## config.sample.yaml
## hostname (string)
## Description:
## The hostname the application is reached at.
## This is used for setting the "redirect_uri" field for OAuth2 callbacks, so it must match the redirect URI registered with the identity provider.
## Required
hostname:
## cookieDomain (string)
## Description:
## Domain name for setting cookies.
## If empty, this is set to the value of the `hostname` property.
## This value must either be the same as the `hostname` property, or `hostname` must be a sub-domain of it; otherwise browsers reject the cookie and every request is treated as unauthenticated.
#cookieDomain:
## cookieName (string)
## Description:
## Name of the cookie used to store the session.
## Default: "tf_sess"
#cookieName:
## cookieInsecure (boolean)
## Description:
## If true, session cookies are set without the `Secure` attribute, so browsers also send them over plain HTTP.
## By default, this is false and cookies are only sent over HTTPS. Enable this only for local development: over HTTP the session cookie travels in cleartext and can be read by anyone on the path.
## Default: false
#cookieInsecure:
## sessionLifetime (duration)
## Description:
## Lifetime for sessions after a successful authentication.
## Default: 2h
#sessionLifetime:
## port (number)
## Description:
## Port to bind to.
## Default: 4181
#port:
## bind (string)
## Description:
## Address/interface to bind to.
## Default: "0.0.0.0"
#bind:
## basePath (string)
## Description:
## Base path for all routes.
## Set this if Traefik is forwarding requests to traefik-forward-auth for specific paths only.
## Note: this does not apply to /api and /healthz routes
#basePath:
## logLevel (string)
## Description:
## Controls log level and verbosity. Supported values: `debug`, `info` (default), `warn`, `error`.
## Default: info
#logLevel:
## enableMetrics (boolean)
## Description:
## Enable the metrics server, which exposes a Prometheus-compatible endpoint `/metrics`.
## Default: false
#enableMetrics:
## metricsPort (number)
## Description:
## Port for the metrics server to bind to.
## Default: 2112
#metricsPort:
## metricsBind (string)
## Description:
## Address/interface for the metrics server to bind to.
## Default: "0.0.0.0"
#metricsBind:
## omitHealthCheckLogs (boolean)
## Description:
## If true, calls to the healthcheck endpoint (`/healthz`) are not included in the logs.
## Default: true
#omitHealthCheckLogs:
## tokenSigningKey (string)
## Description:
## String used as the key to sign state tokens.
## Can be generated for example with `openssl rand -base64 32`
## If left empty, a random key is generated every time the app starts (recommended, unless you need user sessions to persist across restarts).
## When running more than one replica, set this explicitly and give every replica the same value; otherwise a token signed by one replica is rejected by the others.
#tokenSigningKey:
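## Added example (shell; not part of traefik-forward-auth): a preflight script that checks the `hostname` / `cookieDomain` rule above,
## then prints the session-related settings with a persistent `tokenSigningKey` generated by the same `openssl rand -base64 32` command
## the sample suggests. The function names and the `auth.example.com` / `example.com` values are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of traefik-forward-auth: preflight checks for the
# hostname / cookieDomain / tokenSigningKey settings before writing config.yaml.
set -eu

# check_cookie_domain HOSTNAME COOKIE_DOMAIN
# Returns 0 when the rule from the sample holds: the cookie domain is empty
# (it then defaults to the hostname), equal to the hostname, or a parent
# domain of it. Anything else produces a cookie the browser will not store.
check_cookie_domain() {
  host=$1
  domain=$2
  if [ -z "$domain" ] || [ "$host" = "$domain" ]; then
    return 0
  fi
  case $host in
    *."$domain") return 0 ;;   # a real sub-domain, not just a string suffix
  esac
  return 1
}

# gen_signing_key: one persistent key, same command the sample recommends.
# Hand the same value to every replica; a key generated at start-up differs
# per process, so tokens signed by one replica would fail on another.
gen_signing_key() {
  openssl rand -base64 32
}

# render_session_config HOSTNAME COOKIE_DOMAIN [KEY]
# Prints the session-related part of config.yaml, or fails (exit 1) if the
# cookie domain would never match the hostname.
render_session_config() {
  host=$1
  domain=$2
  key=${3:-$(gen_signing_key)}
  if ! check_cookie_domain "$host" "$domain"; then
    echo "cookieDomain '$domain' does not cover hostname '$host'" >&2
    return 1
  fi
  printf 'hostname: %s\n' "$host"
  [ -n "$domain" ] && printf 'cookieDomain: %s\n' "$domain"
  printf 'cookieInsecure: false\n'     # keep the Secure attribute on cookies
  printf 'sessionLifetime: 2h\n'       # the sample's default, stated explicitly
  printf 'tokenSigningKey: "%s"\n' "$key"
}

# Usage: sh preflight.sh auth.example.com example.com [existing-key]
if [ $# -ge 1 ]; then
  render_session_config "$1" "${2:-}" "${3:-}"
fi
```

## Run it as `sh preflight.sh auth.example.com example.com >> config.yaml`. It refuses to emit a `cookieDomain` that `hostname` is not under,
## and the key it prints is the one to copy to every replica (or to a secret store) rather than letting each process generate its own.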
## authProvider (string)
## Description:
## Authentication provider to use
## Currently supported providers:
##
## - `github`
## - `google`
## - `microsoftentraid`
## - `openidconnect`
## - `tailscalewhois`
## Required
authProvider:
## authGoogle_clientID (string)
## Description:
## Client ID for the Google auth application
## Ignored if `authProvider` is not `google`
#authGoogle_clientID:
## authGoogle_clientSecret (string)
## Description:
## Client secret for the Google auth application
## Ignored if `authProvider` is not `google`
#authGoogle_clientSecret:
## authGoogle_allowedUsers (list of strings)
## Description:
## List of allowed users for Google auth
## This is a list of user IDs
## Ignored if `authProvider` is not `google`
#authGoogle_allowedUsers:
## authGoogle_allowedEmails (list of strings)
## Description:
## List of allowed email addresses of users for Google auth
## This is a list of email addresses
## Ignored if `authProvider` is not `google`
#authGoogle_allowedEmails:
## authGoogle_allowedDomains (list of strings)
## Description:
## List of allowed domains for Google auth
## This is a list of domains for email addresses
## Ignored if `authProvider` is not `google`
#authGoogle_allowedDomains:
## authGoogle_requestTimeout (duration)
## Description:
## Timeout for network requests for Google auth
## Ignored if `authProvider` is not `google`
## Default: 10s
#authGoogle_requestTimeout:
## authGitHub_clientID (string)
## Description:
## Client ID for the GitHub auth application
## Ignored if `authProvider` is not `github`
#authGitHub_clientID:
## authGitHub_clientSecret (string)
## Description:
## Client secret for the GitHub auth application
## Ignored if `authProvider` is not `github`
#authGitHub_clientSecret:
## authGitHub_allowedUsers (list of strings)
## Description:
## List of allowed users for GitHub auth
## This is a list of usernames
## Ignored if `authProvider` is not `github`
#authGitHub_allowedUsers:
## authGitHub_requestTimeout (duration)
## Description:
## Timeout for network requests for GitHub auth
## Ignored if `authProvider` is not `github`
## Default: 10s
#authGitHub_requestTimeout:
## authMicrosoftEntraID_tenantID (string)
## Description:
## Tenant ID for the Microsoft Entra ID auth application
## Ignored if `authProvider` is not `microsoftentraid`
#authMicrosoftEntraID_tenantID:
## authMicrosoftEntraID_clientID (string)
## Description:
## Client ID for the Microsoft Entra ID auth application
## Ignored if `authProvider` is not `microsoftentraid`
#authMicrosoftEntraID_clientID:
## authMicrosoftEntraID_clientSecret (string)
## Description:
## Client secret for the Microsoft Entra ID auth application
## Ignored if `authProvider` is not `microsoftentraid`
#authMicrosoftEntraID_clientSecret:
## authMicrosoftEntraID_allowedUsers (list of strings)
## Description:
## List of allowed users for Microsoft Entra ID auth
## This is a list of user IDs
## Ignored if `authProvider` is not `microsoftentraid`
#authMicrosoftEntraID_allowedUsers:
## authMicrosoftEntraID_allowedEmails (list of strings)
## Description:
## List of allowed email addresses of users for Microsoft Entra ID auth
## This is a list of email addresses
## Ignored if `authProvider` is not `microsoftentraid`
#authMicrosoftEntraID_allowedEmails:
## authMicrosoftEntraID_requestTimeout (duration)
## Description:
## Timeout for network requests for Microsoft Entra ID auth
## Ignored if `authProvider` is not `microsoftentraid`
## Default: 10s
#authMicrosoftEntraID_requestTimeout:
## authOpenIDConnect_clientID (string)
## Description:
## Client ID for the OpenID Connect auth application
## Ignored if `authProvider` is not `openidconnect`
#authOpenIDConnect_clientID:
## authOpenIDConnect_clientSecret (string)
## Description:
## Client secret for the OpenID Connect auth application
## Ignored if `authProvider` is not `openidconnect`
#authOpenIDConnect_clientSecret:
## authOpenIDConnect_tokenIssuer (string)
## Description:
## OpenID Connect token issuer
## The OpenID Connect configuration document will be fetched at `<token-issuer>/.well-known/openid-configuration`
## Ignored if `authProvider` is not `openidconnect`
#authOpenIDConnect_tokenIssuer:
## authOpenIDConnect_allowedUsers (list of strings)
## Description:
## List of allowed users for OpenID Connect auth
## This is a list of user IDs, as returned by the ID provider in the "sub" claim
## Ignored if `authProvider` is not `openidconnect`
#authOpenIDConnect_allowedUsers:
## authOpenIDConnect_allowedEmails (list of strings)
## Description:
## List of allowed email addresses for users for OpenID Connect auth
## This is a list of email addresses, as returned by the ID provider in the "email" claim
## Ignored if `authProvider` is not `openidconnect`
#authOpenIDConnect_allowedEmails:
## authOpenIDConnect_requestTimeout (duration)
## Description:
## Timeout for network requests for OpenID Connect auth
## Ignored if `authProvider` is not `openidconnect`
## Default: 10s
#authOpenIDConnect_requestTimeout:
## authTailscaleWhois_allowedTailnet (string)
## Description:
## If non-empty, requires the Tailnet of the user to match this value
## Ignored if `authProvider` is not `tailscalewhois`
#authTailscaleWhois_allowedTailnet:
## authTailscaleConnect_allowedUsers (list of strings)
## Description:
## List of allowed users for Tailscale Whois auth
## This is a list of user IDs as returned by the ID provider
## Ignored if `authProvider` is not `tailscalewhois`
#authTailscaleConnect_allowedUsers:
## authTailscaleWhois_requestTimeout (duration)
## Description:
## Timeout for network requests for Tailscale Whois auth
## Ignored if `authProvider` is not `tailscalewhois`
## Default: 10s
#authTailscaleWhois_requestTimeout:
## authenticationTimeout (duration)
## Description:
## Timeout for authenticating with the authentication provider.
## Default: 5m
#authenticationTimeout:
## tlsPath (string)
## Description:
## Path to load TLS certificates from. Within the folder, the files must be named `tls-cert.pem` and `tls-key.pem` (and optionally `tls-ca.pem`).
## The application watches for changes in this folder and automatically reloads the TLS certificates when they're updated.
## If empty, certificates are loaded from the same folder where the loaded `config.yaml` is located.
## Default: Folder where the `config.yaml` file is located
#tlsPath:
## tlsCertPEM (string)
## Description:
## Full, PEM-encoded TLS certificate.
## Using `tlsCertPEM` and `tlsKeyPEM` is an alternative method of passing TLS certificates to using `tlsPath`.
#tlsCertPEM:
## tlsKeyPEM (string)
## Description:
## Full, PEM-encoded TLS key.
## Using `tlsCertPEM` and `tlsKeyPEM` is an alternative method of passing TLS certificates to using `tlsPath`.
#tlsKeyPEM:
## tlsCAPEM (string)
## Description:
## Full, PEM-encoded TLS CA certificate, used for TLS client authentication (mTLS).
## This is an alternative method of passing the CA certificate than using `tlsPath`.
## Note that this is ignored unless `tlsClientAuth` is set to `true`.
#tlsCAPEM:
## tlsClientAuth (boolean)
## Description:
## If true, enables mTLS for client authentication.
## Requests to the root endpoint (normally used by Traefik) must have a valid client certificate signed by the CA.
## Default: false
#tlsClientAuth:
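## Added example (shell + openssl; not part of traefik-forward-auth): creates a private CA, a server certificate and a client certificate
## for Traefik, using exactly the file names `tlsPath` expects (`tls-cert.pem`, `tls-key.pem`, `tls-ca.pem`) so the folder can be used with
## `tlsClientAuth: true`. The function names, the `auth.example.com` hostname and the `client-*.pem` names are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of traefik-forward-auth: build a tlsPath folder for
# mTLS between Traefik and the forward-auth root endpoint.
set -eu

# gen_mtls_dir DIR HOSTNAME
# Writes tls-ca.pem, tls-cert.pem and tls-key.pem into DIR (the names the
# sample requires), plus client-cert.pem / client-key.pem for Traefik to
# present. The CA key is left in DIR as ca-key.pem; move it somewhere safer.
gen_mtls_dir() {
  dir=$1
  host=$2
  mkdir -p "$dir"

  # Minimal OpenSSL config: makes the CA a real CA (CA:TRUE, keyCertSign)
  # independently of whatever the system-wide openssl.cnf contains.
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = traefik-forward-auth local CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. Self-signed CA; tls-ca.pem is what tlsClientAuth verifies client certs against.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/openssl.cnf" -keyout "$dir/ca-key.pem" -out "$dir/tls-ca.pem"

  # 2. Server certificate for the forward-auth endpoint; SAN must be the hostname.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=$host" -keyout "$dir/tls-key.pem" -out "$dir/server.csr"
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nbasicConstraints = CA:FALSE\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/tls-ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/tls-cert.pem"

  # 3. Client certificate that Traefik presents to the root endpoint (clientAuth only).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
    -subj "/CN=traefik" -keyout "$dir/client-key.pem" -out "$dir/client.csr"
  printf 'extendedKeyUsage = clientAuth\nbasicConstraints = CA:FALSE\n' > "$dir/client.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
    -CA "$dir/tls-ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client-cert.pem"

  rm -f "$dir/server.csr" "$dir/client.csr" "$dir/server.ext" "$dir/client.ext"
  chmod 600 "$dir/ca-key.pem" "$dir/tls-key.pem" "$dir/client-key.pem"
}

# verify_mtls_dir DIR: both leaf certificates chain to tls-ca.pem for their purpose.
verify_mtls_dir() {
  dir=$1
  openssl verify -CAfile "$dir/tls-ca.pem" -purpose sslserver "$dir/tls-cert.pem" >/dev/null &&
  openssl verify -CAfile "$dir/tls-ca.pem" -purpose sslclient "$dir/client-cert.pem" >/dev/null
}

# Usage: sh gen-mtls.sh /etc/traefik-forward-auth/tls auth.example.com
if [ $# -ge 1 ]; then
  gen_mtls_dir "$1" "${2:-auth.example.com}"
  verify_mtls_dir "$1" && echo "certificates written to $1"
fi
```

## Point `tlsPath` at the folder (or paste the three PEM files into `tlsCertPEM`, `tlsKeyPEM` and `tlsCAPEM`), set `tlsClientAuth: true`,
## and configure Traefik to present `client-cert.pem` / `client-key.pem` when calling the root endpoint. The client and server certificates
## carry distinct extended key usages, so the server certificate cannot be replayed as a client certificate against the CA.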
## trustedRequestIdHeader (string)
## Description:
## Name of a header whose value is trusted as the ID of each request. The ID is included in logs and returned in responses as the `X-Request-ID` header.
## Common values include:
##
## - `X-Request-ID`: a [de-facto standard](https://http.dev/x-request-id) that's vendor agnostic
## - `CF-Ray`: when the application is served by a [Cloudflare CDN](https://developers.cloudflare.com/fundamentals/get-started/reference/cloudflare-ray-id/)
##
## Only name a header that your reverse proxy or CDN sets or overwrites on every request: the value is written to the logs as-is, so a header that clients can supply themselves lets them inject arbitrary request IDs into your logs.
## If this option is empty, or if it contains the name of a header that is not found in an incoming request, a random UUID is generated as request ID.
#trustedRequestIdHeader: