# Include{groups} portals: open: protocols: - "$kubernetes-resource_configmap_portal_protocol" host: - "$kubernetes-resource_configmap_portal_host" ports: - "$kubernetes-resource_configmap_portal_port" questions: - variable: portal group: "Container Image" label: "Configure Portal Button" schema: type: dict hidden: true attrs: - variable: enabled label: "Enable" description: "enable the portal button" schema: hidden: true editable: false type: boolean default: true # Include{global} - variable: controller group: "Controller" label: "" schema: additional_attrs: true type: dict attrs: - variable: advanced label: "Show Advanced Controller Settings" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: type description: "Please specify type of workload to deploy" label: "(Advanced) Controller Type" schema: type: string default: "deployment" required: true enum: - value: "deployment" description: "Deployment" - value: "statefulset" description: "Statefulset" - value: "daemonset" description: "Daemonset" - variable: replicas description: "Number of desired pod replicas" label: "Desired Replicas" schema: type: int default: 1 required: true - variable: strategy description: "Please specify type of workload to deploy" label: "(Advanced) Update Strategy" schema: type: string default: "Recreate" required: true enum: - value: "Recreate" description: "Recreate: Kill existing pods before creating new ones" - value: "RollingUpdate" description: "RollingUpdate: Create new pods and then kill old ones" - value: "OnDelete" description: "(Legacy) OnDelete: ignore .spec.template changes" # Include{controllerExpert} # Include{containerConfig} - variable: domain group: "App Configuration" label: "Domain" description: "The highest domain level possible, for example: domain.com when using app.domain.com" schema: type: string default: "" required: true - variable: default_redirection_url group: "App Configuration" label: "Default Redirection Url" description: "If user tries to authenticate without any referer, this is used" schema: type: string default: "" required: false - variable: theme group: "App Configuration" label: "Theme" schema: type: string default: "light" enum: - value: "light" description: "info" - value: "grey" description: "grey" - value: "dark" description: "dark" - variable: log group: "App Configuration" label: "Log Configuration " schema: additional_attrs: true type: dict attrs: - variable: level label: "Log Level" schema: type: string default: "info" enum: - value: "info" description: "info" - value: "debug" description: "debug" - value: "trace" description: "trace" - variable: format label: "Log Format" schema: type: string default: "text" enum: - value: "json" description: "json" - value: "text" description: "text" - variable: totp group: "App Configuration" label: "TOTP Configuration" schema: additional_attrs: true type: dict attrs: - variable: issuer label: "Issuer" description: "The issuer name displayed in the Authenticator application of your choice" schema: type: string default: "" - variable: period label: "Period" description: "The period in seconds a one-time password is current for" schema: type: int default: 30 - variable: skew label: "skew" description: "Controls number of one-time passwords either side of the current one that are valid." schema: type: int default: 1 - variable: duo_api group: "App Configuration" label: "DUO API Configuration" description: "Parameters used to contact the Duo API." schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: hostname label: "Hostname" schema: type: string required: true default: "" - variable: integration_key label: "integration_key" schema: type: string default: "" required: true - variable: plain_api_key label: "plain_api_key" schema: type: string default: "" required: true - variable: session group: "App Configuration" label: "Session Provider" description: "The session cookies identify the user once logged in." schema: additional_attrs: true type: dict attrs: - variable: name label: "Cookie Name" description: "The name of the session cookie." schema: type: string required: true default: "authelia_session" - variable: same_site label: "SameSite Value" description: "Sets the Cookie SameSite value" schema: type: string default: "lax" enum: - value: "lax" description: "lax" - value: "strict" description: "strict" - variable: expiration label: "Expiration Time" description: "The time in seconds before the cookie expires and session is reset." schema: type: string default: "1h" required: true - variable: inactivity label: "Inactivity Time" description: "The inactivity time in seconds before the session is reset." schema: type: string default: "5m" required: true - variable: inactivity label: "Remember-Me duration" description: "The remember me duration" schema: type: string default: "5M" required: true - variable: regulation group: "App Configuration" label: "Regulation Configuration" description: "his mechanism prevents attackers from brute forcing the first factor." schema: additional_attrs: true type: dict attrs: - variable: max_retries label: "Maximum Retries" description: "The number of failed login attempts before user is banned. Set it to 0 to disable regulation." schema: type: int default: 3 - variable: find_time label: "Find Time" description: "The time range during which the user can attempt login before being banned." schema: type: string default: "2m" required: true - variable: ban_time label: "Ban Duration" description: "The length of time before a banned user can login again" schema: type: string default: "5m" required: true - variable: authentication_backend group: "App Configuration" label: "Authentication Backend Provider" description: "sed for verifying user passwords and retrieve information such as email address and groups users belong to." schema: additional_attrs: true type: dict attrs: - variable: disable_reset_password label: "Disable Reset Password" description: "Disable both the HTML element and the API for reset password functionality" schema: type: boolean default: false - variable: refresh_interval label: "Reset Interval" description: "The amount of time to wait before we refresh data from the authentication backend" schema: type: string default: "5m" required: true - variable: ldap label: "LDAP backend configuration" description: "Used for verifying user passwords and retrieve information such as email address and groups users belong to" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: implementation label: "Implementation" description: "The LDAP implementation, this affects elements like the attribute utilised for resetting a password" schema: type: string default: "custom" enum: - value: "activedirectory" description: "activedirectory" - value: "custom" description: "custom" - variable: url label: "URL" description: "The url to the ldap server. Format: ://
[:]" schema: type: string default: "ldap://openldap.default.svc.cluster.local" required: true - variable: timeout label: "Connection Timeout" schema: type: string default: "5s" required: true - variable: start_tls label: "Start TLS" description: "Use StartTLS with the LDAP connection" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate)" schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: base_dn label: "Base DN" description: "The base dn for every LDAP query." schema: type: string default: "DC=example,DC=com" required: true - variable: username_attribute label: "Username Attribute" description: "The attribute holding the username of the user" schema: type: string default: "" required: true - variable: additional_users_dn label: "Additional Users DN" description: "An additional dn to define the scope to all users." schema: type: string default: "OU=Users" required: true - variable: users_filter label: "Users Filter" description: "The groups filter used in search queries to find the groups of the user." schema: type: string default: "" required: true - variable: additional_groups_dn label: "Additional Groups DN" description: "An additional dn to define the scope of groups." schema: type: string default: "OU=Groups" required: true - variable: groups_filter label: "Groups Filter" description: "The groups filter used in search queries to find the groups of the user." schema: type: string default: "" required: true - variable: group_name_attribute label: "Group name Attribute" description: "The attribute holding the name of the group" schema: type: string default: "" required: true - variable: mail_attribute label: "Mail Attribute" description: "The attribute holding the primary mail address of the user" schema: type: string default: "" required: true - variable: display_name_attribute label: "Display Name Attribute" description: "he attribute holding the display name of the user. This will be used to greet an authenticated user." schema: type: string default: "" - variable: user label: "Admin User" description: "The username of the admin user used to connect to LDAP." schema: type: string default: "CN=Authelia,DC=example,DC=com" required: true - variable: plain_password label: "Password" schema: type: string default: "" required: true - variable: file label: "File backend configuration" description: "With this backend, the users database is stored in a file which is updated when users reset their passwords." schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: path label: "Path" schema: type: string default: "/config/users_database.yml" required: true - variable: password label: "Password Settings" schema: additional_attrs: true type: dict attrs: - variable: algorithm label: "Algorithm" schema: type: string default: "argon2id" enum: - value: "argon2id" description: "argon2id" - value: "sha512" description: "sha512" - variable: iterations label: "Iterations" schema: type: int default: 1 required: true - variable: key_length label: "Key Length" schema: type: int default: 32 required: true - variable: salt_length label: "Salt Length" schema: type: int default: 16 required: true - variable: memory label: "Memory" schema: type: int default: 1024 required: true - variable: parallelism label: "Parallelism" schema: type: int default: 8 required: true - variable: notifier group: "App Configuration" label: "Notifier Configuration" description: "otifications are sent to users when they require a password reset, a u2f registration or a TOTP registration." schema: additional_attrs: true type: dict attrs: - variable: disable_startup_check label: "Disable Startup Check" schema: type: boolean default: false - variable: filesystem label: "Filesystem Provider" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: filename label: "File Path" schema: type: string default: "/config/notification.txt" required: true - variable: smtp label: "SMTP Provider" description: "Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate." schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: