authelia helm

Authelia is an open-source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing multi-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for common reverse proxies.

More popular helm chart found

authelia from bjw-s is more popular with 44 repositories.

Install

Install with:

helm repo add authelia https://charts.authelia.com/
helm install authelia authelia/authelia -f values.yaml

Examples

See examples from other people.

Top Repositories (3 out of 4)

NameRepoStarsVersionTimestamp
autheliaPumba98/flux2-gitops550.10.59 hours ago
autheliawrmilling/k3s-gitops2200.10.52 days ago
autheliapascaliske/infrastructure640.9.17a month ago

Values

See the most popular values for this chart:

KeyTypes
configMap.notifier.smtp.enabled (4)
true
boolean
configMap.notifier.smtp.address (3)
submission://smtp.fastmail.com:587
string
configMap.notifier.smtp.enabledSecret (3)
true
boolean
configMap.notifier.smtp.sender (3)
Authelia <authelia@${SECRET_DOMAIN}>
string
configMap.notifier.smtp.username (3)
mail@${SECRET_DOMAIN}
string
configMap.notifier.smtp.subject (2)
[auth@infrastructure] {title}
string
configMap.notifier.smtp.identifier (1)
localhost
string
configMap.notifier.smtp.password.path (1)
SMTP_PASSWORD
string
configMap.notifier.smtp.password.value (1)
${SECRET_AUTH_SMTP_PASSWORD}
string
configMap.notifier.smtp.startup_check_address (1)
${SECRET_AUTH_SMTP_USER}
string
configMap.notifier.disable_startup_check (2)
true
boolean
configMap.notifier.filesystem.enabled (1)
true
boolean
configMap.notifier.filesystem.filename (1)
/config/notification.txt
string
configMap.session.redis.enabled (4)
true
boolean
configMap.session.redis.host (3)
authelia-redis-master
string
configMap.session.redis.enabledSecret (2)
true
boolean
configMap.session.redis.port (2)
26379
number
configMap.session.redis.database_index (1)
0
number
configMap.session.redis.high_availability.enabled (1)
true
boolean
configMap.session.redis.high_availability.password.disabled (1)
true
boolean
configMap.session.redis.high_availability.sentinel_name (1)
mymaster
string
configMap.session.redis.password.disabled (1)
true
boolean
configMap.session.redis.password.value (1)
${SECRET_AUTH_REDIS_PASSWORD}
string
configMap.session.redis.username (1)

string
configMap.session.cookies[].domain (3)
${SECRET_DOMAIN}
string
configMap.session.cookies[].subdomain (3)
auth
string
configMap.session.cookies[].authelia_url (1)
https://auth.${SECRET_DOMAIN}
string
configMap.session.cookies[].default_redirection_url (1)
https://${DOMAIN_INTERNAL}
https://${DOMAIN_EXTERNAL}
string
configMap.session.inactivity (3)
5m
string
configMap.session.expiration (2)
1h
string
configMap.session.encryption_key.path (1)
STORAGE_ENCRYPTION_KEY
string
configMap.session.name (1)
authelia_session
string
configMap.session.remember_me (1)
1 month
string
configMap.session.remember_me_duration (1)
1M
string
configMap.session.same_site (1)
lax
string
configMap.storage.postgres.enabled (4)
true
boolean
configMap.storage.postgres.address (3)
tcp://authelia-postgresql:5432
string
configMap.storage.postgres.database (3)
authelia
string
configMap.storage.postgres.username (3)
authelia
string
configMap.storage.postgres.password.disabled (1)
true
boolean
configMap.storage.postgres.password.path (1)
/extras/postgresql-password
string
configMap.storage.postgres.password.value (1)
${SECRET_AUTH_STORAGE_PASSWORD}
string
configMap.storage.encryption_key.path (1)
STORAGE_ENCRYPTION_KEY
string
configMap.storage.encryption_key.value (1)
${SECRET_AUTH_STORAGE_ENC_KEY}
string
configMap.storage.local.enabled (1)
true
boolean
configMap.storage.local.path (1)
/config/db.sqlite3
string
configMap.storage.mysql.enabled (1)
false
boolean
configMap.access_control.default_policy (3)
deny
string
configMap.access_control.rules[].domain (3)
*.${SECRET_DOMAIN}
sftpgo.${SECRET_DOMAIN}
*.${SECRET_DOMAIN}
string
configMap.access_control.rules[].policy (3)
two_factor
two_factor
bypass
bypass
bypass
two_factor
string
configMap.access_control.rules[].domain[] (2)
- syncthing.${SECRET_DOMAIN}
- radicale.${SECRET_DOMAIN}
- radicale.${SECRET_DOMAIN}
string
configMap.access_control.rules[].resources[] (2)
- ^/.web/.*
- ^/web/client/pubshares.*
- ^/static.*
string
configMap.access_control.rules[].subject[] (2)
- group:admins
- group:admins
string
configMap.access_control.rules[].networks[] (1)
- private
string
configMap.access_control.secret.enabled (1)
true
boolean
configMap.authentication_backend.file.enabled (3)
true
boolean
configMap.authentication_backend.file.password.algorithm (3)
argon2
string
configMap.authentication_backend.file.password.argon2.iterations (1)
1
number
configMap.authentication_backend.file.password.argon2.key_length (1)
32
number
configMap.authentication_backend.file.password.argon2.memory (1)
1024
number
configMap.authentication_backend.file.password.argon2.parallelism (1)
8
number
configMap.authentication_backend.file.password.argon2.salt_length (1)
16
number
configMap.authentication_backend.file.password.argon2.variant (1)
argon2id
string
configMap.authentication_backend.file.path (3)
/config/users_database.yml
string
configMap.authentication_backend.file.password_change.disable (1)
true
boolean
configMap.authentication_backend.file.password_reset.disable (1)
true
boolean
configMap.authentication_backend.file.search.email (1)
true
boolean
configMap.authentication_backend.file.watch (1)
true
boolean
configMap.authentication_backend.ldap.enabled (2)
false
boolean
configMap.authentication_backend.ldap.additional_groups_dn (1)

