net-kingdom/sso-mfa/k8s/authelia/configmap.yaml
Bernd Worsch f2f07871eb fix(sso-mfa): commit T02–T06 fixes and workplan status updates
- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 20:25:03 +00:00


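# ConfigMap — Authelia configuration (namespace: sso)
#
# Contains the full Authelia configuration.yml EXCEPT sensitive values,
# which are injected at runtime via environment variables from authelia-secrets:
#
#   AUTHELIA_JWT_SECRET_FILE
#   AUTHELIA_SESSION_SECRET_FILE
#   AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
#   AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
#   AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
#   AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
#
# The *_FILE convention tells Authelia to read the secret from a file path
# (mounted from the authelia-secrets K8s Secret — see deployment.yaml).
#
# Deliberately NOT in that list: the OIDC client secret. Authelia 4.38 does
# not accept list-item secrets (clients[0].secret) from an env var, so the
# keycape client entry below carries a bcrypt HASH of the secret instead of
# the secret itself; the plaintext is held by the client (KeyCape). Publishing
# the hash is only safe because a bcrypt hash of a long, random secret is not
# practically invertible — a short or guessable secret would be crackable
# offline by anyone who can `get configmaps` in this namespace, so keep the
# secret high-entropy and keep ConfigMap read access in `sso` restricted.
#
# Access control policy is deliberately set to one_factor (password only).
# MFA is handled out-of-band by KeyCape via the privacyIDEA adapter AFTER
# Authelia confirms the user's password. Authelia must NOT prompt for a
# second factor; doing so would double-challenge the user.
#
# NOTE(review): several keys below (server.host/port, jwt_secret,
# session.domain, clients[].id/description/secret, issuer_private_key,
# userinfo_signing_algorithm) appear to be the pre-4.38 spellings that 4.38
# still accepts with deprecation warnings — confirm against the 4.38
# reference before upgrading past it.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authelia-config
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
data:
  configuration.yml: |
    ---
    theme: dark

    server:
      host: "0.0.0.0"
      port: 9091

    log:
      level: info

    # jwt_secret: injected via AUTHELIA_JWT_SECRET_FILE

    authentication_backend:
      ldap:
        # LLDAP preset configures the correct attributes for lldap/lldap image.
        implementation: lldap
        # Plain ldap:// — the bind password and every user password Authelia
        # verifies cross the cluster network unencrypted. Acceptable only while
        # pod-to-pod traffic inside the sso namespace is trusted: keep a
        # NetworkPolicy limiting who may reach lldap:3890, and prefer
        # ldaps:// / start_tls if the lldap deployment exposes TLS.
        url: ldap://lldap.sso.svc.cluster.local:3890
        base_dn: dc=netkingdom,dc=local
        username_attribute: uid
        additional_users_dn: ou=people
        # {username_attribute} expands to the attribute above; {input} is the
        # submitted username. Leave the escaping of {input} to Authelia — never
        # splice user-controlled text into this filter any other way.
        users_filter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
        additional_groups_dn: ou=groups
        groups_filter: "(member={dn})"
        group_name_attribute: cn
        mail_attribute: mail
        display_name_attribute: displayName
        # Bind identity. This is the LLDAP admin account; Authelia only needs
        # search/read access here, so a dedicated read-only bind user would
        # shrink the blast radius if the bind password ever leaks.
        user: uid=admin,ou=people,dc=netkingdom,dc=local
        # password: injected via AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE

    session:
      name: authelia_session
      # secret: injected via AUTHELIA_SESSION_SECRET_FILE
      expiration: 1h
      inactivity: 15m
      # NOTE(review): remember_me is not set, so Authelia's default applies
      # (a long "remember me" lifetime in recent releases — confirm for 4.38).
      # If sessions must really be capped at expiration/inactivity above, set
      # it explicitly (remember_me: -1 disables the checkbox).
      #
      # domain must cover both auth.coulomb.social and kc.coulomb.social
      # so the session cookie is valid across the SSO flow redirect.
      # Consequence: the cookie is sent to EVERY host under coulomb.social,
      # so a compromised sibling subdomain can replay it. Keep the parent
      # domain as narrow as the SSO flow allows.
      domain: coulomb.social  # CP-NK — parent domain; update if hostname domain changes

    regulation:
      max_retries: 5
      find_time: 2m
      ban_time: 10m

    storage:
      # encryption_key: injected via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
      # SQLite on a local path — single replica only.
      local:
        path: /var/authelia/data/db.sqlite3

    notifier:
      disable_startup_check: true
      # Filesystem notifier: identity-verification mail (password reset etc.)
      # is written to this file instead of being sent. Any token it contains
      # is readable by whoever can read the data volume — treat the volume as
      # sensitive.
      filesystem:
        filename: /var/authelia/data/notification.txt

    # ── Access control ────────────────────────────────────────────────────────
    # one_factor = password only. MFA is handled by KeyCape + privacyIDEA.
    # Do NOT change to two_factor here.
    access_control:
      default_policy: one_factor

    # ── OIDC identity provider ────────────────────────────────────────────────
    # Authelia acts as an upstream OIDC provider for KeyCape.
    # KeyCape is the only registered client.
    identity_providers:
      oidc:
        # hmac_secret: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
        # issuer_private_key: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
        clients:
          - id: keycape
            description: "KeyCape IAM Orchestration Layer"
            # bcrypt (cost 12) hash of the KeyCape OIDC client secret. Only the
            # hash is stored; it is safe in a ConfigMap provided the secret is
            # long and random — a weak secret would be crackable offline from
            # this value. Rotating the secret means regenerating this hash
            # (e.g. `authelia crypto hash generate bcrypt`).
            secret: "$2b$12$W/ct2nasY4wruQrFVh33UO5qgoxYTBNVvTBqfZHMwBVll13ZeCli."
            public: false
            authorization_policy: one_factor
            # No consent screen: KeyCape is first-party, so the user is not
            # asked to approve the requested scopes.
            consent_mode: implicit
            redirect_uris:
              # CP-NK-004 — update if kc.coulomb.social hostname changes.
              # Matched exactly; do not loosen to a wildcard or http://.
              - "https://kc.coulomb.social/authorize/callback"
            scopes:
              - openid
              - profile
              - email
              - groups
            grant_types:
              - authorization_code
            response_types:
              - code
            response_modes:
              - query
            # Userinfo response is plain (unsigned) JSON; its integrity rests on
            # the TLS connection KeyCape opens to Authelia.
            userinfo_signing_algorithm: none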