authservice values.yaml
replicaCountπ
Type: int
1
Description: When setting this above 1, a Redis configuration is required so that session state is shared across replicas. See global.redis_server_uri (documented under global.oidc below).
istio.namespaceπ
Type: string
"istio-system"
istio.mtlsπ
Type: object
{"mode":"STRICT"}
Default value (formatted)
{
"mode": "STRICT"
}
Description: Default authservice peer authentication
istio.mtls.modeπ
Type: string
"STRICT"
Description: Two mTLS modes are allowed: STRICT = allow only mutual TLS traffic; PERMISSIVE = allow both plaintext and mutual TLS traffic. PERMISSIVE lets unauthenticated plaintext connections reach authservice, so keep STRICT outside of a migration window.
monitoring.enabledπ
Type: bool
false
networkPolicies.enabledπ
Type: bool
false
networkPolicies.ingressLabels.appπ
Type: string
"istio-ingressgateway"
networkPolicies.ingressLabels.istioπ
Type: string
"ingressgateway"
image.repositoryπ
Type: string
"registry1.dso.mil/ironbank/istio-ecosystem/authservice"
image.pullPolicyπ
Type: string
"IfNotPresent"
image.tagπ
Type: string
"0.5.3"
Description: Overrides the image tag whose default is the chart appVersion.
imagePullSecretsπ
Type: list
[]
Default value (formatted)
[]
issuer_uriπ
Type: string
""
Description: Issuer and jwks URIs if not using Keycloak
jwks_uriπ
Type: string
""
allow_unmatched_requestsπ
Type: bool
true
Description: If true, requests for which no filter chain matches are allowed through unauthenticated instead of being rejected. With the default (true), any host not covered by a chain's match bypasses authservice entirely; set this to false to fail closed (also required when using custom_authpolicy_rules, see below).
custom_authpolicy_rulesπ
Type: list
[{"when":[{"key":"request.headers[authorization]","notValues":["*"]}]}]
Default value (formatted)
[
{
"when": [
{
"key": "request.headers[authorization]",
"notValues": [
"*"
]
}
]
}
]
Description: Extra rule set for the AuthorizationPolicy CUSTOM action that forwards requests to authservice. To enable it, allow_unmatched_requests must be false. Only requests matching these rules are routed to authservice, so the default BigBang setup for prometheus/alertmanager/tempo breaks unless they are added here. Note that the default rule matches only requests without an Authorization header, so requests that carry one are not sent to authservice and must be authenticated by some other policy (e.g. an Istio RequestAuthentication for JWTs, as referenced under trigger_rules) — confirm such a policy exists before relying on this default. Path-specific operations are not supported; it is recommended to use only hosts, notHosts, and method operations. See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/
global.client_idπ
Type: string
"global_id"
Description: Default client_id to be used in each chain. The same section of values.yaml also holds the global authorization URI (authorization_uri: "") and global token URI (token_uri: "") to set when not using Keycloak; both default to empty so the endpoints are derived from global.oidc.
global.client_secretπ
Type: string
"global_secret"
Description: Default client_secret to be used in each chain. The default "global_secret" is a placeholder and must be overridden; supply the real value from a Kubernetes Secret or an uncommitted values override rather than storing it in plain text in version control.
global.match.headerπ
Type: string
":authority"
Description: Header to match. The value ":authority" is used to match the requested hostname.
global.match.prefixπ
Type: string
"bigbang"
Description: value matches the start of the header value defined above
global.logout_pathπ
Type: string
"/globallogout"
Description: Logout URL for the client
global.logout_redirect_uriπ
Type: string
""
Description: Logout Redirect URI for the client
global.absolute_session_timeoutπ
Type: int
0
global.idle_session_timeoutπ
Type: int
0
global.certificate_authorityπ
Type: string
""
Description: CA signing the OIDC provider. Passed through as a Helm multi-line string. See README for example.
