├── .buildkite
│   ├── README.md
│   ├── chart_schema.yaml
│   ├── cr.yaml
│   ├── ct.version.yaml
│   ├── ct.yaml
│   ├── hooks
│   │   ├── post-checkout
│   │   └── pre-command
│   ├── pipeline.yaml
│   └── scripts
│       └── pipeline.sh
├── .gitignore
├── .renovaterc
├── .yamllint.yaml
├── LICENSE
├── README.md
└── charts
    └── authelia
        ├── .helmignore
        ├── BREAKING.md
        ├── Chart.yaml
        ├── LICENSE
        ├── README.md
        ├── files
        │   ├── configuration.acl.yaml
        │   ├── configuration.oidc.client.yaml
        │   ├── configuration.oidc.jwk.yaml
        │   └── configuration.server.endpoints.authz.yaml
        ├── templates
        │   ├── NOTES.txt
        │   ├── _authz.tpl
        │   ├── _capabilities.tpl
        │   ├── _hashes.tpl
        │   ├── _helpers.tpl
        │   ├── _ingress.tpl
        │   ├── _k8s.tpl
        │   ├── _misc.tpl
        │   ├── _oidc.tpl
        │   ├── _secrets.tpl
        │   ├── configMap.yaml
        │   ├── deployment.yaml
        │   ├── ingress.yaml
        │   ├── networkPolicy.yaml
        │   ├── persistentVolumeClaim.yaml
        │   ├── podDisruptionBudget.yaml
        │   ├── rbac
        │   │   └── serviceAccount.yaml
        │   ├── secret.yaml
        │   ├── secretACL.yaml
        │   ├── secretCertificates.yaml
        │   ├── service.yaml
        │   ├── serviceMonitor.yaml
        │   ├── traefikCRD
        │   │   ├── ingressRoute.yaml
        │   │   ├── middlewares.yaml
        │   │   └── tlsOption.yaml
        │   ├── validations.configMap.check.yaml
        │   ├── validations.general.check.yaml
        │   ├── validations.secrets.check.yaml
        │   └── validations.versions.check.yaml
        ├── values.local.yaml
        └── values.yaml

--------------------------------------------------------------------------------
/.buildkite/README.md:
--------------------------------------------------------------------------------
# Buildkite

This repository uses [Buildkite] for CI/CD. The flow for this pipeline works as follows:

1. Buildkite Cloud executes the command `.buildkite/scripts/pipeline.sh | buildkite-agent pipeline upload`.
2. The script detects various things about the commit and uses `envsubst` to fill `.buildkite/pipeline.yaml` with
   env vars.
3. The script outputs the yaml and pipes it to the `buildkite-agent pipeline upload` command.

This process means that the majority of the pipeline is documented simply by existing in the repository. The only parts
not documented this way are those that contain secret information; these are configured by [hooks], documented below.

## Hooks

[Hooks] can live in two locations: in the home directory of an individual agent, or in the repository. The [hooks]
stored in the repository are all located in the
[.buildkite/hooks](https://github.com/authelia/chartrepo/tree/master/.buildkite) directory. All [hooks] located locally
on individual agents are documented below.

### environment

The environment hook configures the environment using the snippet below, where `abcdef0123456789` stands in for a
valid GitHub access token that has push access to the `gh-pages` branch of the repository and permission to publish
releases for the repository. This file needs to be placed in the `~/hooks` directory (the hooks directory inside the
home of the user running the agent).

```bash
#!/usr/bin/env bash
set -eu

if [[ "${BUILDKITE_PIPELINE_NAME}" == "Charts" ]]; then
  if [[ "${BUILDKITE_STEP_KEY}" == "index" ]] || [[ "${BUILDKITE_STEP_KEY}" == "upload" ]]; then
    echo "--- :sparkles: Setting environment variables"

    export CR_TOKEN="abcdef0123456789"
  fi
fi
```

## Additional Information

The following table lists the files used in CI/CD and their purposes.

|File                          |Purpose                                                |
|:----------------------------:|:-----------------------------------------------------:|
|.yamllint.yaml                |Configuration for linting the yaml aspects of charts   |
|.buildkite/cr.yaml            |Configuration for Chart Releaser                       |
|.buildkite/ct.yaml            |Configuration for Chart Testing (linting tasks)        |
|.buildkite/ct.version.yaml    |Configuration for Chart Testing (version check task)   |
|.buildkite/chart_schema.yaml  |Configuration for checking the Chart.yaml schema       |
|.buildkite/pipeline.yaml      |The Buildkite pipeline template which is envsubst'd    |
|.buildkite/scripts/pipeline.sh|The script to derive env vars to envsubst pipeline.yaml|
|.buildkite/hooks/post-checkout|This hook does tasks directly after the checkout       |
|.buildkite/hooks/pre-command  |This hook does tasks directly before the actual step   |

[hooks]: https://buildkite.com/docs/agent/v3/hooks

[Buildkite]: https://buildkite.com

--------------------------------------------------------------------------------
/.buildkite/chart_schema.yaml:
--------------------------------------------------------------------------------
name: str()
home: str(required=False)
version: str()
apiVersion: str()
appVersion: any(str(), num(), required=False)
description: str()
keywords: list(str(), required=False)
sources: list(str(), required=False)
maintainers: list(include('maintainer'), required=False)
dependencies: list(include('dependency'), required=False)
icon: str(required=False)
engine: str(required=False)
condition: str(required=False)
tags: str(required=False)
deprecated: bool(required=False)
kubeVersion: str(required=False)
annotations: map(str(), str(), required=False)
type: str(required=False)
---
maintainer:
  name: str()
  email: str(required=False)
  url: str(required=False)
---
dependency:
  name: str()
  version: str()
  repository: str()
  condition: str(required=False)
  tags: list(str(), required=False)
  enabled: bool(required=False)
  import-values: any(list(str()), list(include('import-value')), required=False)
  alias: str(required=False)
---
import-value:
  child: str()
  parent: str()

--------------------------------------------------------------------------------
/.buildkite/cr.yaml:
--------------------------------------------------------------------------------
charts-repo: https://charts.authelia.com
owner: authelia
git-repo: chartrepo
git-base-url: https://api.github.com
git-upload-url: https://uploads.github.com
index-path: .cr-index/index.yaml
package-path: .cr-release-packages
pages-branch: gh-pages
release-name-template: "{{ .Name }}-{{ .Version }}"
remote: origin
sign: false

--------------------------------------------------------------------------------
/.buildkite/ct.version.yaml:
--------------------------------------------------------------------------------
chart-dirs:
  - charts
chart-repos:
  - authelia=https://charts.authelia.com
check-version-increment: true
exclude-deprecated: true
excluded-charts: []
remote: origin
since: HEAD
target-branch: master
validate-chart-schema: false
validate-maintainers: false
validate-yaml: false

--------------------------------------------------------------------------------
/.buildkite/ct.yaml:
--------------------------------------------------------------------------------
chart-dirs:
  - charts
chart-repos:
  - authelia=https://charts.authelia.com
check-version-increment: false
chart-yaml-schema: .buildkite/chart_schema.yaml
exclude-deprecated: true
excluded-charts: []
lint-conf: .yamllint.yaml
remote: origin
since: HEAD
target-branch: master
validate-chart-schema: true
validate-maintainers: true
validate-yaml: true

--------------------------------------------------------------------------------
/.buildkite/hooks/post-checkout:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

if [[ "${BUILDKITE_STEP_KEY}" == "lint-version" ]] && [[ "${BUILDKITE_BRANCH}" != "master" ]] && [[ "${CHART_CHANGES}" == "true" ]]; then
  # Buildkite doesn't fetch the master branch when the commit is not on master so we need to do this for CT.
  echo "--- :fork: Fetching repository branch master"

  git fetch --verbose --prune origin master
fi

if [[ "${BUILDKITE_STEP_KEY}" == "index" ]] && [[ "${BUILDKITE_BRANCH}" == "master" ]]; then
  # Buildkite doesn't fetch the gh-pages branch when the commit is against master so we need to do this for CR.
  echo "--- :fork: Fetching repository branch gh-pages"

  git fetch --verbose --prune origin gh-pages
fi

if [[ "${BUILDKITE_STEP_KEY}" == "index" ]] || [[ "${BUILDKITE_STEP_KEY}" == "upload" ]]; then
  echo "--- :sparkles: Setting git remote"
  git remote set-url origin https://github.com/authelia/chartrepo.git
fi

--------------------------------------------------------------------------------
/.buildkite/hooks/pre-command:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eu

if [[ "${BUILDKITE_STEP_KEY}" == "index" ]]; then
  echo "--- :tada: Configuring git user"

  git config user.name "Authelia[bot]"
  git config user.email "autheliabot@users.noreply.github.com"
fi

if [[ "${BUILDKITE_STEP_KEY}" == "upload" ]] || [[ "${BUILDKITE_STEP_KEY}" == "index" ]]; then
  echo "--- :arrow_down: Downloading artifacts"

  rm -rf .cr-release-packages .cr-index
  mkdir -p .cr-release-packages .cr-index

  buildkite-agent artifact download .cr-release-packages/* .cr-release-packages
fi
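The Buildkite README above explains that `.buildkite/scripts/pipeline.sh` derives `CHART_CHANGES` from the commit and then `envsubst`s it into `pipeline.yaml`; every later step is gated on that single value. The following Python is an added example, not part of the chartrepo repository, that mirrors the script's change-detection filter and template substitution so the gating can be checked offline. The function names, the `SAMPLE_CHANGED_PATHS` list and the `render_pipeline` helper are this example's own; only the path pattern and the `HEAD~1` / `merge-base --fork-point` refs come from the script itself.

```python
"""Mirror of the CHART_CHANGES derivation in .buildkite/scripts/pipeline.sh (added example)."""
import re
import string
import subprocess

# Same path filter as the sed expression in pipeline.sh. The sed pattern leaves the
# dots unescaped (so '.' matches any character); here they are escaped, which is the
# stricter reading of the same list of chart files.
CHART_CHANGE_PATTERN = re.compile(
    r"^charts/[a-zA-Z0-9-]+/"
    r"(templates/.*|crds/.*|Chart\.yaml|values\.yaml|values\.schema\.json|LICENSE|README\.md)"
)

# Constructed sample of `git diff --name-only` output; not taken from a real commit.
SAMPLE_CHANGED_PATHS = [
    ".buildkite/ct.yaml",
    "charts/authelia/templates/deployment.yaml",
    "charts/authelia/BREAKING.md",
]


def chart_changes(changed_paths):
    """Return the string pipeline.sh exports as CHART_CHANGES.

    In the script, `sed -rn '/.../{q1}'` exits 1 on the first matching line, so the
    `&& echo false || echo true` tail prints 'true' exactly when some path matches.
    """
    return "true" if any(CHART_CHANGE_PATTERN.search(p) for p in changed_paths) else "false"


def base_ref_for_branch(branch):
    """pipeline.sh diffs against HEAD~1 on master, otherwise against the fork point from origin/master.

    Only meaningful inside a git checkout (assumption: origin/master is fetched).
    """
    if branch == "master":
        return "HEAD~1"
    fork = subprocess.run(
        ["git", "merge-base", "--fork-point", "origin/master"],
        capture_output=True, text=True, check=True,
    )
    return fork.stdout.strip()


def changed_paths_from_git(base_ref):
    """Changed file names relative to base_ref, as `git diff --name-only <base_ref>` reports them."""
    out = subprocess.run(
        ["git", "diff", "--name-only", base_ref],
        capture_output=True, text=True, check=True,
    )
    return [line for line in out.stdout.splitlines() if line]


def render_pipeline(template_text, chart_changes_value):
    """Stand-in for `envsubst < .buildkite/pipeline.yaml` that fills ${CHART_CHANGES} only.

    safe_substitute leaves any other $-placeholder untouched, which is stricter than
    envsubst (envsubst expands every environment variable it finds in the template).
    """
    return string.Template(template_text).safe_substitute(CHART_CHANGES=chart_changes_value)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; in CI the paths would come from
    # changed_paths_from_git(base_ref_for_branch(os.environ["BUILDKITE_BRANCH"])).
    value = chart_changes(SAMPLE_CHANGED_PATHS)
    print(render_pipeline("env:\n  CHART_CHANGES: ${CHART_CHANGES}\n", value))
```

One thing the mirrored pattern makes visible: only `templates/`, `crds/`, `Chart.yaml`, `values.yaml`, `values.schema.json`, `LICENSE` and `README.md` under a chart directory count as a chart change, so edits confined to `charts/authelia/files/` or `BREAKING.md` leave `CHART_CHANGES` at `false` and skip the lint and package steps on their own.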
--------------------------------------------------------------------------------
/.buildkite/pipeline.yaml:
--------------------------------------------------------------------------------
env:
  CHART_CHANGES: ${CHART_CHANGES}

steps:
  - command: "ct --config .buildkite/ct.version.yaml lint"
    key: "lint-version"
    label: ":helm: Chart Version (Chart Testing)"
    agents:
      charts: "true"
    if: build.branch != "gh-pages" && build.env("CHART_CHANGES") == "true"

  - command: "ct --config .buildkite/ct.yaml lint"
    key: "lint"
    label: ":helm: Linting (Chart Testing)"
    agents:
      charts: "true"
    if: build.branch != "gh-pages" && build.env("CHART_CHANGES") == "true"

  - command: "ct --config .buildkite/ct.yaml list-changed --since HEAD~1 | xargs -n1 cr --config .buildkite/cr.yaml package"
    key: "package-test"
    label: ":package: Package Chart (Chart Releaser)"
    artifact_paths:
      - ".cr-release-packages/*"
    agents:
      charts: "true"
    if: build.branch != "gh-pages" && build.branch != "master" && build.env("CHART_CHANGES") == "true"

  - wait: ~
    continue_on_failure: true
    if: build.branch == "master" && build.env("CHART_CHANGES") == "true"

  - command: "ct --config .buildkite/ct.yaml list-changed --since HEAD~1 | xargs -n1 cr --config .buildkite/cr.yaml package"
    key: "package"
    label: ":package: Package Chart (Chart Releaser)"
    artifact_paths:
      - ".cr-release-packages/*"
    agents:
      charts: "true"
    if: build.branch == "master" && build.env("CHART_CHANGES") == "true"

  - command: "cr --config .buildkite/cr.yaml upload --auto-release"
    key: "upload"
    label: ":github: Deploy Artifacts (Chart Releaser)"
    agents:
      charts: "true"
    depends_on:
      - step: "package"
    if: build.branch == "master" && build.env("CHART_CHANGES") == "true"

  - command: "cr --config .buildkite/cr.yaml index --push"
    key: "index"
    label: ":k8s: Publish Chart Index (Chart Releaser)"
    agents:
      charts: "true"
    depends_on:
      - step: "upload"
    if: build.branch == "master" && build.env("CHART_CHANGES") == "true"

--------------------------------------------------------------------------------
/.buildkite/scripts/pipeline.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

if [[ "${BUILDKITE_BRANCH}" == "master" ]]; then
  export CHART_CHANGES=$(git diff --name-only HEAD~1 | sed -rn '/^charts\/[a-zA-Z0-9-]+\/(templates\/.*|crds\/.*|Chart.yaml|values.yaml|values.schema.json|LICENSE|README.md)/{q1}' && echo false || echo true)
else
  export CHART_CHANGES=$(git diff --name-only `git merge-base --fork-point origin/master` | sed -rn '/^charts\/[a-zA-Z0-9-]+\/(templates\/.*|crds\/.*|Chart.yaml|values.yaml|values.schema.json|LICENSE|README.md)/{q1}' && echo false || echo true)
fi

envsubst < .buildkite/pipeline.yaml

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# CI Paths
.cr-index/
.cr-release-packages/

# Helm
charts/*/charts
charts/*/Chart.lock

# IDE's
.idea
.vscode

--------------------------------------------------------------------------------
/.renovaterc:
--------------------------------------------------------------------------------
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "automerge": false,
  "bumpVersion": "patch",
  "enabledManagers": [
    "helmv3",
    "helm-values"
  ],
  "lockFileMaintenance": {
    "enabled": true
  },
  "rebaseWhen": "auto"
}

--------------------------------------------------------------------------------
/.yamllint.yaml:
--------------------------------------------------------------------------------
---
rules:
  braces:
    min-spaces-inside: 0
    max-spaces-inside: 0
    min-spaces-inside-empty: -1
    max-spaces-inside-empty: -1
  brackets:
    min-spaces-inside: 0
    max-spaces-inside: 0
    min-spaces-inside-empty: -1
    max-spaces-inside-empty: -1
  colons:
    max-spaces-before: 0
    max-spaces-after: 1
  commas:
    max-spaces-before: 0
    min-spaces-after: 1
    max-spaces-after: 1
  comments:
    require-starting-space: true
    min-spaces-from-content: 2
  document-end: disable
  document-start: disable # No --- to start a file
  empty-lines:
    max: 2
    max-start: 0
    max-end: 0
  hyphens:
    max-spaces-after: 1
  indentation:
    spaces: consistent
    indent-sequences: whatever # - list indentation will handle both indentation and without
    check-multi-line-strings: false
  key-duplicates: enable
  line-length: disable # Lines can be any length
  new-line-at-end-of-file: enable
  new-lines:
    type: unix
  trailing-spaces: enable
  truthy:
    level: warning

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!) The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Authelia Helm Chart Repository

[![License](https://img.shields.io/github/license/authelia/chartrepo?style=for-the-badge)](https://opensource.org/licenses/Apache-2.0)
[![Buildkite](https://img.shields.io/buildkite/883807cdeec091e05a9dd6dbbd1eb401f51f360d00e758f49a/master?style=for-the-badge)](https://buildkite.com/authelia/charts)
[![GitHub issues](https://img.shields.io/github/issues-raw/authelia/chartrepo?style=for-the-badge)](https://github.com/authelia/chartrepo/issues?q=is%3Aopen+is%3Aissue)
[![GitHub closed issues](https://img.shields.io/github/issues-closed-raw/authelia/chartrepo?style=for-the-badge)](https://github.com/authelia/chartrepo/issues?q=is%3Aissue+is%3Aclosed)
[![GitHub pull requests](https://img.shields.io/github/issues-pr-raw/authelia/chartrepo?style=for-the-badge)](https://github.com/authelia/chartrepo/pulls?q=is%3Aopen+is%3Apr)
[![GitHub closed pull requests](https://img.shields.io/github/issues-pr-closed-raw/authelia/chartrepo?style=for-the-badge)](https://github.com/authelia/chartrepo/pulls?q=is%3Apr+is%3Aclosed)
[![Discord](https://img.shields.io/discord/707844280412012608?label=discord&style=for-the-badge)](https://discord.authelia.com)
[![Matrix](https://img.shields.io/matrix/authelia-support:matrix.org?label=matrix&style=for-the-badge)](https://matrix.to/#/#authelia-support:matrix.org)

This repository hosts Authelia-specific Helm charts. Currently we only host a single chart, which is still in
development.

## Getting Started

Visit the [Helm Repository](https://charts.authelia.com) for instructions.

--------------------------------------------------------------------------------
/charts/authelia/.helmignore:
--------------------------------------------------------------------------------
# Common
.DS_Store
.git/
.gitignore
.project
.idea
*.tmproj
*.png
docs/
screenshots/
scripts/

# Local
values.personal.yaml

--------------------------------------------------------------------------------
/charts/authelia/BREAKING.md:
--------------------------------------------------------------------------------
# Breaking Changes

During the beta we will generally not document breaking chart changes, but there are exceptions and they are noted
below.

## 0.10.0

This chart will be the required version for 4.39.0 and it has a couple of minor changes to the configuration.

### WebAuthn User Verification

**_This change will cause an error when doing a `helm install` for 4.39.0 if you do not fix it._**

A lot of additional options have been added to the helm chart in 4.39.0; this has resulted in a single option being
reorganized.

Before:

```yaml
configMap:
  webauthn:
    user_verification: 'preferred'
```

After:

```yaml
configMap:
  webauthn:
    selection_criteria:
      user_verification: 'preferred'
```

### Access Control Networks

**_This change will cause an error when doing a `helm install` for 4.39.0 if you do not fix it._**

The networks section in access control has been moved to a definitions section, where the networks can be reused in
multiple places. While Authelia itself maps the old location automatically without the chart, the chart requires this
adjustment for anyone running 4.39.0.

Before:

```yaml
configMap:
  access_control:
    networks:
      - name: 'example'
        networks:
          - '192.168.1.0/24'
          - '192.168.2.20'
          - '2001:db8::/32'
          - '2001:db8:1234:5678::1'
```

After:

```yaml
configMap:
  definitions:
    network:
      example:
        - '192.168.1.0/24'
        - '192.168.2.20'
        - '2001:db8::/32'
        - '2001:db8:1234:5678::1'
```

## 0.9.0

While we have aimed to keep documented backwards compatibility for previous versions of Authelia deployed with the chart,
we have to draw a line with this release. Due to the way the chart was designed, and the introduction of multi-cookie
domains and the new authz endpoints, there are just too many scenarios to handle. We're therefore cutting off support for
prior releases with this chart release, as well as making several quality-of-life breaking changes. This was announced in
several ways and we hope the message got across.

It's difficult for users when we make breaking changes, and this one is unfortunately quite substantial. We're hoping
both that the documentation below will ease this transition and that we've made the best choices possible for any given
scenario.

If you spot any breaking change we've not listed, please let us know respectfully. Unfortunately, due to the gravity of
the changes, there may be breaking changes we have to add to this list. In addition, if you were not aware of the
upcoming breaking changes and had some constructive ideas that you think would have helped, please let us know.

### Validations

Several validations have been added which will programmatically fail the chart installation if they are not satisfied.

### Miscellaneous

The following miscellaneous changes have occurred.

#### Value Key Renames

The following keys have been renamed as part of the deprecations in the Authelia configuration. This is mainly to keep
the configuration examples and values file as consistent as possible.

| Old Value Key                            | New Value Key                   |
|:----------------------------------------:|:-------------------------------:|
| `configMap.session.remember_me_duration` | `configMap.session.remember_me` |

#### Value Key Removals

The following value keys have been removed, with notes. Most of these removals either give a more logical way to
configure these values long term or provide compatibility with the newest features available in v4.38.0.

| Value Key                           | Note                                                                  |
|:-----------------------------------:|:---------------------------------------------------------------------:|
| `domain`                            | Replaced with `configMap.session.cookies` and `ingress.rulesOverride` |
| `configMap.default_redirection_url` | Replaced with `configMap.session.cookies`                             |

#### Default Value Changes

The following default values have changed. Most of these are just to make it easier for users to configure exactly
the option they want rather than having to wrestle the chart into obedience.

| Value Key                                       | Old Default Value | New Default Value |
|:-----------------------------------------------:|:-----------------:|:-----------------:|
| `configMap.session.redis.enabled`               | `true`            | `false`           |
| `configMap.notifier.smtp.enabled`               | `true`            | `false`           |
| `configMap.authentication_backend.ldap.enabled` | `true`            | `false`           |
| `configMap.storage.postgres.enabled`            | `true`            | `false`           |

### Secrets

As originally planned, we've overhauled the secrets configuration, in part to adapt to the new changes and also to make
the feature much easier to understand.

These changes are separated into two distinct elements:

1. The secrets are now local to where they're used in the configuration instead of in a single location.
   1. This has the advantage that if you're, for example, configuring PostgreSQL, you configure the username and
      password at the same time.
2. The implementation specifics have been adjusted so the syntax for all secrets is generally the same.
3. You're able to include varied secrets instead of the single secret like before.

The following section shows a before and after look at the secret generation method.

Before:

```yaml
name:
  key: 'KEY_NAME'
  value: ""
  filename: 'FILE_NAME'
```

After:

```yaml
secret:
  ## Disables this secret allowing you to handle it yourself in any way you see fit.
  disabled: false

  ## Sets the name of the secret to use. The ~ value indicates the internal secret. Value will be mounted into the
  ## '/secrets//' location, where secret_name for ~ is 'internal'.
  secret_name: ~

  ## When using the internal secret this allows setting the value arbitrarily. Only required on the first `helm install`
  ## or `helm upgrade`, after which it's only required to overwrite it.
  value: ''

  ## Key name within the secret which is the mounted location.
  path: 'FILE_NAME'
```

The chart itself is now capable of both generating multiple secrets and utilizing a mix of existing secrets and
generated ones. These settings are configured on a per-configuration-section basis, specifically in the configMap
section. Above is an example of the way a secret is loaded into the Authelia config, and an example usage can be seen
with `.configMap.storage.postgres.password`.

The HashiCorp Vault Injector options have been removed as they should be configurable via the relevant
labels/annotations. If it's unclear how to achieve a specific chart output value that you need for this purpose, please
let us know the specific output you're after in a [discussion](https://github.com/authelia/authelia/discussions) (we are
not experts at HashiCorp Vault, so if you're unsure of the specific output you need you can still ask, but we may just
not be able to help).

In addition you may manually add secrets as you see fit to use with the new templates filter.

The following example should allow turning any option into a secret and dynamically adding the multiline formatting
(in the example we use an indent of 2):

```yaml
configMap:
  exampleValue: '{{ secret "/secrets/path.file" | mindent 2 "|" | msquote }}'
```

### Sessions and Domains

Several breaking changes have occurred to the domains and sessions configuration. We have no plans to support both the
single cookie domain variation and the multi cookie domain variation going forward with Authelia; the former is left
only as a means to prevent a breaking change. As such we're making the hard change now for chart users.
193 | 194 | #### Domain, Default Redirection URL, and Subdomain 195 | 196 | The domain value has been removed and is now part of the session section. Each cookie domain configuration here will 197 | generate relevant manifests such as ingresses. This is so we can properly facilitate the multi-cookie domain 198 | configurations. This also affects the default redirection URL which is no longer supported on 4.38.0 helm installations. 199 | 200 | See below for representations of the YAML changes. 201 | 202 | Before: 203 | 204 | ```yaml 205 | domain: 'example.com' 206 | ingress: 207 | subdomain: 'authelia' 208 | configMap: 209 | default_redirection_url: 'https://www.example.com' 210 | ``` 211 | 212 | After: 213 | 214 | ```yaml 215 | configMap: 216 | session: 217 | cookies: 218 | - domain: 'example.com' 219 | subdomain: 'authelia' 220 | default_redirection_url: 'https://www.example.com' 221 | ``` 222 | 223 | ### OpenID Connect 1.0 Changes 224 | 225 | Several OpenID Connect 1.0 changes have occurred which will not be automatically detected if you're using old values and 226 | may cause an error if you're still using them. 227 | 228 | #### Client Option: id and secret 229 | 230 | Client options `id` and `secret` have been renamed to `client_id` and `client_secert` respectively to closely match the 231 | specification. In addition the `client_secret` must use one of the hash formats (even if it's the `$plaintext$` format). 
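The hash-format requirement above (and the `$plaintext$` discussion under "Client Option: secret" below) is easier to get right with tooling than by hand. The following Python is an added example, not Authelia's or the chart's own code: it generates and verifies a `client_secret` digest in the `$pbkdf2-sha512$<rounds>$<salt>$<checksum>` shape shown in the examples. Labelled assumptions: the salt and checksum fields use "adapted base64" (standard base64 with `+` replaced by `.` and no padding, the passlib convention this format follows), the salt is 16 random bytes, and the default cost is the 310000 iterations seen in the sample digest; `ab64_encode`, `pbkdf2_sha512_digest`, `parse_digest` and `verify` are the example's own names. Confirm a generated digest with Authelia's `authelia crypto hash` subcommands before committing it to a values file.

```python
"""Generate and verify OIDC client_secret digests in the $pbkdf2-sha512$ format.

Added example, not Authelia's code. Encoding assumption (labelled): the salt and checksum
use "adapted base64", i.e. standard base64 with '+' replaced by '.' and padding stripped.
"""
import base64
import hashlib
import hmac
import secrets

# The digest quoted in the notes above; parsed below only to show how the fields split out.
SAMPLE_DIGEST = (
    "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$"
    "JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng"
)
DEFAULT_ROUNDS = 310000  # iteration count used by the sample digest; raise it if your hardware allows
SALT_BYTES = 16          # assumed salt length; the sample digest's salt decodes to 16 bytes

_TO_AB64 = bytes.maketrans(b"+", b".")
_FROM_AB64 = bytes.maketrans(b".", b"+")


def ab64_encode(raw: bytes) -> str:
    """Standard base64 with '+' -> '.' and no '=' padding (assumed passlib convention)."""
    return base64.b64encode(raw).translate(_TO_AB64).rstrip(b"=").decode("ascii")


def ab64_decode(text: str) -> bytes:
    """Inverse of ab64_encode: restore '+' and the padding the base64 decoder requires."""
    data = text.encode("ascii").translate(_FROM_AB64)
    return base64.b64decode(data + b"=" * (-len(data) % 4))


def pbkdf2_sha512_digest(secret: str, rounds: int = DEFAULT_ROUNDS, salt: "bytes | None" = None) -> str:
    """Return '$pbkdf2-sha512$<rounds>$<salt>$<checksum>' for a plaintext client secret."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every secret
    checksum = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha512${rounds}${ab64_encode(salt)}${ab64_encode(checksum)}"


def parse_digest(digest: str) -> tuple:
    """Split a digest into (rounds, salt, checksum); reject anything that is not pbkdf2-sha512."""
    parts = digest.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "pbkdf2-sha512":
        raise ValueError("not a $pbkdf2-sha512$ digest")
    return int(parts[2]), ab64_decode(parts[3]), ab64_decode(parts[4])


def verify(secret: str, digest: str) -> bool:
    """Recompute the checksum with the digest's own salt and rounds, then compare in constant time."""
    rounds, salt, expected = parse_digest(digest)
    actual = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed input for demonstration; never ship a secret that appears in documentation.
    digest = pbkdf2_sha512_digest("insecure_secret")
    print(digest)
    print("verifies:", verify("insecure_secret", digest))
    rounds, salt, checksum = parse_digest(SAMPLE_DIGEST)
    print(f"sample digest: {rounds} rounds, {len(salt)}-byte salt, {len(checksum)}-byte checksum")
```

`verify("insecure_secret", SAMPLE_DIGEST)` is a direct way to check the encoding assumption against the digest quoted in this document; if it returns `False` on your system, trust Authelia's own `authelia crypto hash` output over this example.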
Before:

```yaml
configMap:
  identity_providers:
    oidc:
      clients:
        - id: 'myid'
          secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'
```

After:

```yaml
configMap:
  identity_providers:
    oidc:
      clients:
        - client_id: 'myid'
          client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'
```

#### Client Option: token_endpoint_auth_method

Clients will be forced to use a specific authentication method. By default all clients will use `client_secret_post`;
however, this can be changed using the `token_endpoint_auth_method` parameter for each client. This is probably the most
impactful change as you'll need to consult the documentation for the third-party application to determine what method
it utilizes. Generally speaking `client_secret_post` (also known as in form/body) should work, otherwise it's likely
`client_secret_basic` (also known as header or in header).

Example:

```yaml
configMap:
  identity_providers:
    oidc:
      clients:
        - client_id: 'myid'
          token_endpoint_auth_method: 'client_secret_basic'
```

#### Client Option: secret

The secret must now be prefixed with a hashing prefix. You may choose to prefix it with `$plaintext$` but we strongly
urge users to use a proper hash, as this option will not be permitted in the near future except for clients using the
`client_secret_jwt` authentication method for the `token_endpoint_auth_method` option.

In addition client secrets can now be specified via a path which you've mounted into the Pods. This option is backwards
compatible and allows either specifying it directly as a value or using the dictionary structure. Example with commented
alternatives below.

```yaml
configMap:
  identity_providers:
    oidc:
      clients:
        - client_id: 'example'
          # client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
          client_secret:
            # value: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
            path: '/path/to/secret'
```

#### Client Option: userinfo_signing_algorithm

#### Issuer Keys

The issuer keys have been removed from secrets. The new method of configuring them in a secrets-like fashion is to
enable the template filter and add the relevant template values. This is because we now support multiple issuer keys
with varying algorithms. See below for a representation of the new YAML values format.

Important Notes:

- Usage of the path feature requires that the `configMap.filters.enableTemplating` value is set to true, which is
  considered experimental (however it has proven to be very robust).
- You can now define these values via raw values but it's not recommended.

```yaml
configMap:
  filters:
    enableTemplating: true
  identity_providers:
    oidc:
      issuer_private_keys:
        - key_id: ''
          algorithm: 'RS256'
          use: 'sig'
          key:
            path: '/secrets/oidc.issuer_key.rsa256.pem'
            # value: |
            #   -----BEGIN PRIVATE KEY-----
            #   ....
            #   -----END PRIVATE KEY-----
          certificate_chain:
            path: '/secrets/oidc.issuer_key.rsa256.crt'
            # value: |
            #   -----BEGIN CERTIFICATE-----
            #   .....
            #   -----END CERTIFICATE-----
```

#### Lifespans

The lifespans configuration has drastically changed. See below for representations of the YAML changes.

Before:

```yaml
configMap:
  identity_providers:
    oidc:
      access_token_lifespan: 1h
      authorize_code_lifespan: 1m
      id_token_lifespan: 1h
      refresh_token_lifespan: 90m
```

After:

```yaml
configMap:
  identity_providers:
    oidc:
      lifespans:
        access_token: 1h
        authorize_code: 1m
        id_token: 1h
        refresh_token: 90m
```

## 0.5.0

- Does not support Authelia versions lower than 4.30.0
- Had several changes to the values.yaml file, specifically:
  - `configMap.port` is now `configMap.server.port`
  - `configMap.log_level` is now `configMap.log.level`
  - `configMap.log_format` is now `configMap.log.format`
  - `configMap.log_file_path` is now `configMap.log.file_path`

See the [official migration documentation](https://www.authelia.com/configuration/prologue/migration/#4300)
(not specific to Kubernetes) for more information.
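The key moves listed across the 0.5.0, 0.9.0 and 0.10.0 notes above are mechanical, and a script is less error-prone than editing a large values file by hand. The following Python is an added example, not part of the chart: `migrate_values` takes an old-style values mapping (for instance the result of loading `values.yaml` with PyYAML) and returns a migrated copy plus a list of notes describing what it changed or refused to guess. The function and helper names and the constructed `SAMPLE_OLD_VALUES` are the example's own. It deliberately wraps plaintext client secrets as `$plaintext$` rather than hashing them, and stops on a `definitions.network` name collision, so review the notes before running `helm upgrade`.

```python
"""Rewrite a pre-0.10.0 chart values mapping into the layout the breaking-change notes describe.

Added example, not part of the chart. Covers the renames and moves listed for 0.5.0, 0.9.0
and 0.10.0; anything it cannot resolve safely is raised or reported in the returned notes.
"""
import copy
import json

# Constructed sample of an old-style values file; every key below is one the notes rename or move.
SAMPLE_OLD_VALUES = {
    "domain": "example.com",
    "ingress": {"subdomain": "authelia"},
    "configMap": {
        "port": 9091,
        "log_level": "info",
        "default_redirection_url": "https://www.example.com",
        "session": {"remember_me_duration": "1M"},
        "webauthn": {"user_verification": "preferred"},
        "access_control": {
            "networks": [{"name": "example", "networks": ["192.168.1.0/24", "2001:db8::/32"]}],
        },
        "identity_providers": {
            "oidc": {
                "access_token_lifespan": "1h",
                "authorize_code_lifespan": "1m",
                "id_token_lifespan": "1h",
                "refresh_token_lifespan": "90m",
                "clients": [{"id": "myid", "secret": "insecure_secret"}],
            }
        },
    },
}

# (old dotted path, new dotted path) pairs taken from the notes above.
RENAMES = (
    (("configMap", "port"), ("configMap", "server", "port")),                          # 0.5.0
    (("configMap", "log_level"), ("configMap", "log", "level")),                       # 0.5.0
    (("configMap", "log_format"), ("configMap", "log", "format")),                     # 0.5.0
    (("configMap", "log_file_path"), ("configMap", "log", "file_path")),               # 0.5.0
    (("configMap", "session", "remember_me_duration"), ("configMap", "session", "remember_me")),  # 0.9.0
    (("configMap", "webauthn", "user_verification"),
     ("configMap", "webauthn", "selection_criteria", "user_verification")),            # 0.10.0
) + tuple(
    (("configMap", "identity_providers", "oidc", f"{name}_lifespan"),
     ("configMap", "identity_providers", "oidc", "lifespans", name))                   # 0.9.0 lifespans
    for name in ("access_token", "authorize_code", "id_token", "refresh_token")
)


def _move_key(root: dict, old: tuple, new: tuple, notes: list) -> None:
    """Move root[old...] to root[new...] when the old key exists, creating parents as needed."""
    parent = root
    for key in old[:-1]:
        parent = parent.get(key) if isinstance(parent, dict) else None
        if parent is None:
            return
    if not isinstance(parent, dict) or old[-1] not in parent:
        return
    value = parent.pop(old[-1])
    target = root
    for key in new[:-1]:
        target = target.setdefault(key, {})
    target[new[-1]] = value
    notes.append(f"{'.'.join(old)} -> {'.'.join(new)}")


def migrate_values(values: dict) -> tuple:
    """Return (migrated copy, notes). The input mapping is left untouched."""
    v = copy.deepcopy(values)
    notes = []
    cm = v.setdefault("configMap", {})

    for old, new in RENAMES:
        _move_key(v, old, new, notes)

    # 0.9.0: top-level domain, ingress.subdomain and default_redirection_url become one session cookie.
    domain = v.pop("domain", None)
    subdomain = v.get("ingress", {}).pop("subdomain", None)
    redirect = cm.pop("default_redirection_url", None)
    if domain is not None:
        cookie = {"domain": domain}
        if subdomain:
            cookie["subdomain"] = subdomain
        if redirect:
            cookie["default_redirection_url"] = redirect
        cm.setdefault("session", {}).setdefault("cookies", []).append(cookie)
        notes.append(f"domain/ingress.subdomain/default_redirection_url -> configMap.session.cookies[{domain}]")
    elif subdomain or redirect:
        raise ValueError("ingress.subdomain or default_redirection_url set without a top-level domain; add the cookie by hand")

    # 0.9.0: client id/secret renamed; client_secret must carry a hash prefix, $plaintext$ at minimum.
    oidc = cm.get("identity_providers", {}).get("oidc", {})
    for client in oidc.get("clients", []):
        if "id" in client:
            client["client_id"] = client.pop("id")
        if "secret" in client:
            secret = client.pop("secret")
            if isinstance(secret, str) and not secret.startswith("$"):
                notes.append(f"client {client.get('client_id')}: plaintext secret wrapped as $plaintext$; replace it with a digest")
                secret = "$plaintext$" + secret
            client["client_secret"] = secret

    # 0.10.0: the access_control.networks list becomes the definitions.network mapping.
    networks = cm.get("access_control", {}).pop("networks", None)
    if networks:
        target = cm.setdefault("definitions", {}).setdefault("network", {})
        for entry in networks:
            name = entry["name"]
            if name in target and target[name] != list(entry["networks"]):
                raise ValueError(f"definitions.network.{name} already exists with different contents")
            target[name] = list(entry["networks"])
            notes.append(f"access_control.networks[{name}] -> definitions.network.{name}")
    return v, notes


if __name__ == "__main__":
    migrated, notes = migrate_values(SAMPLE_OLD_VALUES)
    print(json.dumps(migrated, indent=2))
    print("\n".join(notes))
```

Running the migration a second time over its own output changes nothing and produces no notes, which is a useful property to check before applying it to a real values file.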
371 | -------------------------------------------------------------------------------- /charts/authelia/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: authelia 3 | version: 0.10.10 4 | kubeVersion: ">= 1.13.0-0" 5 | description: Authelia is a Single Sign-On Multi-Factor portal for web apps 6 | type: application 7 | keywords: 8 | - SSO 9 | - Authentication 10 | - Security 11 | - Two-Factor 12 | - YubiKey 13 | - Webauthn 14 | - Duo 15 | - TOTP 16 | - Time-based One Time Password 17 | - Push Notifications 18 | - LDAP 19 | home: https://www.authelia.com 20 | sources: 21 | - https://github.com/authelia/chartrepo/tree/master/charts/authelia 22 | - https://www.github.com/authelia/authelia 23 | dependencies: 24 | - name: postgresql 25 | version: ~15.5.11 26 | repository: https://charts.bitnami.com/bitnami 27 | condition: configMap.storage.postgres.deploy 28 | - name: mariadb 29 | version: ~18.2.4 30 | repository: https://charts.bitnami.com/bitnami 31 | condition: configMap.storage.mysql.deploy 32 | - name: redis 33 | version: ~19.6.0 34 | repository: https://charts.bitnami.com/bitnami 35 | condition: configMap.session.redis.deploy 36 | maintainers: 37 | - name: james-d-elliott 38 | email: james-d-elliott@users.noreply.github.com 39 | url: https://github.com/james-d-elliott 40 | icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4 41 | appVersion: 4.39.3 42 | deprecated: false 43 | annotations: {} 44 | -------------------------------------------------------------------------------- /charts/authelia/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 
9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. 
For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright 2020 Authelia 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /charts/authelia/README.md: -------------------------------------------------------------------------------- 1 | # Authelia Chart 2 | 3 | **NOTICE:** This chart is currently a beta. Until it reaches version 1.0.0 it may have regular breaking changes. It is 4 | not recommended at this stage for production environments without manual intervention to check the templated manifests 5 | match your desired state. 6 | 7 | This chart uses api version 2 which is only supported by helm v3+. This chart includes optional Bitnami subcharts to deploy `redis`, `postgresql`, and/or `mariadb`. 8 | 9 | # Breaking Changes 10 | 11 | Breaking changes with this chart should be expected during the v0.x.x versions at any time however we aim to keep the 12 | breaking changes within minor releases i.e. from v0.1.0 to v0.2.0. 
The following versions have notable breaking changes
which users should be aware of:

- [v0.10.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#0100)
- [v0.9.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#090)
- [v0.5.0](https://github.com/authelia/chartrepo/blob/master/charts/authelia/BREAKING.md#050)

# Getting Started

1. Visit https://charts.authelia.com and follow the instructions to install the chart repo.
2. Configure the chart by setting the various [parameters](#parameters), either in a locally downloaded values.yaml or
   in the next step.
3. Install the chart with `helm install authelia authelia/authelia` and optionally set your values with
   `--values values.yaml` or via `--set [parameter]=[value]`.

## Values Files

- **values.yaml:** basic template with no specific feature states enabled.
- **values.production.yaml:** production environments with LDAP (auth), PostgreSQL (storage), SMTP (notification), and
  Redis (session).
- **values.local.yaml:** environments with file (auth), SQLite3 (storage), filesystem (notification), and memory
  (session).

## Expected Minimum Configuration

It is expected you will configure at least the following sections/values:

- The configMap section (the configMap follows a majority of the configuration options
  in [the documentation](https://www.authelia.com/configuration))
  - The `configMap.session.cookies` section contains the domain configuration for the Authelia portal and session
    cookies:
    - The full Authelia URL will be in the format of `https://[<subdomain>.]<domain>[/<subpath>]` (the part within the
      square brackets is omitted if not configured), i.e. a `domain` of `example.com` with an empty `subdomain` yields
      `https://example.com`, and a `subdomain` of `auth` yields `https://auth.example.com`. The `subpath` is also
      optionally included.
    - The `domain` option is required.
    - The `subdomain` option is generally required.
    - The `path` option is generally **_NOT_** required or recommended. Every domain that has this option configured
      MUST have the same value, i.e. you can have one blank and one configured, but all those that are configured must
      be the same; in addition, if it is configured at all, the `configMap.server.path` option must have the same value.

- The following sections require one of the sub-options enabled:
  - The `configMap.storage` section:
    - `postgres`
    - `mysql`
    - `local` (stateful)
  - The `configMap.notifier` section:
    - `smtp`
    - `filesystem` (stateful)
  - The `configMap.authentication_backend` section:
    - `ldap`
    - `file` (stateful)

# Parameters

This documents the parameters in the chart values. As the chart values are quite large, we've split it into sections.

## General

| Parameter               | Description                                            | Default            |
|:-----------------------:|:------------------------------------------------------:|:------------------:|
| image.registry          | The container registry to use when pulling the image   | docker.io          |
| image.repository        | The registry repository to use when pulling the image  | authelia/authelia  |
| image.tag               | The image tag to pull                                  | (latest supported) |
| image.pullSecrets       | The k8s secret names to use for the pullSecrets        | []                 |
| nameOverride            | To be refactored                                       | nil                |
| appNameOverride         | To be refactored                                       | nil                |
| annotations             | A map of extra annotations to add to all manifests     | {}                 |
| labels                  | A map of extra labels to add to all manifests          | {}                 |
| rbac.enabled            | Enable creation of a ServiceAccount to bind to the pod | false              |
| rbac.annotations        | Extra annotations to add to the ServiceAccount         | {}                 |
| rbac.labels             | Extra labels to add to the ServiceAccount              | {}                 |
| rbac.serviceAccountName | The name to use for the ServiceAccount                 | authelia           |
| service.annotations     | Extra annotations to add to the Service                | {}                 |
| service.labels          | Extra labels to add to the Service                     | {}                 |
| service.port            | The exposed port on the ClusterIP Service              | 80                 |
| service.clusterIP       | The ClusterIP to assign to the Service                 | nil                |
| kubeVersionOverride     | Allows overriding the detected Kubernetes version      | nil                |
| kubeDNSDomainOverride   | Allows overriding the default Kubernetes DNS domain    | nil                |

## Pod

| Parameter                                 | Description                                                         | Default       |
|:-----------------------------------------:|:-------------------------------------------------------------------:|:-------------:|
| pod.kind                                  | Configures the kind of pod controller: StatefulSet, Deployment, DaemonSet | DaemonSet |
| pod.annotations                           | Adds annotations specifically to the pod                            | {}            |
| pod.labels                                | Adds labels specifically to the pod                                 | {}            |
| pod.initContainers                        | Adds additional init containers specifically to the pod             | []            |
| pod.replicas                              | Configures the replicas for Deployments/StatefulSets                | 1             |
| pod.revisionHistoryLimit                  | Configures the revisionHistoryLimit                                 | 1             |
| pod.strategy.type                         | Configures the pod's strategy/updateStrategy type                   | RollingUpdate |
| pod.strategy.rollingUpdate.maxSurge       | Configures the pod's rolling update max surge                       | 25%           |
| pod.strategy.rollingUpdate.maxUnavailable | Configures the pod's rolling update max unavailable                 | 25%           |
| pod.strategy.rollingUpdate.partition      | Configures the pod's rolling update partition                       | 1             |
| pod.securityContext.container             | Configures the main container's security context                    | {}            |
| pod.securityContext.pod                   | Configures the pod's security context                               | {}            |
| pod.tolerations                           | Configures the pod's tolerations                                    | []            |
| pod.selectors.nodeSelector                | Configures the pod to select nodes based on node labels             | {}            |
| pod.selectors.affinity.nodeAffinity       | Configures the pod's node affinity                                  | {}            |
| pod.selectors.affinity.podAffinity        | Configures the pod's affinity towards pods already on a node        | {}            |
| pod.selectors.affinity.podAntiAffinity    | Configures the pod's anti-affinity towards pods already on a node   | {}            |
| pod.env                                   | Configures extra environment variables to add to the pod            | []            |
| pod.resources.limits.cpu                  | Configures the resource limit for CPU                               | nil           |
| pod.resources.limits.memory               | Configures the resource limit for memory                            | nil           |
| pod.resources.requests.cpu                | Configures the resource request for CPU                             | nil           |
| pod.resources.requests.memory             | Configures the resource request for memory                          | nil           |

## Ingress

In addition to the below configuration parameters it should be noted that the generated ingress manifests use the values
from configMap.session.cookies to determine how many ingress manifests to generate and how they should be configured.
The configMap.session.cookies value is a list of objects which have some key properties for this purpose: the `domain` is
the suffix of the host, and if configured the `subdomain` is the prefix of the host (separated by a period).
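The host derivation just described, together with the `path` rule from "Expected Minimum Configuration" above, is cheap to check before an install. The following Python is an added example, not chart code: it reads the `configMap.session.cookies` list from a loaded values mapping, returns the hosts the Ingress manifests will carry and the portal URLs in the `https://[<subdomain>.]<domain>[/<path>]` form, and reports violations of the path rule (all configured cookie paths identical and equal to `configMap.server.path`). The function names and the two constructed values fragments are the example's own.

```python
"""Derive Ingress hosts from configMap.session.cookies and check the README's path rule.

Added example, not chart code. Follows the README text: `domain` is the host suffix,
`subdomain` (when set) is prefixed with a period, and any configured `path` must be the
same across cookies and match configMap.server.path.
"""

# Constructed values fragments; only the keys the README describes are used.
VALID_VALUES = {
    "configMap": {
        "session": {
            "cookies": [
                {"domain": "example.com", "subdomain": "auth"},
                {"domain": "example.org"},
            ]
        }
    }
}
BAD_PATH_VALUES = {
    "configMap": {
        "server": {"path": "login"},
        "session": {
            "cookies": [
                {"domain": "example.com", "subdomain": "auth", "path": "authelia"},
                {"domain": "example.org", "path": "sso"},
            ]
        }
    }
}


def _cookies(values: dict) -> list:
    """The cookie list, or an error if the chart would have nothing to generate ingresses for."""
    cookies = values.get("configMap", {}).get("session", {}).get("cookies") or []
    if not cookies:
        raise ValueError("configMap.session.cookies must contain at least one entry")
    return cookies


def cookie_host(cookie: dict) -> str:
    """Host for one cookie entry: [<subdomain>.]<domain>."""
    domain = cookie.get("domain")
    if not domain:
        raise ValueError("every session cookie needs a domain")
    subdomain = cookie.get("subdomain")
    return f"{subdomain}.{domain}" if subdomain else domain


def ingress_hosts(values: dict) -> list:
    """One host per cookie entry, in values order; these drive the generated Ingress manifests."""
    return [cookie_host(c) for c in _cookies(values)]


def portal_urls(values: dict) -> list:
    """https://[<subdomain>.]<domain>[/<path>] for each cookie, as users reach the portal."""
    urls = []
    for cookie in _cookies(values):
        path = (cookie.get("path") or "").strip("/")
        urls.append(f"https://{cookie_host(cookie)}" + (f"/{path}" if path else ""))
    return urls


def check_paths(values: dict) -> list:
    """Problems with `path`; an empty list means the README rule is satisfied."""
    problems = []
    paths = {c["path"] for c in _cookies(values) if c.get("path")}
    if len(paths) > 1:
        problems.append(f"cookies configure different paths: {sorted(paths)}")
    server_path = values.get("configMap", {}).get("server", {}).get("path")
    if paths and server_path not in paths:
        problems.append(f"configMap.server.path is {server_path!r} but cookies use {sorted(paths)}")
    return problems


if __name__ == "__main__":
    for label, values in (("valid", VALID_VALUES), ("bad paths", BAD_PATH_VALUES)):
        print(label, ingress_hosts(values), portal_urls(values), check_paths(values) or "ok")
```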
124 | 125 | | Parameter | Description | Default | 126 | |:---------------------------------------------:|:------------------------------------------------------------------------------------------:|:------------:| 127 | | ingress.enabled | Enable the ingress for any type of proxy integration | false | 128 | | ingress.annotations | Adds annotations specifically to the ingress | {} | 129 | | ingress.labels | Adds labels specifically to the ingress | {} | 130 | | tls.enabled | Enable the tls cert for the ingress | true | 131 | | tls.secret | The tls cert that will be used in the ingress | authelia-tls | 132 | | ingress.traefikCRD.enabled | Enable the traefik for the proxy | false | 133 | | ingress.traefikCRD.disableIngressRoute | The ingress route can be disabled using the value | false | 134 | | ingress.traefikCRD.entryPoints | Entry Points configuration in the ingress route | [] | 135 | | ingress.traefikCRD.sticky | enable the sticky cookie in the ingress route | false | 136 | | ingress.traefikCRD.chains.auth.before | List of Middlewares to apply before the forwardAuth Middleware in the authentication chain | [] | 137 | | ingress.traefikCRD.chains.auth.after | List of Middlewares to apply after the forwardAuth Middleware in the authentication chain | [] | 138 | | ingress.traefikCRD.chains.ingressRoute.before | List of Middlewares to apply before the middleware in the IngressRoute chain | [] | 139 | | ingress.traefikCRD.chains.ingressRoute.after | List of Middlewares to apply after the middleware in the IngressRoute chain | [] | 140 | 141 | ## ConfigMap 142 | 143 | This section only documents the sections that are specific to the helm chart. The majority of this section of the 144 | values.yaml is based on the *Authelia* configuration. See the 145 | [Authelia documentation](https://www.authelia.com/configuration) for more information. 
146 | 147 | | Parameter | Description | Default | 148 | |:-------------------------------------------------------:|:--------------------------------------------------------:|:------------------:| 149 | | configMap.enabled | If true generates the ConfigMap, otherwise it doesn't | true | 150 | | configMap.annotations | Extra annotations to add to the ConfigMap | {} | 151 | | configMap.labels | Extra labels to add to the ConfigMap | {} | 152 | | configMap.key | The key inside the ConfigMap which contains the config | configuration.yaml | 153 | | configMap.existingConfigMap | Instead of generating a ConfigMap refers to an existing | nil | 154 | | configMap.duo_api.enabled | Enables the Duo integration when generating the config | false | 155 | | configMap.authentication_backend.ldap.enabled | Enables LDAP auth when generating the config | true | 156 | | configMap.authentication_backend.file.enabled | Enables file auth when generating the config | false | 157 | | configMap.session.redis.enabled | Enables redis session storage when generating the config | true | 158 | | configMap.session.redis.deploy | Deploy a redis instance | false | 159 | | configMap.session.redis.enabledSecret | Forces redis password auth using a secret if true | false | 160 | | configMap.session.redis.high_availability.enabled | Enables redis sentinel when generating the config | false | 161 | | configMap.session.redis.high_availability.enabledSecret | Forces sentinel password auth using a secret if true | false | 162 | | configMap.storage.local.enabled | Enables the SQLite3 storage provider | false | 163 | | configMap.storage.mysql.enabled | Enables the MySQL storage provider | false | 164 | | configMap.storage.mysql.deploy | Deploy a MariaDB instance | false | 165 | | configMap.storage.postgres.enabled | Enables the PostgreSQL storage provider | true | 166 | | configMap.storage.postgres.deploy | Deploy a PostgreSQL instance | false | 167 | | configMap.notifier.filesystem.enabled | Enables the 
filesystem notification provider | false | 168 | | configMap.notifier.smtp.enabled | Enables the SMTP notification provider | true | 169 | | configMap.notifier.smtp.enabledSecret | Forces smtp password auth using a secret if true | false | 170 | | configMap.identity_providers.oidc.enabled | Enables the OpenID Connect Idp | false | 171 | 172 | If any of `configMap.session.redis.deploy`, `configMap.storage.mysql.deploy` or `configMap.storage.postgres.deploy` are enabled, the corresponding top-level `redis`, `mariadb` or `postgresql` sections must be configured. 173 | For more information, refer to the [Bitnami Redis Chart](https://github.com/bitnami/charts/tree/master/bitnami/redis), [Bitnami MariaDB Chart](https://github.com/bitnami/charts/tree/master/bitnami/mariadb), and [Bitnami PostgreSQL Chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) documentation. 174 | ## Secret 175 | 176 | The secret section defines how the secret values are added to Authelia. All values that can be a secret are forced as 177 | secrets with this chart. There are likely ways around this but we do not recommend it. Most secrets are automatically 178 | and randomly generated if the value is not defined, however we recommend manually generating the secret and mapping the 179 | chart to it so sensitive material isn't leaked. 
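The following script is an added example and is not part of the chart or its documentation. It generates the random
secrets out-of-band, renders a Secret manifest that `secret.existingSecret` can point at, and emits the matching
`secret.*.key` overrides so the chart reads each value from the key it actually lives under. The Secret key names
(`JWT_TOKEN`, `SESSION_ENCRYPTION_KEY`, `STORAGE_ENCRYPTION_KEY`, `OIDC_HMAC_SECRET`) are assumptions chosen for this
example; whatever names you use must be mirrored in `secret.<name>.key`. Passwords for external systems (`ldap`,
`storage`, `smtp`, `redis`) and the Duo key are not random values and have to be added to the same Secret by hand.

```shell
#!/usr/bin/env sh
# Added example: generate Authelia secret material out-of-band and wrap it in a
# Secret that the chart consumes via secret.existingSecret. Nothing here is part
# of the chart; the key names below are assumptions made for this example.
set -eu

# Assumed Secret keys; mirror whatever you choose in secret.<name>.key.
JWT_KEY=JWT_TOKEN
SESSION_KEY=SESSION_ENCRYPTION_KEY
STORAGE_ENC_KEY=STORAGE_ENCRYPTION_KEY
OIDC_HMAC_KEY=OIDC_HMAC_SECRET

# gen_secret BYTES: BYTES of OS randomness, base64-encoded on a single line.
# Refuses fewer than 32 bytes so a typo cannot silently produce a weak key.
gen_secret() {
  bytes="${1:-48}"
  if [ "$bytes" -lt 32 ]; then
    echo "gen_secret: refusing to generate fewer than 32 bytes" >&2
    return 1
  fi
  head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# render_secret_manifest NAME NAMESPACE JWT SESSION STORAGE_ENC OIDC_HMAC
# stringData lets the API server base64-encode on apply; base64 output never
# contains a character that needs escaping inside the double quotes.
render_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
stringData:
  ${JWT_KEY}: "$3"
  ${SESSION_KEY}: "$4"
  ${STORAGE_ENC_KEY}: "$5"
  ${OIDC_HMAC_KEY}: "$6"
EOF
}

# render_values_override NAME: the values fragment that points the chart at the
# Secret above and maps each chart secret to the key it is stored under.
# It contains key names only, no secret material, so it is safe to commit.
render_values_override() {
  cat <<EOF
secret:
  existingSecret: $1
  jwt:
    key: ${JWT_KEY}
  session:
    key: ${SESSION_KEY}
  storageEncryptionKey:
    key: ${STORAGE_ENC_KEY}
  oidcHMACSecret:
    key: ${OIDC_HMAC_KEY}
EOF
}

# main NAME NAMESPACE: writes NAME.secret.yaml (apply with kubectl, never commit)
# and NAME.values.yaml (pass to helm with -f).
main() {
  name="$1"; namespace="$2"
  jwt=$(gen_secret 48); session=$(gen_secret 48)
  storage_enc=$(gen_secret 48); oidc_hmac=$(gen_secret 48)
  umask 077
  render_secret_manifest "$name" "$namespace" "$jwt" "$session" "$storage_enc" "$oidc_hmac" > "$name.secret.yaml"
  render_values_override "$name" > "$name.values.yaml"
  echo "wrote $name.secret.yaml (kubectl apply -f, do not commit) and $name.values.yaml (helm -f)"
}

# Only run when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Usage: `sh gen-authelia-secrets.sh authelia-secrets auth`, then `kubectl apply -f authelia-secrets.secret.yaml` and
`helm upgrade --install ... -f authelia-secrets.values.yaml`. Because the chart no longer renders a Secret of its own,
the material exists only in the Secret you applied, and rotating it is a matter of re-running the script and restarting
the pods.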
180 | 181 | The `*` below can be one of any of the following values: 182 | 183 | - jwt 184 | - ldap 185 | - storage 186 | - storageEncryptionKey 187 | - session 188 | - duo 189 | - redis 190 | - redisSentinel 191 | - smtp 192 | - oidcPrivateKey 193 | - oidcHMACSecret 194 | 195 | | Parameter | Description | Default | 196 | |:---------------------:|:------------------------------------------------------:|:--------:| 197 | | secret.annotations | A map of extra annotations to add to the Secret | {} | 198 | | secret.labels | A map of extra labels to add to the Secret | {} | 199 | | secret.existingSecret | The name of the existing Secret instead of generating | nil | 200 | | secret.mountPath | The path where to mount all of the secrets | /secrets | 201 | | secret.*.key | The key in the secret where the secret value is stored | varies | 202 | | secret.*.value | The value to inject into this secret when generating | nil | 203 | | secret.*.filename | The filename of this secret within the mountPath | varies | 204 | 205 | # TODO 206 | 207 | - CI: 208 | - [ ] helm lint 209 | - [ ] renovate 210 | - [ ] yamllint config 211 | - [ ] [chart-testing](https://github.com/helm/chart-testing) 212 | - [ ] [chart-releaser](https://github.com/helm/chart-releaser) 213 | - [ ] Ensure no changes to the following files can be merged without a version bump to Chart.yaml: 214 | - ./templates/* 215 | - ./values.yaml 216 | - ./values.*.yaml 217 | - ./Chart.lock 218 | - ./README.md 219 | - ./LICENSE 220 | - [ ] Integration Testing 221 | - Chart Kinds: 222 | - [x] Deployment 223 | - [x] Ingress 224 | - TraefikCRD: 225 | - [x] IngressRoute 226 | - [x] Middleware 227 | - Validation: 228 | - [ ] Add validation checks for defined providers (allow one) 229 | - [ ] Add Statefulness validation 230 | - [ ] Setup volumeClaimTemplates for stateful installs 231 | - Ingress: 232 | - [ ] Test ingress-nginx 233 | - [ ] Test traefikCRD tls 234 | - Values Schema: 235 | - Future Notes? 
236 | - [x] https://github.com/CesiumGS/wetzel 237 | - [x] https://github.com/karuppiah7890/helm-schema-gen 238 | - Misc 239 | - [x] updateStrategy 240 | - [ ] docs 241 | - [ ] investigate/implement TLS, including on the probe schemes (have to check if we can inject a ca) 242 | - [x] trusted certs 243 | - [ ] templates/NOTES.txt 244 | - Low Priority (not needed for beta/stable) 245 | - [x] file auth provider (secret - ldap is recommended for k8s) 246 | - [x] local db (pv/pvc - proper db recommended for k8s) 247 | - [x] podSecurityPolicy 248 | - [x] podDisruptionBudget 249 | -------------------------------------------------------------------------------- /charts/authelia/files/configuration.acl.yaml: -------------------------------------------------------------------------------- 1 | access_control: 2 | default_policy: {{ include "authelia.accessControl.defaultPolicy" . | trim | squote }} 3 | {{- if and .Values.configMap.access_control.networks (semverCompare "<4.39.0" (include "authelia.version" $)) }} 4 | networks: 5 | {{- range $network := .Values.configMap.access_control.networks }} 6 | - name: {{ $network.name }} 7 | networks: 8 | {{- if kindIs "string" $network.networks }} 9 | - {{ $network.networks | squote }} 10 | {{- else }} 11 | {{- range $value := $network.networks }} 12 | - {{ $value | squote }} 13 | {{- end }} 14 | {{- end }} 15 | {{- end }} 16 | {{- end }} 17 | {{- if .Values.configMap.access_control.rules }} 18 | rules: 19 | {{- range .Values.configMap.access_control.rules }} 20 | - policy: {{ .policy | default "deny" }} 21 | {{- if .domain }} 22 | domain: 23 | {{- if kindIs "string" .domain }} 24 | - {{ .domain | squote }} 25 | {{- else }} 26 | {{- include "authelia.squote.list" .domain | indent 8 }} 27 | {{- end }} 28 | {{- end }} 29 | {{- if .domain_regex }} 30 | domain_regex: 31 | {{- if kindIs "string" .domain_regex }} 32 | - {{ .domain_regex | squote }} 33 | {{- else }} 34 | {{- include "authelia.squote.list" .domain_regex | indent 8 }} 35 | {{- 
end }} 36 | {{- end }} 37 | {{- if .networks }} 38 | networks: 39 | {{- if kindIs "string" .networks }} 40 | - {{ .networks }} 41 | {{- else }} 42 | {{- range .networks }} 43 | - {{ . }} 44 | {{- end }} 45 | {{- end }} 46 | {{- end }} 47 | {{- if .subject }} 48 | subject: 49 | {{- if kindIs "string" .subject }} 50 | - [{{ .subject | squote }}] 51 | {{- else }} 52 | {{- range .subject }} 53 | - [{{ include "authelia.squote.join" . }}] 54 | {{- end }} 55 | {{- end }} 56 | {{- end }} 57 | {{- if .methods }} 58 | methods: 59 | {{- if kindIs "string" .methods }} 60 | - {{ .methods | squote }} 61 | {{- else }} 62 | {{- range .methods }} 63 | - {{ . | squote }} 64 | {{- end }} 65 | {{- end }} 66 | {{- end }} 67 | {{- if .resources }} 68 | resources: 69 | {{- if kindIs "string" .resources }} 70 | - {{ .resources | squote }} 71 | {{- else }} 72 | {{- range .resources }} 73 | - {{ . | squote }} 74 | {{- end }} 75 | {{- end }} 76 | {{- end }} 77 | {{- end }} 78 | {{- end }} 79 | -------------------------------------------------------------------------------- /charts/authelia/files/configuration.oidc.client.yaml: -------------------------------------------------------------------------------- 1 | - client_id: {{ .Client.client_id | squote }} 2 | client_name: {{ .Client.client_name | default .Client.client_id | squote }} 3 | {{- with (include "authelia.config.oidc.client.client_secret.render" .Client) }} 4 | client_secret: {{ . 
}} 5 | {{- end }} 6 | {{- if .Client.sector_identifier_uri }} 7 | sector_identifier_uri: {{ .Client.sector_identifier_uri | default "" | squote }} 8 | {{- end }} 9 | public: {{ .Client.public | default false }} 10 | {{- if .Client.redirect_uris }} 11 | redirect_uris: 12 | {{- range $redirect_uri := .Client.redirect_uris }} 13 | - {{ $redirect_uri | squote }} 14 | {{- end }} 15 | {{- end }} 16 | {{- if and .Client.request_uris (semverCompare ">=4.38.7" (include "authelia.version" $)) }} 17 | request_uris: 18 | {{- range $request_uri := .Client.request_uris }} 19 | - {{ $request_uri | squote }} 20 | {{- end }} 21 | {{- end }} 22 | {{- if .Client.audience }} 23 | audience: 24 | {{- range $audience := .Client.audience }} 25 | - {{ $audience | squote }} 26 | {{- end }} 27 | {{- end }} 28 | scopes: 29 | {{- range $scope := (.Client.scopes | default (list "openid" "profile" "email" "groups")) }} 30 | - {{ $scope | squote }} 31 | {{- end }} 32 | grant_types: 33 | {{- range $grant_type := (.Client.grant_types | default (list "authorization_code")) }} 34 | - {{ $grant_type | squote }} 35 | {{- end }} 36 | response_types: 37 | {{- range $response_type := (.Client.response_types | default (list "code")) }} 38 | - {{ $response_type | squote }} 39 | {{- end }} 40 | {{- if .Client.response_modes }} 41 | response_modes: 42 | {{- range $response_mode := .Client.response_modes }} 43 | - {{ $response_mode | squote }} 44 | {{- end }} 45 | {{- end }} 46 | authorization_policy: {{ .Client.authorization_policy | default "two_factor" | squote }} 47 | {{- if .Client.lifespan }} 48 | lifespan: {{ .Client.lifespan | squote }} 49 | {{- end }} 50 | {{- if and .Client.claims_policy (semverCompare ">=4.39.0" (include "authelia.version" $)) }} 51 | claims_policy: {{ .Client.claims_policy | squote }} 52 | {{- end }} 53 | {{- if .Client.requested_audience_mode }} 54 | requested_audience_mode: {{ .Client.requested_audience_mode | squote }} 55 | {{- end }} 56 | consent_mode: {{ .Client.consent_mode | 
default "auto" | squote }} 57 | {{- if .Client.pre_configured_consent_duration }} 58 | pre_configured_consent_duration: {{ .Client.pre_configured_consent_duration | squote }} 59 | {{- end }} 60 | require_pushed_authorization_requests: {{ .Client.require_pushed_authorization_requests | default false }} 61 | {{- if .Client.require_pkce }} 62 | {{- else }} 63 | {{- end }} 64 | require_pkce: {{ .Client.require_pkce | default false }} 65 | pkce_challenge_method: {{ (include "authelia.config.oidc.client.pkce_challenge_method" .Client) | squote }} 66 | authorization_signed_response_alg: {{ .Client.authorization_signed_response_alg | default "none" | squote }} 67 | authorization_signed_response_key_id: {{ .Client.authorization_signed_response_key_id | default "" | squote }} 68 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 69 | authorization_encrypted_response_key_id: {{ .Client.authorization_encrypted_response_key_id | default "" | squote }} 70 | authorization_encrypted_response_alg: {{ .Client.authorization_encrypted_response_alg | default "" | squote }} 71 | authorization_encrypted_response_enc: {{ .Client.authorization_encrypted_response_enc | default "" | squote }} 72 | {{- end }} 73 | id_token_signed_response_alg: {{ .Client.id_token_signed_response_alg | default "RS256" | squote }} 74 | id_token_signed_response_key_id: {{ .Client.id_token_signed_response_key_id | default "" | squote }} 75 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 76 | id_token_encrypted_response_key_id: {{ .Client.id_token_encrypted_response_key_id | default "" | squote }} 77 | id_token_encrypted_response_alg: {{ .Client.id_token_encrypted_response_alg | default "" | squote }} 78 | id_token_encrypted_response_enc: {{ .Client.id_token_encrypted_response_enc | default "" | squote }} 79 | {{- end }} 80 | access_token_signed_response_alg: {{ .Client.access_token_signed_response_alg | default "none" | squote }} 81 | access_token_signed_response_key_id: {{ 
.Client.access_token_signed_response_key_id | default "" | squote }} 82 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 83 | access_token_encrypted_response_key_id: {{ .Client.access_token_encrypted_response_key_id | default "" | squote }} 84 | access_token_encrypted_response_alg: {{ .Client.access_token_encrypted_response_alg | default "" | squote }} 85 | access_token_encrypted_response_enc: {{ .Client.access_token_encrypted_response_enc | default "" | squote }} 86 | {{- end }} 87 | userinfo_signed_response_alg: {{ .Client.userinfo_signed_response_alg | default "none" | squote }} 88 | userinfo_signed_response_key_id: {{ .Client.userinfo_signed_response_key_id | default "" | squote }} 89 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 90 | userinfo_encrypted_response_key_id: {{ .Client.userinfo_encrypted_response_key_id | default "" | squote }} 91 | userinfo_encrypted_response_alg: {{ .Client.userinfo_encrypted_response_alg | default "" | squote }} 92 | userinfo_encrypted_response_enc: {{ .Client.userinfo_encrypted_response_enc | default "" | squote }} 93 | {{- end }} 94 | introspection_signed_response_alg: {{ .Client.introspection_signed_response_alg | default "none" | squote }} 95 | introspection_signed_response_key_id: {{ .Client.introspection_signed_response_key_id | default "" | squote }} 96 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 97 | introspection_encrypted_response_key_id: {{ .Client.introspection_encrypted_response_key_id | default "" | squote }} 98 | introspection_encrypted_response_alg: {{ .Client.introspection_encrypted_response_alg | default "" | squote }} 99 | introspection_encrypted_response_enc: {{ .Client.introspection_encrypted_response_enc | default "" | squote }} 100 | introspection_endpoint_auth_method: {{ .Client.introspection_endpoint_auth_method | default "client_secret_basic" | squote }} 101 | introspection_endpoint_auth_signing_alg: {{ 
.Client.introspection_endpoint_auth_signing_alg | default "RS256" | squote }} 102 | {{- end }} 103 | request_object_signing_alg: {{ .Client.request_object_signing_alg | default "" | squote }} 104 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 105 | request_object_encryption_alg: {{ .Client.request_object_encryption_alg | default "none" | squote }} 106 | request_object_encryption_enc: {{ .Client.request_object_encryption_enc | default "" | squote }} 107 | {{- end }} 108 | token_endpoint_auth_method: {{ (include "authelia.config.oidc.client.token_endpoint_auth_method" .Client) | squote }} 109 | token_endpoint_auth_signing_alg: {{ .Client.token_endpoint_auth_signing_alg | default "" | squote }} 110 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 111 | revocation_endpoint_auth_method: {{ .Client.revocation_endpoint_auth_method | default "client_secret_basic" | squote }} 112 | revocation_endpoint_auth_signing_alg: {{ .Client.revocation_endpoint_auth_signing_alg | default "RS256" | squote }} 113 | pushed_authorization_request_endpoint_auth_method: {{ .Client.pushed_authorization_request_endpoint_auth_method | default "client_secret_basic" | squote }} 114 | pushed_authorization_request_endpoint_auth_signing_alg: {{ .Client.pushed_authorization_request_endpoint_auth_signing_alg | default "RS256" | squote }} 115 | {{- end }} 116 | {{- if .Client.jwks_uri }} 117 | jwks_uri: {{ .Client.jwks_uri | squote }} 118 | {{- end }} 119 | {{- if .Client.jwks }} 120 | jwks: 121 | {{- range $key := .Client.jwks }} 122 | {{- tpl ($.Files.Get "files/configuration.oidc.jwk.yaml") (merge (dict "Key" $key "Indent" 8) $) | trim | nindent 4 }} 123 | {{- end }} 124 | {{- end }} -------------------------------------------------------------------------------- /charts/authelia/files/configuration.oidc.jwk.yaml: -------------------------------------------------------------------------------- 1 | {{- $key := "" }}{{ $certificate_chain := "" }} 2 | {{- if 
.Key.key }} 3 | {{- if .Key.key.path }} 4 | {{- $key = (include "authelia.secrets.template" (dict "Path" .Key.key.path "Indent" (add 4 .Indent))) }} 5 | {{- else if .Key.key.value }} 6 | {{- $key = printf "| %s" (.Key.key.value | trimSuffix "\n" | nindent 4) }} 7 | {{- end }} 8 | {{- end }} 9 | {{- if .Key.certificate_chain }} 10 | {{- if .Key.certificate_chain.path }} 11 | {{- $certificate_chain = (include "authelia.secrets.template" (dict "Path" .Key.certificate_chain.path "Indent" (add 4 .Indent))) }} 12 | {{- else if .Key.key.value }} 13 | {{- $certificate_chain = printf "| %s" (.Key.certificate_chain.value | nindent 4) }} 14 | {{- end }} 15 | {{- end }} 16 | - algorithm: {{ .Key.algorithm | default "RS256" | squote }} 17 | use: {{ .Key.use | default "sig" | squote }} 18 | {{- if .Key.key_id }} 19 | key_id: {{ .Key.key_id | squote }} 20 | {{- end }} 21 | key: {{ $key }} 22 | {{- if $certificate_chain }} 23 | certificate_chain: {{ $certificate_chain }} 24 | {{- end }} -------------------------------------------------------------------------------- /charts/authelia/files/configuration.server.endpoints.authz.yaml: -------------------------------------------------------------------------------- 1 | {{ .Name }}: 2 | implementation: {{ .Endpoint.implementation | squote }} 3 | {{- with $strategies := .Endpoint.authn_strategies }} 4 | authn_strategies: 5 | {{- range $strategy := $strategies }} 6 | - name: {{ $strategy.name | squote }} 7 | {{- with $schemes := $strategy.schemes }} 8 | schemes: 9 | {{- range $schemes }} 10 | - {{ . 
| squote }} 11 | {{- end }} 12 | {{- end }} 13 | {{- if semverCompare ">=4.39.0" (include "authelia.version" $) }} 14 | scheme_basic_cache_lifespan: {{ $strategy.scheme_basic_cache_lifespan | default 0 }} 15 | {{- end }} 16 | {{- end }} 17 | {{- end }} -------------------------------------------------------------------------------- /charts/authelia/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing the {{ include "authelia.chart" . }} chart. 2 | 3 | IMPORTANT: This chart automatically generated an encryption key for sensitive data in your database. Please ensure you backup this key. 4 | 5 | Please report any chart issues at https://github.com/authelia/chartrepo/issues and any application issues at https://github.com/authelia/authelia/issues. 6 | 7 | You can configure your ingress or proxy in the following ways: 8 | 9 | {{- range $name, $endpoint := (include "authelia.authz" .) | fromJson }} 10 | {{- if eq $endpoint.implementation "AuthRequest" }} 11 | 12 | The following example demonstrates configuration of the AuthRequest implementation for ingresses like ingress-nginx: 13 | 14 | apiVersion: {{ (include "capabilities.apiVersion.ingress" $) }} 15 | kind: Ingress 16 | metadata: 17 | name: example 18 | namespace: example-namespace 19 | annotations: 20 | nginx.ingress.kubernetes.io/auth-url: http://{{ (printf "%s.%s" (include "authelia.name" $) $.Release.Namespace) }}.svc.{{ include "kube.DNSDomain" $ }}/api/authz/{{ $name }} 21 | nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email 22 | {{- else if eq $endpoint.implementation "ExtAuthz" }} 23 | 24 | The following examples demonstrate configuration of the ExtAuthz implementation for ingresses like Istio and Envoy: 25 | 26 | At this stage no examples exist. Feel free to contribute. 
27 | 28 | The URL for this implementation is: http://{{ (printf "%s.%s" (include "authelia.name" $) $.Release.Namespace) }}.svc.{{ include "kube.DNSDomain" $ }}/api/authz/{{ $name }} 29 | {{- else if eq $endpoint.implementation "ForwardAuth" }} 30 | 31 | The following examples demonstrate configuration of the ForwardAuth implementation for ingresses like Traefik using a IngressRoute CRD manifest: 32 | 33 | apiVersion: {{ (include "capabilities.apiVersion.traefik.IngressRoute" $) }} 34 | kind: IngressRoute 35 | metadata: 36 | name: example 37 | namespace: example-namespace 38 | spec: 39 | routes: 40 | - kind: Rule 41 | middlewares: 42 | - name: {{ (include "authelia.ingress.traefikCRD.middleware.chainAuth.name" (merge (dict "Name" $name) $)) }} 43 | namespace: {{ $.Release.Namespace }} 44 | 45 | The following examples demonstrate configuration of the ForwardAuth implementation for ingresses like Traefik using a standard Ingress manifest: 46 | 47 | apiVersion: {{ (include "capabilities.apiVersion.ingress" $) }} 48 | kind: Ingress 49 | metadata: 50 | name: example 51 | namespace: example-namespace 52 | annotations: 53 | traefik.ingress.kubernetes.io/router.middlewares: {{ printf "%s-%s@kubernetescrd" $.Release.Namespace (include "authelia.ingress.traefikCRD.middleware.chainAuth.name" (merge (dict "Name" $name) $)) }} 54 | {{- end }} 55 | {{- end }} -------------------------------------------------------------------------------- /charts/authelia/templates/_authz.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Return the default endpoint name. 
3 | */}} 4 | {{- define "authelia.authz.name" -}} 5 | {{- if eq .Implementation "AuthRequest" }} 6 | {{- "auth-request" }} 7 | {{- else if eq .Implementation "ExtAuthz" }} 8 | {{- "ext-authz" }} 9 | {{- else if eq .Implementation "ForwardAuth" }} 10 | {{- "forward-auth" }} 11 | {{- else if eq .Implementation "Legacy" }} 12 | {{- "legacy" }} 13 | {{- end }} 14 | {{- end -}} 15 | 16 | 17 | {{/* 18 | Returns the Authz configuration as JSON. 19 | */}} 20 | {{- define "authelia.authz" -}} 21 | {{- $authz := dict }} 22 | {{- if .Values.configMap.server.endpoints.automatic_authz_implementations }} 23 | {{- range $implementation := .Values.configMap.server.endpoints.automatic_authz_implementations }} 24 | {{- $name := (include "authelia.authz.name" (dict "Implementation" $implementation)) }} 25 | {{- if $name }} 26 | {{- $_ := set $authz $name (dict "implementation" $implementation "authn_strategies" list) }} 27 | {{- end }} 28 | {{- end }} 29 | {{- else if .Values.configMap.server.endpoints.authz }} 30 | {{- $authz = deepCopy .Values.configMap.server.endpoints.authz }} 31 | {{- else }} 32 | {{- $authz = dict "auth-request" (dict "implementation" "AuthRequest" "authn_strategies" list) "ext-authz" (dict "implementation" "ExtAuthz" "authn_strategies" list) "forward-auth" (dict "implementation" "ForwardAuth" "authn_strategies" list) }} 33 | {{- end }} 34 | {{- $authz | toJson }} 35 | {{- end -}} 36 | 37 | {{- define "authelia.authz.implementations" -}} 38 | {{ (list "AuthRequest" "ExtAuthz" "ForwardAuth" "Legacy") | toJson }} 39 | {{- end -}} -------------------------------------------------------------------------------- /charts/authelia/templates/_capabilities.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Returns an overridable KubeVersion 3 | */}} 4 | {{- define "capabilities.kubeVersion" -}} 5 | {{- .Values.kubeVersionOverride | default .Capabilities.KubeVersion.Version -}} 6 | {{- end -}} 7 | 8 | {{/* 9 | Returns 
applicable Deployment/DaemonSet/Ingress API Version 10 | */}} 11 | {{- define "capabilities.apiVersion.kind" -}} 12 | {{- if eq "DaemonSet" (.Kind | default "DaemonSet") -}} 13 | {{- include "capabilities.apiVersion.daemonSet" . -}} 14 | {{- else if eq "Ingress" .Kind -}} 15 | {{- include "capabilities.apiVersion.ingress" . -}} 16 | {{- else if eq "StatefulSet" .Kind -}} 17 | {{- include "capabilities.apiVersion.statefulSet" . -}} 18 | {{- else -}} 19 | {{- include "capabilities.apiVersion.deployment" . -}} 20 | {{- end -}} 21 | {{- end -}} 22 | 23 | {{/* 24 | Returns applicable Deployment API version 25 | Deployment API Version Releases: apps/v1 in 1.9, apps/v1beta2 in 1.8, apps/v1beta1 prior. 26 | */}} 27 | {{- define "capabilities.apiVersion.deployment" -}} 28 | {{- if .Capabilities.APIVersions.Has "apps/v1/Deployment" -}} 29 | {{- print "apps/v1" -}} 30 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta2/Deployment" -}} 31 | {{- print "apps/v1beta2" -}} 32 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta1/Deployment" -}} 33 | {{- print "apps/v1beta1" -}} 34 | {{- else if semverCompare ">=1.9-0" (include "capabilities.kubeVersion" .) -}} 35 | {{- print "apps/v1" -}} 36 | {{- else if semverCompare ">=1.8-0" (include "capabilities.kubeVersion" .) -}} 37 | {{- print "apps/v1beta2" -}} 38 | {{- else -}} 39 | {{- print "apps/v1beta1" -}} 40 | {{- end }} 41 | {{- end -}} 42 | 43 | {{/* 44 | Returns applicable DaemonSet API version 45 | DaemonSet API Version Releases: apps/v1 in 1.9, apps/v1beta2 in 1.8, apps/v1beta1 prior. 
46 | */}} 47 | {{- define "capabilities.apiVersion.daemonSet" -}} 48 | {{- if .Capabilities.APIVersions.Has "apps/v1/DaemonSet" -}} 49 | {{- print "apps/v1" -}} 50 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta2/DaemonSet" -}} 51 | {{- print "apps/v1beta2" -}} 52 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta1/DaemonSet" -}} 53 | {{- print "apps/v1beta1" -}} 54 | {{- else if semverCompare ">=1.9-0" (include "capabilities.kubeVersion" .) -}} 55 | {{- print "apps/v1" -}} 56 | {{- else if semverCompare ">=1.8-0" (include "capabilities.kubeVersion" .) -}} 57 | {{- print "apps/v1beta2" -}} 58 | {{- else -}} 59 | {{- print "apps/v1beta1" -}} 60 | {{- end }} 61 | {{- end -}} 62 | 63 | {{/* 64 | Returns applicable StatefulSet API version 65 | StatefulSet API Version Releases: apps/v1 in 1.9, apps/v1beta2 in 1.8, apps/v1beta1 prior. 66 | */}} 67 | {{- define "capabilities.apiVersion.statefulSet" -}} 68 | {{- if .Capabilities.APIVersions.Has "apps/v1/StatefulSet" -}} 69 | {{- print "apps/v1" -}} 70 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta2/StatefulSet" -}} 71 | {{- print "apps/v1beta2" -}} 72 | {{- else if .Capabilities.APIVersions.Has "apps/v1beta1/StatefulSet" -}} 73 | {{- print "apps/v1beta1" -}} 74 | {{- else if semverCompare ">=1.9-0" (include "capabilities.kubeVersion" .) -}} 75 | {{- print "apps/v1" -}} 76 | {{- else if semverCompare ">=1.8-0" (include "capabilities.kubeVersion" .) -}} 77 | {{- print "apps/v1beta2" -}} 78 | {{- else -}} 79 | {{- print "apps/v1beta1" -}} 80 | {{- end }} 81 | {{- end -}} 82 | 83 | {{/* 84 | Returns applicable Ingress API version 85 | Ingress API Version Releases: networking.k8s.io/v1 in 1.19, extensions/v1beta1 prior. 
86 | */}} 87 | {{- define "capabilities.apiVersion.ingress" -}} 88 | {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}} 89 | {{- print "networking.k8s.io/v1" -}} 90 | {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}} 91 | {{- print "networking.k8s.io/v1beta1" -}} 92 | {{- else if semverCompare ">=1.19-0" (include "capabilities.kubeVersion" .) -}} 93 | {{- print "networking.k8s.io/v1" -}} 94 | {{- else -}} 95 | {{- print "networking.k8s.io/v1beta1" -}} 96 | {{- end }} 97 | {{- end -}} 98 | 99 | {{/* 100 | Returns applicable NetworkPolicy API version 101 | NetworkPolicy API Version Releases: networking.k8s.io/v1 in 1.9, extensions/v1beta1 prior. 102 | */}} 103 | {{- define "capabilities.apiVersion.networkPolicy" -}} 104 | {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/NetworkPolicy" -}} 105 | {{- print "networking.k8s.io/v1" -}} 106 | {{- else if .Capabilities.APIVersions.Has "extensions/v1beta1/NetworkPolicy" -}} 107 | {{- print "extensions/v1beta1" -}} 108 | {{- else if semverCompare ">=1.9-0" (include "capabilities.kubeVersion" .) -}} 109 | {{- print "networking.k8s.io/v1" -}} 110 | {{- else -}} 111 | {{- print "extensions/v1beta1" -}} 112 | {{- end }} 113 | {{- end -}} 114 | 115 | {{/* 116 | Returns applicable PodDisruptionBudget API version 117 | PodDisruptionBudget API Version Releases: policy/v1 in 1.21, policy/v1beta1 prior. 118 | */}} 119 | {{- define "capabilities.apiVersion.podDisruptionBudget" -}} 120 | {{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} 121 | {{- print "policy/v1" -}} 122 | {{- else if .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} 123 | {{- print "policy/v1beta1" -}} 124 | {{- else if semverCompare ">=1.21-0" (include "capabilities.kubeVersion" .) 
-}} 125 | {{- print "policy/v1" -}} 126 | {{- else -}} 127 | {{- print "policy/v1beta1" -}} 128 | {{- end }} 129 | {{- end -}} 130 | 131 | {{- define "authelia.pod.priorityClassName.enabled" -}} 132 | {{- if and (hasKey .Values.pod "priorityClassName") .Values.pod.priorityClassName (semverCompare ">=1.14-0" (include "capabilities.kubeVersion" .)) }} 133 | {{- true -}} 134 | {{- end }} 135 | {{- end }} 136 | 137 | {{/* 138 | 139 | */}} 140 | {{- define "capabilities.apiVersion.traefik" -}} 141 | {{- $group := "traefik.io" }} 142 | {{- if .Values.ingress.traefikCRD.apiGroupOverride }} 143 | {{- $group = .Values.ingress.traefikCRD.apiGroupOverride }} 144 | {{- else if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRoute" -}} 145 | {{- $group = "traefik.io" }} 146 | {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/IngressRoute" -}} 147 | {{- $group = "traefik.containo.us" }} 148 | {{- end }} 149 | {{- $version := "v1alpha1" }} 150 | {{- if .Values.ingress.traefikCRD.apiVersionOverride }} 151 | {{- $version = .Values.ingress.traefikCRD.apiVersionOverride }} 152 | {{- end }} 153 | {{- printf "%s/%s" $group $version }} 154 | {{- end -}} 155 | 156 | {{/* 157 | 158 | */}} 159 | {{- define "capabilities.apiVersion.traefik.IngressRoute" -}} 160 | {{- include "capabilities.apiVersion.traefik" . }} 161 | {{- end -}} 162 | 163 | {{/* 164 | 165 | */}} 166 | {{- define "capabilities.apiVersion.traefik.Middleware" -}} 167 | {{- include "capabilities.apiVersion.traefik" . }} 168 | {{- end -}} 169 | 170 | {{/* 171 | 172 | */}} 173 | {{- define "capabilities.apiVersion.traefik.TLSOption" -}} 174 | {{- include "capabilities.apiVersion.traefik" . }} 175 | {{- end -}} -------------------------------------------------------------------------------- /charts/authelia/templates/_hashes.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Is truthy if the value provided has a known hash prefix. 
*/}}
{{- define "authelia.hashes.prefix.has" -}}
{{- if or (hasPrefix "$plaintext$" .) (hasPrefix "$base64$" .) }}
{{- true }}
{{- else if (include "authelia.hashes.prefix.has.np" .) }}
{{- true }}
{{- end }}
{{- end -}}

{{/*
Is truthy if the value provided has a known hash prefix which is not a plaintext variant.
*/}}
{{- define "authelia.hashes.prefix.has.np" -}}
{{- if or (hasPrefix "$argon2id$" .) (hasPrefix "$argon2i$" .) (hasPrefix "$argon2d$" .) }}
{{- true }}
{{- else if or (hasPrefix "$5$" .) (hasPrefix "$6$" .) }}
{{- true }}
{{- else if or (hasPrefix "$pbkdf2$" .) (hasPrefix "$pbkdf2-sha1$" .) (hasPrefix "$pbkdf2-sha224$" .) (hasPrefix "$pbkdf2-sha256$" .) (hasPrefix "$pbkdf2-sha384$" .) (hasPrefix "$pbkdf2-sha512$" .) }}
{{- true }}
{{- else if or (hasPrefix "$2$" .) (hasPrefix "$2a$" .) (hasPrefix "$2b$" .) (hasPrefix "$2x$" .) (hasPrefix "$2y$" .) (hasPrefix "$bcrypt-sha256$" .) }}
{{- true }}
{{- else if or (hasPrefix "$scrypt$" .) }}
{{- true }}
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_helpers.tpl:
--------------------------------------------------------------------------------
{{/*
Return the fully qualified image reference. A tag of the form sha256:<digest> is rendered as an
immutable @digest reference instead of a mutable :tag.
*/}}
{{- define "authelia.image" -}}
{{- $registryName := default "docker.io" .Values.image.registry -}}
{{- $repositoryName := default "authelia/authelia" .Values.image.repository -}}
{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
{{- if hasPrefix "sha256:" $tag }}
{{- printf "%s/%s@%s" $registryName $repositoryName $tag -}}
{{- else -}}
{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
{{- end -}}
{{- end -}}

{{/*
Return the name for this install
*/}}
{{- define "authelia.name" -}}
{{- if .Values.nameOverride -}}
{{- .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Return the name for this chart
*/}}
{{- define "authelia.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Return the app version.
*/}}
{{- define "authelia.version" -}}
{{ .Values.versionOverride | default .Chart.AppVersion | toString }}
{{- end -}}

{{/*
Returns a yaml-language-server schema comment pointing at the Authelia JSON schema for the
configured major.minor version. .SchemaName selects the schema and defaults to "configuration".
*/}}
{{- define "authelia.schema" -}}
{{- $version := semver (include "authelia.version" .) }}
{{- printf "# yaml-language-server: $schema=https://www.authelia.com/schemas/v%d.%d/json-schema/%s.json" $version.Major $version.Minor (.SchemaName | default "configuration") }}
{{- end -}}

{{/*
Returns true if the pod must be treated as stateful: the file authentication backend or local
storage is enabled, or no Redis session store, no MySQL/PostgreSQL storage, or no LDAP backend
is configured (each of those leaves state on the pod itself).
*/}}
{{- define "authelia.stateful" -}}
{{- if .Values.configMap -}}
{{- if not .Values.configMap.disabled -}}
{{- if .Values.configMap.authentication_backend.file.enabled -}}
{{- true -}}
{{- else if and (.Values.configMap.storage.local) (.Values.configMap.storage.local.enabled) -}}
{{- true -}}
{{- else if not (and (.Values.configMap.session.redis) (.Values.configMap.session.redis.enabled)) -}}
{{- true -}}
{{- else if and (not (and (.Values.configMap.storage.mysql) (.Values.configMap.storage.mysql.enabled))) (not (and (.Values.configMap.storage.postgres) (.Values.configMap.storage.postgres.enabled))) -}}
{{- true -}}
{{- else if not (and (.Values.configMap.authentication_backend) (.Values.configMap.authentication_backend.ldap.enabled)) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if the Duo API integration is enabled and configured with both an integration_key and a hostname.
*/}}
{{- define "authelia.configured.duo" -}}
{{- if .Values.configMap -}}
{{- if .Values.configMap.duo_api -}}
{{- if .Values.configMap.duo_api.enabled -}}
{{- if and (hasKey .Values.configMap.duo_api "integration_key") (hasKey .Values.configMap.duo_api "hostname") -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns the default policy to render. When no access control rules are configured, a configured
default_policy of "bypass" is rendered as "one_factor" and "deny" as "two_factor"; in every other
case the configured default_policy is used unchanged.
*/}}
{{- define "authelia.accessControl.defaultPolicy" }}
{{- $defaultPolicy := "deny" }}
{{- if (eq (len .Values.configMap.access_control.rules) 0) }}
{{- if (eq .Values.configMap.access_control.default_policy "bypass") }}
{{- $defaultPolicy = "one_factor" }}
{{- else if (eq .Values.configMap.access_control.default_policy "deny") }}
{{- $defaultPolicy = "two_factor" }}
{{- else }}
{{- $defaultPolicy = .Values.configMap.access_control.default_policy }}
{{- end }}
{{- else }}
{{- $defaultPolicy = .Values.configMap.access_control.default_policy }}
{{- end }}
{{ $defaultPolicy }}
{{- end }}

{{/*
Returns the common labels
*/}}
{{- define "authelia.labels" -}}
{{ include "authelia.matchLabels" . }}
app.kubernetes.io/version: {{ include "authelia.version" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "authelia.chart" . }}
{{- if .Values.labels }}
{{- toYaml .Values.labels | nindent 0 }}
{{- end }}
{{- if .Labels }}
{{- toYaml .Labels | nindent 0 }}
{{- end }}
{{- end -}}

{{/*
Returns the match labels
*/}}
{{- define "authelia.matchLabels" -}}
app.kubernetes.io/name: {{ .Values.appNameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

{{/*
Returns the common annotations
*/}}
{{- define "authelia.annotations" -}}
{{- $annotations := dict -}}
{{- if .Values.annotations -}}
{{ $annotations = mergeOverwrite $annotations .Values.annotations -}}
{{- end -}}
{{- if hasKey . "Annotations" -}}
{{ $annotations = mergeOverwrite $annotations .Annotations -}}
{{- end -}}
{{- if $annotations -}}
{{- toYaml $annotations | indent 0 -}}
{{- end -}}
{{- end -}}

{{/*
Returns .SecretValue base64 encoded when set; otherwise .LookupValue (the already encoded value
read from an existing Secret, so an upgrade does not rotate a previously generated secret) when
present; otherwise a freshly generated random 128 character value, base64 encoded.
*/}}
{{- define "authelia.secret.standard" -}}
{{- if and .SecretValue (not (eq .SecretValue "")) -}}
{{- .SecretValue | b64enc -}}
{{- else if .LookupValue -}}
{{- if (not (eq .LookupValue "")) -}}
{{- .LookupValue -}}
{{- else -}}
{{- randAlphaNum 128 | b64enc -}}
{{- end -}}
{{- else -}}
{{- randAlphaNum 128 | b64enc -}}
{{- end -}}
{{- end -}}

{{/*
Returns the mountPath of the secrets.
*/}}
{{- define "authelia.secret.mountPath" -}}
{{- .Values.secret.mountPath | trimSuffix "/" | default "/secrets" -}}
{{- end -}}

{{/*
Returns the file name of the given secret (.Secret) inside the secrets mount, honouring the
configured filename override for that secret.
*/}}
{{- define "authelia.secret.path" -}}
{{- if eq .Secret "jwt" -}}
{{- default "JWT_TOKEN" .Values.secret.jwt.filename -}}
{{- else if eq .Secret "storage" -}}
{{- default "STORAGE_PASSWORD" .Values.secret.storage.filename -}}
{{- else if eq .Secret "storageEncryptionKey" -}}
{{- default "STORAGE_ENCRYPTION_KEY" .Values.secret.storageEncryptionKey.filename -}}
{{- else if eq .Secret "session" -}}
{{- default "SESSION_ENCRYPTION_KEY" .Values.secret.session.filename -}}
{{- else if eq .Secret "ldap" -}}
{{- default "LDAP_PASSWORD" .Values.secret.ldap.filename -}}
{{- else if eq .Secret "smtp" -}}
{{- default "SMTP_PASSWORD" .Values.secret.smtp.filename -}}
{{- else if eq .Secret "duo" -}}
{{- default "DUO_API_KEY" .Values.secret.duo.filename -}}
{{- else if eq .Secret "redis" -}}
{{- default "REDIS_PASSWORD" .Values.secret.redis.filename -}}
{{- else if eq .Secret "redis-sentinel" -}}
{{- default "REDIS_SENTINEL_PASSWORD" .Values.secret.redisSentinel.filename -}}
{{- else if eq .Secret "oidc-private-key" -}}
{{- default "OIDC_PRIVATE_KEY" .Values.secret.oidcPrivateKey.filename -}}
{{- else if eq .Secret "oidc-hmac-secret" -}}
{{- default "OIDC_HMAC_SECRET" .Values.secret.oidcHMACSecret.filename -}}
{{- end -}}
{{- end -}}

{{/*
Returns the absolute path of the given secret file inside the container.
*/}}
{{- define "authelia.secret.fullPath" -}}
{{- $path := (include "authelia.secret.mountPath" .) -}}
{{- $filename := (include "authelia.secret.path" .) -}}
{{- printf "%s/%s" $path $filename -}}
{{- end -}}

{{/*
Returns the kind for the pod: the configured pod.kind when it is a recognised kind, otherwise
StatefulSet when the pod is stateful and DaemonSet when it is not.
*/}}
{{- define "authelia.pod.kind" -}}
{{- if not .Values.pod.kind -}}
{{- if (include "authelia.stateful" .) -}}
{{- "StatefulSet" -}}
{{- else -}}
{{- "DaemonSet" -}}
{{- end -}}
{{- else if eq "daemonset" (.Values.pod.kind | lower) -}}
{{- "DaemonSet" -}}
{{- else if eq "statefulset" (.Values.pod.kind | lower) -}}
{{- "StatefulSet" -}}
{{- else if eq "deployment" (.Values.pod.kind | lower) -}}
{{- "Deployment" -}}
{{- else }}
{{- if (include "authelia.stateful" .) -}}
{{- "StatefulSet" -}}
{{- else -}}
{{- "DaemonSet" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns the update strategy type for the pod kind. DaemonSets and StatefulSets accept RollingUpdate
or OnDelete, Deployments accept RollingUpdate or Recreate; any other configured value falls back to
RollingUpdate.
*/}}
{{- define "authelia.deploymentStrategy" -}}
{{- if .Values.pod.strategy -}}
{{- if .Values.pod.strategy.type -}}
{{- if or (eq "DaemonSet" (include "authelia.pod.kind" .)) (eq "StatefulSet" (include "authelia.pod.kind" .)) -}}
{{- if or (eq .Values.pod.strategy.type "RollingUpdate") (eq .Values.pod.strategy.type "OnDelete") -}}
{{- .Values.pod.strategy.type -}}
{{- else -}}
{{- "RollingUpdate" -}}
{{- end -}}
{{- else -}}
{{- if or (eq .Values.pod.strategy.type "RollingUpdate") (eq .Values.pod.strategy.type "Recreate") -}}
{{- .Values.pod.strategy.type -}}
{{- else -}}
{{- "RollingUpdate" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- "RollingUpdate" -}}
{{- end -}}
{{- end -}}

{{/*
Returns the rollingUpdate spec for the pod kind (partition for a StatefulSet, maxUnavailable for a
DaemonSet, maxSurge and maxUnavailable for a Deploy
ment), with the configured values overriding the defaults. Sprig's set takes exactly one key/value pair per call.
*/}}
{{- define "authelia.rollingUpdate" -}}
{{- $result := dict -}}
{{- if eq "StatefulSet" (include "authelia.pod.kind" .) -}}
{{ $result = dict "partition" 0 }}
{{- if .Values.pod.strategy -}}
{{- if .Values.pod.strategy.rollingUpdate -}}
{{- $_ := set $result "partition" (default 0 .Values.pod.strategy.rollingUpdate.partition) -}}
{{- end -}}
{{- end -}}
{{- else if eq "DaemonSet" (include "authelia.pod.kind" .) -}}
{{ $result = dict "maxUnavailable" "25%" }}
{{- if .Values.pod.strategy -}}
{{- if .Values.pod.strategy.rollingUpdate -}}
{{- $_ := set $result "maxUnavailable" (default "25%" .Values.pod.strategy.rollingUpdate.maxUnavailable) -}}
{{- end -}}
{{- end -}}
{{- else -}}
{{ $result = dict "maxSurge" "25%" "maxUnavailable" "25%" }}
{{- if .Values.pod.strategy -}}
{{- if .Values.pod.strategy.rollingUpdate -}}
{{- $_ := set $result "maxSurge" (default "25%" .Values.pod.strategy.rollingUpdate.maxSurge) -}}
{{- $_ = set $result "maxUnavailable" (default "25%" .Values.pod.strategy.rollingUpdate.maxUnavailable) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{ toYaml $result | indent 0 }}
{{- end -}}

{{/*
Returns the number of replicas: always 1 for a stateful pod, otherwise pod.replicas (0 is
respected, an unset value defaults to 1).
*/}}
{{- define "authelia.replicas" -}}
{{- if (include "authelia.stateful" .) }}
{{- 1 -}}
{{- else -}}
{{- if (eq 0 (int .Values.pod.replicas))}}
{{- 0 -}}
{{- else }}
{{- .Values.pod.replicas | default 1 -}}
{{- end }}
{{- end -}}
{{- end -}}

{{/*
Returns the pod management policy
*/}}
{{- define "authelia.podManagementPolicy" -}}
{{- if (include "authelia.stateful" .) }}
{{- "Parallel" -}}
{{- else -}}
{{- default "Parallel" .Values.pod.managementPolicy -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate a ConfigMap.
*/}}
{{- define "authelia.generate.configMap" -}}
{{- if include "authelia.enabled.configMap" . -}}
{{- if not .Values.configMap.existingConfigMap -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should use a ConfigMap.
*/}}
{{- define "authelia.enabled.configMap" -}}
{{- if .Values.configMap -}}
{{- if not .Values.configMap.disabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should use the ACL Secret.
*/}}
{{- define "authelia.enabled.acl.secret" -}}
{{- if hasKey .Values "configMap" -}}
{{- if not .Values.configMap.disabled -}}
{{- if .Values.configMap.access_control.secret.enabled }}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should mount the ACL Secret (either the generated one or an existing one).
*/}}
{{- define "authelia.mount.acl.secret" -}}
{{- if or (include "authelia.enabled.acl.secret" .) .Values.configMap.access_control.secret.existingSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate the ACL Secret (enabled and no existing Secret referenced).
*/}}
{{- define "authelia.generate.acl.secret" -}}
{{- if and (include "authelia.enabled.acl.secret" .) (not .Values.configMap.access_control.secret.existingSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Returns the ACL secret name.
*/}}
{{- define "authelia.name.acl.secret" -}}
{{- default (printf "%s-acl" (include "authelia.name" .) | trunc 63 | trimSuffix "-") .Values.configMap.access_control.secret.existingSecret -}}
{{- end -}}

{{/*
Returns true if we should use a PDB.
*/}}
{{- define "authelia.enabled.podDisruptionBudget" -}}
{{- if .Values.podDisruptionBudget -}}
{{- if .Values.podDisruptionBudget.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate the Secret (no existingSecret is referenced).
*/}}
{{- define "authelia.enabled.secret" -}}
{{- if .Values.secret -}}
{{- if not .Values.secret.existingSecret -}}
{{- true -}}
{{- else if eq "" .Values.secret.existingSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate the Secret for certificates (certificate values are provided
and no existingSecret is referenced).
*/}}
{{- define "authelia.generate.certificatesSecret" -}}
{{- if .Values.certificates -}}
{{- if .Values.certificates.values -}}
{{- if not .Values.certificates.existingSecret -}}
{{- true -}}
{{- else if eq "" .Values.certificates.existingSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if a Secret for certificates is in use, either generated from values or existing.
*/}}
{{- define "authelia.enabled.certificatesSecret" -}}
{{- if .Values.certificates -}}
{{- if .Values.certificates.values -}}
{{- true -}}
{{- else if .Values.certificates.existingSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns the name of the Secret for certificates: the existingSecret when referenced, otherwise
the generated "<name>-certificates".
*/}}
{{- define "authelia.names.certificatesSecret" -}}
{{- if .Values.certificates -}}
{{- if .Values.certificates.existingSecret -}}
{{- .Values.certificates.existingSecret -}}
{{- else -}}
{{- printf "%s-certificates" (include "authelia.name" .) -}}
{{- end -}}
{{- else -}}
{{- printf "%s-certificates" (include "authelia.name" .) -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate the NetworkPolicy.
*/}}
{{- define "authelia.enabled.networkPolicy" -}}
{{- if .Values.networkPolicy -}}
{{- if .Values.networkPolicy.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if we should generate the PersistentVolumeClaim (persistence enabled and no
existingClaim referenced).
*/}}
{{- define "authelia.generate.persistentVolumeClaim" -}}
{{- if include "authelia.enabled.persistentVolumeClaim" . -}}
{{- if not .Values.persistence.existingClaim -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if persistence is enabled.
*/}}
{{- define "authelia.enabled.persistentVolumeClaim" -}}
{{- if .Values.persistence -}}
{{- if .Values.persistence.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Renders a probe of the given .Type (startup, liveness or readiness) by merging the probe settings
with the handler method. Sprig's merge gives precedence to its first argument, so keys in .Method
win over keys in .Probe.
{{ include "authelia.merge.probe" (dict "Type" "liveness" "Probe" .Values.path.to.the.probe "Method" .Values.path.to.the.method) }}
*/}}
{{- define "authelia.merge.probe" -}}
{{- if and .Method .Probe .Type -}}
{{- $probe := dict -}}
{{- $probe = merge $probe .Method -}}
{{- $probe = merge $probe .Probe -}}
{{- if eq "startup" .Type -}}
{{ toYaml (dict "startupProbe" $probe) }}
{{- else if eq "liveness" .Type -}}
{{ toYaml (dict "livenessProbe" $probe) }}
{{- else if eq "readiness" .Type -}}
{{ toYaml (dict "readinessProbe" $probe) }}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Renders a value that may itself contain template expressions: a string is rendered directly,
anything else is converted to YAML first.
Usage:
{{ include "authelia.snippets.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
*/}}
{{- define "authelia.snippets.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{- else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}

{{/*
Returns the service port (default 80).
*/}}
{{- define "authelia.service.port" -}}
{{- if .Values.service -}}
{{- if .Values.service.port -}}
{{- .Values.service.port -}}
{{- else -}}
{{- 80 -}}
{{- end -}}
{{- else -}}
{{- 80 -}}
{{- end -}}
{{- end -}}

{{/*
Returns the server path with a leading slash (default "/").
*/}}
{{- define "authelia.path" -}}
{{- if .Values.configMap -}}
{{- if .Values.configMap.server.path -}}
{{- printf "/%s" .Values.configMap.server.path -}}
{{- else -}}
{{- "/" -}}
{{- end -}}
{{- else -}}
{{- "/" -}}
{{- end -}}
{{- end -}}

{{/*
Returns whether password reset is disabled: authentication_backend.disable_reset_password when that
key is present, otherwise authentication_backend.password_reset.disable (default false).
*/}}
{{- define "authelia.config.password_reset.disable" -}}
{{- if hasKey .Values.configMap.authentication_backend "disable_reset_password" }}
{{- .Values.configMap.authentication_backend.disable_reset_password }}
{{- else }}
{{- .Values.configMap.authentication_backend.password_reset.disable | default false }}
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_ingress.tpl:
--------------------------------------------------------------------------------
{{/*
Returns the external https URI for the ingress host, with the optional .Path appended.
*/}}
{{- define "authelia.ingress.uri" -}}
{{- if .Path }}
{{- printf "https://%s/%s" (include "authelia.ingress.host" .) .Path }}
{{- else }}
{{- printf "https://%s" (include "authelia.ingress.host" .) }}
{{- end }}
{{- end -}}

{{/*
Returns the ingress host value.
*/}}
{{- define "authelia.ingress.host" -}}
{{- if .SubDomain }}
{{- printf "%s.%s" .SubDomain .Domain }}
{{- else }}
{{- .Domain }}
{{- end }}
{{- end }}

{{/*
Returns the in-cluster forward auth URL used by the Traefik ForwardAuth middleware:
http://<name>.<namespace>.svc.<dns domain><path>/api/authz/<.Name or forward-auth>.
*/}}
{{- define "authelia.ingress.traefikCRD.middleware.forwardAuth.address" -}}
{{- $scheme := "http" -}}
{{- $host := printf "%s.%s" (include "authelia.name" .) .Release.Namespace -}}
{{- if .Namespace -}}
{{- $host = printf "%s.%s" $host .Namespace -}}
{{- end -}}
{{- $path := (include "authelia.path" .) | trimSuffix "/" -}}
{{- (printf "%s://%s.svc.%s%s/api/authz/%s" $scheme $host (include "kube.DNSDomain" $) $path (.Name | default "forward-auth")) -}}
{{- end -}}

{{/*
Returns the name of the forwardAuth Middleware for forward auth which gets applied to other IngressRoutes.
*/}}
{{- define "authelia.ingress.traefikCRD.middleware.forwardAuth.name" -}}
{{- if eq .Name "forward-auth" -}}
{{- if .Values.ingress.traefikCRD.middlewares.auth.nameOverride -}}
{{- .Values.ingress.traefikCRD.middlewares.auth.nameOverride | trunc 63 -}}
{{- else -}}
{{- (printf "forwardauth-%s" (include "authelia.name" .)) | trunc 63 -}}
{{- end -}}
{{- else -}}
{{- $name := .Name | trimPrefix "forward-auth-" -}}
{{- if .Values.ingress.traefikCRD.middlewares.auth.nameOverride -}}
{{- (printf "%s-%s" .Values.ingress.traefikCRD.middlewares.auth.nameOverride $name) | trunc 63 -}}
{{- else -}}
{{- (printf "forwardauth-%s-%s" (include "authelia.name" .) $name) | trunc 63 -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns the name of the chain Middleware for forward auth which gets applied to other IngressRoutes.
*/}}
{{- define "authelia.ingress.traefikCRD.middleware.chainAuth.name" -}}
{{- if eq .Name "forward-auth" -}}
{{- if .Values.ingress.traefikCRD.middlewares.chains.auth.nameOverride -}}
{{- .Values.ingress.traefikCRD.middlewares.chains.auth.nameOverride | trunc 63 -}}
{{- else -}}
{{- printf "chain-%s-auth" (include "authelia.name" .) -}}
{{- end -}}
{{- else -}}
{{- $name := (.Name | trimPrefix "forward-auth-") -}}
{{- if .Values.ingress.traefikCRD.middlewares.chains.auth.nameOverride -}}
{{- (printf "%s-%s" .Values.ingress.traefikCRD.middlewares.chains.auth.nameOverride $name) | trunc 63 -}}
{{- else -}}
{{- (printf "chain-%s-auth-%s" (include "authelia.name" .) $name) | trunc 63 -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Annotations for the Ingress resource: the user supplied ingress annotations, plus
kubernetes.io/tls-acme when certManager is set, and, when the Traefik IngressRoute is disabled,
the Traefik entryPoints and middleware chain annotations unless the user already provided them.
*/}}
{{- define "authelia.ingress.annotations" -}}
{{- $annotations := dict -}}
{{- $annotations = mergeOverwrite $annotations .Values.ingress.annotations -}}
{{- if .Values.ingress.certManager -}}
{{- $annotations = set $annotations "kubernetes.io/tls-acme" "true" -}}
{{- end -}}
{{- if and .Values.ingress.traefikCRD .Values.ingress.traefikCRD.disableIngressRoute -}}
{{- if and (gt (len .Values.ingress.traefikCRD.entryPoints) 0) (not (hasKey $annotations "traefik.ingress.kubernetes.io/router.entryPoints")) -}}
{{- $annotations = set $annotations "traefik.ingress.kubernetes.io/router.entryPoints" (.Values.ingress.traefikCRD.entryPoints | join ",") -}}
{{- end -}}
{{- if not (hasKey $annotations "traefik.ingress.kubernetes.io/router.middlewares") }}
{{- $annotations = set $annotations "traefik.ingress.kubernetes.io/router.middlewares" (printf "%s-%s@kubernetescrd" .Release.Namespace (include "authelia.ingress.traefikCRD.middleware.chainIngress.name" .)) -}}
{{- end }}
{{- end -}}
{{ include "authelia.annotations" (merge (dict "Annotations" $annotations) .) }}
{{- end -}}

{{/*
Returns the name of the chain Middleware applied to the chart's own Ingress/IngressRoute.
*/}}
{{- define "authelia.ingress.traefikCRD.middleware.chainIngress.name" -}}
{{- printf "chain-%s" (include "authelia.name" .) -}}
{{- end -}}

{{/*
Returns true if an existing TraefikCRD TLSOption is referenced.
*/}}
{{- define "authelia.existing.ingress.traefik.tlsOption" -}}
{{- if .Values.ingress.traefikCRD.tls -}}
{{- if .Values.ingress.traefikCRD.tls.existingOptions -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns the ingress hostname
*/}}
{{- define "authelia.ingressHost" -}}
{{- if .Values.ingress.subdomain -}}
{{- printf "%s.%s" (default "auth" .Values.ingress.subdomain) .Values.domain -}}
{{- else -}}
{{- .Values.domain -}}
{{- end -}}
{{- end -}}

{{/*
Returns the ingress hostname with the path
*/}}
{{- define "authelia.ingressHostWithPath" -}}
{{- printf "%s%s" (include "authelia.ingressHost" .) (include "authelia.path" . | trimSuffix "/") -}}
{{- end -}}

{{/*
Returns true if generation of an ingress is enabled.
*/}}
{{- define "authelia.enabled.ingress" -}}
{{- if .Values.ingress -}}
{{- if .Values.ingress.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if generation of the TraefikCRD resources is enabled.
*/}}
{{- define "authelia.enabled.ingress.traefik" -}}
{{- if (include "authelia.enabled.ingress" .) -}}
{{- if .Values.ingress.traefikCRD -}}
{{- if .Values.ingress.traefikCRD.enabled -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if an Ingress resource should be generated: the ingress is enabled and either the
TraefikCRD integration is disabled or its IngressRoute is explicitly disabled.
*/}}
{{- define "authelia.enabled.ingress.ingress" -}}
{{- if .Values.ingress.enabled -}}
{{- if or (not (include "authelia.enabled.ingress.traefik" .)) (.Values.ingress.traefikCRD.disableIngressRoute) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if generation of an IngressRoute is enabled.
*/}}
{{- define "authelia.enabled.ingress.ingressRoute" -}}
{{- if and (include "authelia.enabled.ingress.traefik" .) (not .Values.ingress.traefikCRD.disableIngressRoute) -}}
{{- true -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if a TraefikCRD TLSOption should be generated: ingress TLS is enabled, the TraefikCRD
integration is enabled, tls.options is set and no existing TLSOption is referenced.
*/}}
{{- define "authelia.enabled.ingress.traefik.tlsOption" -}}
{{- if .Values.ingress.tls.enabled -}}
{{- if (include "authelia.enabled.ingress.traefik" .) -}}
{{- if .Values.ingress.traefikCRD.tls -}}
{{- if .Values.ingress.traefikCRD.tls.options -}}
{{- if not (include "authelia.existing.ingress.traefik.tlsOption" .) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Returns true if the ingress is enabled without the TraefikCRD integration.
*/}}
{{- define "authelia.enabled.ingress.standard" -}}
{{- if and (include "authelia.enabled.ingress" .) (not (include "authelia.enabled.ingress.traefik" .)) -}}
{{- true -}}
{{- end -}}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_k8s.tpl:
--------------------------------------------------------------------------------
{{/*
Returns an overridable Kubernetes DNS Domain
*/}}
{{- define "kube.DNSDomain" -}}
{{- .Values.kubeDNSDomainOverride | default "cluster.local" -}}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_misc.tpl:
--------------------------------------------------------------------------------
{{/*
Returns the list of configuration files as a comma separated string: the main configuration,
the ACL configuration when the ACL Secret is mounted, and any extraConfigs.
*/}}
{{- define "authelia.config.paths" -}}
{{- $paths := (list "/configuration.yaml") }}
{{- if (include "authelia.mount.acl.secret" .) }}
{{- $paths = append $paths "/configuration.acl.yaml" }}
{{- end }}
{{- if .Values.configMap.extraConfigs }}
{{- $paths = concat $paths .Values.configMap.extraConfigs }}
{{- end }}
{{- join "," $paths }}
{{- end }}

{{/*
Single-quotes string values (for example durations) so YAML does not reinterpret them; non-string
values are emitted as-is. Despite the name the quoting is squote.
*/}}
{{- define "authelia.func.dquote" }}
{{- if kindIs "string" . }}
{{- . | squote }}
{{- else }}
{{- . }}
{{- end }}
{{- end }}

{{/*
Single-quotes a string, or single-quotes each element of a list and joins them with commas.
*/}}
{{- define "authelia.squote.join" -}}
{{- if kindIs "string" . }}
{{- . | squote }}
{{- else -}}
{{- range $i, $val := . -}}
{{- if $i -}}
{{- print ", " -}}
{{- end -}}
{{- $val | squote -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Wraps content in YAML document start (---) and end (...) markers.
*/}}
{{- define "authelia.wrapYAML" -}}
{{- "---" }}
{{ . }}
{{ "..." }}
{{- end -}}

{{/*
Renders a list as YAML sequence items, each single-quoted.
*/}}
{{- define "authelia.squote.list" -}}
{{- range . }}
{{ printf "- %s" (. | squote) }}
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_oidc.tpl:
--------------------------------------------------------------------------------
{{/*
Returns the OpenID Connect 1.0 client's token endpoint authentication method: "none" by default for
a public client, "client_secret_basic" by default for a confidential client.
*/}}
{{- define "authelia.config.oidc.client.token_endpoint_auth_method" -}}
{{- if .public }}
{{- .token_endpoint_auth_method | default "none" }}
{{- else }}
{{- .token_endpoint_auth_method | default "client_secret_basic" }}
{{- end }}
{{- end }}

{{/*
Returns the OpenID Connect 1.0 client's secret: empty for a public client, otherwise the string
value or the value key of a map.
*/}}
{{- define "authelia.config.oidc.client.client_secret" -}}
{{- if .public }}
{{- "" }}
{{- else if kindIs "string" .client_secret }}
{{- .client_secret }}
{{- else if and (kindIs "map" .client_secret) (hasKey .client_secret "value") }}
{{- .client_secret.value }}
{{- end }}
{{- end }}

{{/*
Renders the client secret for the configuration: a reference read at runtime via the Authelia
secret template function when client_secret.path is set, otherwise the single-quoted literal
value. Public clients render nothing.
*/}}
{{- define "authelia.config.oidc.client.client_secret.render" -}}
{{- if not .public }}
{{- if and (not (kindIs "string" .client_secret)) .client_secret.path }}
{{- printf "'{{ secret \"%s\" }}'" .client_secret.path }}
{{- else }}
{{- (include "authelia.config.oidc.client.client_secret" .) | squote }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Returns the PKCE challenge method: S256 by default when enforce_pkce is set, otherwise the
configured value or empty.
*/}}
{{- define "authelia.config.oidc.client.pkce_challenge_method" -}}
{{- if .enforce_pkce }}
{{- .pkce_challenge_method | default "S256" -}}
{{- else }}
{{- .pkce_challenge_method | default "" -}}
{{- end }}
{{- end -}}
--------------------------------------------------------------------------------
/charts/authelia/templates/_secrets.tpl:
--------------------------------------------------------------------------------
{{/*
Given a secret path and an indent level, outputs the Authelia configuration template expression
that reads the secret file, indents a multiline value as a YAML block scalar and single-quotes a
single-line value.
*/}}
{{- define "authelia.secrets.template" -}}
{{- printf "{{ secret %s | mindent %d \"|\" | msquote }}" (.Path | quote) .Indent }}
{{- end }}

{{- define "authelia.secret.path.ldap" -}}
{{- end -}}

{{/*
Returns .Secret.value base64 encoded when set; otherwise the already encoded value found in
.Lookup under .Secret.path (so an upgrade does not rotate a previously generated secret);
otherwise a freshly generated random 128 character value, base64 encoded.
*/}}
{{- define "authelia.secret.value.standard" -}}
{{- if .Secret.value -}}
{{- .Secret.value | b64enc -}}
{{- else }}
{{- $lookup := (get .Lookup .Secret.path) | default false }}
{{- if $lookup }}
{{- $lookup }}
{{- else }}
{{- randAlphaNum 128 | b64enc -}}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Returns true if the chart must generate this secret: it is not disabled, it does not reference an
external secret_name, and its path is relative (an absolute path points at a file the operator
supplies).
*/}}
{{- define "authelia.secret.generate" -}}
{{- if and (not .disabled) (not .secret_name) (not (hasPrefix "/" .path)) }}
{{- true }}
{{- end }}
{{- end -}}

{{/*
Returns the single-quoted path of a secret file inside the container: an absolute .SecretPath is
used as-is, otherwise the file lives under .MountPath/<.SecretName or internal>/.
*/}}
{{- define "authelia.secret.env.path" -}}
{{- if (hasPrefix "/" .SecretPath) }}
{{- .SecretPath | squote }}
{{- else }}
{{- (printf "%s/%s/%s" .MountPath (.SecretName | default "internal") .SecretPath) | squote }}
{{- end }}
{{- end -}}

{{- define "authelia.secret.path.reset_password.jwt" -}}
{{- .Values.configMap.identity_validation.reset_password.secret.path | default "identity_validation.reset_password.jwt.hmac.key" }}
{{- end -}}

{{- define "authelia.secret.path.session.encryption_key" -}}
{{- .Values.configMap.session.encryption_key.path | default "session.encryption.key" }}
{{- end -}}

{{- define "authelia.secret.path.redis.password" -}}
{{- .Values.configMap.session.redis.password.path | default "session.redis.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.redis.sentinel.password" -}}
{{- .Values.configMap.session.redis.high_availability.password.path | default "session.redis.sentinel.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.ldap.password" -}}
{{- .Values.configMap.authentication_backend.ldap.password.path | default "authentication.ldap.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.smtp.password" -}}
{{- .Values.configMap.notifier.smtp.password.path | default "notifier.smtp.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.storage.encryption_key" -}}
{{- .Values.configMap.storage.encryption_key.path | default "storage.encryption.key" }}
{{- end -}}

{{- define "authelia.secret.path.postgres.password" -}}
{{- .Values.configMap.storage.postgres.password.path | default "storage.postgres.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.mysql.password" -}}
{{- .Values.configMap.storage.mysql.password.path | default "storage.mysql.password.txt" }}
{{- end -}}

{{- define "authelia.secret.path.duo" -}}
{{- .Values.configMap.duo_api.secret.path | default "duo.key" }}
{{- end -}}

{{- define "authelia.secret.path.oidc.hmac_key" -}}
{{- .Values.configMap.identity_providers.oidc.hmac_secret.path | default "identity_providers.oidc.hmac.key" }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/deployment.yaml:
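The hash-prefix helpers in `_hashes.tpl` above are easiest to check outside Helm. The Go program below is an added example and is not part of this chart or of Authelia: it embeds the two helpers verbatim, supplies stand-ins for the sprig `hasPrefix` function (prefix argument first, as in sprig) and Helm's `include`, and runs them against constructed sample values of the kind a file backend users database holds. `NewHashesTemplate`, `Classify`, `VetPasswords` and the sample entries are mine, and the hash bodies are dummy strings, not real digests.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// The two helpers from charts/authelia/templates/_hashes.tpl, copied verbatim.
// Under Helm they rely on sprig's hasPrefix and Helm's include; the shim below
// provides both so the helpers can be executed with Go's plain text/template.
const hashesTpl = `
{{- define "authelia.hashes.prefix.has" -}}
{{- if or (hasPrefix "$plaintext$" .) (hasPrefix "$base64$" .) }}
{{- true }}
{{- else if (include "authelia.hashes.prefix.has.np" .) }}
{{- true }}
{{- end }}
{{- end -}}

{{- define "authelia.hashes.prefix.has.np" -}}
{{- if or (hasPrefix "$argon2id$" .) (hasPrefix "$argon2i$" .) (hasPrefix "$argon2d$" .) }}
{{- true }}
{{- else if or (hasPrefix "$5$" .) (hasPrefix "$6$" .) }}
{{- true }}
{{- else if or (hasPrefix "$pbkdf2$" .) (hasPrefix "$pbkdf2-sha1$" .) (hasPrefix "$pbkdf2-sha224$" .) (hasPrefix "$pbkdf2-sha256$" .) (hasPrefix "$pbkdf2-sha384$" .) (hasPrefix "$pbkdf2-sha512$" .) }}
{{- true }}
{{- else if or (hasPrefix "$2$" .) (hasPrefix "$2a$" .) (hasPrefix "$2b$" .) (hasPrefix "$2x$" .) (hasPrefix "$2y$" .) (hasPrefix "$bcrypt-sha256$" .) }}
{{- true }}
{{- else if or (hasPrefix "$scrypt$" .) }}
{{- true }}
{{- end }}
{{- end -}}
`

// NewHashesTemplate parses the helpers with a minimal stand-in for the Helm/sprig
// functions they call. Note sprig's argument order: hasPrefix PREFIX STRING.
func NewHashesTemplate() (*template.Template, error) {
	var t *template.Template
	funcs := template.FuncMap{
		"hasPrefix": func(prefix, s string) bool { return strings.HasPrefix(s, prefix) },
		// Helm's include renders a named template to a string. The closure reads t,
		// which is assigned below before any execution can happen.
		"include": func(name string, data interface{}) (string, error) {
			var b strings.Builder
			err := t.ExecuteTemplate(&b, name, data)
			return b.String(), err
		},
	}
	var err error
	t, err = template.New("hashes").Funcs(funcs).Parse(hashesTpl)
	return t, err
}

// Classify runs the helpers exactly as the chart would and maps the result to "hash"
// (a real hash prefix), "plaintext" ($plaintext$/$base64$: recognised, but not a hash)
// or "unknown" (no recognised prefix at all). The .np helper is consulted first because
// the plain helper is truthy for plaintext variants as well.
func Classify(t *template.Template, value string) (string, error) {
	var b strings.Builder
	if err := t.ExecuteTemplate(&b, "authelia.hashes.prefix.has.np", value); err != nil {
		return "", err
	}
	if b.Len() > 0 {
		return "hash", nil
	}
	if err := t.ExecuteTemplate(&b, "authelia.hashes.prefix.has", value); err != nil {
		return "", err
	}
	if b.Len() > 0 {
		return "plaintext", nil
	}
	return "unknown", nil
}

// VetPasswords returns a reason for every user whose stored password the helpers do
// not recognise as a hash. Input is a map of username to the password field of an
// Authelia file backend users database entry.
func VetPasswords(t *template.Template, users map[string]string) (map[string]string, error) {
	problems := map[string]string{}
	for name, pw := range users {
		class, err := Classify(t, pw)
		if err != nil {
			return nil, err
		}
		switch class {
		case "plaintext":
			problems[name] = "stored with a plaintext/base64 prefix rather than a hash"
		case "unknown":
			problems[name] = "no recognised password hash prefix"
		}
	}
	return problems, nil
}

func main() {
	t, err := NewHashesTemplate()
	if err != nil {
		panic(err)
	}
	// Constructed sample entries: only the prefixes matter, the bodies are dummies.
	users := map[string]string{
		"alice": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$ZHVtbXloYXNo",
		"bob":   "$2b$12$ZHVtbXlzYWx0ZHVtbXloYXNoZHVtbXloYXNoZHVtbXloYXNo",
		"carol": "$plaintext$hunter2",
		"dave":  "hunter2",
	}
	problems, err := VetPasswords(t, users)
	if err != nil {
		panic(err)
	}
	for name, why := range problems {
		fmt.Printf("%s: %s\n", name, why)
	}
}
```

The harness makes the chart's distinction explicit: `authelia.hashes.prefix.has` is truthy for `$plaintext$` and `$base64$` values too, so a validation that only calls that helper would wave through plaintext passwords; anything that must reject them has to call the `.np` variant, which is why `Classify` checks it first. Keeping the template text verbatim means the test breaks as soon as the prefix list in `_hashes.tpl` drifts from the copy here.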
--------------------------------------------------------------------------------
{{- $kind := (include "authelia.pod.kind" .) }}
---
apiVersion: {{ include "capabilities.apiVersion.kind" (merge (dict "Kind" $kind) .) }}
kind: {{ $kind }}
metadata:
  name: {{ include "authelia.name" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.pod.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.pod.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  selector:
    matchLabels: {{ include "authelia.matchLabels" . | nindent 6 }}
  revisionHistoryLimit: {{ default 5 .Values.pod.revisionHistoryLimit }}
  {{- if or (eq "StatefulSet" $kind) (eq "Deployment" $kind) }}
  replicas: {{ include "authelia.replicas" . }}
  {{- end }}
  {{- if or (eq "Deployment" $kind) (eq "DaemonSet" $kind) }}
  minReadySeconds: {{ default 0 .Values.pod.minReadySeconds }}
  {{- end }}
  {{- if (eq "Deployment" $kind)}}
  {{- $type := include "authelia.deploymentStrategy" . }}
  strategy:
    type: {{ $type }}
    {{- if eq "RollingUpdate" $type }}
    rollingUpdate: {{ (include "authelia.rollingUpdate" .) | nindent 6 }}
    {{- end }}
  {{- end }}
  {{- if (or (eq "DaemonSet" $kind) (eq "StatefulSet" $kind)) }}
  {{- $type := include "authelia.deploymentStrategy" . }}
  updateStrategy:
    type: {{ $type }}
    {{- if eq "RollingUpdate" $type }}
    rollingUpdate: {{ (include "authelia.rollingUpdate" .) | nindent 6 }}
    {{- end }}
  {{- end }}
  {{- if eq "StatefulSet" $kind }}
  podManagementPolicy: {{ include "authelia.podManagementPolicy" . }}
  serviceName: {{ default (include "authelia.name" .) .Values.pod.serviceName }}
  {{- end }}
  template:
    metadata:
      labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.pod.labels) .) | nindent 8 }}
      annotations:
        {{- if (include "authelia.generate.configMap" .) }}
        authelia.com/checksum-config: {{ include (print $.Template.BasePath "/configMap.yaml") . | sha256sum }}
        {{- end }}
        {{- if (include "authelia.generate.acl.secret" .) }}
        authelia.com/checksum-acl: {{ include (print $.Template.BasePath "/secretACL.yaml") . | sha256sum }}
        {{- end }}
        {{- if and (include "authelia.enabled.secret" .) (not .Values.secret.excludeVolumeAndMounts) }}
        authelia.com/checksum-secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
        {{- end }}
        {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.pod.annotations) .) }}
        {{- $annotations | nindent 8 }}
        {{- end }}
    spec:
      {{- with $tolerations := .Values.pod.tolerations }}
      tolerations: {{ toYaml $tolerations | nindent 8 }}
      {{- end }}
      hostNetwork: false
      hostPID: false
      hostIPC: false
      {{- if (include "authelia.pod.priorityClassName.enabled" .) }}
      priorityClassName: {{ .Values.pod.priorityClassName }}
      {{- end }}
      {{- with $nodeName := .Values.pod.selectors.nodeName }}
      nodeName: {{ $nodeName }}
      {{- end }}
      {{- with $selector := .Values.pod.selectors.nodeSelector }}
      nodeSelector: {{ toYaml $selector | nindent 8 }}
      {{- end }}
      {{- with $affinity := .Values.pod.selectors.affinity }}
      affinity: {{ toYaml $affinity | nindent 8 }}
      {{- end }}
      {{- with $context := .Values.pod.securityContext.pod }}
      securityContext: {{ toYaml $context | nindent 8 }}
      {{- end }}
      {{- if .Values.rbac.enabled }}
      serviceAccountName: {{ default (include "authelia.name" .) .Values.rbac.serviceAccountName }}
      {{- end }}
      enableServiceLinks: {{ .Values.pod.enableServiceLinks | default false }}
      {{- if .Values.pod.initContainers }}
      initContainers: {{- include "authelia.snippets.render" (dict "value" .Values.pod.initContainers "context" $) | nindent 8 }}
      {{- end }}
      containers:
        - name: authelia
          image: {{ include "authelia.image" . }}
          imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }}
          {{- $command := list "authelia" }}
          {{- if .Values.pod.command }}
          {{- if kindIs "slice" .Values.pod.command }}{{ $command = .Values.pod.command }}
          {{- else if kindIs "string" .Values.pod.command }}{{ $command = list .Values.pod.command }}
          {{- end }}
          {{- end }}
          command:
            {{- range $command }}
            - {{ . | squote }}
            {{- end }}
          {{- $args := list }}
          {{- if .Values.pod.args }}
          {{- if kindIs "slice" .Values.pod.args }}{{ $args = .Values.pod.args }}
          {{- else if kindIs "string" .Values.pod.args }}{{ $args = list .Values.pod.args }}
          {{- end }}
          {{- end }}
          {{- if not (eq 0 (len $args)) }}
          args:
            {{- range $args }}
            - {{ .
| squote }} 112 | {{- end }} 113 | {{- end }} 114 | {{- with $resources :=.Values.pod.resources }} 115 | resources: {{ toYaml $resources | nindent 10 }} 116 | {{- end }} 117 | env: 118 | - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK 119 | value: "true" 120 | {{- if not .Values.secret.disabled }} 121 | {{- with $secret := .Values.configMap.identity_validation.reset_password.secret }} 122 | {{- if and (not $secret.disabled) }} 123 | - name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE 124 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.reset_password.jwt" $)) $) }} 125 | {{- end }} 126 | {{- end }} 127 | {{- with $secret := .Values.configMap.session.encryption_key }} 128 | {{- if and (not $secret.disabled) }} 129 | - name: AUTHELIA_SESSION_SECRET_FILE 130 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.session.encryption_key" $)) $) }} 131 | {{- end }} 132 | {{- end }} 133 | {{- if $.Values.configMap.session.redis }} 134 | {{- with $secret := .Values.configMap.session.redis.password }} 135 | {{- if and (not $secret.disabled) $.Values.configMap.session.redis.enabled }} 136 | - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE 137 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.redis.password" $)) $) }} 138 | {{- end }} 139 | {{- end }} 140 | {{- with $secret := .Values.configMap.session.redis.high_availability.password }} 141 | {{- if and (not $secret.disabled) $.Values.configMap.session.redis.high_availability.enabled }} 142 | - name: AUTHELIA_SESSION_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE 143 | value: {{ include 
"authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.redis.sentinel.password" $)) $) }} 144 | {{- end }} 145 | {{- end }} 146 | {{- end }} 147 | {{- if $.Values.configMap.authentication_backend.ldap }} 148 | {{- with $secret := .Values.configMap.authentication_backend.ldap.password }} 149 | {{- if and (not $secret.disabled) $.Values.configMap.authentication_backend.ldap.enabled }} 150 | - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE 151 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.ldap.password" $)) $) }} 152 | {{- end }} 153 | {{- end }} 154 | {{- end }} 155 | {{- if $.Values.configMap.notifier.smtp }} 156 | {{- with $secret := .Values.configMap.notifier.smtp.password }} 157 | {{- if and (not $secret.disabled) $.Values.configMap.notifier.smtp.enabled }} 158 | - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE 159 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.smtp.password" $)) $) }} 160 | {{- end }} 161 | {{- end }} 162 | {{- end }} 163 | {{- with $secret := .Values.configMap.storage.encryption_key }} 164 | {{- if and (not $secret.disabled) }} 165 | - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE 166 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.storage.encryption_key" $)) $) }} 167 | {{- end }} 168 | {{- end }} 169 | {{- if $.Values.configMap.storage.postgres }} 170 | {{- with $secret := .Values.configMap.storage.postgres.password }} 171 | {{- if and (not $secret.disabled) $.Values.configMap.storage.postgres.enabled }} 172 | 
- name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE 173 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.postgres.password" $)) $) }} 174 | {{- end }} 175 | {{- end }} 176 | {{- end }} 177 | {{- if $.Values.configMap.storage.mysql }} 178 | {{- with $secret := .Values.configMap.storage.mysql.password }} 179 | {{- if and (not $secret.disabled) $.Values.configMap.storage.mysql.enabled }} 180 | - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE 181 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.mysql.password" $)) $) }} 182 | {{- end }} 183 | {{- end }} 184 | {{- end }} 185 | {{- if $.Values.configMap.duo_api }} 186 | {{- with $secret := .Values.configMap.duo_api.secret }} 187 | {{- if and (not $secret.disabled) $.Values.configMap.duo_api.enabled }} 188 | - name: AUTHELIA_DUO_API_SECRET_KEY_FILE 189 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.duo" $)) $) }} 190 | {{- end }} 191 | {{- end }} 192 | {{- end }} 193 | {{- if $.Values.configMap.identity_providers.oidc }} 194 | {{- with $secret := .Values.configMap.identity_providers.oidc.hmac_secret }} 195 | {{- if and (not $secret.disabled) $.Values.configMap.identity_providers.oidc.enabled }} 196 | - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE 197 | value: {{ include "authelia.secret.env.path" (merge (dict "MountPath" (include "authelia.secret.mountPath" $) "SecretName" $secret.secret_name "SecretPath" (include "authelia.secret.path.oidc.hmac_key" $)) $) }} 198 | {{- end }} 199 | {{- end }} 200 | {{- end }} 201 | {{- end }} 202 | - name: X_AUTHELIA_CONFIG 203 | value: {{ (include 
"authelia.config.paths" .) | squote }} 204 | {{- if not .Values.configMap.filters.disabled }} 205 | - name: X_AUTHELIA_CONFIG_FILTERS 206 | value: template 207 | {{- end }} 208 | {{- with $env := .Values.pod.env }}{{ toYaml $env | nindent 8 }}{{- end }} 209 | {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "startup" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.startup) .) }} 210 | {{- $probe | nindent 8 }} 211 | {{- end }} 212 | {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "liveness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.liveness) .) }} 213 | {{- $probe | nindent 8 }} 214 | {{- end }} 215 | {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "readiness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.readiness) .) }} 216 | {{- $probe | nindent 8 }} 217 | {{- end }} 218 | ports: 219 | - name: http 220 | containerPort: {{ .Values.configMap.port | default 9091 }} 221 | protocol: TCP 222 | {{- if .Values.configMap.telemetry.metrics.enabled }} 223 | - name: metrics 224 | containerPort: {{ .Values.configMap.telemetry.metrics.port | default 9959 }} 225 | protocol: TCP 226 | {{- end }} 227 | volumeMounts: 228 | {{- if (include "authelia.enabled.persistentVolumeClaim" .) 
}} 229 | - mountPath: /config 230 | name: authelia 231 | readOnly: {{ .Values.persistence.readOnly }} 232 | {{- with $subPath := .Values.persistence.subPath }} 233 | subPath: {{ $subPath }} 234 | {{- end }} 235 | {{- with $subPathExpr := .Values.persistence.subPathExpr }} 236 | subPathExpr: {{ $subPathExpr }} 237 | {{- end }} 238 | {{- with $mountPropagation := .Values.persistence.mountPropagation }} 239 | mountPropagation: {{ $mountPropagation }} 240 | {{- end }} 241 | {{- else if and (eq (len .Values.pod.extraVolumes) 0) (eq (len .Values.pod.extraVolumeMounts) 0) }} 242 | - mountPath: /config 243 | name: authelia 244 | readOnly: false 245 | {{- end }} 246 | {{- if (include "authelia.enabled.configMap" .) }} 247 | - mountPath: /configuration.yaml 248 | name: config 249 | readOnly: true 250 | subPath: configuration.yaml 251 | {{- end }} 252 | {{- if (include "authelia.mount.acl.secret" .) }} 253 | - mountPath: /configuration.acl.yaml 254 | name: config-acl 255 | readOnly: true 256 | subPath: configuration.acl.yaml 257 | {{- end }} 258 | {{- if (not .Values.secret.disabled) }} 259 | - mountPath: {{ printf "%s/internal" (include "authelia.secret.mountPath" .) }} 260 | name: secrets 261 | readOnly: true 262 | {{- end }} 263 | {{- range $key, $secret := .Values.secret.additionalSecrets }} 264 | - mountPath: {{ printf "%s/%s" (include "authelia.secret.mountPath" $) $key }} 265 | name: {{ printf "secret-%s" $key }} 266 | readOnly: true 267 | {{- end }} 268 | {{- if (include "authelia.enabled.certificatesSecret" .) 
}} 269 | - mountPath: /certificates 270 | name: certificates 271 | readOnly: true 272 | {{- end }} 273 | {{- with $mounts := .Values.pod.extraVolumeMounts }} 274 | {{- toYaml $mounts | nindent 8 }} 275 | {{- end }} 276 | {{- with $context := .Values.pod.securityContext.container }} 277 | securityContext: {{ toYaml $context | nindent 10 }} 278 | {{- end }} 279 | {{- with $pullSecrets := .Values.image.pullSecrets }} 280 | imagePullSecrets: {{- range $k, $secretName := $pullSecrets }} 281 | - name: {{ $secretName }} 282 | {{- end }} 283 | {{- end }} 284 | volumes: 285 | {{- if (include "authelia.enabled.persistentVolumeClaim" .) }} 286 | - name: authelia 287 | persistentVolumeClaim: 288 | claimName: {{ default (include "authelia.name" .) .Values.persistence.existingClaim }} 289 | {{- else if and (eq (len .Values.pod.extraVolumes) 0) (eq (len .Values.pod.extraVolumeMounts) 0) }} 290 | - name: authelia 291 | emptyDir: 292 | sizeLimit: 100Mi 293 | {{- end }} 294 | {{- if (include "authelia.enabled.configMap" .) }} 295 | - name: config 296 | configMap: 297 | name: {{ default (include "authelia.name" .) .Values.configMap.existingConfigMap }} 298 | items: 299 | - key: {{ default "configuration.yaml" .Values.configMap.key }} 300 | path: configuration.yaml 301 | {{- end }} 302 | {{- if (include "authelia.mount.acl.secret" .) }} 303 | - name: config-acl 304 | secret: 305 | secretName: {{ include "authelia.name.acl.secret" . }} 306 | items: 307 | - key: {{ default "configuration.acl.yaml" .Values.configMap.access_control.secret.key }} 308 | path: configuration.acl.yaml 309 | {{- end }} 310 | {{- if (not .Values.secret.disabled) }} 311 | - name: secrets 312 | secret: 313 | secretName: {{ default (include "authelia.name" .) 
.Values.secret.existingSecret }} 314 | items: 315 | {{- with $secret := .Values.configMap.identity_validation.reset_password.secret }} 316 | {{- if and (not $secret.disabled) (not $secret.secret_name) }} 317 | - key: {{ include "authelia.secret.path.reset_password.jwt" $ }} 318 | path: {{ include "authelia.secret.path.reset_password.jwt" $ }} 319 | {{- end }} 320 | {{- end }} 321 | {{- with $secret := .Values.configMap.session.encryption_key }} 322 | {{- if and (not $secret.disabled) (not $secret.secret_name) }} 323 | - key: {{ include "authelia.secret.path.session.encryption_key" $ }} 324 | path: {{ include "authelia.secret.path.session.encryption_key" $ }} 325 | {{- end }} 326 | {{- end }} 327 | {{- with $secret := .Values.configMap.session.redis.password }} 328 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.session.redis.enabled }} 329 | - key: {{ include "authelia.secret.path.redis.password" $ }} 330 | path: {{ include "authelia.secret.path.redis.password" $ }} 331 | {{- end }} 332 | {{- end }} 333 | {{- with $secret := .Values.configMap.session.redis.high_availability.password }} 334 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.session.redis.high_availability.enabled }} 335 | - key: {{ include "authelia.secret.path.redis.sentinel.password" $ }} 336 | path: {{ include "authelia.secret.path.redis.sentinel.password" $ }} 337 | {{- end }} 338 | {{- end }} 339 | {{- with $secret := .Values.configMap.authentication_backend.ldap.password }} 340 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.authentication_backend.ldap.enabled }} 341 | - key: {{ include "authelia.secret.path.ldap.password" $ }} 342 | path: {{ include "authelia.secret.path.ldap.password" $ }} 343 | {{- end }} 344 | {{- end }} 345 | {{- with $secret := .Values.configMap.notifier.smtp.password }} 346 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.notifier.smtp.enabled 
}} 347 | - key: {{ include "authelia.secret.path.smtp.password" $ }} 348 | path: {{ include "authelia.secret.path.smtp.password" $ }} 349 | {{- end }} 350 | {{- end }} 351 | {{- with $secret := .Values.configMap.storage.encryption_key }} 352 | {{- if and (not $secret.disabled) (not $secret.secret_name) }} 353 | - key: {{ include "authelia.secret.path.storage.encryption_key" $ }} 354 | path: {{ include "authelia.secret.path.storage.encryption_key" $ }} 355 | {{- end }} 356 | {{- end }} 357 | {{- with $secret := .Values.configMap.storage.postgres.password }} 358 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.storage.postgres.enabled }} 359 | - key: {{ include "authelia.secret.path.postgres.password" $ }} 360 | path: {{ include "authelia.secret.path.postgres.password" $ }} 361 | {{- end }} 362 | {{- end }} 363 | {{- with $secret := .Values.configMap.storage.mysql.password }} 364 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.storage.mysql.enabled }} 365 | - key: {{ include "authelia.secret.path.mysql.password" $ }} 366 | path: {{ include "authelia.secret.path.mysql.password" $ }} 367 | {{- end }} 368 | {{- end }} 369 | {{- with $secret := .Values.configMap.duo_api.secret }} 370 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.duo_api.enabled }} 371 | - key: {{ include "authelia.secret.path.duo" $ }} 372 | path: {{ include "authelia.secret.path.duo" $ }} 373 | {{- end }} 374 | {{- end }} 375 | {{- with $secret := .Values.configMap.identity_providers.oidc.hmac_secret }} 376 | {{- if and (not $secret.disabled) (not $secret.secret_name) $.Values.configMap.identity_providers.oidc.enabled }} 377 | - key: {{ include "authelia.secret.path.oidc.hmac_key" $ }} 378 | path: {{ include "authelia.secret.path.oidc.hmac_key" $ }} 379 | {{- end }} 380 | {{- end }} 381 | {{- end }} 382 | {{- range $key, $secret := .Values.secret.additionalSecrets }} 383 | - name: {{ printf "secret-%s" 
$key }} 384 | secret: 385 | secretName: {{ $key }} 386 | {{- with $items := $secret.items }} 387 | items: 388 | {{- range $items }} 389 | - key: {{ .key | default .path }} 390 | path: {{ .path | default .key }} 391 | {{- end }} 392 | {{- end }} 393 | {{- end }} 394 | {{- if (include "authelia.enabled.certificatesSecret" .) }} 395 | - name: certificates 396 | secret: 397 | secretName: {{ include "authelia.names.certificatesSecret" . }} 398 | {{- end }} 399 | {{- with .Values.pod.extraVolumes }} 400 | {{- toYaml . | nindent 6 }} 401 | {{- end }} 402 | -------------------------------------------------------------------------------- /charts/authelia/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if (include "authelia.enabled.ingress.ingress" .) }} 2 | {{- $ver := (include "capabilities.apiVersion.ingress" $) }} 3 | --- 4 | apiVersion: {{ $ver }} 5 | kind: Ingress 6 | metadata: 7 | name: {{ include "authelia.name" . }} 8 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.ingress.labels) .) | nindent 4 }} 9 | {{- with $annotations := (include "authelia.ingress.annotations" .) 
}} 10 | annotations: {{ $annotations | nindent 4 }} 11 | {{- end }} 12 | spec: 13 | {{- if eq $ver "networking.k8s.io/v1" }} 14 | {{- with $className := .Values.ingress.className }} 15 | ingressClassName: {{ $className }} 16 | {{- end }} 17 | {{- end }} 18 | rules: 19 | {{- if .Values.ingress.rulesOverride }} 20 | {{- range $rule := .Values.ingress.rulesOverride }} 21 | - host: {{ $rule.host | squote }} 22 | http: 23 | paths: 24 | - path: {{ $rule.path | default "/" | squote }} 25 | {{- if eq $ver "networking.k8s.io/v1" }} 26 | pathType: Prefix 27 | {{- end }} 28 | backend: 29 | {{- if eq $ver "networking.k8s.io/v1" }} 30 | service: 31 | name: {{ include "authelia.name" $ }} 32 | port: 33 | number: {{ include "authelia.service.port" $ }} 34 | {{- else }} 35 | serviceName: {{ include "authelia.name" $ }} 36 | servicePort: {{ include "authelia.service.port" $ }} 37 | {{- end }} 38 | {{- end }} 39 | {{- else }} 40 | {{- range $cookie := .Values.configMap.session.cookies }} 41 | - host: {{ (include "authelia.ingress.host" (merge (dict "SubDomain" $cookie.subdomain "Domain" $cookie.domain) $)) | squote }} 42 | http: 43 | paths: 44 | - path: {{ (include "authelia.path" $) }} 45 | {{- if eq $ver "networking.k8s.io/v1" }} 46 | pathType: Prefix 47 | {{- end }} 48 | backend: 49 | {{- if eq $ver "networking.k8s.io/v1" }} 50 | service: 51 | name: {{ include "authelia.name" $ }} 52 | port: 53 | number: {{ include "authelia.service.port" $ }} 54 | {{- else }} 55 | serviceName: {{ include "authelia.name" $ }} 56 | servicePort: {{ include "authelia.service.port" $ }} 57 | {{- end }} 58 | {{- end }} 59 | {{- end }} 60 | {{- if .Values.ingress.tls.enabled }} 61 | tls: 62 | - hosts: 63 | {{- if .Values.ingress.rulesOverride }} 64 | {{- range $rule := .Values.ingress.rulesOverride }} 65 | - {{ $rule.host | squote }} 66 | {{- end }} 67 | {{- else }} 68 | {{- range $cookie := .Values.configMap.session.cookies }} 69 | - {{ (include "authelia.ingress.host" (merge (dict "SubDomain" 
$cookie.subdomain "Domain" $cookie.domain) $)) | squote }} 70 | {{- end }} 71 | {{- end }} 72 | secretName: {{ default "authelia-tls" .Values.ingress.tls.secret }} 73 | {{- end }} 74 | {{- end -}} 75 | -------------------------------------------------------------------------------- /charts/authelia/templates/networkPolicy.yaml: -------------------------------------------------------------------------------- 1 | {{ if (include "authelia.enabled.networkPolicy" .) -}} 2 | --- 3 | apiVersion: {{ include "capabilities.apiVersion.networkPolicy" . }} 4 | kind: NetworkPolicy 5 | metadata: 6 | name: {{ include "authelia.name" . }} 7 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.networkPolicy.labels) .) | nindent 4 }} 8 | {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.networkPolicy.annotations) .) }} 9 | annotations: {{ $annotations | nindent 4 }} 10 | {{- end }} 11 | spec: 12 | podSelector: 13 | matchLabels: {{- include "authelia.matchLabels" . | nindent 6 }} 14 | policyTypes: 15 | {{- range .Values.networkPolicy.policyTypes }} 16 | - {{ . }} 17 | {{- end }} 18 | {{- with $ingress := .Values.networkPolicy.ingress }} 19 | ingress: {{ toYaml $ingress | nindent 4 }} 20 | {{- end }} 21 | {{- with $egress := .Values.networkPolicy.egress }} 22 | egress: {{- toYaml $egress | nindent 4 }} 23 | {{- end }} 24 | {{- end -}} -------------------------------------------------------------------------------- /charts/authelia/templates/persistentVolumeClaim.yaml: -------------------------------------------------------------------------------- 1 | {{- if include "authelia.generate.persistentVolumeClaim" . }} 2 | --- 3 | apiVersion: v1 4 | kind: PersistentVolumeClaim 5 | metadata: 6 | name: {{ include "authelia.name" . }} 7 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.persistence.labels) .) 
| nindent 4 }} 8 | {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.persistence.annotations) .) }} 9 | annotations: {{ $annotations | nindent 4 }} 10 | {{- end }} 11 | spec: 12 | accessModes: 13 | {{- range (.Values.persistence.accessModes | default (list "ReadWriteOnce")) }} 14 | - {{ . }} 15 | {{- end }} 16 | {{- with $storageClass := .Values.persistence.storageClass }} 17 | storageClassName: {{ $storageClass }} 18 | {{- end }} 19 | resources: 20 | requests: 21 | storage: {{ default "100Mi" .Values.persistence.size }} 22 | {{- if .Values.persistence.selector }} 23 | selector: 24 | {{- if .Values.persistence.selector.matchLabels }} 25 | matchLabels: 26 | {{- range $key, $value := .Values.persistence.selector.matchLabels }} 27 | {{ $key}}: {{ $value | squote }} 28 | {{- end }} 29 | {{- end }} 30 | {{- if .Values.persistence.selector.matchExpressions }} 31 | matchExpressions: 32 | {{- range $expression := .Values.persistence.selector.matchExpressions }} 33 | - key: {{ $expression.key }} 34 | operator: {{ $expression.operator }} 35 | {{- if $expression.values }} 36 | values: 37 | {{- range $expression.values }} 38 | - {{ . }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | {{- end }} 43 | {{- end }} 44 | {{- if .Values.persistence.volumeName }} 45 | volumeName: "{{ .Values.persistence.volumeName }}" 46 | {{- end -}} 47 | {{- end }} 48 | -------------------------------------------------------------------------------- /charts/authelia/templates/podDisruptionBudget.yaml: -------------------------------------------------------------------------------- 1 | {{- if (include "authelia.enabled.podDisruptionBudget" .) }} 2 | --- 3 | apiVersion: {{ include "capabilities.apiVersion.podDisruptionBudget" . }} 4 | kind: PodDisruptionBudget 5 | metadata: 6 | name: {{ include "authelia.name" . }} 7 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.podDisruptionBudget.labels) .) 
| nindent 4 }} 8 | {{- with $annotations := include "authelia.annotations" (merge (dict "Labels" .Values.podDisruptionBudget.annotations) .) }} 9 | annotations: {{ $annotations | nindent 4 }} 10 | {{- end }} 11 | spec: 12 | {{- if .Values.podDisruptionBudget.minAvailable }} 13 | minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} 14 | {{- else if .Values.podDisruptionBudget.maxUnavailable }} 15 | maxUnavailable: {{ .Values.podDisruptionBudget.minAvailable }} 16 | {{- else }} 17 | minAvailable: 1 18 | {{- end }} 19 | selector: 20 | matchLabels: {{- include "authelia.matchLabels" . | nindent 6 }} 21 | {{- end -}} -------------------------------------------------------------------------------- /charts/authelia/templates/rbac/serviceAccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.enabled }} 2 | --- 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ default (include "authelia.name" .) .Values.rbac.serviceAccountName }} 7 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.rbac.labels) .) | nindent 4 }} 8 | {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.rbac.annotations) .) }} 9 | annotations: {{ $annotations | nindent 4 }} 10 | {{- end }} 11 | namespace: {{ .Release.Namespace }} 12 | {{- end }} -------------------------------------------------------------------------------- /charts/authelia/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{ if (include "authelia.enabled.secret" .) -}} 2 | {{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "authelia.name" .)) | default dict -}} 3 | {{- $secretData := $secret.data | default dict -}} 4 | --- 5 | apiVersion: v1 6 | kind: Secret 7 | type: Opaque 8 | metadata: 9 | name: {{ include "authelia.name" . }} 10 | labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.secret.labels) .) 
| nindent 4 }} 11 | {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.secret.annotations) .) }} 12 | annotations: {{ $annotations | nindent 4 }} 13 | {{- end }} 14 | data: 15 | {{- if include "authelia.secret.generate" .Values.configMap.identity_validation.reset_password.secret }} 16 | {{ include "authelia.secret.path.reset_password.jwt" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.identity_validation.reset_password.secret) .) }} 17 | {{- end }} 18 | {{- if include "authelia.secret.generate" .Values.configMap.session.encryption_key }} 19 | {{ include "authelia.secret.path.session.encryption_key" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.session.encryption_key) .) }} 20 | {{- end }} 21 | {{- if and (include "authelia.secret.generate" .Values.configMap.session.redis.password) .Values.configMap.session.redis.enabled }} 22 | {{ include "authelia.secret.path.redis.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.session.redis.password) .) }} 23 | {{- end }} 24 | {{- if and (include "authelia.secret.generate" .Values.configMap.session.redis.high_availability.password) .Values.configMap.session.redis.high_availability.enabled }} 25 | {{ include "authelia.secret.path.redis.sentinel.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.session.redis.high_availability.password) .) }} 26 | {{- end }} 27 | {{- if and (include "authelia.secret.generate" .Values.configMap.authentication_backend.ldap.password) .Values.configMap.authentication_backend.ldap.enabled }} 28 | {{ include "authelia.secret.path.ldap.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.authentication_backend.ldap.password) .) 
}}
{{- end }}
{{- if and (include "authelia.secret.generate" .Values.configMap.notifier.smtp.password) .Values.configMap.notifier.smtp.enabled }}
  {{ include "authelia.secret.path.smtp.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.notifier.smtp.password) .) }}
{{- end }}
{{- if include "authelia.secret.generate" .Values.configMap.storage.encryption_key }}
  {{ include "authelia.secret.path.storage.encryption_key" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.storage.encryption_key) .) }}
{{- end }}
{{- if and (include "authelia.secret.generate" .Values.configMap.storage.postgres.password) .Values.configMap.storage.postgres.enabled }}
  {{ include "authelia.secret.path.postgres.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.storage.postgres.password) .) }}
{{- end }}
{{- if and (include "authelia.secret.generate" .Values.configMap.storage.mysql.password) .Values.configMap.storage.mysql.enabled }}
  {{ include "authelia.secret.path.mysql.password" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.storage.mysql.password) .) }}
{{- end }}
{{- if and (include "authelia.secret.generate" .Values.configMap.duo_api.secret) .Values.configMap.duo_api.enabled }}
  {{ include "authelia.secret.path.duo" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.duo_api.secret) .) }}
{{- end }}
{{- if and (include "authelia.secret.generate" .Values.configMap.identity_providers.oidc.hmac_secret) .Values.configMap.identity_providers.oidc.enabled }}
  {{ include "authelia.secret.path.oidc.hmac_key" . }}: {{ include "authelia.secret.value.standard" (merge (dict "Lookup" $secretData "Secret" .Values.configMap.identity_providers.oidc.hmac_secret) .) }}
{{- end }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/secretACL.yaml:
--------------------------------------------------------------------------------
{{- if (include "authelia.generate.acl.secret" .) }}
---
{{- $yaml := tpl (.Files.Get "files/configuration.acl.yaml") . | trim }}
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: {{ include "authelia.name.acl.secret" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.secret.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.secret.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
data:
  {{ default "configuration.acl.yaml" .Values.configMap.access_control.secret.key }}: {{ (include "authelia.wrapYAML" $yaml) | b64enc }}
{{- end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/secretCertificates.yaml:
--------------------------------------------------------------------------------
{{ if (include "authelia.generate.certificatesSecret" .) -}}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: {{ include "authelia.names.certificatesSecret" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.certificates.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.certificates.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
data:
{{- range $key, $value := .Values.certificates.values }}
{{- if $value.name }}
{{- if $value.secretValue }}
{{ $value.name | indent 2 }}: {{ $value.secretValue }}
{{- else }}
{{ $value.name | indent 2 }}: {{ $value.value | b64enc }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/service.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "authelia.name" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.service.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.service.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  type: {{ .Values.service.type }}
  {{- with $ip := .Values.service.clusterIP }}
  clusterIP: {{ $ip }}
  {{- end }}
  {{- with $ips := .Values.service.externalIPs }}
  externalIPs:
  {{- range $ips }}
  - {{ . }}
  {{- end }}
  {{- end }}
  sessionAffinity: {{ default "None" .Values.service.sessionAffinity }}
  selector: {{- include "authelia.matchLabels" . | nindent 4 }}
  ports:
  - name: http
    protocol: TCP
    port: {{ include "authelia.service.port" . }}
    targetPort: http
    {{- if eq .Values.service.type "NodePort" }}
    nodePort: {{ .Values.service.nodePort }}
    {{- end }}
  {{- if and (semverCompare ">=4.36.0" (include "authelia.version" .)) .Values.configMap.telemetry.metrics.enabled }}
  - name: metrics
    protocol: TCP
    port: {{ .Values.configMap.telemetry.metrics.port | default 9959 }}
    targetPort: metrics
  {{- end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/serviceMonitor.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.configMap.telemetry.metrics.enabled .Values.configMap.telemetry.metrics.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ include "authelia.name" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.configMap.telemetry.metrics.serviceMonitor.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.configMap.telemetry.metrics.serviceMonitor.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  endpoints:
  - path: /metrics
    port: metrics
  namespaceSelector:
    matchNames:
    - {{ .Release.Namespace }}
  selector:
    matchLabels: {{ include "authelia.labels" (merge (dict "Labels" .Values.service.labels) .) | nindent 6 }}
...
{{- end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/traefikCRD/ingressRoute.yaml:
--------------------------------------------------------------------------------
{{ if (include "authelia.enabled.ingress.ingressRoute" .) -}}
---
apiVersion: {{ include "capabilities.apiVersion.traefik.IngressRoute" . }}
kind: IngressRoute
metadata:
  name: {{ include "authelia.name" . }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.ingress.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.ingress.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  {{- with $entryPoints := default (list "http") .Values.ingress.traefikCRD.entryPoints }}
  entryPoints:
  {{- range $entryPoints }}
  - {{ . }}
  {{- end }}
  {{- end }}
  routes:
  {{- if .Values.ingress.rulesOverride }}
  {{- range $rule := .Values.ingress.rulesOverride }}
  - kind: Rule
    match: {{ printf "Host(`%s`) && PathPrefix(`%s`)" $rule.host ($rule.path | default "/") }}
    priority: {{ $.Values.ingress.traefikCRD.priority | default 10 }}
    middlewares:
    - name: {{ include "authelia.ingress.traefikCRD.middleware.chainIngress.name" $ }}
      namespace: {{ $.Release.Namespace }}
    services:
    - kind: Service
      name: {{ include "authelia.name" $ }}
      port: {{ include "authelia.service.port" $ }}
      namespace: {{ $.Release.Namespace }}
      passHostHeader: true
      strategy: {{ $.Values.ingress.traefikCRD.strategy | default "RoundRobin" }}
      scheme: {{ $.Values.ingress.traefikCRD.scheme | default "http" }}
      weight: {{ $.Values.ingress.traefikCRD.weight | default 10 }}
      responseForwarding:
        flushInterval: {{ $.Values.ingress.traefikCRD.responseForwardingFlushInterval | default "100ms" }}
      {{- if $.Values.ingress.traefikCRD.sticky }}
      sticky:
        cookie:
          httpOnly: true
          name: {{ $.Values.ingress.traefikCRD.stickyCookieNameOverride | default (printf "%s_traefik_lb" (include "authelia.name" $)) }}
          secure: true
          sameSite: None
      {{- end }}
  {{- end }}
  {{- else }}
  {{- range $cookie := .Values.configMap.session.cookies }}
  - kind: Rule
    match: {{ $.Values.ingress.traefikCRD.matchOverride | default (printf "Host(`%s`) && PathPrefix(`%s`)" (include "authelia.ingress.host" (merge (dict "SubDomain" $cookie.subdomain "Domain" $cookie.domain) $)) (include "authelia.path" $)) }}
    priority: {{ $.Values.ingress.traefikCRD.priority | default 10 }}
    middlewares:
    - name: {{ include "authelia.ingress.traefikCRD.middleware.chainIngress.name" $ }}
      namespace: {{ $.Release.Namespace }}
    services:
    - kind: Service
      name: {{ include "authelia.name" $ }}
      port: {{ include "authelia.service.port" $ }}
      namespace: {{ $.Release.Namespace }}
      passHostHeader: true
      strategy: {{ $.Values.ingress.traefikCRD.strategy | default "RoundRobin" }}
      scheme: {{ $.Values.ingress.traefikCRD.scheme | default "http" }}
      weight: {{ $.Values.ingress.traefikCRD.weight | default 10 }}
      responseForwarding:
        flushInterval: {{ $.Values.ingress.traefikCRD.responseForwardingFlushInterval | default "100ms" }}
      {{- if $.Values.ingress.traefikCRD.sticky }}
      sticky:
        cookie:
          httpOnly: true
          name: {{ $.Values.ingress.traefikCRD.stickyCookieNameOverride | default (printf "%s_traefik_lb" (include "authelia.name" $)) }}
          secure: true
          sameSite: None
      {{- end }}
  {{- end }}
  {{- end }}
  {{- if .Values.ingress.tls.enabled }}
  tls:
    {{- if .Values.ingress.traefikCRD.tls.certResolver }}
    certResolver: {{ .Values.ingress.traefikCRD.tls.certResolver }}
    domains:
    {{- if .Values.ingress.traefikCRD.tls.domainsOverride }}
    {{- range $domain := .Values.ingress.traefikCRD.tls.domainsOverride }}
    {{- if and $domain.main $domain.sans }}
    - main: {{ $domain.main }}
      sans:
      {{- range $domain.sans }}
      - {{ . }}
      {{- end }}
    {{- else if $domain.sans }}
    - sans:
      {{- range $domain.sans }}
      - {{ . }}
      {{- end }}
    {{- else }}
    - main: {{ $domain.main }}
    {{- end }}
    {{- end }}
    {{- else if .Values.ingress.rulesOverride }}
    {{- range $rule := .Values.ingress.rulesOverride }}
    - main: {{ $rule.host }}
    {{- end }}
    {{- else }}
    {{- range $cookie := .Values.configMap.session.cookies }}
    - main: {{ include "authelia.ingress.host" (merge (dict "SubDomain" $cookie.subdomain "Domain" $cookie.domain) $) }}
    {{- end }}
    {{- end }}
    {{- else }}
    secretName: {{ .Values.ingress.tls.secret | default (printf "%s-traefik-tls" (include "authelia.name" .)) }}
    {{- end }}
    {{- if not .Values.ingress.traefikCRD.tls.disableTLSOptions }}
    options:
      {{- $name := $.Values.ingress.traefikCRD.tls.options.nameOverride | default (include "authelia.name" $) }}{{ $namespace := "" }}
      {{- if (include "authelia.existing.ingress.traefik.tlsOption" $) }}
      {{- $name = $.Values.ingress.traefikCRD.tls.existingOptions.name }}
      {{- if $.Values.ingress.traefikCRD.tls.existingOptions.namespace }}{{ $namespace = $.Values.ingress.traefikCRD.tls.existingOptions.namespace }}{{ end }}
      {{- else }}{{ $namespace = $.Release.Namespace }}{{ end }}
      name: {{ $name }}
      {{- if $namespace }}
      namespace: {{ $namespace }}
      {{- end }}
    {{- end }}
  {{- end }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/traefikCRD/middlewares.yaml:
--------------------------------------------------------------------------------
{{ if (include "authelia.enabled.ingress.traefik" .) -}}
{{- range $name, $endpoint := (include "authelia.authz" .) | fromJson }}
{{- if eq $endpoint.implementation "ForwardAuth" }}
---
apiVersion: {{ include "capabilities.apiVersion.traefik.Middleware" $ }}
kind: Middleware
metadata:
  name: {{ include "authelia.ingress.traefikCRD.middleware.forwardAuth.name" (merge (dict "Name" $name) $) }}
  labels: {{ include "authelia.labels" $ | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" $ }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  forwardAuth:
    address: {{ (include "authelia.ingress.traefikCRD.middleware.forwardAuth.address" (merge (dict "Name" $name) $)) | squote }}
    trustForwardHeader: true
    {{- with $.Values.ingress.traefikCRD.middlewares.auth.authResponseHeaders }}
    authResponseHeaders:
    {{- range . }}
    - {{ . | squote }}
    {{- end }}
    {{- end }}
---
apiVersion: {{ include "capabilities.apiVersion.traefik.Middleware" $ }}
kind: Middleware
metadata:
  name: {{ include "authelia.ingress.traefikCRD.middleware.chainAuth.name" (merge (dict "Name" $name) $) }}
  labels: {{ include "authelia.labels" $ | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" $ }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  chain:
    middlewares:
    {{- range $middleware := $.Values.ingress.traefikCRD.middlewares.chains.auth.before }}
    - name: {{ $middleware.name }}
      {{- if $middleware.namespace }}
      namespace: {{ $middleware.namespace }}
      {{- end }}
    {{- end }}
    - name: {{ include "authelia.ingress.traefikCRD.middleware.forwardAuth.name" (merge (dict "Name" $name) $) }}
      namespace: {{ $.Release.Namespace }}
    {{- range $middleware := $.Values.ingress.traefikCRD.middlewares.chains.auth.after }}
    - name: {{ $middleware.name }}
      {{- if $middleware.namespace }}
      namespace: {{ $middleware.namespace }}
      {{- end }}
    {{- end }}
{{- end }}
{{- end }}
---
apiVersion: {{ include "capabilities.apiVersion.traefik.Middleware" . }}
kind: Middleware
metadata:
  name: {{ printf "headers-%s" (include "authelia.name" .) }}
  labels: {{ include "authelia.labels" . | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" . }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  headers:
    browserXssFilter: true
    customFrameOptionsValue: "SAMEORIGIN"
    customResponseHeaders:
      Cache-Control: "no-store"
      Pragma: "no-cache"
---
apiVersion: {{ include "capabilities.apiVersion.traefik.Middleware" . }}
kind: Middleware
metadata:
  name: {{ include "authelia.ingress.traefikCRD.middleware.chainIngress.name" . }}
  labels:
    {{- include "authelia.labels" . | nindent 4 }}
  {{- with $annotations := (include "authelia.annotations" .) }}
  annotations:
    {{- $annotations | nindent 4 }}
  {{- end }}
spec:
  chain:
    middlewares:
    {{- range $middleware := .Values.ingress.traefikCRD.middlewares.chains.ingressRoute.before }}
    - name: {{ $middleware.name }}
      {{- if $middleware.namespace }}
      namespace: {{ $middleware.namespace }}
      {{- end }}
    {{- end }}
    - name: {{ printf "headers-%s" (include "authelia.name" .) }}
      namespace: {{ .Release.Namespace }}
    {{- range $middleware := .Values.ingress.traefikCRD.middlewares.chains.ingressRoute.after }}
    - name: {{ $middleware.name }}
      {{- if $middleware.namespace }}
      namespace: {{ $middleware.namespace }}
      {{- end }}
    {{- end }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/traefikCRD/tlsOption.yaml:
--------------------------------------------------------------------------------
{{ if (include "authelia.enabled.ingress.traefik.tlsOption" .) -}}
---
apiVersion: {{ include "capabilities.apiVersion.traefik.TLSOption" . }}
kind: TLSOption
metadata:
  name: {{ .Values.ingress.traefikCRD.tls.options.nameOverride | default (include "authelia.name" .) }}
  namespace: {{ .Release.Namespace }}
  labels: {{ include "authelia.labels" (merge (dict "Labels" .Values.ingress.labels) .) | nindent 4 }}
  {{- with $annotations := include "authelia.annotations" (merge (dict "Annotations" .Values.ingress.annotations) .) }}
  annotations: {{ $annotations | nindent 4 }}
  {{- end }}
spec:
  minVersion: {{ default "VersionTLS12" .Values.ingress.traefikCRD.tls.options.minVersion }}
  maxVersion: {{ default "VersionTLS13" .Values.ingress.traefikCRD.tls.options.maxVersion }}
  {{- with $preferences := .Values.ingress.traefikCRD.tls.options.curvePreferences }}
  curvePreferences:
  {{- range $preferences }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{- with $suites := .Values.ingress.traefikCRD.tls.options.cipherSuites | default (list "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_RSA_WITH_AES_256_GCM_SHA384") }}
  cipherSuites:
  {{- range $suites }}
  - {{ . }}
  {{- end }}
  {{- end }}
  {{ with $strict := .Values.ingress.traefikCRD.tls.options.sniStrict }}
  sniStrict: {{ $strict }}
  {{- end }}
{{- end -}}

--------------------------------------------------------------------------------
/charts/authelia/templates/validations.configMap.check.yaml:
--------------------------------------------------------------------------------
{{ if not .Values.configMap.disabled }}

{{/*
Validate the Cookies Configurations.
*/}}
{{ if not .Values.configMap.session }}
  {{ fail "The value 'configMap.session' must exist" }}
{{ else }}
  {{ range $cookie := .Values.configMap.session.cookies }}
    {{ if or (not $cookie.domain) (eq "" $cookie.domain) }}
      {{ fail "The value 'domain' for the 'configMap.session.cookies' configurations must be configured" }}
    {{ end }}
    {{ if and $cookie.path (not (eq $cookie.path "")) (not (eq $cookie.path $.Values.configMap.server.path)) }}
      {{ fail "The value 'path' for the 'configMap.session.cookies' must either not be configured or be the same value as the configMap.server.path" }}
    {{ end }}
  {{ end }}
{{ end }}

{{/*
Validate the Storage config.
*/}}
{{ if and (not .Values.configMap.storage.postgres) (not .Values.configMap.storage.mysql) (not .Values.configMap.storage.local) }}
  {{ fail "The option 'configMap.storage' must have one of the providers enabled such as 'postgres', 'mysql', or 'local'." }}
{{ end }}

{{/*
Validate the Notifier config.
*/}}
{{ if and (not .Values.configMap.notifier.smtp) (not .Values.configMap.notifier.filesystem) }}
  {{ fail "The option 'configMap.notifier' must have one of the providers enabled such as 'smtp' or 'filesystem'." }}
{{ end }}

{{/*
Validate the Authentication Backend config.
*/}}
{{ if and (not .Values.configMap.authentication_backend.ldap) (not .Values.configMap.authentication_backend.file) }}
  {{ fail "The option 'configMap.authentication_backend' must have one of the providers enabled such as 'ldap' or 'file'." }}
{{ end }}

{{/*
Validate the deprecated 'default_redirection_url' is not configured.
*/}}
{{ if .Values.configMap.default_redirection_url }}
  {{ fail "The value 'configMap.default_redirection_url' is no longer valid" }}
{{ end }}

{{ $authzimpl := (include "authelia.authz.implementations" .) | fromJsonArray }}
{{/*
Validate only one authz endpoint configuration method is configured.
*/}}
{{ if and .Values.configMap.server.endpoints.authz .Values.configMap.server.endpoints.automatic_authz_implementations }}
  {{ fail "Can't specify both automatic and manual authz endpoints (configMap.server.endpoints.automatic_authz_implementations and configMap.server.endpoints.authz respectively)." }}

{{/*
Validate only authz endpoint implementations with known names are configured (Automatic).
*/}}
{{ else if .Values.configMap.server.endpoints.automatic_authz_implementations }}
  {{ range $implementation := .Values.configMap.server.endpoints.automatic_authz_implementations }}
    {{ if not (has $implementation $authzimpl) }}
      {{ fail (printf "The implementation name '%s' specified via 'configMap.server.endpoints.automatic_authz_implementations' is not known. Known values are '%s'." $implementation (join "', '" $authzimpl)) }}
    {{ end }}
  {{ end }}
{{/*
Validate only authz endpoint implementations with known names are configured (Manual).
*/}}
{{ else if .Values.configMap.server.endpoints.authz }}
  {{ range $authz := .Values.configMap.server.endpoints.authz }}
    {{ if not (has $authz.implementation $authzimpl) }}
      {{ fail (printf "The implementation name '%s' specified via 'configMap.server.endpoints.authz' is not known. Known values are '%s'." $authz.implementation (join "', '" $authzimpl)) }}
    {{ end }}
  {{ end }}
{{ end }}

{{/*
Validate OpenID Connect 1.0 client options.
*/}}
{{ range $client := .Values.configMap.identity_providers.oidc.clients }}

{{/*
Validate OpenID Connect 1.0 client userinfo_signing_algorithm is NOT defined.
*/}}
  {{ if $client.userinfo_signing_algorithm }}
    {{ fail "The value 'userinfo_signing_algorithm' for the 'configMap.identity_providers.oidc.clients' is no longer supported." }}
  {{ end }}

{{/*
Validate OpenID Connect 1.0 client secret if defined as a value has a known prefix.
*/}}
  {{ $secret := include "authelia.config.oidc.client.client_secret" $client }}
  {{ if and .public $secret }}
    {{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Public Client Type must not have a secret defined. The client with id '%s' does have a secret but has the Public Client Type." $client.client_id) }}
  {{ else if and (not .public) (not $secret) (or (not $client.client_secret) (not $client.client_secret.path)) }}
    {{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Confidential Client Type must have a secret. The client with id '%s' does not have a secret but is Confidential." $client.client_id) }}
  {{ else if $secret }}
    {{ if (not (include "authelia.hashes.prefix.has" $secret)) }}
      {{ if eq "client_secret_jwt" $client.token_endpoint_auth_method }}
        {{ fail "The value 'secret.value' for the 'configMap.identity_providers.oidc.clients' must have a hash prefix. Please add the '$plaintext$' or '$base64$' prefix to this value." }}
      {{ else }}
        {{ fail "The value 'secret.value' for the 'configMap.identity_providers.oidc.clients' must have a hash prefix. At this time the '$plaintext$' prefix is still accepted however we recommend taking the opportunity to properly hash it as the plaintext variants will only be accepted in the future for the 'client_secret_jwt' authentication method." }}
      {{ end }}
    {{ end }}
  {{ end }}
{{ end }}

{{/*
Validate OpenID Connect 1.0 provider option 'issuer_private_key', which has been removed.
*/}}
{{ if .Values.configMap.identity_providers.oidc.issuer_private_key }}
  {{ fail "The value 'configMap.identity_providers.oidc.issuer_private_key' is no longer supported and has been replaced with the 'configMap.identity_providers.oidc.issuer_private_keys' multi-value option" }}
{{ end }}

{{/*
Validate OpenID Connect 1.0 provider option 'issuer_certificate_chain', which has been removed.
*/}}
{{ if .Values.configMap.identity_providers.oidc.issuer_certificate_chain }}
  {{ fail "The value 'configMap.identity_providers.oidc.issuer_certificate_chain' is no longer supported and has been replaced with the 'configMap.identity_providers.oidc.issuer_private_keys' multi-value option" }}
{{ end }}

{{ end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/validations.general.check.yaml:
--------------------------------------------------------------------------------
{{ if not .Values.configMap.disabled }}

{{/*
Validate the ingress rule override paths. A path that is configured must be '/' or the server path with a '/' prefix;
an unset path is allowed (the original condition negated $override.path, which failed every rule without a path).
*/}}
{{ range $override := .Values.ingress.rulesOverride }}
  {{ if and $override.path (not (eq $override.path "/")) (not (eq $override.path (printf "/%s" $.Values.configMap.server.path))) }}
    {{ fail "The value 'path' for the 'ingress.rulesOverride' must either not be configured, be configured as '/', or be the same value as the 'configMap.server.path' with the '/' prefix." }}
  {{ end }}
{{ end }}

{{- end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/validations.secrets.check.yaml:
--------------------------------------------------------------------------------
{{- if and .Values.configMap.identity_validation.reset_password.secret.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.identity_validation.reset_password.secret.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.identity_validation.reset_password.secret' secret" .Values.configMap.identity_validation.reset_password.secret.secret_name) }}
{{- end }}

{{- if and .Values.configMap.duo_api.secret.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.duo_api.secret.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.duo_api.secret' secret" .Values.configMap.duo_api.secret.secret_name) }}
{{- end }}

{{- if and .Values.configMap.authentication_backend.ldap.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.authentication_backend.ldap.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.authentication_backend.ldap.password' secret" .Values.configMap.authentication_backend.ldap.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.session.encryption_key.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.session.encryption_key.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.session.encryption_key' secret" .Values.configMap.session.encryption_key.secret_name) }}
{{- end }}

{{- if and .Values.configMap.session.redis.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.session.redis.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.session.redis.password' secret" .Values.configMap.session.redis.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.session.redis.high_availability.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.session.redis.high_availability.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.session.redis.high_availability.password' secret" .Values.configMap.session.redis.high_availability.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.storage.encryption_key.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.storage.encryption_key.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.storage.encryption_key' secret" .Values.configMap.storage.encryption_key.secret_name) }}
{{- end }}

{{- if and .Values.configMap.storage.mysql.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.storage.mysql.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.storage.mysql.password' secret" .Values.configMap.storage.mysql.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.storage.postgres.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.storage.postgres.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.storage.postgres.password' secret" .Values.configMap.storage.postgres.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.notifier.smtp.password.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.notifier.smtp.password.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.notifier.smtp.password' secret" .Values.configMap.notifier.smtp.password.secret_name) }}
{{- end }}

{{- if and .Values.configMap.identity_providers.oidc.hmac_secret.secret_name (not (hasKey .Values.secret.additionalSecrets .Values.configMap.identity_providers.oidc.hmac_secret.secret_name)) }}
{{- fail (printf "The secret %s must be configured as one of the additional secrets as it's being used for the 'configMap.identity_providers.oidc.hmac_secret' secret" .Values.configMap.identity_providers.oidc.hmac_secret.secret_name) }}
{{- end }}

--------------------------------------------------------------------------------
/charts/authelia/templates/validations.versions.check.yaml:
--------------------------------------------------------------------------------
{{/*
Validate 4.39.0 changes.
*/}}
{{ if semverCompare ">=4.39.0" (include "authelia.version" $) }}

{{/*
Validate access_control networks move.
*/}}
{{ if and (hasKey .Values.configMap.access_control "networks") (ne .Values.configMap.access_control.networks nil) }}
  {{ fail "The value 'configMap.access_control.networks' is no longer supported and has been replaced with the 'configMap.definitions.network' for the chart when deployed with 4.39.0 and above" }}
{{ end }}

{{/*
Validate webauthn user_verification move. The key checked is 'user_verification' (the original template looked up a
misspelled 'user_verfication' key, so the check never fired against the real option).
*/}}
{{ if hasKey .Values.configMap.webauthn "user_verification" }}
  {{ fail "The value 'configMap.webauthn.user_verification' is no longer supported and has been replaced with the 'configMap.webauthn.selection_criteria.user_verification' for the chart when deployed with 4.39.0 and above" }}
{{ end }}
{{ end }}
--------------------------------------------------------------------------------