # - domain:
    #   - secure.example.com
    #   - private.example.com
    #   policy: two_factor
    # - domain: singlefactor.example.com
    #   policy: one_factor
    # - domain: "mx2.mail.example.com"
    #   subject: "group:admins"
    #   policy: deny
    # - domain: "*.example.com"
    #   subject:
    #   - "group:admins"
    #   - "group:moderators"
    #   policy: two_factor
    # - domain: dev.example.com
    #   resources:
    #   - "^/groups/dev/.*$"
    #   subject: "group:dev"
    #   policy: two_factor
    # - domain: dev.example.com
    #   resources:
    #   - "^/users/john/.*$"
    #   subject:
    #   - ["group:dev", "user:john"]
    #   - "group:admins"
    #   policy: two_factor
    # - domain: "{user}.example.com"
    #   policy: bypass

  ##
  ## Session Provider Configuration
  ##
  ## The session cookies identify the user once logged in.
  ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
  session:
    ## The name of the session cookie. (default: authelia_session).
    name: authelia_session

    ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
    ## Please read https://www.authelia.com/configuration/session/introduction/#same_site
    same_site: lax

    ## The time in seconds before the cookie expires and session is reset.
    expiration: 1h

    ## The inactivity time in seconds before the session is reset.
    inactivity: 5m

    ## The remember me duration.
    ## Value is in seconds, or duration notation. Value of 0 disables remember me.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to
    ## spy or attack. Currently the default is 1M or 1 month.
    remember_me_duration: 1M

    ##
    ## Redis Provider
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    ## The redis connection details
    redis:
      enabled: true
      enabledSecret: false
      host: redis.databases.svc.cluster.local
      port: 6379

      ## Optional username to be used with authentication.
      # username: authelia
      username: ""

      ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
      database_index: 0

      ## The maximum number of concurrent active connections to Redis.
      maximum_active_connections: 8

      ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
      minimum_idle_connections: 0

      ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
      tls:
        enabled: false

        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

      ## The Redis HA configuration options.
      ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
      high_availability:
        enabled: false
        enabledSecret: false
        ## Sentinel Name / Master Name
        sentinel_name: mysentinel

        ## The Redis Sentinel-specific username. If supplied, authentication will be done via Redis 6+ ACL-based
        ## authentication. If left blank, authentication to sentinels will be done via `requirepass`.
        username: ""

        ## The additional nodes to pre-seed the redis provider with (for sentinel).
        ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
        ## For high availability to be used you must have either defined; the host above or at least one node below.
        nodes: []
        # nodes:
        #   - host: sentinel-0.databases.svc.cluster.local
        #     port: 26379
        #   - host: sentinel-1.databases.svc.cluster.local
        #     port: 26379

        ## Choose the host with the lowest latency.
        route_by_latency: false

        ## Choose the host randomly.
        route_randomly: false

  ##
  ## Regulation Configuration
  ##
  ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done
  ## in a short period of time.
  regulation:
    ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
    max_retries: 3

    ## The time range during which the user can attempt login before being banned. The user is banned if the
    ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    find_time: 2m

    ## The length of time before a banned user can login again. Ban Time accepts duration notation.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ban_time: 5m

  ##
  ## Storage Provider Configuration
  ##
  ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
  storage:
    ##
    ## Local (Storage Provider)
    ##
    ## This stores the data in a SQLite3 Database.
    ## This is only recommended for lightweight non-stateful installations.
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    local:
      enabled: false
      path: /config/db.sqlite3

    ##
    ## MySQL (Storage Provider)
    ##
    ## Also supports MariaDB
    ##
    mysql:
      enabled: false
      host: mysql.databases.svc.cluster.local
      port: 3306
      database: authelia
      username: authelia
      timeout: 5s
      tls:
        enabled: false

        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

    ##
    ## PostgreSQL (Storage Provider)
    ##
    postgres:
      enabled: true
      host: postgres.databases.svc.cluster.local
      port: 5432
      database: authelia
      schema: public
      username: authelia
      timeout: 5s
      tls:
        enabled: false

        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

  ##
  ## Notification Provider
  ##
  ##
  ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration.
  ## The available providers are: filesystem, smtp. You must use one and only one of these providers.
  notifier:
    ## You can disable the notifier startup check by setting this to true.
    disable_startup_check: false

    ##
    ## File System (Notification Provider)
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    filesystem:
      enabled: false
      filename: /config/notification.txt

    ##
    ## SMTP (Notification Provider)
    ##
    ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
    ## [Security] By default Authelia will:
    ##   - force all SMTP connections over TLS including unauthenticated connections
    ##      - use the disable_require_tls boolean value to disable this requirement
    ##        (only works for unauthenticated connections)
    ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
    ##     (configure in tls section)
    smtp:
      enabled: true
      enabledSecret: false
      host: smtp.mail.svc.cluster.local
      port: 25
      timeout: 5s
      username: test
      sender: admin@example.com
      ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
      identifier: localhost
      ## Subject configuration of the emails sent.
      ## {title} is replaced by the text from the notifier
      subject: "[Authelia] {title}"
      ## This address is used during the startup check to verify the email configuration is correct.
      ## It's not important what it is except if your email server only allows local delivery.
      startup_check_address: test@authelia.com

      ## Disables sending HTML formatted emails.
      disable_html_emails: false

      ## By default we require some form of TLS. This disables this check though is not advised.
      disable_require_tls: false

      ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For
      ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is
      ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the
      ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t
      ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for
      ## more information.
      disable_starttls: false

      tls:
        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

  identity_providers:
    oidc:
      ## Enables this in the config map. Currently in beta stage.
      ## See https://www.authelia.com/r/openid-connect/
      enabled: false

      access_token_lifespan: 1h
      authorize_code_lifespan: 1m
      id_token_lifespan: 1h
      refresh_token_lifespan: 90m

      ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
      ## For security reasons it's recommended this option is public_clients_only or always, however always is not
      ## compatible with all clients.
      enforce_pkce: public_clients_only

      ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
      enable_pkce_plain_challenge: false

      ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
      ## security reasons.
      minimum_parameter_entropy: 8

      ## Enables additional debug messages.
      enable_client_debug_messages: false

      ## The issuer_certificate_chain is an optional PEM encoded certificate chain. It's used in conjunction with the
      ## issuer_private_key to sign JWT's. All certificates in the chain must be within the validity period, and every
      ## certificate included must be signed by the certificate immediately after it if provided.
      issuer_certificate_chain: ""
      # issuer_certificate_chain: |
      #   -----BEGIN CERTIFICATE-----
      #   MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
      #   EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
      #   MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
      #   ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
      #   /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
      #   LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
      #   91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
      #   kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
      #   Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
      #   AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
      #   AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
      #   /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
      #   lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
      #   wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
      #   OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
      #   ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
      #   -----END CERTIFICATE-----
      #   -----BEGIN CERTIFICATE-----
      #   MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
      #   EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
      #   MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
      #   ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
      #   zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
      #   5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
      #   kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
      #   ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
      #   Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
      #   AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
      #   Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
      #   kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
      #   71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
      #   HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
      #   D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
      #   2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
      #   qocikt3WAdU^invalid DO NOT USE=
      #   -----END CERTIFICATE-----

      ## Cross-Origin Resource Sharing (CORS) settings.
      cors:
        ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
        # endpoints:
        #    - authorization
        #    - token
        #    - revocation
        #    - introspection
        #    - userinfo
        endpoints: []

        ## List of allowed origins.
        ## Any origin with https is permitted unless this option is configured or the
        ## allowed_origins_from_client_redirect_uris option is enabled.
        # allowed_origins:
        #   - https://example.com
        allowed_origins: []

        ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
        ## provided they have the scheme http or https and do not have the hostname of localhost.
        allowed_origins_from_client_redirect_uris: true

      clients: []
      # clients:
      # -
      ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
      # id: myapp

      ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
      # description: My Application

      ## The client secret is a shared secret between Authelia and the consumer of this client.
      # secret: apple123

      ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
      ## necessary. Read the documentation for more information.
      ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
      # sector_identifier: example.com

      ## Sets the client to public. This should typically not be set, please see the documentation for usage.
      # public: false

      ## The policy to require for this client; one_factor or two_factor.
      # authorization_policy: two_factor

      ## The consent mode controls how consent is obtained.
      # consent_mode: auto

      ## This value controls the duration a consent on this client remains remembered when the consent mode is
      ## configured as 'auto' or 'pre-configured'.
      # pre_configured_consent_duration: 30d

      ## Audience this client is allowed to request.
      # audience: []

      ## Scopes this client is allowed to request.
      # scopes:
      #   - openid
      #   - profile
      #   - email
      #   - groups

      ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
      # redirect_uris:
      #   - https://oidc.example.com/oauth2/callback

      ## Grant Types configures which grants this client can obtain.
      ## It's not recommended to configure this unless you know what you're doing.
      # grant_types:
      #   - refresh_token
      #   - authorization_code

      ## Response Types configures which responses this client can be sent.
      ## It's not recommended to configure this unless you know what you're doing.
      # response_types:
      #   - code

      ## Response Modes configures which response modes this client supports.
      ## It's not recommended to configure this unless you know what you're doing.
      # response_modes:
      #   - form_post
      #   - query
      #   - fragment

      ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
      # userinfo_signing_algorithm: none

##
## Authelia Secret Generator.
##
## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each
## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets)
## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option.
##
secret:
  existingSecret: ""
  # existingSecret: authelia

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  mountPath: /secrets

  excludeVolumeAndMounts: false

  ## Secrets.
  jwt:
    key: JWT_TOKEN
    value: ""
    filename: JWT_TOKEN
  ldap:
    key: LDAP_PASSWORD
    value: ""
    filename: LDAP_PASSWORD
  storage:
    key: STORAGE_PASSWORD
    value: ""
    filename: STORAGE_PASSWORD
  storageEncryptionKey:
    key: STORAGE_ENCRYPTION_KEY
    value: ""
    filename: STORAGE_ENCRYPTION_KEY
  session:
    key: SESSION_ENCRYPTION_KEY
    value: ""
    filename: SESSION_ENCRYPTION_KEY
  duo:
    key: DUO_API_KEY
    value: ""
    filename: DUO_API_KEY
  redis:
    key: REDIS_PASSWORD
    value: ""
    filename: REDIS_PASSWORD
  redisSentinel:
    key: REDIS_SENTINEL_PASSWORD
    value: ""
    filename: REDIS_SENTINEL_PASSWORD
  smtp:
    key: SMTP_PASSWORD
    value: ""
    filename: SMTP_PASSWORD
  oidcPrivateKey:
    key: OIDC_PRIVATE_KEY
    value: ""
    filename: OIDC_PRIVATE_KEY
  oidcHMACSecret:
    key: OIDC_HMAC_SECRET
    value: ""
    filename: OIDC_HMAC_SECRET

  ## HashiCorp Vault Injector configuration.
  vaultInjector:
    ## Enable the vault injector annotations. This will disable secret injection via other means.
    ## To see the annotations and what they do see: https://www.vaultproject.io/docs/platform/k8s/injector/annotations
    ## Annotations with a blank string do not get configured at all.
    ## Additional annotations can be configured via the secret.annotations: {} above.
    ## Secrets are by default rendered in the /secrets directory. Changing this can be done via editing the
    ## secret.mountPath value. You can alter the filenames with the secret.<secretName>.filename values.
    ## Secrets are loaded from vault path specified below with secrets.<secretName>.path values. Its format should be
    ## <SECRET_PATH>:<KEY_NAME>.
    ## Secrets are by default rendered by template suitable for vault KV v1 or database secrets engines. If other used,
    ## it can be overriden per each secret by specifying secrets.<secretName>.templateValue. For example for KV v2
    ## secrets engine would be '{{ with secret "<SECRET_PATH>" }}{{ .Data.data.<KEY_NAME> }}{{ end }}'.
    enabled: false

    ## The vault role to assign via annotations.
    ## Annotation: vault.hashicorp.com/role
    role: authelia

    agent:
      ## Annotation: vault.hashicorp.com/agent-inject-status
      status: update

      ## Annotation: vault.hashicorp.com/agent-configmap
      configMap: ""

      ## Annotation: vault.hashicorp.com/agent-image
      image: ""

      ## Annotation: vault.hashicorp.com/agent-init-first
      initFirst: "false"

      ## Annotation: vault.hashicorp.com/agent-inject-command
      command: "sh -c 'kill HUP $(pidof authelia)'"

      ## Annotation: vault.hashicorp.com/agent-run-as-same-user
      runAsSameUser: "true"

    secrets:
      jwt:
        ## Vault Path to the Authelia JWT secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-jwt
        path: secrets/authelia/jwt:token

        ## Vault template specific to JWT.
        ## Annotation: vault.hashicorp.com/agent-inject-template-jwt
        templateValue: ""

        ## Vault after render command specific to JWT.
        ## Annotation: vault.hashicorp.com/agent-inject-command-jwt
        command: ""
      ldap:
        ## Vault Path to the Authelia LDAP secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-ldap
        path: secrets/authelia/ldap:password

        ## Vault template specific to LDAP.
        ## Annotation: vault.hashicorp.com/agent-inject-template-ldap
        templateValue: ""

        ## Vault after render command specific to LDAP.
        ## Annotation: vault.hashicorp.com/agent-inject-command-ldap
        command: ""
      storage:
        ## Vault Path to the Authelia storage password secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-storage
        path: secrets/authelia/storage:password

        ## Vault template specific to the storage password.
        ## Annotation: vault.hashicorp.com/agent-inject-template-storage
        templateValue: ""

        ## Vault after render command specific to the storage password.
        ## Annotation: vault.hashicorp.com/agent-inject-command-storage
        command: ""
      storageEncryptionKey:
        ## Vault Path to the Authelia storage encryption key secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-storage-encryption-key
        path: secrets/authelia/storage:encryption_key

        ## Vault template specific to the storage encryption key.
        ## Annotation: vault.hashicorp.com/agent-inject-template-storage-encryption-key
        templateValue: ""

        ## Vault after render command specific to the storage encryption key.
        ## Annotation: vault.hashicorp.com/agent-inject-command-storage-encryption-key
        command: ""
      session:
        ## Vault Path to the Authelia session secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-session
        path: secrets/authelia/session:encryption_key

        ## Vault template specific to session.
        ## Annotation: vault.hashicorp.com/agent-inject-template-session
        templateValue: ""

        ## Vault after render command specific to session.
        ## Annotation: vault.hashicorp.com/agent-inject-command-session
        command: ""
      duo:
        ## Vault Path to the Authelia duo secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-duo
        path: secrets/authelia/duo:api_key

        ## Vault template specific to duo.
        ## Annotation: vault.hashicorp.com/agent-inject-template-duo
        templateValue: ""

        ## Vault after render command specific to duo.
        ## Annotation: vault.hashicorp.com/agent-inject-command-duo
        command: ""
      redis:
        ## Vault Path to the Authelia redis secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-redis
        path: secrets/authelia/redis:password

        ## Vault template specific to redis.
        ## Annotation: vault.hashicorp.com/agent-inject-template-redis
        templateValue: ""

        ## Vault after render command specific to redis.
        ## Annotation: vault.hashicorp.com/agent-inject-command-redis
        command: ""
      redisSentinel:
        ## Vault Path to the Authelia redis sentinel secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-redis-sentinel
        path: secrets/authelia/redis_sentinel:password

        ## Vault template specific to redis sentinel.
        ## Annotation: vault.hashicorp.com/agent-inject-template-redis-sentinel
        templateValue: ""

        ## Vault after render command specific to redis sentinel.
        ## Annotation: vault.hashicorp.com/agent-inject-command-redis-sentinel
        command: ""
      smtp:
        ## Vault Path to the Authelia SMTP secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-smtp
        path: secrets/authelia/smtp:password

        ## Vault template specific to SMTP.
        ## Annotation: vault.hashicorp.com/agent-inject-template-smtp
        templateValue: ""

        ## Vault after render command specific to SMTP.
        ## Annotation: vault.hashicorp.com/agent-inject-command-smtp
        command: ""
      oidcPrivateKey:
        ## Vault Path to the Authelia OIDC private key secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-private-key
        path: secrets/authelia/oidc:private_key

        ## Vault template specific to OIDC private key.
        ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-private-key
        templateValue: ""

        ## Vault after render command specific to OIDC private key.
        ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-private-key
        command: ""
      oidcHMACSecret:
        ## Vault Path to the Authelia OIDC HMAC secret.
        ## Annotation: vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret
        path: secrets/authelia/oidc:hmac_secret

        ## Vault template specific to OIDC HMAC secret.
        ## Annotation: vault.hashicorp.com/agent-inject-template-oidc-hmac-secret
        templateValue: ""

        ## Vault after render command specific to OIDC HMAC secret.
        ## Annotation: vault.hashicorp.com/agent-inject-command-oidc-hmac-secret
        command: ""

certificates:
  existingSecret: ""
  # existingSecret: authelia

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  values: []
  # values:
  # - name: Example_Com_Root_Certificate_Authority_B64.pem
  #   secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
  # - name: Example_Com_Root_Certificate_Authority.pem
  #   value: |
  #     -----BEGIN CERTIFICATE-----
  #     MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
  #     A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
  #     Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
  #     MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
  #     A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
  #     hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
  #     RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
  #     gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
  #     KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
  #     QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
  #     XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
  #     DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
  #     LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
  #     RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
  #     jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
  #     6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
  #     mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
  #     Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
  #     WD9f
  #     -----END CERTIFICATE-----

##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  readOnly: false
  subPath: ""

  existingClaim: ""
  # existingClaim: my-claim-name

  storageClass: ""
  # storageClass: "my-storage-class"

  accessModes:
    - ReadWriteOnce

  size: 100Mi

  selector: {}
---
## @formatter:off
## values.local.yaml
##
## Repository: authelia https://charts.authelia.com
## Chart: authelia
##
## This values file is designed for a StatefulSet deployment with a single pod. It is not intended for production environments
## It uses the following providers:
##   - authentication: file (yaml)
##   - storage: local (SQLite3)
##   - session: memory
##   - notification: filesystem (yaml)

## Version Override allows changing some chart characteristics that render only on specific versions.
## This does NOT affect the image used, please see the below image section instead for this.
## If this value is not specified, it's assumed the appVersion of the chart is the version.
## The format of this value  is x.x.x, for example 4.100.0.
##
## Important Points:
##   - No guarantees of support for prior versions is given. The chart is intended to be used with the AppVersion.
##   - Does not and will not support any version prior to 4.30.0 due to a significant refactor of the configuration
##     system.
versionOverride: ""

## Image Parameters
## ref: https://hub.docker.com/r/authelia/authelia/tags/
##
image:
  # registry: docker.io
  registry: ghcr.io
  repository: authelia/authelia
  tag: ""
  pullPolicy: IfNotPresent
  pullSecrets: []
  # pullSecrets:
  #   - myPullSecretName

# nameOverride: authelia-deployment-name
# appNameOverride: authelia

##
## extra labels/annotations applied to all resources
##
annotations: {}
# annotations:
#   myAnnotation: myValue

labels: {}
# labels:
#   myLabel: myValue

##
## RBAC Configuration.
##
rbac:
  ## Enable RBAC. Turning this on associates Authelia with a service account.
  ## If the vault injector is enabled, then RBAC must be enabled.
  enabled: false

  annotations: {}
  labels: {}

  serviceAccountName: authelia

## Authelia Domain
## Should be the root domain you want to protect.
## For example if you have apps app1.example.com and app2.example.com it should be example.com
## This affects the ingress (partially sets the domain used) and configMap.
## Authelia must be served from the domain or a subdomain under it.
domain: lino.cooking

service:
  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  port: 80

  # clusterIP:

ingress:
  enabled: false

  annotations: {}
  # annotations:
  #   kubernetes.io/ingress.class: nginx
  #   kubernetes.io/tls-acme: "true"

  labels: {}
  # labels:
  #   myLabel: myValue

  certManager: false
  rewriteTarget: true

  ## The Ingress Class Name.
  # className: ingress-nginx

  ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart.
  ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain,
  ## and specify example.com for the domain.
  subdomain: authelia

  tls:
    enabled: true
    secret: authelia-tls

    # hostNameOverride:

  traefikCRD:
    enabled: false

    ## Use a standard Ingress object, not an IngressRoute.
    disableIngressRoute: false

    # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)

    entryPoints: []
    # entryPoints:
    # - http

    # priority: 10

    # weight: 10

    sticky: false

    # stickyCookieNameOverride: authelia_traefik_lb

    # strategy: RoundRobin

    # responseForwardingFlushInterval: 100ms

    middlewares:
      auth:
        # nameOverride: authelia-auth
        authResponseHeaders:
          - Remote-User
          - Remote-Name
          - Remote-Email
          - Remote-Groups

      chains:
        auth:
          # nameOverride: authelia-auth-chain

          # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain.
          before: []
          # before:
          # - name: extra-middleware-name
          #   namespace: default

          # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain.
          after: []
          # after:
          # - name: extra-middleware-name
          #   namespace: default

        ingressRoute:
          # List of Middlewares to apply before the middleware in the IngressRoute chain.
          before: []
          # before:
          # - name: extra-middleware-name
          #   namespace: default

          # List of Middlewares to apply after the middleware in the IngressRoute chain.
          after: []
          # after:
          # - name: extra-middleware-name
          #   namespace: default

    # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used.
    tls:
      ## Disables inclusion of the IngressRoute TLSOptions.
      disableTLSOptions: false
      #   existingOptions:
      #     name: default-traefik-options
      #     namespace: default
      #   certResolver: default
      #   sans:
      #     - *.example.com
      #
      options:
        # nameOverride: authelia-tls-options
        nameOverride: ""

        minVersion: VersionTLS12
        maxVersion: VersionTLS13
        sniStrict: false
        cipherSuites:
          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
          - TLS_RSA_WITH_AES_256_GCM_SHA384
        curvePreferences: []
        # curvePreferences:
        # - CurveP521
        # - CurveP384

pod:
  # Must be Deployment, DaemonSet, or StatefulSet.
  kind: StatefulSet

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  replicas: 1
  revisionHistoryLimit: 5

  strategy:
    type: RollingUpdate
    # rollingUpdate:
    #   partition: 1
    #   maxSurge: 25%
    #   maxUnavailable: 25%

  securityContext:
    container: {}
    # container:
    #   runAsUser: 2000
    #   runAsGroup: 2000
    #   fsGroup: 2000
    pod: {}
    # pod:
    #   readOnlyRootFilesystem: true
    #   allowPrivilegeEscalation: false
    #   privileged: false

  tolerations: []
  # tolerations:
  # - key: key1
  #   operator: Equal
  #   value: value1
  #   effect: NoSchedule
  #   tolerationSeconds: 3600

  selectors:
    #   nodeName: worker-1

    nodeSelector: {}
    # nodeSelector:
    #   disktype: ssd
    #   kubernetes.io/hostname: worker-1

    affinity:
      nodeAffinity: {}
      # nodeAffinity:
      #   requiredDuringSchedulingIgnoredDuringExecution:
      #     nodeSelectorTerms:
      #     - matchExpressions:
      #       - key: kubernetes.io/hostname
      #         operator: In
      #         values:
      #         - worker-1
      #         - worker-2
      #   preferredDuringSchedulingIgnoredDuringExecution:
      #   - weight: 1
      #     preference:
      #       matchExpressions:
      #       - key: node-label-key
      #         operator: NotIn
      #         values:
      #         - not-this
      podAffinity: {}
      # podAffinity:
      #   requiredDuringSchedulingIgnoredDuringExecution:
      #   - labelSelector:
      #       matchExpressions:
      #       - key: security
      #         operator: In
      #         values:
      #         - S1
      #     topologyKey: topology.kubernetes.io/zone
      podAntiAffinity: {}
      # podAntiAffinity:
      #     preferredDuringSchedulingIgnoredDuringExecution:
      #     - weight: 100
      #       podAffinityTerm:
      #         labelSelector:
      #           matchExpressions:
      #           - key: security
      #             operator: In
      #             values:
      #             - S2
      #         topologyKey: topology.kubernetes.io/zone

  env: []
  # env:
  # - name: TZ
  #   value: Australia/Melbourne

  resources:
    limits: {}
    # limits:
    #   cpu: "4.00"
    #   memory: 125Mi
    requests: {}
    # requests:
    #   cpu: "0.25"
    #   memory: 50Mi

  probes:
    method:
      httpGet:
        path: /api/health
        port: http
        scheme: HTTP

    liveness:
      initialDelaySeconds: 0
      periodSeconds: 30
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    readiness:
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    ## Note: Startup Probes are a Kubernetes feature gate which must be manually enabled pre-1.18.
    ## Ref: https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/
    startup:
      initialDelaySeconds: 10
      periodSeconds: 5
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 6

  extraVolumeMounts: []
  extraVolumes: []

##
## Kubernetes Pod Disruption Budget
##
podDisruptionBudget:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  # minAvailable: 1
  # maxUnavailable: 1

##
## Kubernetes Network Policy
##
networkPolicy:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              authelia.com/network-policy: namespace
        - podSelector:
            matchLabels:
              authelia.com/network-policy: pod
      ports:
        - protocol: TCP
          port: 9091

##
## Authelia Config Map Generator
##
configMap:
  # Enable the configMap source for the Authelia config.
  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
  enabled: true

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  key: configuration.yaml

  existingConfigMap: ""

  ##
  ## Server Configuration
  ##
  server:
    ##
    ## Port sets the configured port for the daemon, service, and the probes.
    ## Default is 9091 and should not need to be changed.
    ##
    port: 9091

    ## Set the single level path Authelia listens on.
    ## Must be alphanumeric chars and should not contain any slashes.
    path: "authelia"

    ## Set the path on disk to Authelia assets.
    ## Useful to allow overriding of specific static assets.
    # asset_path: /config/assets/
    asset_path: ""

    ## Customize Authelia headers.
    headers:
      ## Read the Authelia docs before setting this advanced option.
      ## https://www.authelia.com/configuration/miscellaneous/server/#csp_template.
      csp_template: ""

    ## Server Buffers configuration.
    buffers:
      ## Read buffer.
      read: 4096

      ## Write buffer.
      write: 4096

    ## Server Timeouts configuration.
    timeouts:
      ## Read timeout.
      read: 6s

      ## Write timeout.
      write: 6s

      ## Idle timeout.
      idle: 30s

  log:
    ## Level of verbosity for logs: info, debug, trace.
    level: info

    ## Format the logs are written as: json, text.
    format: text

    ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
    ## File path where the logs will be written. If not set logs are written to stdout.
    # file_path: /config/authelia.log
    file_path: ""

  ##
  ## Telemetry Configuration
  ##
  telemetry:
    ##
    ## Metrics Configuration
    ##
    metrics:
      ## Enable Metrics.
      enabled: false

      ## The port to listen on for metrics. This should be on a different port to the main server.port value.
      port: 9959

      ## Metrics Server Buffers configuration.
      buffers:
        ## Read buffer.
        read: 4096

        ## Write buffer.
        write: 4096

      ## Metrics Server Timeouts configuration.
      timeouts:
        ## Read timeout.
        read: 6s

        ## Write timeout.
        write: 6s

        ## Idle timeout.
        idle: 30s

      serviceMonitor:
        enabled: false
        annotations: {}
        labels: {}

  ## Default redirection URL
  ##
  ## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
  ## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
  ## in such a case.
  ##
  ## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
  ## Default is https://www.<domain> (value at the top of the values.yaml).
  default_redirection_url: "https://lino.cooking"
  # default_redirection_url: https://example.com

  ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
  ## disabled. This setting must be a method that is enabled.
  ## Options are totp, webauthn, mobile_push.
  default_2fa_method: ""

  theme: light

  ##
  ## TOTP Configuration
  ##
  ## Parameters used for TOTP generation.
  totp:
    ## Disable TOTP.
    disable: false

    ## The issuer name displayed in the Authenticator application of your choice.
    ## Defaults to <domain>.
    issuer: "authelia.com"

    ## The TOTP algorithm to use.
    ## It is CRITICAL you read the documentation before changing this option:
    ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#algorithm
    algorithm: sha1

    ## The number of digits a user has to input. Must either be 6 or 8.
    ## Changing this option only affects newly generated TOTP configurations.
    ## It is CRITICAL you read the documentation before changing this option:
    ## https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#digits
    digits: 6

    ## The period in seconds a one-time password is valid for.
    ## Changing this option only affects newly generated TOTP configurations.
    period: 30

    ## The skew controls number of one-time passwords either side of the current one that are valid.
    ## Warning: before changing skew read the docs link below.
    ## See: https://www.authelia.com/configuration/second-factor/time-based-one-time-password/#input-validation to read the documentation.
    skew: 1

    ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20.
    secret_size: 32

  ##
  ## WebAuthn Configuration
  ##
  ## Parameters used for WebAuthn.
  webauthn:
    ## Disable Webauthn.
    disable: false

    ## Adjust the interaction timeout for Webauthn dialogues.
    timeout: 60s

    ## The display name the browser should show the user for when using Webauthn to login/register.
    display_name: Authelia

    ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device.
    ## Options are none, indirect, direct.
    attestation_conveyance_preference: indirect

    ## User verification controls if the user must make a gesture or action to confirm they are present.
    ## Options are required, preferred, discouraged.
    user_verification: preferred

  ##
  ## NTP Configuration
  ##
  ## This is used to validate the servers time is accurate enough to validate TOTP.
  ntp:
    ## NTP server address.
    address: "time.cloudflare.com:123"

    ## NTP version.
    version: 4

    ## Maximum allowed time offset between the host and the NTP server.
    max_desync: 3s

    ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
    ## set this to true, and can operate in a truly offline mode.
    disable_startup_check: false

    ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
    ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup
    ## will continue regardless of results.
    disable_failure: false

  ##
  ## Duo Push API Configuration
  ##
  ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
  ## "Partner Auth API" in the management panel.
  duo_api:
    enabled: true
    hostname: api-229a51d0.duosecurity.com
    integration_key: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      64376430336633666661663932386161393164343166613366666532633835633639396366356262
      3661313032363032646265663238616331306235373033310a333839626430353730363037626331
      39623965336434306461373062366566383934663030373463303636323734346432643432393938
      3863346161393733660a656131343636626636383030366333303235636666373962666631633663
      32623166383565316565653363366365613835666534386232626262393136356433

    enable_self_enrollment: false

  ##
  ## Authentication Backend Provider Configuration
  ##
  ## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
  ##
  ## The available providers are: `file`, `ldap`. You must use one and only one of these providers.
  authentication_backend:
    ## Password Reset Options.
    password_reset:
      ## Disable both the HTML element and the API for reset password functionality
      disable: false

      ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
      ## functionality.
      custom_url: ""

    ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
    ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
    ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
    ## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
    ## See the below documentation for more information.
    ## Duration Notation docs:  https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ## Refresh Interval docs: https://www.authelia.com/configuration/first-factor/ldap/#refresh-interval
    refresh_interval: 5m

    ##
    ## File (Authentication Provider)
    ##
    ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
    ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
    ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
    ## implications it is highly recommended you leave the default values. Before considering changing these settings
    ## please read the docs page below:
    ## https://www.authelia.com/reference/guides/passwords/#tuning
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    file:
      enabled: true
      path: /config/users_database.yml
      watch: true
      search:
        email: false
        case_insensitive: false
      password:
        algorithm: argon2
        argon2:
          variant: argon2id
          iterations: 3
          memory: 65536
          parallelism: 4
          key_length: 32
          salt_length: 16
        scrypt:
          iterations: 16
          block_size: 8
          parallelism: 1
          key_length: 32
          salt_length: 16
        pbkdf2:
          variant: sha512
          iterations: 310000
          salt_length: 16
        sha2crypt:
          variant: sha512
          iterations: 50000
          salt_length: 16
        bcrypt:
          variant: standard
          cost: 12

  ##
  ## Password Policy Configuration.
  ##
  password_policy:
    ## The standard policy allows you to tune individual settings manually.
    standard:
      enabled: false

      ## Require a minimum length for passwords.
      min_length: 8

      ## Require a maximum length for passwords.
      max_length: 0

      ## Require uppercase characters.
      require_uppercase: true

      ## Require lowercase characters.
      require_lowercase: true

      ## Require numeric characters.
      require_number: true

      ## Require special characters.
      require_special: true

    ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings.
    zxcvbn:
      enabled: false

      ## Configures the minimum score allowed.
      min_score: 0

  ##
  ## Access Control Configuration
  ##
  ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
  ##
  ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
  ## to anyone. Otherwise restrictions follow the rules defined.
  ##
  ## Note: One can use the wildcard * to match any subdomain.
  ## It must stand at the beginning of the pattern. (example: *.mydomain.com)
  ##
  ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
  ##
  ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
  ##
  ## - 'domain' defines which domain or set of domains the rule applies to.
  ##
  ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
  ##    provided. If provided, the parameter represents either a user or a group. It should be of the form
  ##    'user:<username>' or 'group:<groupname>'.
  ##
  ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
  ##
  ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
  ##   is optional and matches any resource if not provided.
  ##
  ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
  access_control:
    ## Configure the ACL as a Secret instead of part of the ConfigMap.
    secret:
      ## Enables the ACL section being generated as a secret.
      enabled: false

      ## The key in the secret which contains the file to mount.
      key: configuration.acl.yaml

      ## An existingSecret name, if configured this will force the secret to be mounted using the key above.
      existingSecret: ""

    ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
    ## resource if there is no policy to be applied to the user.
    default_policy: deny

    networks: []
    # networks:
    # - name: private
    #   networks:
    #   - 10.0.0.0/8
    #   - 172.16.0.0/12
    #   - 192.168.0.0/16
    # - name: vpn
    #   networks:
    #   - 10.9.0.0/16

    rules: []
    # rules:
    # - domain_regex: '^.*\.example.com$'
    #   policy: bypass
    # - domain: public.example.com
    #   policy: bypass
    # - domain: "*.example.com"
    #   policy: bypass
    #   methods:
    #   - OPTIONS
    # - domain: secure.example.com
    #   policy: one_factor
    #   networks:
    #   - private
    #   - vpn
    #   - 192.168.1.0/24
    #   - 10.0.0.1
    # - domain:
    #   - secure.example.com
    #   - private.example.com
    #   policy: two_factor
    # - domain: singlefactor.example.com
    #   policy: one_factor
    # - domain: "mx2.mail.example.com"
    #   subject: "group:admins"
    #   policy: deny
    # - domain: "*.example.com"
    #   subject:
    #   - "group:admins"
    #   - "group:moderators"
    #   policy: two_factor
    # - domain: dev.example.com
    #   resources:
    #   - "^/groups/dev/.*$"
    #   subject: "group:dev"
    #   policy: two_factor
    # - domain: dev.example.com
    #   resources:
    #   - "^/users/john/.*$"
    #   subject:
    #   - ["group:dev", "user:john"]
    #   - "group:admins"
    #   policy: two_factor
    # - domain: "{user}.example.com"
    #   policy: bypass

  ##
  ## Session Provider Configuration
  ##
  ## The session cookies identify the user once logged in.
  ## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
  session:
    ## The name of the session cookie. (default: authelia_session).
    name: authelia_session

    ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
    ## Please read https://www.authelia.com/configuration/session/introduction/#same_site
    same_site: lax

    ## The time in seconds before the cookie expires and session is reset.
    expiration: 1h

    ## The inactivity time in seconds before the session is reset.
    inactivity: 5m

    ## The remember me duration.
    ## Value is in seconds, or duration notation. Value of 0 disables remember me.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ## Longer periods are considered less secure because a stolen cookie will last longer giving attackers more time to
    ## spy or attack. Currently the default is 1M or 1 month.
    remember_me_duration: 1M

  ##
  ## Regulation Configuration
  ##
  ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are done
  ## in a short period of time.
  regulation:
    ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
    max_retries: 3

    ## The time range during which the user can attempt login before being banned. The user is banned if the
    ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    find_time: 2m

    ## The length of time before a banned user can login again. Ban Time accepts duration notation.
    ## See: https://www.authelia.com/configuration/prologue/common/#duration-notation-format
    ban_time: 5m

  ##
  ## Storage Provider Configuration
  ##
  ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
  storage:
    ##
    ## Local (Storage Provider)
    ##
    ## This stores the data in a SQLite3 Database.
    ## This is only recommended for lightweight non-stateful installations.
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    local:
      enabled: true
      path: /config/db.sqlite3

    ##
    ## MySQL (Storage Provider)
    ##
    ## Also supports MariaDB
    ##
    mysql:
      enabled: false
      host: mysql.databases.svc.cluster.local
      port: 3306
      database: authelia
      username: authelia
      timeout: 5s
      tls:
        enabled: false

        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

    ##
    ## PostgreSQL (Storage Provider)
    ##
    postgres:
      enabled: false
      host: postgres.databases.svc.cluster.local
      port: 5432
      database: authelia
      schema: public
      username: authelia
      timeout: 5s
      tls:
        enabled: false

        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

  ##
  ## Notification Provider
  ##
  ##
  ## Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration.
  ## The available providers are: filesystem, smtp. You must use one and only one of these providers.
  notifier:
    ## You can disable the notifier startup check by setting this to true.
    disable_startup_check: false

    ##
    ## File System (Notification Provider)
    ##
    ## Important: Kubernetes (or HA) users must read https://www.authelia.com/overview/authorization/statelessness/
    ##
    filesystem:
      enabled: true
      filename: /config/notification.txt

    ##
    ## SMTP (Notification Provider)
    ##
    ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
    ## [Security] By default Authelia will:
    ##   - force all SMTP connections over TLS including unauthenticated connections
    ##      - use the disable_require_tls boolean value to disable this requirement
    ##        (only works for unauthenticated connections)
    ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
    ##     (configure in tls section)
    smtp:
      enabled: true
      enabledSecret: false
      host: smtp.gmail.com
      port: 25
      timeout: 5s
      username: okulto@gmail.com
      sender: okulto@gmail.com
      ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
      identifier: localhost
      ## Subject configuration of the emails sent.
      ## {title} is replaced by the text from the notifier
      subject: "[Authelia] {title}"
      ## This address is used during the startup check to verify the email configuration is correct.
      ## It's not important what it is except if your email server only allows local delivery.
      startup_check_address: test@authelia.com

      ## Disables sending HTML formatted emails.
      disable_html_emails: false

      ## By default we require some form of TLS. This disables this check though is not advised.
      disable_require_tls: false

      ## Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when they in fact do not. For
      ## security reasons Authelia refuses to send messages to these servers. This option disables this measure and is
      ## enabled AT YOUR OWN RISK. It’s strongly recommended that instead of enabling this option you either fix the
      ## issue with the SMTP server’s configuration or have the administrators of the server fix it. If the issue can’t
      ## be fixed by configuration we recommend lodging an issue with the authors of the SMTP server. See [security] for
      ## more information.
      disable_starttls: false

      tls:
        ## The server subject name to check the servers certificate against during the validation process.
        ## This option is not required if the certificate has a SAN which matches the host option.
        server_name: ""

        ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
        ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
        ## defined by the `certificates_directory` option at the top of the configuration.
        ## It's important to note the public key should be added to the directory, not the private key.
        ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
        ## important to the administrator.
        skip_verify: false

        ## Minimum TLS version for the connection.
        minimum_version: TLS1.2

        ## Maximum TLS version for the connection.
        maximum_version: TLS1.3

  identity_providers:
    oidc:
      ## Enables this in the config map. Currently in beta stage.
      ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap
      enabled: false

      access_token_lifespan: 24h
      authorize_code_lifespan: 1m
      id_token_lifespan: 1h
      refresh_token_lifespan: 90m

      ## Adjusts the PKCE enforcement. Options are always, public_clients_only, never.
      ## For security reasons it's recommended this option is public_clients_only or always, however always is not
      ## compatible with all clients.
      enforce_pkce: public_clients_only

      ## Enables the plain PKCE challenge which is not recommended for security reasons but may be necessary for some clients.
      enable_pkce_plain_challenge: false

      ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
      ## security reasons.
      minimum_parameter_entropy: 8

      ## Enables additional debug messages.
      enable_client_debug_messages: false

      ## Cross-Origin Resource Sharing (CORS) settings.
      cors:
        ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
        # endpoints:
        #    - authorization
        #    - token
        #    - revocation
        #    - introspection
        #    - userinfo
        endpoints: []

        ## List of allowed origins.
        ## Any origin with https is permitted unless this option is configured or the
        ## allowed_origins_from_client_redirect_uris option is enabled.
        # allowed_origins:
        #   - https://example.com
        allowed_origins: []

        ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
        ## provided they have the scheme http or https and do not have the hostname of localhost.
        allowed_origins_from_client_redirect_uris: true

      clients: []
      # clients:
      # -
      ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
      # id: myapp

      ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
      # description: My Application

      ## The client secret is a shared secret between Authelia and the consumer of this client.
      # secret: apple123

      ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
      ## necessary. Read the documentation for more information.
      ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
      # sector_identifier: example.com

      ## Sets the client to public. This should typically not be set, please see the documentation for usage.
      # public: false

      ## The policy to require for this client; one_factor or two_factor.
      # authorization_policy: two_factor

      ## The consent mode controls how consent is obtained.
      # consent_mode: auto

      ## This value controls the duration a consent on this client remains remembered when the consent mode is
      ## configured as 'auto' or 'pre-configured'.
      # pre_configured_consent_duration: 30d

      ## Audience this client is allowed to request.
      # audience: []

      ## Scopes this client is allowed to request.
      # scopes:
      #   - openid
      #   - profile
      #   - email
      #   - groups

      ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
      # redirect_uris:
      # - https://oidc.example.com/oauth2/callback

      ## Grant Types configures which grants this client can obtain.
      ## It's not recommended to configure this unless you know what you're doing.
      # grant_types:
      #   - refresh_token
      #   - authorization_code

      ## Response Types configures which responses this client can be sent.
      ## It's not recommended to configure this unless you know what you're doing.
      # response_types:
      #   - code

      ## Response Modes configures which response modes this client supports.
      ## It's not recommended to configure this unless you know what you're doing.
      # response_modes:
      #   - form_post
      #   - query
      #   - fragment

      ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
      # userinfo_signing_algorithm: none

##
## Authelia Secret Generator.
##
## If both the values and existingSecret are not defined, this chart randomly generates a new secret on each
## install. It is recommended that you use something like sealed-secrets (https://github.com/bitnami-labs/sealed-secrets)
## and use the existingSecrets. All secrets can be stored in a single k8s secret if desired using the key option.
##
secret:
  existingSecret: ""
  # existingSecret: authelia