global.oidcπ
Type: object
{"host":"login.dso.mil","realm":"baby-yoda"}
Default value (formatted)
{
"host": "login.dso.mil",
"realm": "baby-yoda"
}
Description: Keycloak host and realm used to construct the OIDC endpoints (see global.oidc.host and global.oidc.realm). The same section also documents the URI of the Redis instance used for OIDC token storage/retrieval, which may also be specified per chain: redis_server_uri: tcp://{{ .Release.Name }}-{{ .Release.Namespace }}-auth-redis-master:6379/
global.oidc.hostπ
Type: string
"login.dso.mil"
Description: OpenID Connect hostname. Assumption of Keycloak based on URL construction
global.oidc.realmπ
Type: string
"baby-yoda"
Description: Realm for OpenID Connect
global.jwksπ
Type: string
""
Description: escaped json for the JWKS
global.jwks_uriπ
Type: string
""
Description: Request URI that serves the JWKS. If neither jwks nor jwks_uri is specified, the jwks_uri is computed from the provided OIDC realm and host.
global.periodic_fetch_interval_secπ
Type: int
60
Description: Request interval to check whether new JWKs are available.
global.skip_verify_peer_certπ
Type: bool
false
Description: If set to true, TLS certificate verification of the destination is skipped for requests to the JWKS URI and the token endpoint. This is only useful for self-signed certificates in test environments: with verification disabled, an on-path attacker could substitute signing keys or impersonate the token endpoint, so it should not be set to true in any other case. To trust a private CA, set global.certificate_authority instead.
chainsπ
Type: object
{"local":{"callback_uri":"https://localhost/login","client_id":"local_id","client_secret":"local_secret","logout_path":"/local","match":{"header":":local","prefix":"localhost"}}}
Default value (formatted)
{
"local": {
"callback_uri": "https://localhost/login",
"client_id": "local_id",
"client_secret": "local_secret",
"logout_path": "/local",
"match": {
"header": ":local",
"prefix": "localhost"
}
}
}
Description: Individual chains. Each chain must have a name value and a callback_uri. NOTE: when using "match", only one of prefix OR equality may be specified, not both. The default "local" chain uses placeholder credentials (local_id / local_secret) and a localhost callback that must be replaced for any real deployment.
nameOverrideπ
Type: string
"authservice"
fullnameOverrideπ
Type: string
"authservice"
serviceAccount.createπ
Type: bool
true
Description: Specifies whether a service account should be created
serviceAccount.annotationsπ
Type: object
{}
Default value (formatted)
{}
Description: Annotations to add to the service account
serviceAccount.nameπ
Type: string
""
Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template
podAnnotationsπ
Type: object
{}
Default value (formatted)
{}
podSecurityContext.runAsUserπ
Type: int
1000
podSecurityContext.runAsGroupπ
Type: int
1000
podSecurityContext.runAsNonRootπ
Type: bool
true
securityContext.capabilities.drop[0]π
Type: string
"ALL"
securityContext.readOnlyRootFilesystemπ
Type: bool
true
securityContext.runAsNonRootπ
Type: bool
true
securityContext.runAsUserπ
Type: int
1000
service.typeπ
Type: string
"ClusterIP"
service.portπ
Type: int
10003
resources.limitsπ
Type: object
{"cpu":"100m","memory":"512Mi"}
Default value (formatted)
{
"cpu": "100m",
"memory": "512Mi"
}
Description: We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases the chances that charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after "resources:".
resources.requests.cpuπ
Type: string
"100m"
resources.requests.memoryπ
Type: string
"512Mi"
autoscaling.enabledπ
Type: bool
false
autoscaling.minReplicasπ
Type: int
1
autoscaling.maxReplicasπ
Type: int
3
autoscaling.targetCPUUtilizationPercentageπ
Type: int
80
nodeSelectorπ
Type: object
{}
Default value (formatted)
{}
tolerationsπ
Type: list
[]
Default value (formatted)
[]
affinityπ
Type: object
{}
Default value (formatted)
{}
configπ
Type: object
{"logLevel":"trace"}
Default value (formatted)
{
"logLevel": "trace"
}
Description: Authservice configuration passthrough; the shown default only sets logLevel to "trace". The original note here ("Name of the secret to source authservice's config.json from, created outside of the helm chart; TODO: create this as part of the helm chart?") does not match the shown default value — confirm against the chart templates. The "trace" level is very verbose; check what it writes before leaving it enabled in production.
selectorπ
Type: object
{"key":"protect","value":"keycloak"}
Default value (formatted)
{
"key": "protect",
"value": "keycloak"
}
Description: Label to determine what workloads (pods/deployments) should be protected by authservice.
redisπ
Type: object
{"enabled":false,"image":{"tag":"7.2.2"}}
Default value (formatted)
{
"enabled": false,
"image": {
"tag": "7.2.2"
}
}
Description: Conditional for enabling Redis Subchart
redis.imageπ
Type: object
{"tag":"7.2.2"}
Default value (formatted)
{
"tag": "7.2.2"
}
Description: Values passthrough for redis Subchart
redis-bb.auth.enabledπ
Type: bool
false
Description: Redis AUTH is disabled by default, so the Redis holding authservice session/token state (see redis_server_uri under global.oidc) accepts unauthenticated connections. It is then protected only by the redis-bb network policies (enabled by default) while redis-bb.istio.redis.enabled is false; enable auth and/or Istio for Redis in production.
redis-bb.istio.redis.enabledπ
Type: bool
false
redis-bb.image.pullSecrets[0]π
Type: string
"private-registry"
redis-bb.networkPolicies.enabledπ
Type: bool
true
redis-bb.networkPolicies.controlPlaneCidrπ
Type: string
"0.0.0.0/0"
Description: CIDR the Redis network policy allows for control-plane access. The default "0.0.0.0/0" permits every source and effectively disables this restriction; narrow it to the actual control-plane range.
redis-bb.master.containerSecurityContext.enabledπ
Type: bool
true
redis-bb.master.containerSecurityContext.runAsUserπ
Type: int
1001
redis-bb.master.containerSecurityContext.runAsGroupπ
Type: int
1001
redis-bb.master.containerSecurityContext.runAsNonRootπ
Type: bool
true
redis-bb.master.containerSecurityContext.capabilities.drop[0]π
Type: string
"ALL"
redis-bb.replica.containerSecurityContext.enabledπ
Type: bool
true
redis-bb.replica.containerSecurityContext.runAsUserπ
Type: int
1001
redis-bb.replica.containerSecurityContext.runAsGroupπ
Type: int
1001
redis-bb.replica.containerSecurityContext.runAsNonRootπ
Type: bool
true
redis-bb.replica.containerSecurityContext.capabilities.drop[0]π
Type: string
"ALL"
redis-bb.metrics.enabledπ
Type: bool
false
redis-bb.metrics.containerSecurityContext.enabledπ
Type: bool
true
redis-bb.metrics.containerSecurityContext.runAsUserπ
Type: int
1001
redis-bb.metrics.containerSecurityContext.runAsGroupπ
Type: int
1001
redis-bb.commonConfigurationπ
Type: string
"# Enable AOF https://redis.io/topics/persistence#append-only-file\nappendonly no\nmaxmemory 200mb\nmaxmemory-policy allkeys-lru\nsave \"\""
Default value (formatted)
# Enable AOF https://redis.io/topics/persistence#append-only-file
appendonly no
maxmemory 200mb
maxmemory-policy allkeys-lru
save ""
openshiftπ
Type: bool
false
trigger_rulesπ
Type: list
[]
Default value (formatted)
[]
Description: Values to bypass OIDC chains in favor of using istio authorizationpolicies.security.istio.io and requestauthentications.security.istio.io for certain endpoints. Any endpoint listed here is no longer authenticated by authservice, so make sure a matching Istio policy covers it.