From b610750593c7727ac1aef12212af6ed39ee8ee2f Mon Sep 17 00:00:00 2001 From: James Elliott Date: Tue, 16 Feb 2021 08:00:30 +1100 Subject: [PATCH] refactor: indentation and tls --- charts/authelia/Chart.yaml | 2 +- charts/authelia/templates/deployment.yaml | 230 +++++++++--------- charts/authelia/templates/ingress.yaml | 44 ++-- charts/authelia/templates/networkPolicy.yaml | 2 +- .../templates/podDisruptionBudget.yaml | 3 +- charts/authelia/templates/service.yaml | 8 +- .../templates/traefikCRD/ingressRoute.yaml | 62 ++--- .../templates/traefikCRD/middlewares.yaml | 22 +- .../templates/traefikCRD/tlsOption.yaml | 4 +- charts/authelia/values.local.yaml | 62 ++--- charts/authelia/values.yaml | 30 ++- 11 files changed, 241 insertions(+), 228 deletions(-) diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml index 6c79a28..245b621 100644 --- a/charts/authelia/Chart.yaml +++ b/charts/authelia/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: authelia -version: 0.1.4 +version: 0.1.5 kubeVersion: ">= 1.13.0" description: Authelia is a Single Sign-On Multi-Factor portal for web apps type: application diff --git a/charts/authelia/templates/deployment.yaml b/charts/authelia/templates/deployment.yaml index b5f769e..a2139fa 100644 --- a/charts/authelia/templates/deployment.yaml +++ b/charts/authelia/templates/deployment.yaml @@ -49,7 +49,7 @@ spec: {{- end }} spec: {{- with $tolerations := .Values.pod.tolerations }} - tolerations: {{ toYaml $tolerations | nindent 6 }} + tolerations: {{ toYaml $tolerations | nindent 8 }} {{- end }} hostNetwork: false hostPID: false 
@@ -67,137 +67,137 @@ spec: securityContext: {{ toYaml $context | nindent 8 }} {{- end }} containers: - - name: authelia - image: {{ include "authelia.image" . }} - imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }} - {{- with $pullSecrets := .Values.image.pullSecrets }} - imagePullSecrets: - {{- range $k, $secretName := $pullSecrets }} - - name: {{ $secretName }} - {{- end }} - {{- end }} - {{- with $resources :=.Values.pod.resources }} - resources: {{ toYaml $resources | nindent 10 }} - {{- end }} - env: - - name: AUTHELIA_JWT_SECRET_FILE - value: /usr/app/secrets/JWT_TOKEN - - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE - value: /usr/app/secrets/LDAP_PASSWORD - - name: AUTHELIA_SESSION_SECRET_FILE - value: /usr/app/secrets/SESSION_ENCRYPTION_KEY - {{- if .Values.configMap.storage.postgres }} - - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE - value: /usr/app/secrets/STORAGE_PASSWORD + - name: authelia + image: {{ include "authelia.image" . }} + imagePullPolicy: {{ default "IfNotPresent" .Values.image.pullPolicy }} + {{- with $pullSecrets := .Values.image.pullSecrets }} + imagePullSecrets: + {{- range $k, $secretName := $pullSecrets }} + - name: {{ $secretName }} {{- end }} - {{- if .Values.configMap.storage.mysql }} - - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE - value: /usr/app/secrets/STORAGE_PASSWORD {{- end }} - {{- if .Values.secret.smtp.enabled }} - - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE - value: /usr/app/secrets/SMTP_PASSWORD + {{- with $resources :=.Values.pod.resources }} + resources: {{ toYaml $resources | nindent 12 }} {{- end }} - {{- if and (.Values.configMap.session.redis) (.Values.secret.redis.enabled) }} - - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE - value: /usr/app/secrets/REDIS_PASSWORD + env: + - name: AUTHELIA_JWT_SECRET_FILE + value: /usr/app/secrets/JWT_TOKEN + - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE + value: /usr/app/secrets/LDAP_PASSWORD + - name: AUTHELIA_SESSION_SECRET_FILE + 
value: /usr/app/secrets/SESSION_ENCRYPTION_KEY + {{- if .Values.configMap.storage.postgres }} + - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE + value: /usr/app/secrets/STORAGE_PASSWORD + {{- end }} + {{- if .Values.configMap.storage.mysql }} + - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE + value: /usr/app/secrets/STORAGE_PASSWORD + {{- end }} + {{- if .Values.secret.smtp.enabled }} + - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE + value: /usr/app/secrets/SMTP_PASSWORD + {{- end }} + {{- if and (.Values.configMap.session.redis) (.Values.secret.redis.enabled) }} + - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE + value: /usr/app/secrets/REDIS_PASSWORD + {{- end }} + {{- if .Values.configMap.duo_api }} + - name: AUTHELIA_DUO_API_SECRET_KEY_FILE + value: /usr/app/secrets/DUO_API_KEY {{- end }} - {{- if .Values.configMap.duo_api }} - - name: AUTHELIA_DUO_API_SECRET_KEY_FILE - value: /usr/app/secrets/DUO_API_KEY - {{- end }} - {{- with .Values.pod.env }} - {{ toYaml . | indent 8 }} - {{- end }} - ports: - - name: http - containerPort: {{ default 9091 .Values.configMap.port }} - protocol: TCP - {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "startup" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.startup) .) }} - {{- $probe | nindent 8 }} - {{- end }} - {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "liveness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.liveness) .) }} - {{- $probe | nindent 8 }} - {{- end }} - {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "readiness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.readiness) .) }} - {{- $probe | nindent 8 }} - {{- end }} - volumeMounts: - {{- if (include "authelia.enabled.persistentVolumeClaim" .) 
}} - - mountPath: /config - name: authelia - readOnly: {{ .Values.persistence.readOnly }} - {{- with $subPath := .Values.persistence.subPath }} - subPath: {{ $subPath }} + {{- with $env := .Values.pod.env }} + {{ toYaml $env | indent 10 }} {{- end }} - {{- with $subPathExpr := .Values.persistence.subPathExpr }} - subPathExpr: {{ $subPathExpr }} + ports: + - name: http + containerPort: {{ default 9091 .Values.configMap.port }} + protocol: TCP + {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "startup" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.startup) .) }} + {{- $probe | nindent 10 }} {{- end }} - {{- with $mountPropagation := .Values.persistence.mountPropagation }} - mountPropagation: {{ $mountPropagation }} + {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "liveness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.liveness) .) }} + {{- $probe | nindent 10 }} {{- end }} + {{- with $probe := include "authelia.merge.probe" (merge (dict "Type" "readiness" "Method" .Values.pod.probes.method "Probe" .Values.pod.probes.readiness) .) }} + {{- $probe | nindent 10 }} {{- end }} - {{- if (include "authelia.enabled.configMap" .) }} - - mountPath: /config - name: config - readOnly: true + volumeMounts: + {{- if (include "authelia.enabled.persistentVolumeClaim" .) }} + - mountPath: /config + name: authelia + readOnly: {{ .Values.persistence.readOnly }} + {{- with $subPath := .Values.persistence.subPath }} + subPath: {{ $subPath }} + {{- end }} + {{- with $subPathExpr := .Values.persistence.subPathExpr }} + subPathExpr: {{ $subPathExpr }} + {{- end }} + {{- with $mountPropagation := .Values.persistence.mountPropagation }} + mountPropagation: {{ $mountPropagation }} + {{- end }} + {{- end }} + {{- if (include "authelia.enabled.configMap" .) 
}} + - mountPath: /config + name: config + readOnly: true + {{- end }} + - mountPath: /usr/app/secrets + name: secrets + readOnly: true + {{- if (include "authelia.enabled.certificatesSecret" .) }} + - mountPath: /usr/app/certificates + name: certificates + readOnly: true {{- end }} - - mountPath: /usr/app/secrets - name: secrets - readOnly: true - {{- if (include "authelia.enabled.certificatesSecret" .) }} - - mountPath: /usr/app/certificates - name: certificates - readOnly: true - {{- end }} - {{- with $mounts := .Values.pod.extraVolumeMounts }} - {{ toYaml $mounts | indent 8 }} - {{- end }} - {{- with $context := .Values.pod.podSecurityContext }} - securityContext: {{ toYaml $context | nindent 10 }} + {{- with $mounts := .Values.pod.extraVolumeMounts }} + {{ toYaml $mounts | indent 8 }} + {{- end }} + {{- with $context := .Values.pod.podSecurityContext }} + securityContext: {{ toYaml $context | nindent 10 }} {{- end }} volumes: {{- if (include "authelia.enabled.persistentVolumeClaim" .) }} - - name: authelia - persistentVolumeClaim: - claimName: {{ default (include "authelia.name" .) .Values.persistence.existingClaim }} + - name: authelia + persistentVolumeClaim: + claimName: {{ default (include "authelia.name" .) .Values.persistence.existingClaim }} {{- end }} {{- if (include "authelia.enabled.configMap" .) }} - - name: config - configMap: - name: {{ default (include "authelia.name" .) .Values.configMap.existingConfigMap }} - items: - - key: {{ default "configuration.yml" .Values.configMap.key }} - path: configuration.yml + - name: config + configMap: + name: {{ default (include "authelia.name" .) .Values.configMap.existingConfigMap }} + items: + - key: {{ default "configuration.yml" .Values.configMap.key }} + path: configuration.yml {{- end }} - - name: secrets - secret: - secretName: {{ default (include "authelia.name" .) 
.Values.secret.existingSecret }} - items: - - key: {{ default "JWT_TOKEN" .Values.secret.jwt.key }} - path: JWT_TOKEN - - key: {{ default "LDAP_PASSWORD" .Values.secret.ldap.key }} - path: LDAP_PASSWORD - - key: {{ default "SESSION_ENCRYPTION_KEY" .Values.secret.session.key }} - path: SESSION_ENCRYPTION_KEY - - key: {{ default "STORAGE_PASSWORD" .Values.secret.storage.key }} - path: STORAGE_PASSWORD - {{- if .Values.secret.smtp.enabled }} - - key: {{ default "SMTP_PASSWORD" .Values.secret.smtp.key }} - path: SMTP_PASSWORD - {{- end }} - {{- if and (.Values.configMap.session.redis) (.Values.secret.redis.enabled) }} - - key: {{ default "REDIS_PASSWORD" .Values.secret.redis.key }} - path: REDIS_PASSWORD - {{- end }} - {{- if .Values.configMap.duo_api }} - - key: {{ default "DUO_API_KEY" .Values.secret.duo.key }} - path: DUO_API_KEY + - name: secrets + secret: + secretName: {{ default (include "authelia.name" .) .Values.secret.existingSecret }} + items: + - key: {{ default "JWT_TOKEN" .Values.secret.jwt.key }} + path: JWT_TOKEN + - key: {{ default "LDAP_PASSWORD" .Values.secret.ldap.key }} + path: LDAP_PASSWORD + - key: {{ default "SESSION_ENCRYPTION_KEY" .Values.secret.session.key }} + path: SESSION_ENCRYPTION_KEY + - key: {{ default "STORAGE_PASSWORD" .Values.secret.storage.key }} + path: STORAGE_PASSWORD + {{- if .Values.secret.smtp.enabled }} + - key: {{ default "SMTP_PASSWORD" .Values.secret.smtp.key }} + path: SMTP_PASSWORD + {{- end }} + {{- if and (.Values.configMap.session.redis) (.Values.secret.redis.enabled) }} + - key: {{ default "REDIS_PASSWORD" .Values.secret.redis.key }} + path: REDIS_PASSWORD + {{- end }} + {{- if .Values.configMap.duo_api }} + - key: {{ default "DUO_API_KEY" .Values.secret.duo.key }} + path: DUO_API_KEY {{- end }} {{- if (include "authelia.enabled.certificatesSecret" .) }} - - name: certificates - secret: - secretName: {{ include "authelia.names.certificatesSecret" . 
}} + - name: certificates + secret: + secretName: {{ include "authelia.names.certificatesSecret" . }} {{- end }} {{- with .Values.pod.extraVolumes }} {{ toYaml . | indent 6 }} diff --git a/charts/authelia/templates/ingress.yaml b/charts/authelia/templates/ingress.yaml index bca30e6..916df5b 100644 --- a/charts/authelia/templates/ingress.yaml +++ b/charts/authelia/templates/ingress.yaml 
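Review bot: The container-level `securityContext: {{ toYaml $context | nindent 10 }}` at the end of the volumeMounts section keeps `nindent 10` while every other container key in this hunk moved to column 10 and its nested values to 12 (`resources` went to `nindent 12`, the probes to `nindent 10`), so the rendered security context children would land on the same column as the key; it should read `securityContext: {{ toYaml $context | nindent 12 }}`. The same applies to `{{ toYaml $mounts | indent 8 }}` for `extraVolumeMounts`, which stayed at 8 while `env` moved to `indent 10`; `nindent 12` would also avoid the first-line offset that `indent` inherits from the template line's own whitespace. Separately, `imagePullSecrets` is emitted between `imagePullPolicy` and `resources`, which in this rendering looks like it sits inside the container entry, yet it is a PodSpec field; the collapsed whitespace hides the exact columns, so confirm against a rendered manifest before relying on private-registry pulls.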
@@ -9,25 +9,33 @@ metadata: annotations: {{ $annotations | nindent 4 }} {{- end }} spec: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- with $className := .Values.ingress.className }} + ingressClassName: {{ $className }} + {{- end }} + {{- end }} rules: - - host: {{ include "authelia.ingressHost" . }} - http: - paths: - - path: {{ (include "authelia.path" .) }} - backend: - {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} - service: - name: {{ include "authelia.name" . }} - port: - number: {{ include "authelia.service.port" . }} - {{- else }} - serviceName: {{ include "authelia.name" . }} - servicePort: {{ include "authelia.service.port" . }} + - host: {{ include "authelia.ingressHost" . }} + http: + paths: + - path: {{ (include "authelia.path" .) }} + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + {{- end }} + backend: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ include "authelia.name" . }} + port: + number: {{ include "authelia.service.port" . }} + {{- else }} + serviceName: {{ include "authelia.name" . }} + servicePort: {{ include "authelia.service.port" . }} {{- end }} -{{- if .Values.ingress.tls }} + {{- if .Values.ingress.tls.enabled }} tls: - - hosts: - - {{ include "authelia.ingressHost" . }} - secretName: {{ .Values.ingress.tlsSecret }} -{{- end -}} + - hosts: + - {{ default (include "authelia.ingressHost" .) .Values.ingress.tls.hostNameOverride }} + secretName: {{ default "authelia-tls" .Values.ingress.tls.secret }} + {{- end -}} {{- end -}} diff --git a/charts/authelia/templates/networkPolicy.yaml b/charts/authelia/templates/networkPolicy.yaml index 97eda36..d32bffd 100644 --- a/charts/authelia/templates/networkPolicy.yaml +++ b/charts/authelia/templates/networkPolicy.yaml 
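Review bot: `{{- if .Values.ingress.tls.enabled }}` changes `ingress.tls` from a boolean to a mapping, so a user values file that still carries the previous `tls: true` / `tlsSecret:` keys will fail at render time (field access on a bool) on upgrade, and an existing `tlsSecret` value silently stops being read. The Chart.yaml bump in this patch is only 0.1.4 to 0.1.5 and no upgrade note accompanies the rename, so either document the new `tls.enabled` / `tls.secret` layout as a breaking change or keep a fallback for the boolean form. The same field access is introduced in the traefikCRD/ingressRoute.yaml hunk of this patch. `ingressClassName` and `pathType: Prefix` are both gated on `networking.k8s.io/v1`, which is fine since `pathType` is mandatory there and optional on v1beta1.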
@@ -11,7 +11,7 @@ metadata: spec: podSelector: matchLabels: {{- include "authelia.matchLabels" . | nindent 6 }} - policyTypes: {{ toYaml .Values.networkPolicy.policyTypes | nindent 2 }} + policyTypes: {{ toYaml .Values.networkPolicy.policyTypes | nindent 4 }} {{- with $ingress := .Values.networkPolicy.ingress }} ingress: {{ toYaml $ingress | nindent 4 }} {{- end }} diff --git a/charts/authelia/templates/podDisruptionBudget.yaml b/charts/authelia/templates/podDisruptionBudget.yaml index 0844892..1d85315 100644 --- a/charts/authelia/templates/podDisruptionBudget.yaml +++ b/charts/authelia/templates/podDisruptionBudget.yaml @@ -17,6 +17,5 @@ spec: minAvailable: 1 {{- end }} selector: - matchLabels: - {{- include "authelia.matchLabels" . | nindent 6 }} + matchLabels: {{- include "authelia.matchLabels" . | nindent 6 }} {{- end -}} \ No newline at end of file diff --git a/charts/authelia/templates/service.yaml b/charts/authelia/templates/service.yaml index b1da978..adac585 100644 --- a/charts/authelia/templates/service.yaml +++ b/charts/authelia/templates/service.yaml @@ -14,7 +14,7 @@ spec: {{- end }} selector: {{- include "authelia.matchLabels" . | nindent 4 }} ports: - - name: http - protocol: TCP - port: {{ include "authelia.service.port" . }} - targetPort: http \ No newline at end of file + - name: http + protocol: TCP + port: {{ include "authelia.service.port" . }} + targetPort: http \ No newline at end of file diff --git a/charts/authelia/templates/traefikCRD/ingressRoute.yaml b/charts/authelia/templates/traefikCRD/ingressRoute.yaml index 56ad638..9347f79 100644 --- a/charts/authelia/templates/traefikCRD/ingressRoute.yaml +++ b/charts/authelia/templates/traefikCRD/ingressRoute.yaml 
@@ -10,37 +10,37 @@ metadata: {{- end }} spec: {{- with $entryPoints := default (list "http") .Values.ingress.traefikCRD.entryPoints }} - entryPoints: {{- toYaml $entryPoints | nindent 2 }} + entryPoints: {{- toYaml $entryPoints | nindent 4 }} {{- end }} routes: - - kind: Rule - match: {{ default (printf "Host(`%s`) && PathPrefix(`%s`)" (include "authelia.ingressHost" .) (include "authelia.path" .)) .Values.ingress.traefikCRD.matchOverride }} - priority: {{ default 10 .Values.ingress.traefikCRD.priority }} - middlewares: - - name: {{ include "authelia.ingress.traefikCRD.middleware.name.chain" . }} - namespace: {{ .Release.Namespace }} - services: - - kind: Service - name: {{ include "authelia.name" . }} - port: {{ include "authelia.service.port" . }} - namespace: {{ .Release.Namespace }} - passHostHeader: true - strategy: {{ default "RoundRobin" .Values.ingress.traefikCRD.strategy }} - scheme: {{ default "http" .Values.ingress.traefikCRD.scheme }} - weight: {{ default 10 .Values.ingress.traefikCRD.weight }} - responseForwarding: - flushInterval: {{ default "100ms" .Values.ingress.traefikCRD.responseForwardingFlushInterval }} - {{- if .Values.ingress.traefikCRD.sticky }} - sticky: - cookie: - httpOnly: true - name: {{ default (printf "%s_traefik_lb" (include "authelia.name" .)) .Values.ingress.traefikCRD.stickyCookieNameOverride }} - secure: true - sameSite: None + - kind: Rule + match: {{ default (printf "Host(`%s`) && PathPrefix(`%s`)" (include "authelia.ingressHost" .) (include "authelia.path" .)) .Values.ingress.traefikCRD.matchOverride }} + priority: {{ default 10 .Values.ingress.traefikCRD.priority }} + middlewares: + - name: {{ include "authelia.ingress.traefikCRD.middleware.name.chain" . }} + namespace: {{ .Release.Namespace }} + services: + - kind: Service + name: {{ include "authelia.name" . }} + port: {{ include "authelia.service.port" . 
}} + namespace: {{ .Release.Namespace }} + passHostHeader: true + strategy: {{ default "RoundRobin" .Values.ingress.traefikCRD.strategy }} + scheme: {{ default "http" .Values.ingress.traefikCRD.scheme }} + weight: {{ default 10 .Values.ingress.traefikCRD.weight }} + responseForwarding: + flushInterval: {{ default "100ms" .Values.ingress.traefikCRD.responseForwardingFlushInterval }} + {{- if .Values.ingress.traefikCRD.sticky }} + sticky: + cookie: + httpOnly: true + name: {{ default (printf "%s_traefik_lb" (include "authelia.name" .)) .Values.ingress.traefikCRD.stickyCookieNameOverride }} + secure: true + sameSite: None {{- end }} - {{- if .Values.ingress.traefikCRD.tls }} + {{- if .Values.ingress.tls.enabled }} tls: - secretName: {{ default (printf "%s-traefik-tls" (include "authelia.name" .)) .Values.ingress.traefikCRD.tls.secretName }} + secretName: {{ default (printf "%s-traefik-tls" (include "authelia.name" .)) .Values.ingress.tls.secret }} options: {{- if (include "authelia.existing.ingress.traefik.tlsOption" .) }} {{- toYaml .Values.ingress.traefikCRD.tls.existingOptions | nindent 6 }} @@ -50,10 +50,10 @@ spec: {{- end }} certResolver: {{ default "default" .Values.ingress.traefikCRD.tls.certResolver }} domains: - {{- if .Values.ingress.traefikCRD.tls.domains }} - {{- toYaml .Values.ingress.traefikCRD.tls.domains | nindent 4 }} - {{- else }} - - main: {{ include "authelia.ingressHost" . }} + - main: {{ default (include "authelia.ingressHost" .) .Values.ingress.tls.hostNameOverride }} + {{- if .Values.ingress.traefikCRD.tls.sans }} + sans: {{- toYaml .Values.ingress.traefikCRD.tls.sans | nindent 10 }} {{- end }} + {{- else }} {{- end }} {{- end -}} \ No newline at end of file diff --git a/charts/authelia/templates/traefikCRD/middlewares.yaml b/charts/authelia/templates/traefikCRD/middlewares.yaml index 530c761..68d9739 100644 --- a/charts/authelia/templates/traefikCRD/middlewares.yaml +++ b/charts/authelia/templates/traefikCRD/middlewares.yaml 
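Review bot: The fallback in `secretName: {{ default (printf "%s-traefik-tls" (include "authelia.name" .)) .Values.ingress.tls.secret }}` is unreachable in the default configuration, because values.yaml in this same patch sets `ingress.tls.secret: authelia-tls`, and it also differs from the `default "authelia-tls"` used for the same value in ingress.yaml. Since one value now feeds both the Ingress and the IngressRoute, the two templates should agree on a single fallback (or a shared named template), otherwise clearing the value yields different Secret names per ingress type. The previous per-CRD `traefikCRD.tls.secretName` is dropped with no deprecation path; the values hunks only delete its commented example.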
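Review bot: The added `{{- else }}` after the `sans` block is a leftover of the removed `{{- if .Values.ingress.traefikCRD.tls.domains }}` branch; it now attaches as an empty else-branch to `{{- if .Values.ingress.tls.enabled }}`, which renders nothing but reads as if a fallback were intended, so the line should be deleted. With `domains` reduced to a single `main` entry plus optional `sans`, users who passed a full `traefikCRD.tls.domains` list lose that option without mention in the patch. The enclosing `tls:` block starts in the previous hunk.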
@@ -13,7 +13,7 @@ spec: address: {{ (include "authelia.forwardAuthPath" .) }} trustForwardHeader: true {{- with .Values.ingress.traefikCRD.middlewares.auth.authResponseHeaders }} - authResponseHeaders: {{- toYaml . | nindent 4 }} + authResponseHeaders: {{- toYaml . | nindent 6 }} {{- end }} --- apiVersion: traefik.containo.us/v1alpha1 @@ -44,12 +44,12 @@ spec: chain: middlewares: {{- with $middlewares := .Values.ingress.traefikCRD.middlewares.chains.auth.before }} - {{- toYaml $middlewares | nindent 4 }} + {{- toYaml $middlewares | nindent 6 }} {{- end }} - - name: {{ include "authelia.ingress.traefikCRD.middleware.name.forwardAuth" . }} - namespace: {{ .Release.Namespace }} + - name: {{ include "authelia.ingress.traefikCRD.middleware.name.forwardAuth" . }} + namespace: {{ .Release.Namespace }} {{- with $middlewares := .Values.ingress.traefikCRD.middlewares.chains.auth.after }} - {{- toYaml $middlewares | nindent 4 }} + {{- toYaml $middlewares | nindent 6 }} {{- end }} --- apiVersion: traefik.containo.us/v1alpha1 @@ -58,19 +58,19 @@ metadata: name: {{ include "authelia.name" . }} labels: {{- include "authelia.labels" . | nindent 4 }} - {{- with (include "authelia.annotations" .) }} + {{- with $annotations := (include "authelia.annotations" .) }} annotations: - {{- . | nindent 4 }} + {{- $annotations | nindent 4 }} {{- end }} spec: chain: middlewares: {{- with $middlewares := .Values.ingress.traefikCRD.middlewares.chains.ingressRoute.before }} - {{- toYaml $middlewares | nindent 4 }} + {{- toYaml $middlewares | nindent 6 }} {{- end }} - - name: {{ printf "headers-%s" (include "authelia.name" .) }} - namespace: {{ .Release.Namespace }} + - name: {{ printf "headers-%s" (include "authelia.name" .) }} + namespace: {{ .Release.Namespace }} {{- with $middlewares := .Values.ingress.traefikCRD.middlewares.chains.ingressRoute.after }} - {{- toYaml $middlewares | nindent 4 }} + {{- toYaml $middlewares | nindent 6 }} {{- end }} {{- end -}} \ No newline at end of file 
diff --git a/charts/authelia/templates/traefikCRD/tlsOption.yaml b/charts/authelia/templates/traefikCRD/tlsOption.yaml index 0347387..bdc9bbb 100644 --- a/charts/authelia/templates/traefikCRD/tlsOption.yaml +++ b/charts/authelia/templates/traefikCRD/tlsOption.yaml @@ -12,10 +12,10 @@ spec: minVersion: {{ default "VersionTLS12" .Values.ingress.traefikCRD.tls.options.minVersion }} maxVersion: {{ default "VersionTLS13" .Values.ingress.traefikCRD.tls.options.maxVersion }} {{- with $prefernces := .Values.ingress.traefikCRD.tls.options.curvePreferences }} - curvePreferences: {{ toYaml $prefernces | nindent 2 }} + curvePreferences: {{ toYaml $prefernces | nindent 4 }} {{- end }} {{- with $suites := default (list "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_RSA_WITH_AES_256_GCM_SHA384") .Values.ingress.traefikCRD.tls.options.cipherSuites }} - cipherSuites: {{ toYaml $suites | nindent 2 }} + cipherSuites: {{ toYaml $suites | nindent 4 }} {{- end }} {{ with $strict := .Values.ingress.traefikCRD.tls.options.sniStrict }} sniStrict: {{ $strict }} diff --git a/charts/authelia/values.local.yaml b/charts/authelia/values.local.yaml index 18f5c69..083e032 100644 --- a/charts/authelia/values.local.yaml +++ b/charts/authelia/values.local.yaml 
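Review bot: The default cipher-suite list on the `{{- with $suites := default (list "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_RSA_WITH_AES_256_GCM_SHA384") ... }}` line is unchanged by this hunk but worth fixing while the block is touched: `TLS_RSA_WITH_AES_256_GCM_SHA384` uses static RSA key exchange with no forward secrecy, so a TLSOption that defaults to `VersionTLS12` should default to ECDHE suites only (drop the RSA entry and, if ECDSA certificates are in use, add the ECDHE-ECDSA counterpart). Note that this list only governs TLS 1.2, since Go-based Traefik does not allow configuring TLS 1.3 suites. Minor: the local `$prefernces` is misspelled on both lines that use it (`$preferences`).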
@@ -73,84 +73,88 @@ ingress: certManager: false rewriteTarget: true - + + ## The Ingress Class Name. + # className: ingress-nginx + ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, ## and specify example.com for the domain. subdomain: auth - tls: true - tlsSecret: authelia-tls + tls: + enabled: true + secret: authelia-tls + + # hostNameOverride: traefikCRD: enabled: false - + # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) - + entrypoints: [ ] # entrypoints: # - http - + # priority: 10 - + # weight: 10 - + sticky: false - + # stickyCookieNameOverride: authelia_traefik_lb - + # strategy: RoundRobin - + # responseForwardingFlushInterval: 100ms - + middlewares: auth: # nameOverride: authelia-auth authResponseHeaders: - - Remote-User - - Remote-Name - - Remote-Email - - Remote-Groups - + - Remote-User + - Remote-Name + - Remote-Email + - Remote-Groups + chains: auth: # nameOverride: authelia-auth-chain - + # List of Middlewares to apply before the forwardAuth Middleware in the authentication chain. before: [ ] # before: # - name: extra-middleware-name # namespace: default - + # List of Middlewares to apply after the forwardAuth Middleware in the authentication chain. after: [ ] # after: # - name: extra-middleware-name # namespace: default - + ingressRoute: - + # List of Middlewares to apply before the middleware in the IngressRoute chain. before: [ ] # before: # - name: extra-middleware-name # namespace: default - + # List of Middlewares to apply after the middleware in the IngressRoute chain. after: [ ] # after: # - name: extra-middleware-name # namespace: default - + + # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. 
tls: - # secretName: traefik-example-com-wildcard - # existingOptions + # existingOptions: # name: default-traefik-options # namespace: default # certResolver: default - # domains: - # - main: example.com - # sans: + # sans: # - *.example.com # options: { } @@ -857,11 +861,9 @@ secret: key: DUO_API_KEY # value: redis: - enabled: false key: REDIS_PASSWORD # value: smtp: - enabled: false key: SMTP_PASSWORD # value: diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml index 6ca5591..028c634 100644 --- a/charts/authelia/values.yaml +++ b/charts/authelia/values.yaml @@ -72,24 +72,30 @@ ingress: certManager: false rewriteTarget: true - + + ## The Ingress Class Name. + # className: ingress-nginx + ## Subdomain is the only thing required since we specify the domain as part of the root values of the chart. ## Example: To get Authelia to listen on https://auth.example.com specify 'auth' for ingress.subdomain, ## and specify example.com for the domain. subdomain: auth - tls: true - tlsSecret: authelia-tls + tls: + enabled: true + secret: authelia-tls + + # hostNameOverride: traefikCRD: enabled: false - + # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`) - + entrypoints: [ ] # entrypoints: # - http - + # priority: 10 # weight: 10 @@ -134,22 +140,20 @@ ingress: # before: # - name: extra-middleware-name # namespace: default - + # List of Middlewares to apply after the middleware in the IngressRoute chain. after: [ ] # after: # - name: extra-middleware-name # namespace: default - + + # Specific options for the TraefikCRD TLS configuration. The above TLS section is still used. tls: - # secretName: traefik-example-com-wildcard - # existingOptions + # existingOptions: # name: default-traefik-options # namespace: default # certResolver: default - # domains: - # - main: example.com - # sans: + # sans: # - *.example.com # options: { }
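Review bot: The commented example under the new `# sans:` line, `# - *.example.com`, would not parse if uncommented, because a plain scalar beginning with `*` is a YAML alias; the example should read `# - "*.example.com"`. The same example appears in the values.yaml hunk of this patch. While here: traefikCRD/ingressRoute.yaml reads `.Values.ingress.traefikCRD.entryPoints` (camelCase), but both values files define `entrypoints: [ ]`; Helm value keys are case-sensitive, so as far as these hunks show the documented key is never read and the `(list "http")` default always applies, and one side needs renaming.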
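Review bot: Dropping `enabled: false` from `secret.redis` and `secret.smtp` leaves those keys unset in values.local.yaml, while the deployment hunk in this patch still gates the REDIS_PASSWORD and SMTP_PASSWORD mounts on `.Values.secret.smtp.enabled` and `.Values.secret.redis.enabled`. If values.local.yaml is layered over values.yaml the defaults there still apply, but used on its own the missing keys evaluate as false and the password files are silently not mounted; no matching change to the template or to the `secret:` section of values.yaml appears in this patch, so confirm which behaviour is intended.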