install rauthy
This commit is contained in:
parent
a0109d7109
commit
7ba597784f
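--- a/apps/rauthy/configmap.yaml
+++ b/apps/rauthy/configmap.yaml
@@ -0,0 +1,703 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rauthy-config
+  namespace: rauthy
+data:
+  rauthy.cfg: |+
+    #####################################
+    ############## ACCESS ###############
+    #####################################
+
+    # If the User Registration endpoint should be accessible by anyone.
+    # If not, an admin must create each new user. (default: false)
+    #OPEN_USER_REG=true
+
+    # Can be used when 'OPEN_USER_REG=true' to restrict the domains
+    # for a registration. For instance, set it to
+    # 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only
+    # registrations with 'user@gmail.com' (default: '')
+    #USER_REG_DOMAIN_RESTRICTION=some-domain.com
+
+    # If set to 'true', this will validate the remote peer IP address with
+    # each request and compare it with the IP which was used during the initial
+    # session creation / login. If the IP is different, the session will be
+    # rejected. This is a security hardening and prevents stolen access credentials,
+    # for instance if an attacker might have copied the encrypted session cookie
+    # and the XSRF token from the local storage from a user. However, this event
+    # is really unlikely, since it may only happen if an attacker has direct access
+    # to the machine itself.
+    #
+    # If your users are using mobile networks and get new IP addresses all the time,
+    # this means they have to do a new login each time. This is no big deal at all with
+    # Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature.
+    #
+    # Caution: If you are running behind a reverse proxy which does not provide the
+    # X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config
+    # disabled, this feature will not work. You can validate the IPs for each session
+    # in the Admin UI. If these are correct, your setup is okay.
+    #
+    # (default: true)
+    #SESSION_VALIDATE_IP=true
+
+    # This value may be set to 'true' to disable the binding cookie checking
+    # when a user uses the password reset link from an E-Mail.
+    #
+    # When using such a link, you will get a so called binding cookie. This
+    # happens on the very first usage of such a reset link. From that moment on,
+    # you will only be able to access the password reset form with this very
+    # device and browser. This is just another security mechanism and prevents
+    # someone else who might be passively sniffing network traffic to extract
+    # the (unencrypted) URI from the header and just use it, before the user
+    # has a change to fill out the form. This is a mechanism to prevent against
+    # account takeovers during a password reset.
+    #
+    # The problem however are companies (e.g. Microsoft) who scan their customers
+    # E-Mails and even follow links and so on. They call it a "feature". The
+    # problem is, that their servers get this binding cookie and the user will be
+    # unable to use this link himself. The usage of this config option is highly
+    # discouraged, but since everything moves very slow in big enterprises and
+    # you cannot change your E-Mail provider quickly, you can use it do just make
+    # it work for the moment and deal with it later.
+    #
+    # default: false
+    #UNSAFE_NO_RESET_BINDING=false
+
+    #####################################
+    ############# BACKUPS ###############
+    #####################################
+
+    # Cron job for automatic data store backups (default: "0 0 4 * * * *")
+    # sec min hour day_of_month month day_of_week year
+    #BACKUP_TASK="0 0 4 * * * *"
+
+    # The name for the data store backups. The current timestamp
+    # will always be appended automatically. (default: rauthy-backup-)
+    #BACKUP_NAME="rauthy-backup-"
+
+    # All backups older than the specified hours will be cleaned up
+    # automatically (default: 720)
+    #BACKUP_RETENTION_LOCAL=720
+
+    #####################################
+    ############## CACHE ################
+    #####################################
+
+    # If the cache should start in HA mode or standalone
+    # accepts 'true|false', defaults to 'false'
+    #HA_MODE=false
+
+    # The connection strings (with hostnames) of the HA instances
+    # as a CSV.
+    # Format: 'scheme://hostname:port'
+    #HA_HOSTS="http://rauthy-0.rauthy:8000, http://rauthy-1.rauthy:8000, http://rauthy-2.rauthy:8000"
+
+    # Overwrite the hostname which is used to identify each cache member.
+    # Useful in scenarios, where for instance all members are on the same host with
+    # different ports or for testing.
+    #HOSTNAME_OVERWRITE="rauthy-0.rauthy:8080"
+
+    ## Define buffer sizes for channels between the components
+    # Buffer for client requests on the incoming stream - server
+    # side (default: 128)
+    # Make sense to have the CACHE_BUF_SERVER set to:
+    # `(number of total HA cache hosts - 1) * CACHE_BUF_CLIENT`
+    # In a non-HA deployment, set the same size for both
+    #CACHE_BUF_SERVER=128
+    # Buffer for client requests to remote servers for all cache
+    # operations (default: 128)
+    #CACHE_BUF_CLIENT=128
+
+    # Secret token, which is used to authenticate the cache members
+    #CACHE_AUTH_TOKEN=SomeSuperSecretAndVerySafeToken1337
+
+    ## Connections Timeouts
+
+    # The Server sends out keepalive pings with configured timeouts
+    # The keepalive ping interval in seconds (default: 5)
+    #CACHE_KEEPALIVE_INTERVAL=5
+    # The keepalive ping timeout in seconds (default: 5)
+    #CACHE_KEEPALIVE_TIMEOUT=5
+
+    # The timeout for the leader election. If a newly saved leader
+    # request has not reached quorum after the timeout, the leader
+    # will be reset and a new request will be sent out.
+    # CAUTION:
+    # This should not be lower than CACHE_RECONNECT_TIMEOUT_UPPER,
+    # since cold starts and elections will be problematic in that
+    # case.
+    # value in seconds, default: 15
+    #CACHE_ELECTION_TIMEOUT=15
+
+    # These 2 values define the reconnect timeout for the HA Cache
+    # Clients. The values are in ms and a random between these 2
+    # will be chosen each time to avoid conflicts and race conditions
+    # (default: 2500)
+    #CACHE_RECONNECT_TIMEOUT_LOWER=2500
+    # (default: 5000)
+    #CACHE_RECONNECT_TIMEOUT_UPPER=5000
+
+    #####################################
+    ############ DATABASE ###############
+    #####################################
+
+    # The database driver will be chosen at runtime depending on
+    # the given DATABASE_URL format. Examples:
+    # Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:'
+    # Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName'
+    #
+    # NOTE: The password in this case should be alphanumeric. Special
+    # characters could cause problems in the connection string.
+    #
+    # CAUTION:
+    # To make the automatic migrations work with Postgres15, when
+    # you do not want to just use the `postgres` user, You need
+    # to have a user with the same name as the DB / schema. For
+    # instance, the following would work without granting extra
+    # access to the `public` schema which is disabled by default
+    # since PG15:
+    #
+    # database: rauthy
+    # user: rauthy
+    # schema: rauthy with owner rauthy
+    #
+    #DATABASE_URL=sqlite::memory:
+    #DATABASE_URL=sqlite:data/rauthy.db
+    #DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy
+
+    # Max DB connections - irrelevant for SQLite (default: 5)
+    #DATABASE_MAX_CONN=5
+
+    # If specified, the current Database, set with DATABASE_URL,
+    # will be DELETED and OVERWRITTEN with a migration from the
+    # given database with this variable. Can be used to migrate
+    # between different databases.
+    #
+    # !!! USE WITH CARE !!!
+    #MIGRATE_DB_FROM=sqlite:data/rauthy.db
+
+    # Disables the housekeeping schedulers (default: false)
+    #SCHED_DISABLE=true
+
+    #####################################
+    ############# E-MAIL ################
+    #####################################
+
+    # Will be used as the prefix for the E-Mail subject for each E-Mail
+    # that will be sent out to a client.
+    # This can be used to further customize your deployment.
+    # default: "Rauthy IAM"
+    EMAIL_SUB_PREFIX="Rauthy IAM"
+
+    SMTP_USERNAME=
+    #SMTP_PASSWORD=
+    SMTP_URL=
+    # Format: "Rauthy <rauthy@localhost.de>"
+    SMTP_FROM=
+
+    #####################################
+    ###### ENCRYPTION / HASHING #########
+    #####################################
+
+    # Format: "key_id/enc_key another_key_id/another_enc_key" - the
+    # enc_key itself must be exactly 32 characters long and and
+    # should not contain special characters.
+    # The ID must match '[a-zA-Z0-9]{2,20}'
+    #ENC_KEYS="bVCyTsGaggVy5yqQ/S9n7oCen53xSJLzcsmfdnBDvNrqQ63r4 q6u26onRvXVG4427/3CEC8RJWBcMkrBMkRXgx65AmJsNTghSA"
+    ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ
+
+    # M_COST should never be below 32768 in production
+    ARGON2_M_COST=32768
+    # T_COST should never be below 1 in production
+    ARGON2_T_COST=3
+    # P_COST should never be below 2 in production
+    ARGON2_P_COST=2
+
+    # Limits the maximum amount of parallel password hashes at
+    # the exact same time to never exceed system memory while
+    # still allowing a good amount of memory for the argon2id
+    # algorithm (default: 2)
+    # CAUTION: You must make sure, that you have at least
+    # (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + ~30 MB of memory
+    # available.
+    MAX_HASH_THREADS=1
+
+    # The time in ms when to log a warning, if a request waited
+    # longer than this time. This is an indicator, that you have
+    # more concurrent logins than allowed and may need config
+    # adjustments,
+    # if this happens more often. (default: 500)
+    #HASH_AWAIT_WARN_TIME=500
+
+    # JWKS auto rotate cronjob. This will (by default) rotate
+    # all JWKs every 1. day of the month. If you need smaller
+    # intervals, you may adjust this value. For security reasons,
+    # you cannot fully disable it.
+    # In a HA deployment, this job will only be executed on the
+    # current cache leader at that time.
+    # Format: "sec min hour day_of_month month day_of_week year"
+    # default: "0 30 3 1 * * *"
+    JWK_AUTOROTATE_CRON="0 30 3 1 * * *"
+
+    #####################################
+    ####### EPHEMERAL CLIENTS ###########
+    #####################################
+
+    # Can be set to 'true' to allow the dynamic client lookup via URLs as
+    # 'client_id's during authorization_code flow initiation.
+    # default: false
+    #ENABLE_EPHEMERAL_CLIENTS=false
+
+    # Can be set to 'true' to enable WebID functionality like needed
+    # for things like Solid OIDC.
+    # default: false
+    ENABLE_WEB_ID=true
+
+    # If set to 'true', 'solid' will be added to the 'aud' claim from the ID token
+    # for ephemeral clients.
+    # default: false
+    #ENABLE_SOLID_AUD=false
+
+    # If set to 'true', MFA / Passkeys will be forced for ephemeral clients.
+    # default: false
+    #EPHEMERAL_CLIENTS_FORCE_MFA=false
+
+    # The allowed flows separated by ' ' for ephemeral clients.
+    # default: "authorization_code"
+    #EPHEMERAL_CLIENTS_ALLOWED_FLOWS="authorization_code refresh_token"
+
+    # The allowed scopes separated by ' ' for ephemeral clients.
+    # default: "openid profile email webid"
+    #EPHEMERAL_CLIENTS_ALLOWED_SCOPES="openid profile email webid"
+
+    # The lifetime in seconds ephemeral clients will be kept inside the cache.
+    # default: 3600
+    #EPHEMERAL_CLIENTS_CACHE_LIFETIME=3600
+
+    #####################################
+    ######### EVENTS / AUDIT ############
+    #####################################
+
+    # The E-Mail address event notifications should be sent to.
+    # If left empty, no messages will be sent to Slack.
+    #EVENT_EMAIL=admin@localhost.de
+
+    # Matrix variables for event notifications.
+    # `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
+    # Depending on your Matrix setup, additionally one of
+    # `EVENT_MATRIX_ACCESS_TOKEN` or `EVENT_MATRIX_USER_PASSWORD` is needed.
+    # If you log in to Matrix with User + Password, you may use `EVENT_MATRIX_USER_PASSWORD`.
+    # If you log in via OIDC SSO (or just want to use a session token you can revoke),
+    # you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
+    # If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
+    #
+    # If left empty, no messages will be sent to Slack.
+    # Format: `@<user_id>:<server address>`
+    #EVENT_MATRIX_USER_ID=
+    # Format: `!<random string>:<server address>`
+    #EVENT_MATRIX_ROOM_ID=
+    #EVENT_MATRIX_ACCESS_TOKEN=
+    #EVENT_MATRIX_USER_PASSWORD=
+    # Optional path to a PEM Root CA certificate file for the Matrix client.
+    #EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem
+    # May be set to disable the TLS validation for the Matrix client.
+    # default: false
+    #EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false
+    # The default behavior is, that Rauthy will panic at startup if it cannot connect
+    # to a configured Matrix server. The reason is that event notifications cannot be
+    # dropped silently.
+    # However, if you use a self-hosted Matrix server which uses Rauthy as its OIDC
+    # provider and both instances went offline, you will have a chicken and egg problem:
+    # - Rauthy cannot connect to Matrix and will panic
+    # - Your Matrix server cannot connect to Rauthy and will panic
+    # To solve this issue, you can temporarily set this value to 'true' and revert
+    # back, after the system is online again.
+    # default: false
+    #EVENT_MATRIX_ERROR_NO_PANIC=false
+
+    # The Webhook for Slack Notifications.
+    # If left empty, no messages will be sent to Slack.
+    #EVENT_SLACK_WEBHOOK=
+
+    # The notification level for events. Works the same way as a logging level.
+    # For instance: 'notice' means send out a notifications for all events with
+    # the info level or higher.
+    # Possible values:
+    # - info
+    # - notice
+    # - warning
+    # - critical
+    #
+    # default: 'warning'
+    EVENT_NOTIFY_LEVEL_EMAIL=warning
+    # default: 'notice'
+    EVENT_NOTIFY_LEVEL_MATRIX=notice
+    # default: 'notice'
+    EVENT_NOTIFY_LEVEL_SLACK=notice
+
+    # Define the level from which on events should be persisted inside the
+    # database. All events with a lower level will be lost, if there is no
+    # active event subscriber.
+    # Possible values:
+    # - info
+    # - notice
+    # - warning
+    # - critical
+    # default: 'info'
+    EVENT_PERSIST_LEVEL=info
+
+    # Define the number of days when events should be cleaned up from the database.
+    # default: 31
+    EVENT_CLEANUP_DAYS=31
+
+    # The level for the generated Event after a new user has been registered.
+    # default: info
+    EVENT_LEVEL_NEW_USER=info
+    # The level for the generated Event after a user has changed his E-Mail
+    # default: notice
+    EVENT_LEVEL_USER_EMAIL_CHANGE=notice
+    # The level for the generated Event after a user has reset its password
+    # default: notice
+    EVENT_LEVEL_USER_PASSWORD_RESET=notice
+    # The level for the generated Event after a user has been given the
+    # 'rauthy_admin' role
+    # default: notice
+    EVENT_LEVEL_RAUTHY_ADMIN=notice
+    # The level for the generated Event after a new App version has been found
+    # default: notice
+    EVENT_LEVEL_RAUTHY_VERSION=notice
+    # The level for the generated Event after the JWKS has been rotated
+    # default: notice
+    EVENT_LEVEL_JWKS_ROTATE=notice
+    # The level for the generated Event after DB secrets have been migrated
+    # to a new key
+    # default: notice
+    EVENT_LEVEL_SECRETS_MIGRATED=notice
+    # The level for the generated Event after a Rauthy instance has been
+    # started
+    # default: info
+    EVENT_LEVEL_RAUTHY_START=info
+    # The level for the generated Event after a Rauthy entered a healthy
+    # state (again)
+    # default: notice
+    EVENT_LEVEL_RAUTHY_HEALTHY=notice
+    # The level for the generated Event after a Rauthy entered an unhealthy
+    #state
+    # default: critical
+    EVENT_LEVEL_RAUTHY_UNHEALTHY=critical
+    # The level for the generated Event after an IP has been blacklisted
+    # default: warning
+    EVENT_LEVEL_IP_BLACKLISTED=warning
+    # The level for the generated Event after certain amounts of false
+    # logins from an IP
+    # default: critical
+    EVENT_LEVEL_FAILED_LOGINS_25=critical
+    # default: critical
+    EVENT_LEVEL_FAILED_LOGINS_20=critical
+    # default: warning
+    EVENT_LEVEL_FAILED_LOGINS_15=warning
+    # default: warning
+    EVENT_LEVEL_FAILED_LOGINS_10=warning
+    # default: notice
+    EVENT_LEVEL_FAILED_LOGINS_7=notice
+    # default: info
+    EVENT_LEVEL_FAILED_LOGIN=info
+
+    # If set to 'true', it will disable the app version checker.
+    # This is a scheduled task that looks up the latest version periodically
+    # by doing a request to the Github API to check the latest release.
+    # This ignores any type of prerelease and will only notify for a new stable.
+    # default: false
+    #DISABLE_APP_VERSION_CHECK=false
+
+    #####################################
+    ####### LIFETIMES / TIMEOUTS ########
+    #####################################
+
+    # Set the grace time in seconds for how long in seconds the
+    # refresh token should still be valid after usage. Keep this
+    # value small, but do not set it to 0 with an HA deployment
+    # to not get issues with small HA cache latencies.
+    #
+    # If you have an external client, which does concurrent
+    # requests, from which the request interceptor wants to refresh
+    # the token, you may have multiple hits on the endpoint and all
+    # of them should be valid.
+    #
+    # Caching is done on the endpoint itself, but grace time of 0
+    # will only be good for a single instance of rauthy.
+    # default: 5
+    #REFRESH_TOKEN_GRACE_TIME=5
+
+    # Lifetime for offline tokens in hours (default: 720)
+    #OFFLINE_TOKEN_LIFETIME=720
+
+    # Session lifetime in seconds - the session can not be
+    # extended beyond this time and a new login will be forced.
+    # This is the session for the authorization code flow. (default: 14400)
+    #SESSION_LIFETIME=14400
+
+    # If 'true', a 2FA / MFA check will be done with each automatic
+    # token generation, even with an active session, which kind of
+    # makes the session useless with Webauthn enabled, but provides
+    # maximum amount of security.
+    # If 'false', the user will not get a MFA prompt with an active
+    # session at the authorization endpoint.
+    # (default: false)
+    #SESSION_RENEW_MFA=false
+
+    # Session timeout in seconds
+    # When a new token / login is requested before this timeout hits
+    # the limit, the user will be authenticated without prompting for
+    # the credentials again.
+    # This is the value which can extend the session, until it hits
+    # its maximum lifetime set with SESSION_LIFETIME.
+    #SESSION_TIMEOUT=5400
+
+    # ML: magic link
+    # LT: lifetime
+    # Lifetime in minutes for reset password magic links (default: 30)
+    #ML_LT_PWD_RESET=30
+
+    # Lifetime in minutes for the first password magic link, for
+    # setting the initial password. (default: 4320)
+    #ML_LT_PWD_FIRST=4320
+
+    # The interval in seconds in which keep-alives should be sent to SSE clients.
+    # Depending on your network setup, proxy timeouts, ...
+    # you may adjust this value to fit your needs.
+    # default: 30
+    #SSE_KEEP_ALIVE=30
+
+    #####################################
+    ############# LOGGING ###############
+    #####################################
+
+    # This is the log level for stdout logs
+    # Accepts: error, info, debug, trace (default: info)
+    #LOG_LEVEL=info
+
+    # This is a special config which allows the configuration of
+    # customized access logs. These logs will be logged with each
+    # request in addition to the normal LOG_LEVEL logs.
+    # The following values are valid:
+    # - Debug
+    # CAUTION: The Debug setting logs every information available
+    # to the middleware which includes SENSITIVE HEADERS
+    # DO NOT use the Debug level in a working production environment!
+    # - Verbose
+    # Verbose logging without headers - generates huge outputs
+    # - Basic
+    # Logs access to all endpoints apart from the Frontend ones
+    # which all js, css, ...
+    # - Modifying
+    # Logs only requests to modifying endpoints and skips all GET
+    # - Off
+    # (default: Modifying)
+    LOG_LEVEL_ACCESS=Basic
+
+    #####################################
+    ################ MFA ################
+    #####################################
+
+    # If 'true', MFA for an account must be enabled to access the
+    # rauthy admin UI (default: true)
+    ADMIN_FORCE_MFA=false
+
+    #####################################
+    ############## POW #################
+    #####################################
+
+    ## Proof of Work (PoW) configuration for Client Endpoints like
+    # User Registration. The iteration count for the PoW calculation
+    # (default: 1000000)
+    #POW_IT=1000000
+
+    # The expiration duration in seconds when a saved PoW should be
+    # cleaned up (default: 300)
+    #POW_EXP=300
+
+    #####################################
+    ############# SERVER ################
+    #####################################
+
+    # The server address to listen on. Can bind to a specific IP.
+    # (default: 0.0.0.0)
+    #LISTEN_ADDRESS=0.0.0.0
+
+    # The listen ports for HTTP / HTTPS, depending on the
+    # activated 'LISTEN_SCHEME'
+    # default: 8080
+    #LISTEN_PORT_HTTP=8080
+    # default: 8443
+    #LISTEN_PORT_HTTPS=8443
+
+    # The scheme to use locally, valid values:
+    # http | https | http_https (default: http_https)
+    LISTEN_SCHEME=http
+
+    # The Public URL of the whole deployment
+    # The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN
+    # HEADER later on, which is especially important when running
+    # rauthy behind a reverse proxy. In case of a non-standard
+    # port (80/443), you need to add the port to the PUB_URL
+    PUB_URL=localhost:8080
+
+    # default value: number of available physical cores
+    #HTTP_WORKERS=1
+
+    # When rauthy is running behind a reverse proxy, set to true
+    # (default: false)
+    PROXY_MODE=false
+
+    # To enable or disable the additional HTTP server to expose the /metrics endpoint
+    # default: true
+    #METRICS_ENABLE=true
+
+    # The IP address to listen on for the /metrics endpoint.
+    # You do not want to expose your metrics on a publicly reachable endpoint!
+    # default: 0.0.0.0
+    #METRICS_ADDR=0.0.0.0
+
+    # The post to listen on for the /metrics endpoint.
+    # You do not want to expose your metrics on a publicly reachable endpoint!
+    # default: 9090
+    #METRICS_PORT=9090
+
+    # If the Swagger UI should be served together with the /metrics route on the internal
+    # server. It it then reachable via:
+    # http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/
+    # (default: true)
+    #SWAGGER_UI_INTERNAL=true
+
+    # If the Swagger UI should be served externally as well. This makes the link in the
+    # Admin UI work.
+    #
+    # CAUTION: The Swagger UI is open and does not require any login to be seen!
+    # Rauthy is open source, which means anyone could just download it and see on their
+    # own, but it may be a security concern to just expose less information.
+    # (default: false)
+    #SWAGGER_UI_EXTERNAL=false
+
+    #####################################
+    ############### TLS #################
+    #####################################
+
+    ## Rauthy TLS
+
+    # Overwrite the path to the TLS certificate file in PEM
+    # format for rauthy (default: tls/tls.crt)
+    #TLS_CERT=tls/tls.crt
+    # Overwrite the path to the TLS private key file in PEM
+    # format for rauthy. If the path / filename ends with
+    # '.der', rauthy will parse it as DER, otherwise as PEM.
+    # (default: tls/tls.key)
+    #TLS_KEY=tls/tls.key
+
+    ## CACHE TLS
+
+    # Enable / disable TLS for the cache communication
+    # (default: true)
+    CACHE_TLS=true
+
+    # The path to the server TLS certificate PEM file
+    # default: tls/redhac.cert-chain.pem
+    CACHE_TLS_SERVER_CERT=tls/cert-chain.pem
+    # The path to the server TLS key PEM file
+    # default: tls/redhac.key.pem
+    CACHE_TLS_SERVER_KEY=tls/key.pem
+
+    # The path to the client mTLS certificate PEM file. This is optional.
+    #CACHE_TLS_CLIENT_CERT=tls/cert-chain.pem
+    # The path to the client mTLS key PEM file. This is optional.
+    #CACHE_TLS_CLIENT_KEY=tls/key.pem
+
+    # If not empty, the PEM file from the specified location will be
+    # added as the CA certificate chain for validating
+    # the servers TLS certificate. This is optional.
+    #CACHE_TLS_CA_SERVER=tls/ca-chain.pem
+    # If not empty, the PEM file from the specified location will
+    # be added as the CA certificate chain for validating
+    # the clients mTLS certificate. This is optional.
+    #CACHE_TLS_CA_CLIENT=tls/ca-chain.pem
+
+    # The domain / CN the client should validate the certificate
+    # against. This domain MUST be inside the
+    # 'X509v3 Subject Alternative Name' when you take a look at
+    # the servers certificate with the openssl tool.
+    # default: redhac.local
+    CACHE_TLS_CLIENT_VALIDATE_DOMAIN=redhac.local
+
+    # Can be used if you need to overwrite the SNI when the
+    # client connects to the server, for instance if you are
+    # behind a loadbalancer which combines multiple certificates.
+    # default: ""
+    #CACHE_TLS_SNI_OVERWRITE=
+
+    #####################################
+    ############# WEBAUTHN ##############
+    #####################################
+
+    # The 'Relaying Party (RP) ID' - effective domain name
+    # (default: localhost)
+    # CAUTION: When this changes, already registered devices will stop
+    # working and users cannot log in anymore!
+    RP_ID=localhost
+
+    # Url containing the effective domain name
+    # (default: http://localhost:8080)
+    # CAUTION: Must include the port number!
+    RP_ORIGIN=http://localhost:8080
+
+    # Non critical RP Name
+    # Has no security properties and may be changed without issues
+    # (default: Rauthy Webauthn)
+    RP_NAME='Rauthy Webauthn'
+
+    # The Cache lifetime in seconds for Webauthn requests. Within
+    # this time, a webauthn request must have been validated.
+    # (default: 60)
+    #WEBAUTHN_REQ_EXP=60
+
+    # The Cache lifetime for additional Webauthn Data like auth
+    # codes and so on. Should not be lower than WEBAUTHN_REQ_EXP.
+    # The value is in seconds (default: 90)
+    #WEBAUTHN_DATA_EXP=90
+
+    # With webauthn enabled for a user, he needs to enter
+    # username / password on a new system. If these credentials are
+    # verified, rauthy will set an additional cookie, which will
+    # determine how long the user can then use only (safe) MFA
+    # passwordless webauthn login with yubikeys, apple touch id,
+    # Windows hello, ... until he needs to verify his credentials
+    # again.
+    # Passwordless login is generally much safer than logging in
+    # with a password. But sometimes it is possible, that the
+    # Webauthn devices do not force the user to include a second
+    # factor, which in that case would be a single factor login
+    # again. That is why we should ask for the original password
+    # in addition once in a while to set the cookie.
+    # The value is in hours (default: 2160)
+    #WEBAUTHN_RENEW_EXP=2160
+
+    # This feature can be set to 'true' to force User verification
+    # during the Webauthn ceremony. UV will be true, if the user
+    # does not only need to verify its presence by touching the key,
+    # but by also providing proof that he knows (or is) some secret
+    # via a PIN or biometric key for instance. With UV, we have a
+    # true MFA scenario where UV == false (user presence only)
+    # would be a 2FA scenario (with password). Be careful with this
+    # option, since Android and some special combinations of OS +
+    # browser to not support UV yet.
+    # (default: false)
+    #WEBAUTHN_FORCE_UV=false
+
+    # Can be set to 'true' to disable password expiry for users
+    # that have at least one active passkey. When set to 'false',
+    # the same password expiry from the set policy will apply to
+    # these users as well.
+    # With this option active, rauthy will ignore any password
+    # expiry set by the password policy for Webauthn users.
+    # default: true
+    #WEBAUTHN_NO_PASSWORD_EXPIRY=true
+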
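--- a/apps/rauthy/ingress.yaml
+++ b/apps/rauthy/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+annotations:
+cert-manager.io/cluster-issuer: letsencrypt-prod
+traefik.ingress.kubernetes.io/router.middlewares: kube-system-redirect-https@kubernetescrd
+name: rauthy
+labels:
+app: rauthy
+spec:
+rules:
+- host: id.tobru.ch
+http:
+paths:
+- path: /
+pathType: Prefix
+backend:
+service:
+name: rauthy
+port:
+number: 8080
+tls:
+- hosts:
+- id.tobru.ch
+secretName: id-tobru-ch-cert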
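Review bot: The Ingress publishes the instance at `id.tobru.ch` with TLS terminated at the proxy, but the rauthy.cfg added in apps/rauthy/configmap.yaml by this same commit still carries `RP_ID=localhost` and `RP_ORIGIN=http://localhost:8080`; WebAuthn credentials registered against those values are bound to localhost and will not work through the public origin, and the config's own comment warns that changing RP_ID later invalidates already registered devices. Both values should match the Ingress host before the first user registers a passkey, e.g. `RP_ID=id.tobru.ch` and `RP_ORIGIN=https://id.tobru.ch:443` (the config comment says the origin must include the port). The Ingress metadata also declares no `namespace`, so its placement depends entirely on the kustomization's namespace transformer.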
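--- a/apps/rauthy/kustomization.yaml
+++ b/apps/rauthy/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: odoo
+resources:
+- configmap.yaml
+- statefulset.yaml
+- service.yaml
+- ingress.yaml
+generators:
+- secret-generator.yaml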
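Review bot: `namespace: odoo` looks like a leftover from another app's kustomization: kustomize's namespace transformer rewrites the namespace of every namespaced resource it emits, so the ConfigMap, Service and StatefulSet that declare `namespace: rauthy` would all be moved into `odoo`, while the Argo CD Application in system/apps/user/rauthy.yaml targets `rauthy` and only creates that namespace via `CreateNamespace=true`. Change it to `namespace: rauthy` so the rendered manifests, the Secret generated by ksops and the Application destination agree.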
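--- a/apps/rauthy/secret-generator.yaml
+++ b/apps/rauthy/secret-generator.yaml
@@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+name: secret-generator
+files:
+- secret.sops.yaml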
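Review bot: `- secret.sops.yaml` names a file this commit does not add; the encrypted Secret is committed as `apps/rauthy/secrets.sops.yaml` (plural), so the ksops generator will fail on its input and the `rauthy-secrets` Secret that the StatefulSet's three `secretKeyRef` entries depend on is never produced. Rename one side so they agree, e.g. `- secrets.sops.yaml`.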
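--- a/apps/rauthy/secrets.sops.yaml
+++ b/apps/rauthy/secrets.sops.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+name: rauthy-secrets
+type: Opaque
+stringData:
+DATABASE_URL: ENC[AES256_GCM,data:7bL3UgDaVHnOnPAnvexMlcXNfkLu,iv:KfrewSX7UaQXMID7Sy33OnIlCDGKAzNxBgMKZvUiJ5Y=,tag:mb1B3t7Tlhfj7l/QGMNOnQ==,type:str]
+ENC_KEYS: ENC[AES256_GCM,data:Tg7bOmHcdkiBHLs7p1in/moOsghdOD4slZjylEHt2NaLUJb7v5PzDSM=,iv:4tXRr89u/0AJuyBCphWrXrOfYR2ZhwkCIjbqqsCOKMg=,tag:mkeb7m1oJAr2Aozf64qQMQ==,type:str]
+SMTP_PASSWORD: ENC[AES256_GCM,data:QHwEE/SYsg==,iv:dHCKwHdMS3mC87tJzUCMGniQ96u3V4Ky5KT0d6fFfog=,tag:4brW+KyANX/gVkKC/Wrs/Q==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZlJadDR6QWdLTStGQ0tR
+QVdHK3EzSDZWM291NkxOS0wzakY0cGFFVTBRCmJnMDVwbUo5ZFkzZDhXdWFrMFJC
+SnVjcXRhSXhEajhKZENMRXB1Vmw3ZE0KLS0tIHJJLzVYL0FxSGNRTk8rUjViQ3hV
+amdlMDZHSTlTUWRnZGQ3ZWlZRG1zbHMKN3OBmYiC09MJxuv8hdCR70UmJQDW102M
+bLkcqw73GumzZsaPRBgIDpR3AKCsXlKC0orU/0HCjcc4qcS2WQ0cwA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-11-21T21:08:40Z"
+mac: ENC[AES256_GCM,data:3jV++001/kUJkfG0jGZLZNiQFrXci5nWY34rjMqyUAeHLGWVtS6LJpmijlGyTMwhwKxQQFeugJovVHpM4wyXlOTtS0UHWyjlzFYBexp2e9EDaSaxJOh0L+G1UnIjmmSVhTb0zQNRo8pqa9phP16REfMf+NUwK9zx77sLm3HOcv4=,iv:XmDzp9KTElz8COR9KgLtTSGGc+TL+o9+PCkIXvMuG8A=,tag:Uy3ScFEnv/tqZLQSx+g20A==,type:str]
+pgp: []
+encrypted_regex: ^(data|stringData)$
+version: 3.8.1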
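--- a/apps/rauthy/service.yaml
+++ b/apps/rauthy/service.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: rauthy
+namespace: rauthy
+spec:
+selector:
+app: rauthy
+ports:
+# If you use the HA feature later on, the port over which the cache layer does
+# communicate.
+- name: cache
+port: 8000
+targetPort: 8000
+# Assuming that this example file will run behind a Kubernetes ingress and does
+# use HTTP internally.
+- name: http
+port: 8080
+targetPort: 8080
+# Uncomment, if you change to direct HTTPS without a reverse proxy
+#- name: https
+# port: 8443
+# targetPort: 8443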
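Review bot: The `cache` port (8000) is published on the ClusterIP Service even though the StatefulSet runs `replicas: 1` and the comment above it reserves the port for a later HA setup; until HA is configured this only makes the cache layer reachable from every workload in the cluster. Drop the `- name: cache` entry for now, or pair it with a NetworkPolicy that limits it to the rauthy pods themselves, and re-add it together with the HA configuration.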
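--- a/apps/rauthy/statefulset.yaml
+++ b/apps/rauthy/statefulset.yaml
@@ -0,0 +1,121 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+name: rauthy
+namespace: rauthy
+labels:
+app: rauthy
+spec:
+serviceName: rauthy
+# Do not just scale up replicas without a proper HA Setup
+replicas: 1
+selector:
+matchLabels:
+app: rauthy
+template:
+metadata:
+labels:
+app: rauthy
+spec:
+securityContext:
+fsGroup: 10001
+containers:
+- name: rauthy
+image: ghcr.io/sebadob/rauthy:0.19.1-lite
+imagePullPolicy: IfNotPresent
+securityContext:
+# User ID 10001 is actually built into the container at the creation for
+# better security
+runAsUser: 10001
+runAsGroup: 10001
+allowPrivilegeEscalation: false
+ports:
+- containerPort: 8000
+# You may need to adjust this, if you decide to start in https only mode
+# or use another port
+- containerPort: 8080
+- containerPort: 8443
+env:
+- name: DATABASE_URL
+valueFrom:
+secretKeyRef:
+name: rauthy-secrets
+key: DATABASE_URL
+- name: ENC_KEYS
+valueFrom:
+secretKeyRef:
+name: rauthy-secrets
+key: ENC_KEYS
+- name: SMTP_PASSWORD
+valueFrom:
+secretKeyRef:
+name: rauthy-secrets
+key: SMTP_PASSWORD
+volumeMounts:
+- mountPath: /app/data
+name: rauthy-data
+readOnly: false
+- mountPath: /app/rauthy.cfg
+subPath: rauthy.cfg
+name: rauthy-config
+readOnly: true
+readinessProbe:
+httpGet:
+# You may need to adjust this, if you decide to start in https only
+# mode or use another port
+scheme: HTTP
+port: 8080
+#scheme: HTTPS
+#port: 8443
+path: /auth/v1/ping
+initialDelaySeconds: 1
+periodSeconds: 10
+livenessProbe:
+httpGet:
+# You may need to adjust this, if you decide to start in https only
+# mode or use another port
+scheme: HTTP
+port: 8080
+#scheme: HTTPS
+#port: 8443
+path: /auth/v1/health
+initialDelaySeconds: 1
+periodSeconds: 30
+resources:
+requests:
+# Tune the memory requests value carefully. Make sure, that the
+# pods request at least:
+# `ARGON2_M_COST` / 1024 * `MAX_HASH_THREADS` Mi
+# With SQLite: for small deployments, add additional ~20-30Mi for
+# "the rest", for larger ones ~50-70 Mi should be enough.
+memory: 64Mi
+# The CPU needs to be adjusted during runtime. This heavily
+# depends on your use case.
+cpu: 100m
+limits:
+# Be careful with the memory limit. You must make sure, that the
+# (very costly) password hashing has enough memory available. If not,
+# the application will crash. You do not really need a memory limit,
+# since Rust is not a garbage collected language. Better take a close
+# look at what the container actually needs during
+# prime time and set the requested resources above properly.
+#memory:
+# A CPU limit may make sense in case of DDoS attacks or something
+# like this, if you do not have external rate limiting or other
+# mechanisms. Otherwise, `MAX_HASH_THREADS` is the main mechanism
+# to limit resources.
+cpu: 1000m
+volumes:
+- name: rauthy-config
+configMap:
+name: rauthy-config
+volumeClaimTemplates:
+- metadata:
+name: rauthy-data
+spec:
+accessModes:
+- "ReadWriteOnce"
+resources:
+requests:
+storage: 128Mi
+#storageClassName: provideIfYouHaveMultipleOnes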
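Review bot: The container `securityContext` stops at `runAsUser`/`runAsGroup`/`allowPrivilegeEscalation: false`; for an identity provider that holds the session and token signing material it is worth completing the usual restricted profile — `runAsNonRoot: true` (so the kubelet refuses to start the pod if the image ever changes its user), dropping all capabilities and a `RuntimeDefault` seccomp profile. Whether `readOnlyRootFilesystem: true` is also possible depends on the image writing only under `/app/data`, which this manifest does not establish; test it before enabling. `containerPort: 8000` and `8443` are declared although neither the cache layer (replicas: 1) nor direct HTTPS is in use here, and can be removed together with the `cache` port in service.yaml until they are needed.
```yaml
securityContext:
  # … unchanged: runAsUser / runAsGroup / allowPrivilegeEscalation …
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
```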
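--- a/system/apps/user/rauthy.yaml
+++ b/system/apps/user/rauthy.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: rauthy
+namespace: argocd
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+project: apps
+source:
+path: apps/rauthy
+repoURL: https://git.tbrnt.ch/tobru/gitops-zurrli.git
+targetRevision: HEAD
+destination:
+namespace: rauthy
+server: https://kubernetes.default.svc
+syncPolicy:
+syncOptions:
+- CreateNamespace=true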