-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvalues.yaml
More file actions
446 lines (402 loc) · 12.2 KB
/
values.yaml
File metadata and controls
446 lines (402 loc) · 12.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
# -- Number of replicas. Must be 1 for SQLite mode.
# For HA (PostgreSQL + Redis), use 2+.
replicaCount: 1
image:
repository: ghcr.io/go-authgate/authgate
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# ============================================================
# Server Configuration
# ============================================================
server:
# -- Listening address (default: all interfaces on port 8080)
addr: ":8080"
# -- Public URL for OAuth redirects (REQUIRED)
# Example: https://auth.example.com
baseUrl: ""
# -- Environment mode: "production" or "development"
# production: session cookies require HTTPS, stricter security headers
environment: "production"
# -- TLS / HTTPS (optional). When both certFile and keyFile are set,
# AuthGate serves HTTPS on server.addr. Mount the PEM files into the pod via
# extraVolumes/extraVolumeMounts and point these paths at the mounted location.
# Remember to update server.baseUrl to https://... when enabling TLS.
tls:
certFile: ""
keyFile: ""
# ============================================================
# Database Configuration
# ============================================================
database:
# -- Driver: "sqlite" or "postgres"
driver: "sqlite"
# -- Persistence for SQLite database (ignored when database.driver=postgres)
persistence:
enabled: true
storageClass: ""
size: 1Gi
accessModes:
- ReadWriteOnce
# -- Use an existing PVC
existingClaim: ""
# -- Database connection pool settings
dbPool:
maxOpenConns: 25
maxIdleConns: 10
connMaxLifetime: "5m"
connMaxIdleTime: "10m"
# -- GORM log level: "silent", "error", "warn", "info"
logLevel: "warn"
# ============================================================
# Secrets
# ============================================================
# Sensitive values stored in a Kubernetes Secret.
# For production, use existingSecret with Vault/External Secrets Operator.
secrets:
# -- Use an existing Secret instead of creating one.
# Must contain keys: JWT_SECRET, SESSION_SECRET, and optionally others.
existingSecret: ""
# -- JWT signing secret (REQUIRED for HS256). Generate: openssl rand -hex 32
jwtSecret: ""
# -- Session encryption secret (REQUIRED). Generate: openssl rand -hex 32
sessionSecret: ""
# -- Default admin password. If empty, random 16-char password generated on first run.
defaultAdminPassword: ""
# -- PostgreSQL DSN (when database.driver=postgres and not using postgresql subchart)
# Example: "host=db user=authgate password=secret dbname=authgate port=5432 sslmode=require"
databaseDsn: ""
# ============================================================
# External Database (when database.driver=postgres and postgresql.enabled=false)
# ============================================================
externalDatabase:
host: ""
port: 5432
user: "authgate"
password: ""
database: "authgate"
sslmode: "require"
# ============================================================
# PostgreSQL Subchart (bitnami/postgresql)
# ============================================================
# Enable for dev/test one-click deployment.
# For production, use externalDatabase instead.
postgresql:
enabled: false
auth:
database: authgate
username: authgate
password: ""
postgresPassword: ""
# ============================================================
# External Redis (when redis subchart is disabled)
# ============================================================
externalRedis:
addr: ""
password: ""
db: 0
# ============================================================
# Redis Subchart (bitnami/redis)
# ============================================================
# Enable for dev/test. For production, use externalRedis.
redis:
enabled: false
architecture: standalone
auth:
enabled: false
password: ""
# ============================================================
# JWT Configuration
# ============================================================
jwt:
# -- Signing algorithm: HS256 (default), RS256, or ES256
signingAlgorithm: "HS256"
# -- Path to PEM private key (required for RS256/ES256 when privateKeyPem is empty)
privateKeyPath: ""
# -- Inline PEM private key content (alternative to privateKeyPath). Takes
# precedence over privateKeyPath when both are set. Stored in the Kubernetes
# Secret; use with External Secrets Operator for production.
privateKeyPem: ""
# -- Optional kid header value
keyId: ""
# -- Access token lifetime
expiration: "10h"
# -- Random jitter to prevent thundering herd
expirationJitter: "30m"
# -- Hard cap on any token profile's access TTL. Startup fails if a profile
# exceeds this limit.
maxExpiration: "24h"
# ============================================================
# Session Configuration
# ============================================================
session:
maxAge: 3600
idleTimeout: 1800
fingerprint: true
fingerprintIP: false
rememberMeEnabled: true
rememberMeMaxAge: 2592000
# ============================================================
# Rate Limiting
# ============================================================
rateLimit:
enabled: true
# -- Store: "memory" (single instance) or "redis" (multi-pod)
store: "memory"
cleanupInterval: "5m"
login: 5
deviceCode: 10
token: 20
deviceVerify: 10
introspect: 20
# -- Burst sizes (requests per minute). Ignored when store=redis.
loginBurst: 2
deviceCodeBurst: 3
tokenBurst: 5
deviceVerifyBurst: 3
# ============================================================
# Audit Logging
# ============================================================
audit:
enabled: true
retention: "2160h"
bufferSize: 1000
cleanupInterval: "24h"
# ============================================================
# Prometheus Metrics
# ============================================================
metrics:
enabled: false
# -- Bearer token for /metrics endpoint authentication
token: ""
gaugeUpdate:
enabled: true
interval: "5m"
cache:
type: "memory"
clientTTL: "30s"
sizePerConn: 32
# -- ServiceMonitor for Prometheus Operator
serviceMonitor:
enabled: false
namespace: ""
interval: "30s"
scrapeTimeout: "10s"
labels: {}
metricRelabelings: []
relabelings: []