string
configMap.authentication_backend.ldap.additional_users_dn (1)

string
configMap.authentication_backend.ldap.address (1)
ldap://openldap.kube-system.svc:1389
string
configMap.authentication_backend.ldap.base_dn (1)
${SECRET_LDAP_BASE_DN}
string
configMap.authentication_backend.ldap.groups_filter (1)
(&(member={dn})(objectclass=groupOfNames))
string
configMap.authentication_backend.ldap.implementation (1)
custom
string
configMap.authentication_backend.ldap.password.value (1)
${SECRET_LDAP_ADMIN_PASSWORD}
string
configMap.authentication_backend.ldap.user (1)
CN=${SECRET_LDAP_ADMIN_USERNAME},${SECRET_LDAP_BASE_DN}
string
configMap.authentication_backend.ldap.username_attribute (1)
uid
string
configMap.authentication_backend.ldap.users_filter (1)
(&({username_attribute}={input})(objectClass=person))
string
configMap.authentication_backend.disable_reset_password (1)
true
boolean
configMap.authentication_backend.password_reset.disable (1)
true
boolean
configMap.theme (3)
dark
string
configMap.enabled (2)
true
boolean
configMap.identity_providers.oidc.clients[].authorization_policy (2)
two_factor
two_factor
two_factor
two_factor
two_factor
two_factor
two_factor
two_factor
two_factor
string
configMap.identity_providers.oidc.clients[].client_id (2)
Ph_ZrFAgRfB79_grNoVYFC3sPgQ9GLUKptNuTGNGpSe9bltBqDw45rNQ_oIWI2CAfnMqpGRL
0lKCSv_puuemgh08buYozXwRJ61u129TDEq42EBvnRcbGqJuZ25KywlUkviurEsJ~MbqvrM4
KNv~V~FBVK5R0bznkuHPV.fo-FmdqO0gUyifPqE6wH5SFTUgZma7uCJJTEinTNshwBVi4eWe
2HilffOuYvUuFZ6mBu0elHbv6KAQrwQsCCsAs5SaIIUq.ZyiwKb70upbQQmI7sXjBs~i60Tz
R4Fy_RAZUfHmPsCAWaD89Snt7wABRsD2IUTP3Xm0AxKbRWzBLIMqQNIpTvuLfKkC6_bvNagL
wCDESryfxgaEQUrgISZWrcNgNQCCUL3u1PZulzpSTaRvkQTpN4CQvrWx6RTa69flzhonmC5p
MJ04uHbUwWj00-RYG3X4QACoW-45EF0u0ahDEpv48yDT~caYFZMb240_nT8Z3kHrY6jmvY~Q
hqIfa24KNqYGpyBr1Q400RH1zgUxQnmIvE.e5sYyog-9aQLqbuUarr0F6OoOxSewwEaiXbic
QMoUzm-Ja2bDZ5.bk-BYBmH3x5Qwwfn6GqppaKOKIoPB6VLc14Pb7mtB33Mx.ibpzfqO9Yr2
string
configMap.identity_providers.oidc.clients[].client_name (2)
Immich
Memos
Paperless
Tandoor
Rancher
Grafana
SFTPGo
Linkwarden
Jellyfin
string
configMap.identity_providers.oidc.clients[].redirect_uris[] (2)
- https://immich.${SECRET_DOMAIN}/auth/login
- https://immich.${SECRET_DOMAIN}/user-settings
- https://immich.${SECRET_DOMAIN}/api/oauth/mobile-redirect
- https://memos.${SECRET_DOMAIN}/auth/callback
- https://paperless.${SECRET_DOMAIN}/accounts/oidc/authelia/login/callback/
- https://recipes.${SECRET_DOMAIN}/accounts/oidc/authelia/login/callback/
- https://rancher.${SECRET_DOMAIN}/verify-auth
- https://grafana.${SECRET_DOMAIN}/login/generic_oauth
- https://sftpgo.${SECRET_DOMAIN}/web/oidc/redirect
- https://linkwarden.${SECRET_DOMAIN}/api/v1/auth/callback/authelia
- https://jellyfin.${SECRET_DOMAIN}/sso/OID/redirect/authelia
string
configMap.identity_providers.oidc.clients[].scopes[] (2)
- openid
- profile
- email
- groups
- openid
- profile
- email
- preferred_username
string
configMap.identity_providers.oidc.clients[].token_endpoint_auth_method (2)
client_secret_post
client_secret_post
string
configMap.identity_providers.oidc.clients[].claims_policy (1)
default
default
string
configMap.identity_providers.oidc.clients[].client_secret.path (1)
/secrets/authelia/oidc.client.immich.value
/secrets/authelia/oidc.client.memos.value
