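# ConfigMap — Authelia configuration (namespace: sso)
#
# Contains the full Authelia configuration.yml EXCEPT sensitive values,
# which are injected at runtime via environment variables from authelia-secrets:
#
#   AUTHELIA_JWT_SECRET_FILE
#   AUTHELIA_SESSION_SECRET_FILE
#   AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
#   AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
#   AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
#   AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
#   AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
#     NOTE(review): clients[0].secret is ALSO set inline below (bcrypt hash).
#     Authelia rejects a secret that is defined both via a *_FILE variable and
#     in the config file, so exactly one of the two sources must be present —
#     confirm which one deployment.yaml actually mounts and drop the other.
#
# The *_FILE convention tells Authelia to read the secret from a file path
# (mounted from the authelia-secrets K8s Secret — see deployment.yaml).
#
# Access control policy is deliberately set to one_factor (password only).
# MFA is handled out-of-band by KeyCape via the privacyIDEA adapter AFTER
# Authelia confirms the user's password. Authelia must NOT prompt for a
# second factor; doing so would double-challenge the user.
#
# Non-secret values in this ConfigMap are still security-relevant (bind DN,
# LDAP URL, cookie domain, client hash): restrict who can edit it via RBAC.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-config
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
data:
  configuration.yml: |
    ---
    theme: dark

    server:
      # Binds every interface inside the pod; reachability is governed by the
      # Service / NetworkPolicy, not by this address.
      host: "0.0.0.0"
      port: 9091

    log:
      level: info

    # jwt_secret: injected via AUTHELIA_JWT_SECRET_FILE

    authentication_backend:
      ldap:
        # LLDAP preset configures the correct attributes for lldap/lldap image.
        implementation: lldap
        # NOTE(review): plain ldap:// — the bind password and every user password
        # cross the pod network unencrypted. Acceptable only if traffic between
        # Authelia and LLDAP is confined by NetworkPolicy or a mesh; prefer
        # ldaps:// / start_tls once LLDAP exposes TLS.
        url: ldap://lldap.sso.svc.cluster.local:3890
        base_dn: dc=netkingdom,dc=local
        username_attribute: uid
        additional_users_dn: ou=people
        users_filter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
        additional_groups_dn: ou=groups
        groups_filter: "(member={dn})"
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        # NOTE(review): binds as the LLDAP admin account. Authelia only needs
        # read access for lookups (write only if its password-reset flow is
        # used); a dedicated least-privilege bind account limits the blast
        # radius if the bind password leaks.
        user: uid=admin,ou=people,dc=netkingdom,dc=local
        # password: injected via AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE

    session:
      name: authelia_session
      # secret: injected via AUTHELIA_SESSION_SECRET_FILE
      expiration: 1h
      inactivity: 15m
      # domain must cover both auth.coulomb.social and kc.coulomb.social
      # so the session cookie is valid across the SSO flow redirect.
      # Consequence: every host under coulomb.social receives this cookie,
      # so all of those hosts must be trusted to the same degree.
      domain: coulomb.social  # CP-NK — parent domain; update if hostname domain changes

    # Brute-force regulation: 5 failures within 2m bans the user for 10m.
    regulation:
      max_retries: 5
      find_time: 2m
      ban_time: 10m

    storage:
      # encryption_key: injected via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
      local:
        path: /var/authelia/data/db.sqlite3

    notifier:
      disable_startup_check: true
      # Filesystem notifier: password-reset / identity-verification mails are
      # written to this file instead of being sent — not suitable for users
      # who rely on e-mail verification.
      filesystem:
        filename: /var/authelia/data/notification.txt

    # ── Access control ────────────────────────────────────────────────────────
    # one_factor = password only. MFA is handled by KeyCape + privacyIDEA.
    # Do NOT change to two_factor here.
    access_control:
      default_policy: one_factor

    # ── OIDC identity provider ────────────────────────────────────────────────
    # Authelia acts as an upstream OIDC provider for KeyCape.
    # KeyCape is the only registered client.
    identity_providers:
      oidc:
        # hmac_secret: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
        # issuer_private_key: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
        clients:
          - id: keycape
            description: "KeyCape IAM Orchestration Layer"
            # bcrypt hash of the KeyCape OIDC client secret. The hash is not the
            # secret, but it is an offline-crackable artifact: keep the underlying
            # client secret long and random, and see the header note about the
            # duplicate AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE source.
            secret: "$2b$12$W/ct2nasY4wruQrFVh33UO5qgoxYTBNVvTBqfZHMwBVll13ZeCli."
            # Confidential client: the secret above is required at the token endpoint.
            public: false
            authorization_policy: one_factor
            # implicit = no consent screen; acceptable only because KeyCape is the
            # sole first-party client.
            consent_mode: implicit
            redirect_uris:
              # CP-NK-004 — update if kc.coulomb.social hostname changes
              - "https://kc.coulomb.social/authorize/callback"
            scopes:
              - openid
              - profile
              - email
              - groups
            grant_types:
              - authorization_code
            response_types:
              - code
            response_modes:
              - query
            # Userinfo is returned as unsigned JSON; its integrity rests on the
            # TLS connection KeyCape makes to the userinfo endpoint.
            userinfo_signing_algorithm: none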