# -- Metrics leader strategy for multi-replica gauge updates.
# "env-override": deploys a separate single-replica metrics-leader pod (recommended)
# "disabled": all pods update gauges (use PromQL max() aggregation)
metricsLeader:
strategy: "env-override"
# ============================================================
# Cache Configuration
# ============================================================
cache:
user:
type: "memory"
ttl: "5m"
clientTTL: "30s"
sizePerConn: 32
token:
enabled: false
type: "memory"
ttl: "10h"
clientTTL: "1h"
sizePerConn: 32
clientCount:
type: "memory"
ttl: "1h"
clientTTL: "10m"
sizePerConn: 32
# -- OAuth client lookup cache (queried on every OAuth flow).
# Mutations (create/update/delete/approve/reject/secret regen) invalidate immediately.
client:
type: "memory"
ttl: "5m"
clientTTL: "30s"
sizePerConn: 32
# ============================================================
# Authentication
# ============================================================
auth:
# -- Mode: "local" or "http_api"
mode: "local"
httpApi:
url: ""
timeout: "10s"
insecureSkipVerify: false
authMode: "none"
authSecret: ""
authHeader: "X-API-Secret"
maxRetries: 3
retryDelay: "1s"
maxRetryDelay: "10s"
# ============================================================
# OAuth Providers
# ============================================================
oauth:
autoRegister: true
timeout: "15s"
insecureSkipVerify: false
github:
enabled: false
clientId: ""
clientSecret: ""
redirectUrl: ""
scopes: "user:email"
gitea:
enabled: false
url: ""
clientId: ""
clientSecret: ""
redirectUrl: ""
scopes: "read:user"
microsoft:
enabled: false
tenantId: "common"
clientId: ""
clientSecret: ""
redirectUrl: ""
scopes: "openid,profile,email,User.Read"
gitlab:
enabled: false
url: ""
clientId: ""
clientSecret: ""
redirectUrl: ""
scopes: "read_user"
# ============================================================
# Refresh Token
# ============================================================
refreshToken:
enabled: true
rotation: false
expiration: "720h"
# -- Hard cap on any token profile's refresh TTL (default: 2160h / 90 days).
# Startup fails if a profile exceeds this limit.
maxExpiration: "2160h"
# ============================================================
# Token Profiles — per-OAuthApplication TTL presets
# ============================================================
# Each OAuth client selects one profile (short / standard / long) via the admin
# UI; tokens issued for that client use the preset's access & refresh TTLs.
# The "standard" profile inherits jwt.expiration / refreshToken.expiration by
# default when access/refresh are left empty.
tokenProfiles:
short:
accessTTL: "15m"
refreshTTL: "24h"
standard:
# -- Leave empty to inherit jwt.expiration
accessTTL: ""
# -- Leave empty to inherit refreshToken.expiration
refreshTTL: ""
long:
accessTTL: "24h"
refreshTTL: "2160h"
# ============================================================
# Client Credentials Flow (RFC 6749 §4.4)
# ============================================================
clientCredentials:
# -- Access token lifetime for client_credentials grant
tokenExpiration: "1h"
# ============================================================
# Authorization Code Flow
# ============================================================
authCode:
expiration: "10m"
pkceRequired: false
consentRemember: true
# ============================================================
# Dynamic Client Registration (RFC 7591)
# ============================================================
dynamicClientRegistration:
enabled: false
rateLimit: 5
token: ""
# ============================================================
# Expired Token / Device Code Cleanup
# ============================================================
expiredTokenCleanup:
enabled: false
interval: "1h"
# ============================================================
# Static File Caching
# ============================================================
staticCache:
# -- Cache-Control max-age for non-hashed static files (0 disables)
maxAge: "24h"
# ============================================================
# CORS
# ============================================================
cors:
enabled: false
allowedOrigins: []
allowedMethods: "GET,POST,PUT,DELETE,OPTIONS"
allowedHeaders: "Origin,Content-Type,Authorization"
maxAge: "12h"
# ============================================================
# Timeout Settings
# ============================================================
timeouts:
dbInit: "30s"
dbClose: "5s"
redisConn: "5s"
redisClose: "5s"
cacheInit: "5s"
cacheClose: "5s"
serverShutdown: "5s"
auditShutdown: "10s"
# ============================================================
# Kubernetes Resources
# ============================================================
serviceAccount:
create: true
automount: true
annotations: {}
name: ""
service:
type: ClusterIP
port: 80
ingress:
enabled: false
className: ""
annotations: {}
hosts: []
# - host: auth.example.com
# paths:
# - path: /
# pathType: Prefix
tls: []
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 10
targetCPUUtilizationPercentage: 80
podDisruptionBudget:
enabled: false
minAvailable: 1
resources:
requests:
cpu: 100m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
podAnnotations: {}
podLabels: {}
# -- Extra environment variables (list of name/value or name/valueFrom)
extraEnv: []
# -- Extra volume mounts for the authgate container
extraVolumeMounts: []
# -- Extra volumes for the pod
extraVolumes: []