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  mountPath: /secrets

  excludeVolumeAndMounts: false

  ## Secrets.
  jwt:
    key: JWT_TOKEN
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      66383231323534613333356162333861386461373364393931386135613463386366346339646637
      3965343966396638353732373561633434353639363839350a623635373437306364366439653439
      32316639316130343365306333386162663865616336306330666330376638386364343730333366
      3939366233386364360a336166313938653338323765316437336361343566373766336566383431
      33383438303230613034396438636662623633336166346262343436646164663763386632343635
      62316435323430343138373939356138306630663737303566633632363834363765343734336638
      346666656563383165643134353365636366
    filename: JWT_TOKEN
  storage:
    key: STORAGE_PASSWORD
    value: ""
    filename: STORAGE_PASSWORD
  storageEncryptionKey:
    key: STORAGE_ENCRYPTION_KEY
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      34616664666163636134663461313637313632653265643037303363333832623962323535393834
      6136386263333161663431303761383961346532336133350a653465363238316565376233643231
      32376537366134363139376433656538343338653839363333633239303538366436313039323433
      6662316136393965620a323861376438613466346166396464383836626137653963373964333063
      33363737616365373633333962333563616439666633376130653835326437343832303335393936
      36373431353537313431643465626133623761346465346637396531653236623437303038633034
      383233333036363134343539636337346163
    filename: STORAGE_ENCRYPTION_KEY
  session:
    key: SESSION_ENCRYPTION_KEY
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      39663033343632363637633361353535653864666137343631393736643564623630653030316336
      3166336339386633366133356331633561383363343834390a633431373764653264653862396135
      32376133343737363032303738616563326536313736656137353233643562393031343766623330
      3239333939316438610a633932643233303236396233323737643531393630626230306532623661
      64343335626335376335386562393930313239376363343636633434346236323132353165336235
      65373863336166663239386131376134633139363065353230353331383363613437346338343333
      336335616465376566326139396437623266
    filename: SESSION_ENCRYPTION_KEY
  duo:
    key: DUO_API_KEY
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      62396435646233313330393262346235323365353463396235363934623734626235353761613865
      3931313331653736613562656132613230386232303061660a366566636434633338303336316133
      31626465373135643437633535383739333539376264323032613361643362396638663463663931
      6536613666376137390a343131623338316339613166353333343333393030633239383034643835
      34663133373661366233343738636639343963396334653566653038656535363030343034343339
      3230376136316562363362643962306136396263333463666565
    filename: DUO_API_KEY
  smtp:
    key: SMTP_PASSWORD
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      65623431383465396366306237376634326461313134386631666664383133653261333961393264
      3833303965666665653664343434386662666332353733330a646533303430663631336164646136
      62306163656534663366303362383564663130306663366338343433313338616338363639363137
      6331306132363766300a663134616337656464653531616663356330613836356464326432386136
      64343436393662323063616339323133373762306131313630333431316131626136
    filename: SMTP_PASSWORD
  oidcPrivateKey:
    key: OIDC_PRIVATE_KEY
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      39383635633232393536373832663933326664353964366133653766366536396338303830653361
      6164363362333465643230336562373434613736316336320a343735656566643430353934316633
      36353766383866393065643430626633633366303364636565646438363363333738383862653732
      3562333235356632380a656464346165336633303863643563393762616232626461313830383134
      64653831623365363532643632346231646635356337646537356236616130653933343035366438
      32303130306462396537316566666262666262633261626135356133643636383663333737323831
      30396630316634306133356664363765653831666230393731323830316561373231616638316462
      33616638613035306665303064316532646539623566323062656534333631666136313664393964
      38346634633332316438346162303365313431386364393635653432383538303366653364303764
      61396634303534346331363438393931646536303439313331653239663533363638336365633032
      33326439303038616566616437303536646662626337363766623034663032386166626332366366
      62643738366434323666383065316237346663396161363837313030303161333437323363643032
      30363465333861366635313337336437373830383937613639653465643261613831646631333561
      32383763656562363366386165613563396433343661303264646537623762353338376265636362
      64363066646638393364306162636134336332353235643331656333393361343562636535353039
      32343331383364363162646639646564666639643664643238303861376166336133306534626564
      34613230646432313262326539343765346236333464303030356331646163383464626464383362
      37363233633138303262326539303138313933383234653566633739636466613633356430326632
      32643033306334663331646632396435396664633966363362653333366361623739633761643934
      65376633313635343465333038633962616436383866393566623138303864643464646461303032
      30393034326434346465666261656539366336643166303736363864323739616631316238613432
      65306462303862316434336462313463363139613333663835373563363835363333366465623937
      66306636623061636562646635336565636263393166313136373836333066623133343163636334
      36336438366138663434306239353465633664363033353562316364373466306435666265616166
      31623961373266383639326538366166663637626431313538393237636434323865663530663831
      37356136346462663762326132666331366632666230323932613135353733366632326638313265
      34393837633538623261313936343166656634326562316531643164613761313537383738303836
      65366335316234636163663939633732656237383962636339663334653166633435613463373439
      38646633656363636138613836653039643935646233646166623662346438333863643732313339
      37356638376532376664646231653433343031616133396136643839666237383331653138633065
      35323962346435613166376639363935303535623137366131313635386265643361333666313837
      63313566343936393063303739353933333466363633313661636134653831396361326239646635
      36636431393661623165393964613465393464626235363638316130336232346531333064616164
      63393733653734613430366565366634623262353437346331313965313463396531636138626133
      35366366656631356430343231613765353237613039633534633536353262346434613264303463
      64383462396537323366646664643339646436343938303931353938613130313338386634643466
      64303631383338333334316266343765656163393962393464663164396531346630646431336537
      37663036313966306564613138336263323362663739363931346134383563613362393338396332
      36363437336237623539616133313466663364303066646232303537396662373937333631646163
      37646233313337613830373232313039636365646162333733333664313739353066653632663033
      33646232623834356639363437393036396234316261353864336535646162623937386463643265
      34613439396266663738326532366234303633383438306437363731386263356333366337643537
      30616561666233653730333138343065323863653430373764646265303438346531663738623065
      66346362626336333537363862666162386166386631346138353237613164373565343363353139
      63323539363530633334313830373031613438373638616134336261343565616461666136393562
      35663462303863343163303830393430353733336661353464303839343437616633303939633438
      31356131353035663431393535306364316234646630353666626239313963363437623036383334
      36343762343732636638326632356535323137653062363638316637326331656432646338666537
      63316537353236636537386566303232373134323836616361383433626163393938633239633536
      30653731633134363433613566306538336630336566353734656432363632373430353333343832
      63393936666636646165343762313631336332623362633961303936613666303536366662656438
      37616332643030383665363862633138363264363665313536303933653936636534326261653566
      34303737333064303136306335626533363734373635373432396563363335336366393036396366
      33626237333866343234623031353838646531343061613738313535346134656530616233323335
      36333531313862376664353362613832376333306632346465356534616461653261353739386534
      65656265653362656239653861366130386166613431663066383636366536333565646531636439
      64646231303334346136656631616135633062626631616565383835356564383864306263633535
      33613562363065323262633061656432636265306564613731396630366538366636373235666538
      64626433636166393638613261363436643463643831636363323561343533373637393532326232
      35323437373734653737366631303834346436636562383665376235383861383763393964376431
      35306138636435303636646631326339623136386636356338306366613738353462366139666265
      62333864636234333566313537363965376466633139356462643962393966356336626436613931
      32373963306435303639616666373664363238396164373434333137313464366535646138653730
      32303530623139393561306363356666333966633661653431376434396436663733613139373131
      32346434323137396266623064666130373465303236666363623862646234663965646662643063
      31313736376461383731383863383435336365373938373032353137373764346539636365383334
      39663839656465383435323736613264386636336134643866363436613734393439633361633039
      35316630323661316263643565376336623930303036333064396161333935336463303463333964
      39343137623138326630396138306432376239306135613966653661326130373639303762313966
      36663431663063383730666263343532653264346532626334623039616434613032386366316464
      34373864346632346438383664646332353839356130316634343263666533623138396232326131
      38343264623837663832306566623331623334663965643661306238666138313937636336613662
      64643437306431663762343339306337633361633838343439356331333134623135336463626266
      34656438313235633531313230343161363737303538383735626662356464643835363164383537
      36386437356637323063646338396236383566633061626534363035336535373932633636626266
      33313537653032346266316362373234333638663532666530363535396237376332306631613039
      37306633666165376263623965313965386430323533353138386239386637653336363431613739
      38636530316538366535306461626636353364643764613561663937373766333961373166386330
      30343066316663343639373334343135663866353633623338663238386232626361386563653065
      38303338393833303738636630323665373333306462666562333963306239366365653132663261
      63396465353831633566346561353139313932333534386263353730623035313234663264346636
      62653665653334663430666235613566316365663965373031323663363830396366303735663137
      33356564313239336635663834373065663538306532663238356164313036643333326638353362
      61303863633463616465616366373134653431653330306435366662393639356331386662656462
      39633134643463356539663366383465383538306462653530623565623266363463356561316234
      37623134383435393531613836373461653162373931303565633335313232393832333563626530
      323736633331326537633231376634343534
    filename: OIDC_PRIVATE_KEY
  oidcHMACSecret:
    key: OIDC_HMAC_SECRET
    value: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      35656634383164386136366139656330316531626232656164636564363632343661303638656462
      3937336531613536373832363862303564333832333438300a373666613339653362623263323962
      62393363363330626536316635626164623565383136636462336564306130353232353736656632
      3534333131386664620a633337376231613564333662393033353339363539393431313937386261
      31363433333538346532636636356237393366383531616332626461353261663333333035643666
      31396135643139396133666265393831333638313263636238663363396336343037396339653339
      353662373063636362636331613432343338
    filename: OIDC_HMAC_SECRET