true show_subquestions_if: true subquestions: - variable: host label: "Host" schema: type: string default: "smtp.mail.svc.cluster.local" required: true - variable: port label: "Port" schema: type: int default: 25 required: true - variable: timeout label: "Timeout" schema: type: string default: "5s" required: true - variable: username label: "Username" schema: type: string default: "" required: true - variable: plain_password label: "Password" schema: type: string default: "" required: true - variable: sender label: "Sender" schema: type: string default: "" required: true - variable: identifier label: "Identifier" description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost." schema: type: string default: "localhost" required: true - variable: subject label: "Subject" description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier" schema: type: string default: "[Authelia] {title}" required: true - variable: startup_check_address label: "Startup Check Address" description: "This address is used during the startup check to verify the email configuration is correct." schema: type: string default: "test@authelia.com" required: true - variable: disable_require_tls label: "Disable Require TLS" schema: type: boolean default: false - variable: disable_html_emails label: "Disable HTML emails" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate)" schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: access_control group: "App Configuration" label: "Access Control Configuration" description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users." schema: additional_attrs: true type: dict attrs: - variable: default_policy label: "Default Policy" description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'." schema: type: string default: "two_factor" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: networks label: "Networks" schema: type: list default: [] items: - variable: networkItem label: "Network Item" schema: additional_attrs: true type: dict attrs: - variable: name label: "Name" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "network" schema: type: string default: "" required: true - variable: rules label: "Rules" schema: type: list default: [] items: - variable: rulesItem label: "Rule" schema: additional_attrs: true type: dict attrs: - variable: domain label: "Domains" description: "defines which domain or set of domains the rule applies to." schema: type: list default: [] items: - variable: domainEntry label: "Domain" schema: type: string default: "" required: true - variable: policy label: "Policy" description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'." schema: type: string default: "two_factor" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: subject label: "Subject" description: "defines the subject to apply authorizations to. This parameter is optional and matching any user if not provided" schema: type: list default: [] items: - variable: subjectitem label: "Subject" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "Network" schema: type: string default: "" required: true - variable: resources label: "Resources" description: "is a list of regular expressions that matches a set of resources to apply the policy to" schema: type: list default: [] items: - variable: resource label: "Resource" schema: type: string default: "" required: true - variable: service group: "Networking and Services" label: "Configure Service(s)" schema: additional_attrs: true type: dict attrs: - variable: main label: "Main Service" description: "The Primary service on which the healthcheck runs, often the webUI" schema: additional_attrs: true type: dict attrs: # Include{serviceSelector} - variable: main label: "Main Service Port Configuration" schema: additional_attrs: true type: dict attrs: - variable: port label: "Port" description: "This port exposes the container port on the service" schema: type: int default: 9091 required: true - variable: advanced label: "Show Advanced settings" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: protocol label: "Port Type" schema: type: string default: "HTTP" enum: - value: HTTP description: "HTTP" - value: "HTTPS" description: "HTTPS" - value: TCP description: "TCP" - value: "UDP" description: "UDP" - variable: nodePort label: "Node Port (Optional)" description: "This port gets exposed to the node. Only considered when service type is NodePort, Simple or LoadBalancer" schema: type: int min: 9000 max: 65535 - variable: targetPort label: "Target Port" description: "The internal(!) port on the container the Application runs on" schema: type: int default: 9091 - variable: serviceexpert group: "Networking and Services" label: "Show Expert Config" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: hostNetwork group: "Networking and Services" label: "Host-Networking (Complicated)" schema: type: boolean default: false # Include{serviceExpert} # Include{serviceList} - variable: persistence label: "Integrated Persistent Storage" description: "Integrated Persistent Storage" group: "Storage and Persistence" schema: additional_attrs: true type: dict attrs: - variable: config label: "App Config Storage" description: "Stores the Application Configuration." schema: additional_attrs: true type: dict attrs: # Include{persistenceBasic} # Include{persistenceAdvanced} # Include{persistenceList} - variable: ingress label: "" group: "Ingress" schema: additional_attrs: true type: dict attrs: - variable: main label: "Main Ingress" schema: additional_attrs: true type: dict attrs: # Include{ingressDefault} # Include{ingressTLS} # Include{ingressTraefik} # Include{ingressExpert} # Include{ingressList} # Include{security} - variable: advancedSecurity label: "Show Advanced Security Settings" group: "Security and Permissions" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: securityContext label: "Security Context" schema: additional_attrs: true type: dict attrs: - variable: privileged label: "Privileged mode" schema: type: boolean default: false - variable: readOnlyRootFilesystem label: "ReadOnly Root Filesystem" schema: type: boolean default: true - variable: allowPrivilegeEscalation label: "Allow Privilege Escalation" schema: type: boolean default: false - variable: runAsNonRoot label: "runAsNonRoot" schema: type: boolean default: true # Include{securityContextAdvanced} - variable: podSecurityContext group: "Security and Permissions" label: "Pod Security Context" schema: additional_attrs: true type: dict attrs: - variable: runAsUser label: "runAsUser" description: "The UserID of the user running the application" schema: type: int default: 568 - variable: runAsGroup label: "runAsGroup" description: "The groupID this App of the user running the application" schema: type: int default: 568 - variable: fsGroup label: "fsGroup" description: "The group that should own ALL storage." schema: type: int default: 568 # Include{podSecurityContextAdvanced} # Include{resources} # Include{advanced} # Include{addons} - variable: identity_providers group: "Advanced" label: "Authelia Identity Providers (BETA)" schema: additional_attrs: true type: dict attrs: - variable: oidc label: "OpenID Connect(BETA)" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "enabled" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: access_token_lifespan label: "Access Token Lifespan" schema: type: string default: "1h" required: true - variable: authorize_code_lifespan label: "Authorize Code Lifespan" schema: type: string default: "1m" required: true - variable: id_token_lifespan label: "ID Token Lifespan" schema: type: string default: "1h" required: true - variable: refresh_token_lifespan label: "Refresh Token Lifespan" schema: type: string default: "90m" required: true - variable: enable_client_debug_messages label: "Enable Client Debug Messages" schema: type: boolean default: false - variable: clients label: "Clients" schema: type: list default: [] items: - variable: clientEntry label: "Client" schema: additional_attrs: true type: dict attrs: - variable: id label: "ID/Name" description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration." schema: type: string default: "myapp" required: true - variable: description label: "Description" description: "The description to show to users when they end up on the consent screen. Defaults to the ID above." schema: type: string default: "My Application" required: true - variable: secret label: "Secret" description: "The client secret is a shared secret between Authelia and the consumer of this client." schema: type: string default: "" required: true - variable: public label: "public" description: "Sets the client to public. This should typically not be set, please see the documentation for usage." schema: type: boolean default: false - variable: authorization_policy label: "Authorization Policy" description: "The policy to require for this client; one_factor or two_factor." schema: type: string default: "two_factor" enum: - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - variable: userinfo_signing_algorithm label: "Userinfo Signing Algorithm" description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256." schema: type: string default: "none" enum: - value: "none" description: "none" - value: "RS256" description: "RS256" - variable: audience label: "Audience" description: "Audience this client is allowed to request." schema: type: list default: [] items: - variable: audienceEntry label: "" schema: type: string default: "" required: true - variable: scopes label: "Scopes" description: "Scopes this client is allowed to request." schema: type: list default: [] items: - variable: ScopeEntry label: "Scope" schema: type: string default: "openid" required: true - variable: redirect_uris label: "redirect_uris" description: "Redirect URI's specifies a list of valid case-sensitive callbacks for this client." schema: type: list default: [] items: - variable: uriEntry label: "Url" schema: type: string default: "https://oidc.example.com/oauth2/callback" required: true - variable: grant_types description: "Grant Types configures which grants this client can obtain." label: "grant_types" schema: type: list default: [] items: - variable: grantEntry label: "Grant" schema: type: string default: "refresh_token" required: true - variable: response_types description: "Response Types configures which responses this client can be sent." label: "response_types" schema: type: list default: [] items: - variable: responseEntry label: "type" schema: type: string default: "code" required: true - variable: response_modes description: "Response Modes configures which response modes this client supports." label: "response_modes" schema: type: list default: [] items: - variable: modeEntry label: "Mode" schema: type: string default: "form_post" required: true