feat(authelia): Update Authelia question tooltips and defaults (#13487)

**Description**
<!--
Replaced some descriptions with text from:
https://www.authelia.com/configuration/session
https://www.authelia.com/configuration/security

Added default settings to align with
https://truecharts.org/charts/enterprise/authelia/Setup-Guide/#setup-authelia
-->
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [X] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [ ] ⚖️ My code follows the style guidelines of this project
- [X] 👀 I have performed a self-review of my own code
- [X] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [X] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

**App addition**

If this PR is an app addition please make sure you have done the
following.

- [ ] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [ ] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check those that apply. Those checkboxes are there for the reviewer to see what this is all about and the status of this PR with a quick glance._

---------

Signed-off-by: depasseg <depasseg@users.noreply.github.com>
Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Signed-off-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Co-authored-by: Xstar97TheNoob <9399967+xstar97@users.noreply.github.com>
Co-authored-by: Kjeld Schouten <kjeld@schouten-lebbing.nl>
depasseg 2023-11-10 05:53:07 -05:00 committed by GitHub
parent f04ecbf916
commit d42be3f9a5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 55 additions and 26 deletions


@ -35,7 +35,7 @@ sources:
- https://github.com/authelia/chartrepo
- https://github.com/authelia/authelia
type: application
version: 19.0.11
version: 19.0.12
annotations:
truecharts.org/category: security
truecharts.org/SCALE-support: "true"
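Review bot: The bump to `version: 19.0.12` is a patch increment, yet the description marks this as a Feature, the semantic-versioning checklist item is left unchecked, and the PR changes installation defaults (default_policy moves to deny, the LDAP attribute and DN defaults change). A change of defaults that alters what a fresh install does reads as at least a minor bump; please confirm the intended level.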


@ -230,14 +230,20 @@ questions:
attrs:
- variable: name
label: "Cookie Name"
description: "The name of the session cookie."
description: |
The name of the session cookie. By default this is set to authelia_session.
Its mostly useful to change this if you are doing development or running multiple instances of Authelia.
schema:
type: string
required: true
default: "authelia_session"
- variable: same_site
label: "SameSite Value"
description: "Sets the Cookie SameSite value"
description: |
You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally
the most desirable option for Authelia. None is not recommended unless you absolutely know what youre doing
and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in
this state but its available as an option anyway.
schema:
type: string
default: "lax"
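Review bot: Two apostrophes are missing in the new Cookie Name and SameSite tooltips: `Its mostly useful to change this` should read `It's mostly useful…`, and `unless you absolutely know what youre doing` should read `you're`. The SameSite text also points the reader at "the MDN" without a link; a tooltip cannot carry a hyperlink, so either name the resource in full (MDN Web Docs, SameSite cookies) or drop the reference.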
@ -248,21 +254,27 @@ questions:
description: "strict"
- variable: expiration
label: "Expiration Time"
description: "The time in seconds before the cookie expires and session is reset."
description: |
The period of time before the cookie expires and the session is destroyed. This is overriden by
remember_me_duration when the remember me box is checked.
schema:
type: string
default: "1h"
required: true
- variable: inactivity
label: "Inactivity Time"
description: "The inactivity time in seconds before the session is reset."
description: |
The period of time the user can be inactive for until the session is destroyed when the remember me box is
not checked or is otherwise disabled. Useful if you want long session timers but dont want unused devices to be vulnerable.
schema:
type: string
default: "5m"
required: true
- variable: remember_me_duration
label: "Remember-Me duration"
description: "The remember me duration"
description: |
The period of time before the cookie expires and the session is destroyed when the remember me box is checked, a user
selecting this option negates the inactivity timeout. Setting this to -1 disables this feature entirely.
schema:
type: string
default: "5M"
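Review bot: Spelling in the Expiration Time and Inactivity Time tooltips: `overriden` should be `overridden`, and `dont want unused devices` needs its apostrophe (`don't`). Separately, the old descriptions said "in seconds" and the new ones give no unit at all, while the defaults in this hunk mix `1h`, `5m` and `5M`; Authelia's duration notation is case-sensitive (lower-case `m` is minutes, upper-case `M` is months), so one sentence on the accepted notation would help users, and the unchanged `5M` remember-me default deserves a check that five months is really what is intended.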
@ -283,14 +295,18 @@ questions:
default: 3
- variable: find_time
label: "Find Time"
description: "The time range during which the user can attempt login before being banned."
description: |
The period of time analyzed for failed attempts. For example if you set max_retries to 3 and find_time to
2m this means the user must have 3 failed logins in 2 minutes.
schema:
type: string
default: "2m"
required: true
- variable: ban_time
label: "Ban Duration"
description: "The length of time before a banned user can login again"
description: |
The period of time the user is banned for after meeting the max_retries and find_time configuration.
After this duration the account will be able to login again.
schema:
type: string
default: "5m"
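Review bot: In the Ban Duration tooltip, `will be able to login again` uses the noun as a verb; `log in again` is the correct form. The Find Time example (`max_retries` 3 and `find_time` 2m) matches the defaults visible in this hunk (`default: 3`, `default: "2m"`), which is good; mentioning the `ban_time` default (`5m`) in the same example would let the three regulation settings read as one story.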
@ -298,7 +314,9 @@ questions:
- variable: authentication_backend
group: "App Configuration"
label: "Authentication Backend Provider"
description: "sed for verifying user passwords and retrieve information such as email address and groups users belong to."
description: |
Used for verifying user passwords and retrieve information such as email
address and groups users belong to.
schema:
additional_attrs: true
type: dict
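Review bot: The rewritten Authentication Backend Provider tooltip fixes the truncated `sed for verifying` but keeps mismatched verb forms: `Used for verifying user passwords and retrieve information` should be `…and retrieving information`.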
@ -405,14 +423,14 @@ questions:
description: "The attribute holding the username of the user"
schema:
type: string
default: ""
default: "uid"
required: true
- variable: additional_users_dn
label: "Additional Users DN"
description: "An additional dn to define the scope to all users."
schema:
type: string
default: "OU=Users"
default: "OU=people"
required: true
- variable: users_filter
label: "Users Filter"
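Review bot: The new defaults `username_attribute: "uid"` and `additional_users_dn: "OU=people"` assume the directory layout of the TrueCharts setup guide cited in the description (an RFC 2307 style tree), whereas the previous `OU=Users` default, and the `sAMAccountName` attribute named in the configmap comments elsewhere in this PR, fit Active Directory. The tooltips should state which layout the defaults target so AD users know to change both values. Also note `OU=people` here versus `ou=people` in the Admin User default in the following hunk: LDAP attribute types are case-insensitive, so it is harmless, but consistent casing avoids confusion.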
@ -440,27 +458,27 @@ questions:
description: "The attribute holding the name of the group"
schema:
type: string
default: ""
default: "cn"
required: true
- variable: mail_attribute
label: "Mail Attribute"
description: "The attribute holding the primary mail address of the user"
schema:
type: string
default: ""
default: "mail"
required: true
- variable: display_name_attribute
label: "Display Name Attribute"
description: "he attribute holding the display name of the user. This will be used to greet an authenticated user."
schema:
type: string
default: ""
default: "displayName"
- variable: user
label: "Admin User"
description: "The username of the admin user used to connect to LDAP."
schema:
type: string
default: "CN=Authelia,DC=example,DC=com"
default: "CN=admin,ou=people,DC=example,DC=com"
required: true
- variable: plain_password
label: "Password"
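Review bot: The Admin User default `CN=admin,ou=people,DC=example,DC=com` does not match the value this PR writes into the configmap later (`user: CN=admin,DC=example,DC=com`), and `display_name_attribute: "displayName"` here is `"displayname"` there, so a SCALE install and a plain Helm install would start from different defaults; pick one DN and one casing and apply it in both files (the `ou=people` form pairs with the new `additional_users_dn` default, so that is probably the one to keep). While touching these lines, the unchanged Display Name Attribute description still reads `he attribute holding…` and should be `The attribute`.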
@ -688,10 +706,13 @@ questions:
attrs:
- variable: default_policy
label: "Default Policy"
description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'."
description: |
The default policy defines the policy applied if no rules section apply to the information known about the request.
It is recommended that this is configured to deny for security reasons. Sites which you do not wish to secure at all
with Authelia should not be configured in your reverse proxy to perform authentication with Authelia at all for performance reasons.
schema:
type: string
default: "two_factor"
default: "deny"
enum:
- value: "bypass"
description: "bypass"
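Review bot: Changing `default_policy` from `two_factor` to `deny` is the secure default and matches the Authelia guidance quoted in the tooltip, but it is a behaviour change for new installs: with no access-control rules defined, every proxied application is refused until a rule is added, where before it would prompt for two-factor. This should be called out in the PR notes (the Notes section is empty) and is a further reason the Chart.yaml bump should be more than a patch increment.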
@ -745,7 +766,7 @@ questions:
attrs:
- variable: domain
label: "Domains"
description: "defines which domain or set of domains the rule applies to."
description: "Defines which domain or set of domains the rule applies to."
schema:
type: list
default: []
@ -758,7 +779,9 @@ questions:
required: true
- variable: policy
label: "Policy"
description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'."
description: |
The specific policy to apply to the selected rule. This is not criteria for a match, this is the
action to take when a match is made.
schema:
type: string
default: "two_factor"
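Review bot: Grammar in the new Policy tooltip: `This is not criteria for a match, this is the action…` is a comma splice with a number mismatch; `This is not a criterion for a match; it is the action to take when a match is made` reads correctly. The old text listed the four accepted values; since the enum directly below still enumerates them in the UI, dropping that list from the prose is fine.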
@ -773,7 +796,11 @@ questions:
description: "deny"
- variable: subject
label: "Subject"
description: "defines the subject to apply authorizations to. This parameter is optional and matching any user if not provided"
description: |
This criteria matches identifying characteristics about the subject. Currently this is either
user or groups the user belongs to. This allows you to effectively control exactly what each user is
authorized to access or to specifically require two-factor authentication to specific users. Subjects
are prefixed with either user: or group: to identify which part of the identity to check.
schema:
type: list
default: []
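Review bot: In the Subject tooltip, `This criteria matches` should be `This criterion matches` (or `These criteria match`), and `require two-factor authentication to specific users` should be `for specific users`. Since the schema is a list and the text says entries are prefixed with `user:` or `group:`, one concrete example of the expected entry format, for instance `group:admins` (an illustrative value), would make the tooltip far more useful than the prefix rule alone.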
@ -982,7 +1009,9 @@ questions:
description: "two_factor"
- variable: consent_mode
label: "Consent Mode"
description: "Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)"
description: |
Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or
implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)
schema:
type: string
default: "auto"
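Review bot: Only a line wrap here, but the sentence still ends with the full stop inside the parenthesis (`…wish to give consent.)`); move it outside the closing bracket.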


@ -228,7 +228,7 @@ authentication_backend:
## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
username_attribute: ""
username_attribute: "uid"
## An additional dn to define the scope to all users.
additional_users_dn: OU=Users
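Review bot: This hunk sets `username_attribute: "uid"` in the configmap to match questions.yaml but leaves `additional_users_dn: OU=Users` untouched, while questions.yaml in this same PR changes that default to `OU=people`. The two files should agree; `OU=people` is the value that pairs with `uid` in the RFC 2307 layout the surrounding comment refers to.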
@ -270,17 +270,17 @@ authentication_backend:
groups_filter: ""
## The attribute holding the name of the group
group_name_attribute: ""
group_name_attribute: "cn"
## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
## first one returned by the LDAP server is used.
mail_attribute: ""
mail_attribute: "mail"
## The attribute holding the display name of the user. This will be used to greet an authenticated user.
display_name_attribute: ""
display_name_attribute: "displayname"
## The username of the admin user.
user: CN=Authelia,DC=example,DC=com
user: CN=admin,DC=example,DC=com
plain_password: ""
##
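Review bot: `display_name_attribute: "displayname"` and `user: CN=admin,DC=example,DC=com` in this hunk disagree with the defaults written to questions.yaml in the same PR (`displayName` and `CN=admin,ou=people,DC=example,DC=com`). The attribute casing is harmless for LDAP but should be consistent; the differing DN is a real divergence between the two install paths, so align the configmap with whichever DN is intended.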