certificates:
  existingSecret: ""
  # existingSecret: authelia

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  values: []
  # values:
  # - name: Example_Com_Root_Certificate_Authority_B64.pem
  #   secretValue: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURYekNDQWtlZ0F3SUJBZ0lMQkFBQUFBQUJJVmhUQ0tJd0RRWUpLb1pJaHZjTkFRRUxCUUF3VERFZ01CNEcKQTFVRUN4TVhSMnh2WW1Gc1UybG5iaUJTYjI5MElFTkJJQzBnVWpNeEV6QVJCZ05WQkFvVENrZHNiMkpoYkZOcApaMjR4RXpBUkJnTlZCQU1UQ2tkc2IySmhiRk5wWjI0d0hoY05NRGt3TXpFNE1UQXdNREF3V2hjTk1qa3dNekU0Ck1UQXdNREF3V2pCTU1TQXdIZ1lEVlFRTEV4ZEhiRzlpWVd4VGFXZHVJRkp2YjNRZ1EwRWdMU0JTTXpFVE1CRUcKQTFVRUNoTUtSMnh2WW1Gc1UybG5iakVUTUJFR0ExVUVBeE1LUjJ4dlltRnNVMmxuYmpDQ0FTSXdEUVlKS29aSQpodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU13bGRwQjVCbmdpRnZYQWc3YUV5aWllL1FWMkVjV3RpSEw4ClJnSkR4N0tLblFSZkpNc3VTK0ZnZ2tiaFVxc01nVWR3Yk4xazBldjFMS01QZ2owTUs2NlgxN1lVaGhCNXV6c1QKZ0hlTUNPRkowbXBpTHg5ZStwWm8zNGtubFRpZkJ0Yyt5Y3NtV1ExejNyREk2U1lPZ3hYRzcxdUwwZ1JneWttbQpLUFpwTy9iTHlDaVI1WjJLWVZjM3JIUVUzSFRnT3U1eUx5NmMrOUM3di9VOUFPRUdNK2lDSzY1VHBqb1djNHpkClFRNGdPc0MwcDZIcHNrK1FMakpnNlZmTHVRU1NhR2psT0NaZ2RiS2ZkLytSRk8rdUlFbjhyVUFWU05FQ01XRVoKWHJpWDc2MTN0MlNhZXI5ZndSUHZtMkw3RFd6Z1ZHa1dxUVBhYnVtRGszRjJ4bW1GZ2hjQ0F3RUFBYU5DTUVBdwpEZ1lEVlIwUEFRSC9CQVFEQWdFR01BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZJL3dTMytvCkxrVWtyazFRK21PYWk5N2kzUnU4TUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFCTFFOdkFVS3IreUF6djk1WlUKUlVtN2xnQUpRYXl6RTRhR0tBY3p5bXZtZExtNkFDMnVwQXJUOWZIeEQ0cS9jMmRLZzhkRWUzamdyMjVzYndNcApqak01UmNPTzVMbFhiS3I4RXBic1U4WXQ1Q1JzdVpSais5eFRhR2RXUG9PNHp6VWh3OGxvL3M3YXdsT3F6SkNLCjZmQmRSb3lWM1hwWUtCb3ZIZDdOQURkQmorMUViZGRUS0pkKzgyY0VIaFhYaXBhMDA5NU1KNlJNRzNOemR2UVgKbWNJZmVnN2pMUWl0Q2h3cy96eXJWUTRQa1g0MjY4TlhTYjdoTGkxOFlJdkRRVkVUSTUzTzl6SnJsQUdvbWVjcwpNeDg2T3lYU2hrRE9PeXlHZU1saEx4UzY3dHRWYjkrRTdnVUpUYjBvMkhMTzAySlFaUjdya3BlRE1kbXp0Y3BICldEOWYKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
  # - name: Example_Com_Root_Certificate_Authority.pem
  #   value: |
  #     -----BEGIN CERTIFICATE-----
  #     MIIDXzCCAkegAwIBAgILBAAAAAABIVhTCKIwDQYJKoZIhvcNAQELBQAwTDEgMB4G
  #     A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNp
  #     Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDkwMzE4MTAwMDAwWhcNMjkwMzE4
  #     MTAwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEG
  #     A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
  #     hvcNAQEBBQADggEPADCCAQoCggEBAMwldpB5BngiFvXAg7aEyiie/QV2EcWtiHL8
  #     RgJDx7KKnQRfJMsuS+FggkbhUqsMgUdwbN1k0ev1LKMPgj0MK66X17YUhhB5uzsT
  #     gHeMCOFJ0mpiLx9e+pZo34knlTifBtc+ycsmWQ1z3rDI6SYOgxXG71uL0gRgykmm
  #     KPZpO/bLyCiR5Z2KYVc3rHQU3HTgOu5yLy6c+9C7v/U9AOEGM+iCK65TpjoWc4zd
  #     QQ4gOsC0p6Hpsk+QLjJg6VfLuQSSaGjlOCZgdbKfd/+RFO+uIEn8rUAVSNECMWEZ
  #     XriX7613t2Saer9fwRPvm2L7DWzgVGkWqQPabumDk3F2xmmFghcCAwEAAaNCMEAw
  #     DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI/wS3+o
  #     LkUkrk1Q+mOai97i3Ru8MA0GCSqGSIb3DQEBCwUAA4IBAQBLQNvAUKr+yAzv95ZU
  #     RUm7lgAJQayzE4aGKAczymvmdLm6AC2upArT9fHxD4q/c2dKg8dEe3jgr25sbwMp
  #     jjM5RcOO5LlXbKr8EpbsU8Yt5CRsuZRj+9xTaGdWPoO4zzUhw8lo/s7awlOqzJCK
  #     6fBdRoyV3XpYKBovHd7NADdBj+1EbddTKJd+82cEHhXXipa0095MJ6RMG3NzdvQX
  #     mcIfeg7jLQitChws/zyrVQ4PkX4268NXSb7hLi18YIvDQVETI53O9zJrlAGomecs
  #     Mx86OyXShkDOOyyGeMlhLxS67ttVb9+E7gUJTb0o2HLO02JQZR7rkpeDMdmztcpH
  #     WD9f
  #     -----END CERTIFICATE-----

##
## Authelia Persistence Configuration.
##
## Useful in scenarios where you need persistent storage.
## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
##
persistence:
  enabled: false

  annotations: {}
  # annotations:
  #   myAnnotation: myValue

  labels: {}
  # labels:
  #   myLabel: myValue

  readOnly: false
  subPath: ""

  existingClaim: ""
  # existingClaim: my-claim-name

  storageClass: ""
  # storageClass: "my-storage-class"

  accessModes:
    - ReadWriteOnce

  size: 100Mi

  selector: {}