Skip to content

authservice values.yaml📜

replicaCount📜

Type: int

Default value
1

Description: When setting this above 1, a redis configuration is required. See globals.redis_server_uri

istio.enabled📜

Type: bool

Default value
false

istio.hardened.enabled📜

Type: bool

Default value
false

istio.hardened.outboundTrafficPolicyMode📜

Type: string

Default value
"REGISTRY_ONLY"

istio.hardened.customServiceEntries📜

Type: list

Default value
[]

istio.hardened.customAuthorizationPolicies📜

Type: list

Default value
[]

istio.hardened.kiali.enabled📜

Type: bool

Default value
true

istio.hardened.kiali.namespaces[0]📜

Type: string

Default value
"kiali"

istio.hardened.kiali.principals[0]📜

Type: string

Default value
"cluster.local/ns/kiali/sa/kiali-service-account"

istio.namespace📜

Type: string

Default value
"istio-system"

istio.clusterWideHardeningEnabled📜

Type: bool

Default value
false

istio.mtls📜

Type: object

Default value
mode: STRICT

Description: Default authservice peer authentication

istio.mtls.mode📜

Type: string

Default value
"STRICT"

Description: Two mtls modes allowed STRICT = Allow only mutual TLS traffic PERMISSIVE = Allow both plain text and mutual TLS traffic

monitoring.enabled📜

Type: bool

Default value
false

networkPolicies.enabled📜

Type: bool

Default value
false

networkPolicies.ingressLabels.app📜

Type: string

Default value
"istio-ingressgateway"

networkPolicies.ingressLabels.istio📜

Type: string

Default value
"ingressgateway"

networkPolicies.additionalPolicies📜

Type: list

Default value
[]

image.repository📜

Type: string

Default value
"registry1.dso.mil/ironbank/istio-ecosystem/authservice"

image.pullPolicy📜

Type: string

Default value
"IfNotPresent"

image.tag📜

Type: string

Default value
"1.0.2-ubi9"

Description: Overrides the image tag whose default is the chart appVersion.

imagePullSecrets📜

Type: list

Default value
[]

issuer_uri📜

Type: string

Default value
""

Description: Issuer and jwks URIs if not using Keycloak

jwks_uri📜

Type: string

Default value
""

allow_unmatched_requests📜

Type: bool

Default value
true

Description: If true will allow the requests even no filter chain match is found

custom_authpolicy_rules📜

Type: list

Default value
- when:
  - key: request.headers[authorization]
    notValues:
    - '*'

Description: Extra Ruleset for AuthorizationPolicy CUSTOM action to forward to Authservice. To enable allow_unmatched_requests must be false. These custom rules mean that only these requests will be routed and will break default BigBang setup for prometheus/alertmanager/tempo unless added. Path specific Operations are not supported, it is recommended to use only hosts, notHosts, & method operations. See reference: https://istio.io/latest/docs/reference/config/security/authorization-policy/

global.client_id📜

Type: string

Default value
"global_id"

Description: Global Authorization URI value to set if not using Keycloak authorization_uri: “” Global Token URI Value to set if not using Keycloak token_uri: “” Default client_id to be used in each chain

global.client_secret📜

Type: string

Default value
"global_secret"

Description: default client_secret to be used in each chain

global.match.header📜

Type: string

Default value
":authority"

Description: Header to match. The value “:authority” is used to match the requested hostname

global.match.prefix📜

Type: string

Default value
"bigbang"

Description: value matches the start of the header value defined above

global.logout_path📜

Type: string

Default value
"/globallogout"

Description: Logout URL for the client

global.logout_redirect_uri📜

Type: string

Default value
""

Description: Logout Redirect URI for the client

global.absolute_session_timeout📜

Type: int

Default value
0

global.idle_session_timeout📜

Type: int

Default value
0

global.certificate_authority📜

Type: string

Default value
""

Description: CA signing the OIDC provider. Passed through as a Helm multi-line string. See README for example.

global.oidc📜

Type: object

Default value
host: login.dso.mil
realm: baby-yoda

Description: URI for Redis instance used for OIDC token storage/retrieval. This may also be specified per-chain. redis_server_uri: tcp://{{ .Release.Name }}-{{ .Release.Namespace }}-auth-redis-master:6379/

global.oidc.host📜

Type: string

Default value
"login.dso.mil"

Description: OpenID Connect hostname. Assumption of Keycloak based on URL construction

global.oidc.realm📜

Type: string

Default value
"baby-yoda"

Description: Realm for OpenID Connect

global.jwks📜

Type: string

Default value
""

Description: escaped json for the JWKS

global.jwks_uri📜

Type: string

Default value
""

Description: Request URI that has the JWKs. If neither jwks or jwks_uri are specified the jwks_uri is computed based on the provided OIDC realm and and host”

global.periodic_fetch_interval_sec📜

Type: int

Default value
60

Description: Request interval to check whether new JWKs are available.