/secrets/authelia/oidc.client.paperless.value
/secrets/authelia/oidc.client.tandoor.value
/secrets/authelia/oidc.client.rancher.value
/secrets/authelia/oidc.client.grafana.value
/secrets/authelia/oidc.client.sftpgo.value
/secrets/authelia/oidc.client.linkwarden.value
/secrets/authelia/oidc.client.jellyfin.value
string
configMap.identity_providers.oidc.clients[].client_secret (1)
${AUTH_OIDC_CLIENT_SECRET_HASH}
${AUTH_OIDC_CLIENT_SECRET_HASH}
${AUTH_OIDC_CLIENT_SECRET_HASH}
string
configMap.identity_providers.oidc.clients[].consent_mode (1)
implicit
implicit
implicit
implicit
implicit
implicit
implicit
implicit
implicit
string
configMap.identity_providers.oidc.clients[].public (1)
false
false
false
boolean
configMap.identity_providers.oidc.clients[].userinfo_signed_response_alg (1)
none
none
none
string
configMap.identity_providers.oidc.enabled (2)
true
boolean
configMap.identity_providers.oidc.hmac_secret.path (2)
identity_providers.oidc.hmac.key
string
configMap.identity_providers.oidc.hmac_secret.secret_name (1)
authelia
string
configMap.identity_providers.oidc.jwks[].key.path (2)
/secrets/authelia/oidc.jwk.RS256.pem
string
configMap.identity_providers.oidc.claims_policies.default.id_token[] (1)
- email
- preferred_username
- groups
string
configMap.identity_providers.oidc.enable_client_debug_messages (1)
false
boolean
configMap.log.level (2)
trace
string
configMap.regulation.ban_time (2)
5m
string
configMap.regulation.find_time (2)
2m
string
configMap.regulation.max_retries (2)
3
number
configMap.definitions.network.private[] (1)
- ${PRIVATE_NETWORK}
- "100.64.0.0/10"
string
configMap.identity_validation.reset_password.secret.path (1)
JWT_TOKEN
string
configMap.server.timeouts.idle (1)
30s
string
configMap.server.timeouts.read (1)
15s
string
configMap.server.timeouts.write (1)
15s
string
configMap.telemetry.metrics.enabled (1)
true
boolean
configMap.telemetry.metrics.serviceMonitor.enabled (1)
true
boolean
configMap.totp.issuer (1)
Infrastructure
string
configMap.webauthn.display_name (1)
Infrastructure
string
configMap.webauthn.enable_passkey_login (1)
true
boolean
pod.kind (3)
Deployment
string
pod.extraVolumeMounts[].mountPath (2)
/config/users_database.yml
string
pod.extraVolumeMounts[].name (2)
users-volume
string
pod.extraVolumeMounts[].subPath (2)
users_database.yml
string
pod.extraVolumeMounts[].readOnly (1)
true
true
true
boolean
pod.extraVolumes[].name (2)
users-volume
string
pod.extraVolumes[].secret.secretName (2)
authelia-users
string
pod.extraVolumes[].secret.items[].key (1)
password
oidc-jwks-key.pem
string
pod.extraVolumes[].secret.items[].path (1)
password
oidc-jwks-key.pem
string
pod.extraVolumes[].configMap.items[].key (1)
users.yaml
string
pod.extraVolumes[].configMap.items[].path (1)
users.yaml
string
pod.extraVolumes[].configMap.name (1)
authelia-users
string
pod.replicas (2)
1
number
pod.strategy.type (2)
RollingUpdate
string
pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions[].key (1)
kubernetes.io/arch
string
pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions[].operator (1)
In
string
pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[].matchExpressions[].values[] (1)
- amd64
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN (1)
ou=groups
