diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml index 824aed3..03fdc83 100644 --- a/charts/authelia/Chart.yaml +++ b/charts/authelia/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: authelia -version: 0.1.6 +version: 0.1.7 kubeVersion: ">= 1.13.0" description: Authelia is a Single Sign-On Multi-Factor portal for web apps type: application diff --git a/charts/authelia/values.local.yaml b/charts/authelia/values.local.yaml index 083e032..1aece73 100644 --- a/charts/authelia/values.local.yaml +++ b/charts/authelia/values.local.yaml @@ -444,134 +444,134 @@ configMap: ## Disable both the HTML element and the API for reset password functionality disable_reset_password: false - ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. - ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will - ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. - ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. - ## See the below documentation for more information. - ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format - ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval - refresh_interval: 5m - - ## LDAP backend configuration. - ## - ## This backend allows Authelia to be scaled to more - ## than one instance and therefore is recommended for - ## production. - ldap: {} - # ldap: - ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. - ## Acceptable options are as follows: - ## - 'activedirectory' - For Microsoft Active Directory. - ## - 'custom' - For custom specifications of attributes and filters. - ## This currently defaults to 'custom' to maintain existing behaviour. + ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format + ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval + refresh_interval: 5m + + ## LDAP backend configuration. ## - ## Depending on the option here certain other values in this section have a default value, notably all of the - ## attribute mappings have a default value that this config overrides, you can read more about these default values - ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults - # implementation: custom - - ## The url to the ldap server. Format: ://
[:]. - ## Scheme can be ldap or ldaps in the format (port optional). - # url: ldap://openldap.default.svc.cluster.local - - ## Use StartTLS with the LDAP connection. - # start_tls: false - - # tls: - ## Server Name for certificate validation (in case it's not set correctly in the URL). - # server_name: ldap.example.com + ## This backend allows Authelia to be scaled to more + ## than one instance and therefore is recommended for + ## production. + ldap: {} + # ldap: + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - For Microsoft Active Directory. + ## - 'custom' - For custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults + # implementation: custom + + ## The url to the ldap server. Format: ://
[:]. + ## Scheme can be ldap or ldaps in the format (port optional). + # url: ldap://openldap.default.svc.cluster.local + + ## Use StartTLS with the LDAP connection. + # start_tls: false + + # tls: + ## Server Name for certificate validation (in case it's not set correctly in the URL). + # server_name: ldap.example.com + + ## Skip verifying the server certificate (to allow a self-signed certificate). + # skip_verify: false + + ## Minimum TLS version for either Secure LDAP or LDAP StartTLS. + # minimum_version: TLS1.2 + + ## The base dn for every LDAP query. + # base_dn: DC=example,DC=com + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, + ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this + ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. + ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user + ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also + ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above + ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. + # username_attribute: uid + + ## An additional dn to define the scope to all users. + # additional_users_dn: OU=Users + + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter: + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + # users_filter: (&({username_attribute}={input})(objectClass=person)) - ## Skip verifying the server certificate (to allow a self-signed certificate). - # skip_verify: false + ## An additional dn to define the scope of groups. + # additional_groups_dn: OU=Groups + + ## The groups filter used in search queries to find the groups of the user. + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). + ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. + ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in + ## later version, so please don't use it. + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) + # groups_filter: (&(member={dn})(objectclass=groupOfNames)) + + ## The attribute holding the name of the group + # group_name_attribute: cn + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the + ## first one returned by the LDAP server is used. + # mail_attribute: mail + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name_attribute: displayname + + ## The username of the admin user. + # user: CN=Authelia,DC=example,DC=com - ## Minimum TLS version for either Secure LDAP or LDAP StartTLS. - # minimum_version: TLS1.2 - - ## The base dn for every LDAP query. - # base_dn: DC=example,DC=com - - ## The attribute holding the username of the user. This attribute is used to populate the username in the session - ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, - ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this - ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. - ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user - ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also - ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above - ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. - # username_attribute: uid - - ## An additional dn to define the scope to all users. - # additional_users_dn: OU=Users - - ## The users filter used in search queries to find the user profile based on input filled in login form. - ## Various placeholders are available in the user filter: - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. ## - ## Recommended settings are as follows: - ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) - ## - OpenLDAP: - ## - (&({username_attribute}={input})(objectClass=person)) - ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## File (Authentication Provider) ## - ## To allow sign in both with username and email, one can use a filter like - ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) - # users_filter: (&({username_attribute}={input})(objectClass=person)) - - ## An additional dn to define the scope of groups. - # additional_groups_dn: OU=Groups - - ## The groups filter used in search queries to find the groups of the user. - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). - ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. - ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. - ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in - ## later version, so please don't use it. + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page below: + ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning ## - ## If your groups use the `groupOfUniqueNames` structure use this instead: - ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) - # groups_filter: (&(member={dn})(objectclass=groupOfNames)) - - ## The attribute holding the name of the group - # group_name_attribute: cn - - ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the - ## first one returned by the LDAP server is used. - # mail_attribute: mail - - ## The attribute holding the display name of the user. This will be used to greet an authenticated user. - # display_name_attribute: displayname - - ## The username of the admin user. - # user: CN=Authelia,DC=example,DC=com - - ## - ## File (Authentication Provider) - ## - ## With this backend, the users database is stored in a file which is updated when users reset their passwords. - ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia - ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security - ## implications it is highly recommended you leave the default values. Before considering changing these settings - ## please read the docs page below: - ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html - ## - file: - path: /config/users_database.yml - password: - algorithm: sha512 - iterations: 100000 - key_length: 32 - salt_length: 16 + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html + ## + file: + path: /config/users_database.yml + password: + algorithm: sha512 + iterations: 100000 + key_length: 32 + salt_length: 16 ## ## Access Control Configuration diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml index 028c634..cc504f6 100644 --- a/charts/authelia/values.yaml +++ b/charts/authelia/values.yaml @@ -443,135 +443,135 @@ configMap: ## Disable both the HTML element and the API for reset password functionality disable_reset_password: false - ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. - ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will - ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. - ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. - ## See the below documentation for more information. - ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format - ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval - refresh_interval: 5m - - ## LDAP backend configuration. - ## - ## This backend allows Authelia to be scaled to more - ## than one instance and therefore is recommended for - ## production. - ldap: - ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. - ## Acceptable options are as follows: - ## - 'activedirectory' - For Microsoft Active Directory. - ## - 'custom' - For custom specifications of attributes and filters. - ## This currently defaults to 'custom' to maintain existing behaviour. + ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation. + ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will + ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP. + ## To force update on every request you can set this to '0' or 'always', this will increase processor demand. + ## See the below documentation for more information. + ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format + ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval + refresh_interval: 5m + + ## LDAP backend configuration. ## - ## Depending on the option here certain other values in this section have a default value, notably all of the - ## attribute mappings have a default value that this config overrides, you can read more about these default values - ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults - implementation: custom - - ## The url to the ldap server. Format: ://
[:]. - ## Scheme can be ldap or ldaps in the format (port optional). - url: ldap://openldap.default.svc.cluster.local - - ## Use StartTLS with the LDAP connection. - start_tls: false - - tls: - ## Server Name for certificate validation (in case it's not set correctly in the URL). - # server_name: ldap.example.com + ## This backend allows Authelia to be scaled to more + ## than one instance and therefore is recommended for + ## production. + ldap: + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - For Microsoft Active Directory. + ## - 'custom' - For custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults + implementation: custom + + ## The url to the ldap server. Format: ://
[:]. + ## Scheme can be ldap or ldaps in the format (port optional). + url: ldap://openldap.default.svc.cluster.local + + ## Use StartTLS with the LDAP connection. + start_tls: false + + tls: + ## Server Name for certificate validation (in case it's not set correctly in the URL). + # server_name: ldap.example.com + + ## Skip verifying the server certificate (to allow a self-signed certificate). + skip_verify: false + + ## Minimum TLS version for either Secure LDAP or LDAP StartTLS. + minimum_version: TLS1.2 + + ## The base dn for every LDAP query. + base_dn: DC=example,DC=com + + ## The attribute holding the username of the user. This attribute is used to populate the username in the session + ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, + ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this + ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. + ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user + ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also + ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above + ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. + # username_attribute: uid + + ## An additional dn to define the scope to all users. + # additional_users_dn: OU=Users - ## Skip verifying the server certificate (to allow a self-signed certificate). - skip_verify: false + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter: + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + # users_filter: (&({username_attribute}={input})(objectClass=person)) + + ## An additional dn to define the scope of groups. + # additional_groups_dn: OU=Groups + + ## The groups filter used in search queries to find the groups of the user. + ## - {input} is a placeholder replaced by what the user inputs in the login form. + ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). + ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. + ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. + ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. + ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later + ## versions, so please don't use it. + ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in + ## later version, so please don't use it. + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) + # groups_filter: (&(member={dn})(objectclass=groupOfNames)) + + ## The attribute holding the name of the group + # group_name_attribute: cn + + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the + ## first one returned by the LDAP server is used. + # mail_attribute: mail + + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name_attribute: displayname + + ## The username of the admin user. + user: CN=Authelia,DC=example,DC=com - ## Minimum TLS version for either Secure LDAP or LDAP StartTLS. - minimum_version: TLS1.2 - - ## The base dn for every LDAP query. - base_dn: DC=example,DC=com - - ## The attribute holding the username of the user. This attribute is used to populate the username in the session - ## information. It was introduced due to #561 to handle case insensitive search queries. For you information, - ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this - ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database. - ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user - ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also - ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above - ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt. - # username_attribute: uid - - ## An additional dn to define the scope to all users. - # additional_users_dn: OU=Users - - ## The users filter used in search queries to find the user profile based on input filled in login form. - ## Various placeholders are available in the user filter: - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username_attribute} is a mandatory placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. ## - ## Recommended settings are as follows: - ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) - ## - OpenLDAP: - ## - (&({username_attribute}={input})(objectClass=person)) - ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## File (Authentication Provider) ## - ## To allow sign in both with username and email, one can use a filter like - ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) - # users_filter: (&({username_attribute}={input})(objectClass=person)) - - ## An additional dn to define the scope of groups. - # additional_groups_dn: OU=Groups - - ## The groups filter used in search queries to find the groups of the user. - ## - {input} is a placeholder replaced by what the user inputs in the login form. - ## - {username} is a placeholder replace by the username stored in LDAP (based on `username_attribute`). - ## - {dn} is a matcher replaced by the user distinguished name, aka, user DN. - ## - {username_attribute} is a placeholder replaced by what is configured in `username_attribute`. - ## - {mail_attribute} is a placeholder replaced by what is configured in `mail_attribute`. - ## - DON'T USE - {0} is an alias for {input} supported for backward compatibility but it will be deprecated in later - ## versions, so please don't use it. - ## - DON'T USE - {1} is an alias for {username} supported for backward compatibility but it will be deprecated in - ## later version, so please don't use it. + ## With this backend, the users database is stored in a file which is updated when users reset their passwords. + ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia + ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security + ## implications it is highly recommended you leave the default values. Before considering changing these settings + ## please read the docs page below: + ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning ## - ## If your groups use the `groupOfUniqueNames` structure use this instead: - ## (&(uniquemember={dn})(objectclass=groupOfUniqueNames)) - # groups_filter: (&(member={dn})(objectclass=groupOfNames)) - - ## The attribute holding the name of the group - # group_name_attribute: cn - - ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the - ## first one returned by the LDAP server is used. - # mail_attribute: mail - - ## The attribute holding the display name of the user. This will be used to greet an authenticated user. - # display_name_attribute: displayname - - ## The username of the admin user. - user: CN=Authelia,DC=example,DC=com - - ## - ## File (Authentication Provider) - ## - ## With this backend, the users database is stored in a file which is updated when users reset their passwords. - ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia - ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security - ## implications it is highly recommended you leave the default values. Before considering changing these settings - ## please read the docs page below: - ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning - ## - ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html - ## - # file: - # path: /config/users_database.yml - # password: - # algorithm: argon2id - # iterations: 1 - # key_length: 32 - # salt_length: 16 - # memory: 1024 - # parallelism: 8 + ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html + ## + # file: + # path: /config/users_database.yml + # password: + # algorithm: argon2id + # iterations: 1 + # key_length: 32 + # salt_length: 16 + # memory: 1024 + # parallelism: 8 ## ## Access Control Configuration