global.skip_verify_peer_cert📜

Type: bool

Default value
false

Description: If set to true, the verification of the destination certificate will be skipped when making a request to the JWKs URI and the token endpoint. This option is useful when you want to use a self-signed certificate for testing purposes, but basically should not be set to true in any other cases.

chains📜

Type: object

Default value
local:
  callback_uri: https://localhost/login
  client_id: local_id
  client_secret: local_secret
  logout_path: /local
  match:
    header: :local
    prefix: localhost

Description: Individual chains. Must have a name value and a callback_uri NOTE: if using “match” can only specify prefix OR equality, not both

nameOverride📜

Type: string

Default value
"authservice"

fullnameOverride📜

Type: string

Default value
"authservice"

serviceAccount.create📜

Type: bool

Default value
true

Description: Specifies whether a service account should be created

serviceAccount.annotations📜

Type: object

Default value
{}

Description: Annotations to add to the service account

serviceAccount.name📜

Type: string

Default value
""

Description: The name of the service account to use. If not set and create is true, a name is generated using the fullname template

podAnnotations📜

Type: object

Default value
{}

podLabels📜

Type: object

Default value
{}

podSecurityContext.runAsUser📜

Type: int

Default value
1000

podSecurityContext.runAsGroup📜

Type: int

Default value
1000

podSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

securityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

securityContext.readOnlyRootFilesystem📜

Type: bool

Default value
true

securityContext.runAsNonRoot📜

Type: bool

Default value
true

securityContext.runAsUser📜

Type: int

Default value
1000

service.type📜

Type: string

Default value
"ClusterIP"

service.port📜

Type: int

Default value
10003

resources.limits📜

Type: object

Default value
cpu: 100m
memory: 512Mi

Description: We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after ‘resources:’.

resources.requests.cpu📜

Type: string

Default value
"100m"

resources.requests.memory📜

Type: string

Default value
"512Mi"

autoscaling.enabled📜

Type: bool

Default value
false

autoscaling.minReplicas📜

Type: int

Default value
1

autoscaling.maxReplicas📜

Type: int

Default value
3

autoscaling.targetCPUUtilizationPercentage📜

Type: int

Default value
80

nodeSelector📜

Type: object

Default value
{}

tolerations📜

Type: list

Default value
[]

affinity📜

Type: object

Default value
{}

config📜

Type: object

Default value
logLevel: trace

Description: Name of the secret to source authservices config.json from, created outside of helm chart TODO: Create this as part of the helmchart?

selector📜

Type: object

Default value
key: protect
value: keycloak

Description: Label to determine what workloads (pods/deployments) should be protected by authservice.

redis📜

Type: object

Default value
enabled: false
image:
  tag: 7.4.0

Description: Conditional for enabling Redis Subchart

redis.image📜

Type: object

Default value
tag: 7.4.0

Description: Values passthrough for redis Subchart

redis-bb.auth.enabled📜

Type: bool

Default value
false

redis-bb.istio.redis.enabled📜

Type: bool

Default value
false

redis-bb.image.pullSecrets[0]📜

Type: string

Default value
"private-registry"

redis-bb.networkPolicies.enabled📜

Type: bool

Default value
true

redis-bb.networkPolicies.controlPlaneCidr📜

Type: string

Default value
"0.0.0.0/0"

redis-bb.master.containerSecurityContext.enabled📜

Type: bool

Default value
true

redis-bb.master.containerSecurityContext.runAsUser📜

Type: int

Default value
1001

redis-bb.master.containerSecurityContext.runAsGroup📜

Type: int

Default value
1001

redis-bb.master.containerSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

redis-bb.master.containerSecurityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

redis-bb.replica.containerSecurityContext.enabled📜

Type: bool

Default value
true

redis-bb.replica.containerSecurityContext.runAsUser📜

Type: int

Default value
1001

redis-bb.replica.containerSecurityContext.runAsGroup📜

Type: int

Default value
1001

redis-bb.replica.containerSecurityContext.runAsNonRoot📜

Type: bool

Default value
true

redis-bb.replica.containerSecurityContext.capabilities.drop[0]📜

Type: string

Default value
"ALL"

redis-bb.metrics.enabled📜

Type: bool

Default value
false

redis-bb.metrics.containerSecurityContext.enabled📜

Type: bool

Default value
true

redis-bb.metrics.containerSecurityContext.runAsUser📜

Type: int

Default value
1001

redis-bb.metrics.containerSecurityContext.runAsGroup📜

Type: int

Default value
1001

redis-bb.commonConfiguration📜

Type: string

Default value
"# Enable AOF https://redis.io/topics/persistence#append-only-file\nappendonly no\nmaxmemory 200mb\nmaxmemory-policy allkeys-lru\nsave \"\""

openshift📜

Type: bool

Default value
false

trigger_rules📜

Type: list

Default value
[]

Description: Values to bypass OIDC chains in favor or using istio authorizationpolicies.security.istio.io and requestauthentications.security.istio.io for certain endpoints.