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN (1)
ou=people
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN (1)
dc=home,dc=arpa
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE (1)
displayName
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE (1)
cn
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER (1)
(member={dn})
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION (1)
custom
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE (1)
mail
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS (1)
false
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT (1)
5s
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL (1)
ldap://lldap.default.svc.cluster.local:389
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER (1)
uid=admin,ou=people,dc=home,dc=arpa
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE (1)
uid
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER (1)
(&({username_attribute}={input})(objectClass=person))
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE (1)
true
string
pod.env.AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL (1)
1m
string
pod.env.AUTHELIA_DEFAULT_REDIRECTION_URL (1)
https://auth.${SECRET_DOMAIN}
string
pod.env.AUTHELIA_DUO_API_DISABLE (1)
true
string
pod.env.AUTHELIA_LOG_LEVEL (1)
trace
string
pod.env.AUTHELIA_SERVER_PORT (1)
80
number
pod.env.AUTHELIA_SESSION_DOMAIN (1)
${SECRET_DOMAIN}
string
pod.env.AUTHELIA_THEME (1)
grey
string
pod.env.AUTHELIA_TOTP_ISSUER (1)
authelia.com
string
pod.env.AUTHELIA_WEBAUTHN_DISABLE (1)
true
string
pod.env[].name (1)
TZ
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
string
pod.env[].value (1)
${TIMEZONE}
/extras/postgresql-password
string
pod.resources.requests.cpu (1)
150m
string
pod.resources.requests.memory (1)
200Mi
string
pod.tolerations[].effect (1)
NoSchedule
NoSchedule
string
pod.tolerations[].key (1)
node-role.kubernetes.io/control-plane
k8s.pascaliske.dev/location
string
pod.tolerations[].operator (1)
Exists
Equal
string
pod.tolerations[].value (1)
public
string
secret.existingSecret (3)
authelia-secrets
string
secret.additionalSecrets.authelia.items[].key (1)
identity_providers.oidc.hmac.key
oidc.jwk.RS256.pem
oidc.client.immich.value
oidc.client.memos.value
oidc.client.paperless.value
oidc.client.tandoor.value
oidc.client.rancher.value
oidc.client.grafana.value
oidc.client.sftpgo.value
oidc.client.linkwarden.value
oidc.client.jellyfin.value
string
domain (2)
${SECRET_DOMAIN}
string
ingress.annotations."kubernetes.io/tls-acme" (2)
true
string
ingress.annotations."cert-manager.io/cluster-issuer" (1)
letsencrypt-prod
string
ingress.annotations."external-dns.alpha.kubernetes.io/target" (1)
${SECRET_GATEWAY}
string
ingress.annotations."nginx.ingress.kubernetes.io/custom-http-errors" (1)
418
string
ingress.className (2)
nginx-external
string
ingress.enabled (2)
true
boolean
ingress.subdomain (2)
auth
string
ingress.tls.enabled (2)
true
boolean
ingress.tls.secret (1)
authelia-cert
string
envFrom[].secretRef.name (1)
authelia-secrets
string
image.registry (1)
ghcr.io
string
image.repository (1)
authelia/authelia
string
image.tag (1)
4.38.19
string
persistence.enabled (1)
true
boolean
persistence.existingClaim (1)
pvc-authelia
string
service.port (1)
80
number