
authservice values.yaml💣

replicaCount💣

Type: int

Default value
1

Description: When setting this above 1, a Redis configuration is required. See global.redis_server_uri (the Redis instance used for OIDC token storage/retrieval).

istio.namespace💣

Type: string

Default value
"istio-system"

istio.mtls💣

Type: object

Default value
{"mode":"STRICT"}
Default value (formatted)
{
  "mode": "STRICT"
}

Description: Default authservice peer authentication

istio.mtls.mode💣

Type: string

Default value
"STRICT"

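Description: Two mTLS modes are allowed. STRICT = allow only mutual TLS traffic. PERMISSIVE = allow both plain-text and mutual TLS traffic, which means unencrypted, unauthenticated peers can also connect; keep STRICT unless a plain-text client must be supported.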

monitoring.enabled💣

Type: bool

Default value
false

networkPolicies.enabled💣

Type: bool

Default value
false

networkPolicies.ingressLabels.app💣

Type: string

Default value
"istio-ingressgateway"

networkPolicies.ingressLabels.istio💣

Type: string

Default value
"ingressgateway"

image.repository💣

Type: string

Default value
"registry1.dso.mil/ironbank/istio-ecosystem/authservice"

image.pullPolicy💣

Type: string

Default value
"IfNotPresent"

image.tag💣

Type: string

Default value
"0.5.2"

Description: Overrides the image tag whose default is the chart appVersion.

imagePullSecrets💣

Type: list

Default value
[]
Default value (formatted)
[]

issuer_uri💣

Type: string

Default value
""

Description: Issuer and jwks URIs if not using Keycloak

jwks_uri💣

Type: string

Default value
""

allow_unmatched_requests💣

Type: bool

Default value
true

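Description: If true, requests are allowed even when no filter chain match is found. With the default of true, a request that matches none of the configured chains is passed through without being handled by any OIDC chain; set this to false if unmatched requests should be rejected instead.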

global.client_id💣

Type: string

Default value
"global_id"

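Description: Default client_id to be used in each chain. The rest of this description appears to come from two commented-out settings that precede this key in values.yaml: authorization_uri: “” (global Authorization URI value to set if not using Keycloak) and token_uri: “” (global Token URI value to set if not using Keycloak).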

global.client_secret💣

Type: string

Default value
"global_secret"

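Description: Default client_secret to be used in each chain. The default shown, "global_secret", is a placeholder; override it with the real client secret at deploy time and keep that value out of version control.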

global.match.header💣

Type: string

Default value
":authority"

Description: Header to match. The value “:authority” is used to match the requested hostname

global.match.prefix💣

Type: string

Default value
"bigbang"

Description: value matches the start of the header value defined above

global.logout_path💣

Type: string

Default value
"/globallogout"

Description: Logout URL for the client

global.logout_redirect_uri💣

Type: string

Default value
""

Description: Logout Redirect URI for the client

global.absolute_session_timeout💣

Type: int

Default value
0

global.idle_session_timeout💣

Type: int

Default value
0

global.certificate_authority💣

Type: string

Default value
""

Description: CA signing the OIDC provider. Passed through as a Helm multi-line string. See README for example.

global.oidc💣

Type: object

Default value
{"host":"login.dso.mil","realm":"baby-yoda"}
Default value (formatted)
{
  "host": "login.dso.mil",
  "realm": "baby-yoda"
}

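Description: The text below appears to come from a commented-out redis_server_uri setting in values.yaml rather than to describe global.oidc itself. URI for Redis instance used for OIDC token storage/retrieval. This may also be specified per-chain. redis_server_uri: tcp://{{ .Release.Name }}-{{ .Release.Namespace }}-auth-redis-master:6379/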

global.oidc.host💣

Type: string

Default value
"login.dso.mil"

Description: OpenID Connect provider hostname. The provider URLs are constructed on the assumption that the provider is Keycloak.

global.oidc.realm💣

Type: string

Default value
"baby-yoda"

Description: Realm for OpenID Connect

global.jwks💣

Type: string

Default value
'{"keys":[{"kid":"4CK69bW66HE2wph9VuBs0fTc1MaETSTpU1iflEkBHR4","kty":"RSA","alg":"RS256","use":"sig","n":"hiML1kjw-sw25BgaZI1AyfgcCRBPJKPE-wwttqa7NNxptr_5RCBGuJXqDyo3p1vjcbb8KjdKnXI7kWer8b2Pz_RP1m_QcPrKOxSluk7GZF8ARsc6FPGbzYgi8o8cBVSsaml6HZzpN3ZnH4DFZ27ifM-Ul_PyMxZ2aweohIaizXp-rgF7Rqpav5NXUwmcSyH8LP92NVIuFlD3HYTDGosVbfA_u_H25Z4XCGKW_vLDTNrl8PcA3HqIoD-vNavysdxAq_KNw7iLLc0KLsjFYSdJL_54H7QubsGR0AyIrLLurJbqAtvttGJK38k5XYWKIwYGtu6iiJwjSb7UtonVdPh8Vw","e":"AQAB","x5c":["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"],"x5t":"mxFIwx7EdgxyC3Y6ODLx8yr8Bx8","x5t#S256":"SdT7ScKVOnBW6qs_MuYdTGVtMGwYK_-nmQF9a_8lXco"}]}'

Description: escaped json for the JWKS

chains💣

Type: object

Default value
{"local":{"callback_uri":"https://localhost/login","client_id":"local_id","client_secret":"local_secret","logout_path":"/local","match":{"header":":local","prefix":"localhost"}}}
Default value (formatted)
{
  "local": {
    "callback_uri": "https://localhost/login",
    "client_id": "local_id",
    "client_secret": "local_secret",
    "logout_path": "/local",
    "match": {
      "header": ":local",
      "prefix": "localhost"
    }
  }
}

Description: Individual chains. Must have a name value and a callback_uri

nameOverride💣

Type: string

Default value
"authservice"

fullnameOverride💣

Type: string

Default value
"authservice"

serviceAccount.create💣

Type: bool

Default value
true

Description: Specifies whether a service account should be created

serviceAccount.annotations💣

Type: object

Default value
{}
Default value (formatted)
{}

Description: Annotations to add to the service account

serviceAccount.name💣

Type: string

Default value
""

Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template

podAnnotations💣

Type: object

Default value
{}
Default value (formatted)
{}

podSecurityContext.runAsUser💣

Type: int

Default value
1000

podSecurityContext.runAsGroup💣

Type: int

Default value
1000

podSecurityContext.runAsNonRoot💣

Type: bool

Default value
true

securityContext.capabilities.drop[0]💣

Type: string

Default value
"ALL"

securityContext.readOnlyRootFilesystem💣

Type: bool

Default value
true

securityContext.runAsNonRoot💣

Type: bool

Default value
true

securityContext.runAsUser💣

Type: int

Default value
1000

service.type💣

Type: string

Default value
"ClusterIP"

service.port💣

Type: int

Default value
10003

resources.limits💣

Type: object

Default value
{"cpu":"100m","memory":"512Mi"}
Default value (formatted)
{
  "cpu": "100m",
  "memory": "512Mi"
}

Description: We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after ‘resources:’.

resources.requests.cpu💣

Type: string

Default value
"100m"

resources.requests.memory💣

Type: string

Default value
"512Mi"

autoscaling.enabled💣

Type: bool

Default value
false

autoscaling.minReplicas💣

Type: int

Default value
1

autoscaling.maxReplicas💣

Type: int

Default value
3

autoscaling.targetCPUUtilizationPercentage💣

Type: int

Default value
80

nodeSelector💣

Type: object

Default value
{}
Default value (formatted)
{}

tolerations💣

Type: list

Default value
[]
Default value (formatted)
[]

affinity💣

Type: object

Default value
{}
Default value (formatted)
{}

config💣

Type: object

Default value
{"logLevel":"trace"}
Default value (formatted)
{
  "logLevel": "trace"
}

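Description: Name of the secret to source authservice's config.json from, created outside of the Helm chart. TODO: Create this as part of the Helm chart? Note that the default shown for this key is a logLevel of "trace", not a secret name; trace is a very verbose level, so confirm it is intended outside of debugging.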

selector💣

Type: object

Default value
{"key":"protect","value":"keycloak"}
Default value (formatted)
{
  "key": "protect",
  "value": "keycloak"
}

Description: Label to determine what workloads (pods/deployments) should be protected by authservice.

redis💣

Type: object

Default value
{"enabled":false}
Default value (formatted)
{
  "enabled": false
}

Description: Conditional for enabling Redis Subchart

redis-bb💣

Type: object

Default value
{"auth":{"enabled":false},"commonConfiguration":"# Enable AOF https://redis.io/topics/persistence#append-only-file\nappendonly no\nmaxmemory 200mb\nmaxmemory-policy allkeys-lru\nsave \"\"","istio":{"redis":{"enabled":false}},"networkPolicies":{"controlPlaneCidr":"0.0.0.0/0","enabled":true}}
Default value (formatted)
{
  "auth": {
    "enabled": false
  },
  "commonConfiguration": "# Enable AOF https://redis.io/topics/persistence#append-only-file
appendonly no
maxmemory 200mb
maxmemory-policy allkeys-lru
save \"\"",
  "istio": {
    "redis": {
      "enabled": false
    }
  },
  "networkPolicies": {
    "controlPlaneCidr": "0.0.0.0/0",
    "enabled": true
  }
}

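Description: Values passthrough for the Redis subchart; see https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis/-/blob/main/chart/values.yaml. The defaults shown disable Redis authentication (auth.enabled: false) and set networkPolicies.controlPlaneCidr to 0.0.0.0/0; because this Redis instance is used for OIDC token storage, review both settings before enabling the subchart.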

openshift💣

Type: bool

Default value
false