Rauthy is an OpenID Connect (OIDC) Provider and Single Sign-On (SSO) solution written in Rust. It provides a secure, fast, and reliable authentication service for your applications.
This Helm chart aims to make deploying and maintaining Rauthy in a Kubernetes environment easier.
- Kubernetes 1.19+
- Helm 3.2.0+
- Persistent volume provisioner support in the underlying infrastructure (if persistence is enabled)
- Automated starter secret generation based on the minimal production configuration for getting familiar with rauthy,
- Bring Your Own configuration via external secret,
- Highly available, clustered setup support,
- External access via Ingress / httpRoute,
- Metrics and serviceMonitor support.
```bash
helm repo add rauthy-helm https://reversing0148.github.io/rauthy-helm
helm repo update

# Install with default values
helm install rauthy rauthy-helm/rauthy

# Install with custom namespace
helm install rauthy rauthy-helm/rauthy --create-namespace --namespace rauthy

# Install with custom values file
helm install rauthy rauthy-helm/rauthy -f values.yaml
```

```bash
helm uninstall rauthy
```

| Name | Description | Value |
|---|---|---|
| `nameOverride` | Override the chart name | `""` |
| `fullnameOverride` | Override the chart name | `""` |
| `replicaCount` | Number of Rauthy replicas | `3` |
| Name | Description | Value |
|---|---|---|
| `image.repository` | Rauthy image repository | `ghcr.io/sebadob/rauthy` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `image.tag` | Image tag (overrides the chart appVersion) | `""` |
| `imagePullSecrets` | Docker registry secret names | `[]` |

| Name | Description | Value |
|---|---|---|
| `updateStrategy.type` | Update strategy of the StatefulSet | `RollingUpdate` |
| `updateStrategy.rollingUpdate.partition` | Partition of the rolling update | `0` |

| Name | Description | Value |
|---|---|---|
| `podAnnotations` | Additional annotations for the pod definition | `{}` |
| `podLabels` | Additional labels for the pod definition | `{}` |

| Name | Description | Value |
|---|---|---|
| `service.annotations` | Annotations for the service | `{}` |
| `service.type` | Service type | `ClusterIP` |
| `service.port` | Rauthy port exposed by the service | `8080` |
| `service.scheme` | Rauthy HTTP and API scheme | `http` |
This is for configuring a headless service for hiqlite.

| Name | Description | Value |
|---|---|---|
| `hiqlite.ports.raft` | Raft port used by Rauthy | `8100` |
| `hiqlite.ports.api` | API port used by Rauthy | `8200` |

This defines a port for metrics on the service and pod resources.

| Name | Description | Value |
|---|---|---|
| `metrics.enabled` | Enable metrics port on the service | `false` |
| `metrics.port` | Metrics port to be published via the service | `9090` |
| Name | Description | Value |
|---|---|---|
| `ingress.enabled` | Enable ingress record generation | `false` |
| `ingress.className` | IngressClass that will be used | `""` |
| `ingress.annotations` | Additional annotations for the Ingress resource | `{}` |
| `ingress.hosts` | Array of ingress hosts | See `values.yaml` |
| `ingress.tls` | TLS configuration for ingress | `[]` |

| Name | Description | Value |
|---|---|---|
| `resources.requests.cpu` | CPU request of the container | `medium` |
| `resources.requests.memory` | Memory request of the container | `""` |

Setting limits is possible but not recommended. For more details read the comments in `values.yaml`.

| Name | Description | Value |
|---|---|---|
| `malloc.preset` | Jemalloc preset (small/medium/big/open/custom) | `medium` |
| `malloc.custom` | Custom malloc configuration when preset is `custom` | `""` |
| Name | Description | Value |
|---|---|---|
| `livenessProbe.httpGet.path` | Path for the liveness probe request | `/auth/v1/health` |
| `livenessProbe.httpGet.port` | Port for the liveness probe request | `http` |
| `livenessProbe.initialDelaySeconds` | Seconds to wait before the first liveness probe request is sent | `1` |
| `livenessProbe.periodSeconds` | How often the kubelet checks liveness | `30` |
| `readinessProbe.httpGet.path` | Path for the readiness probe request | `/ping` |
| `readinessProbe.httpGet.port` | Port for the readiness probe request | `api` |
| `readinessProbe.initialDelaySeconds` | Seconds to wait before the first readiness probe request is sent | `5` |
| `readinessProbe.periodSeconds` | How often the kubelet checks readiness | `1` |

| Name | Description | Value |
|---|---|---|
| `volumes` | Additional volumes on the output StatefulSet definition | `{}` |
| `volumeMounts` | Additional volumeMounts on the output StatefulSet definition | `[]` |

| Name | Description | Value |
|---|---|---|
| `nodeSelector` | Node selector for the StatefulSet definition | `{}` |
| `tolerations` | Tolerations for the StatefulSet definition | `[]` |
| `affinity` | Affinity rules for the StatefulSet definition | `{}` |
| `topologySpreadConstraints` | Topology spread constraints for the StatefulSet definition | `[]` |
| Name | Description | Value |
|---|---|---|
| `externalSecret` | Name of the secret with your existing configuration. | `""` |

Either `externalSecret` or `config` can be used, but not both.

| Name | Description | Value |
|---|---|---|
| `config.generate` | Enable automatic `config.toml` generation | `true` |
| `config.keep` | Annotate the generated secret to ensure Helm does not remove it during uninstall | `true` |
| `config.trustedProxies` | List of trusted proxy CIDR ranges | `[]` |

Either `externalSecret` or `config` can be used, but not both.

| Name | Description | Value |
|---|---|---|
| `env` | List of key/value pairs. These will be applied as environment variables. | `{}` |

| Name | Description | Value |
|---|---|---|
| `persistence.enabled` | Enable persistent volume claims | `false` |
| `persistence.size` | Persistent Volume size | `256Mi` |
| `persistence.accessMode` | Persistent Volume access mode | `ReadWriteOnce` |
| `persistence.storageClassName` | Persistent Volume storage class | `""` |
The chart allows you to deploy Rauthy by generating a configuration for you based on the minimal production configuration.
To use this feature keep the `externalSecret` empty.

⚠️ Important! The configuration is re-generated and applied on each upgrade! Make sure to migrate to `externalSecret` after your first install and before an upgrade to avoid data loss!

Migration steps:

- Install the helm chart with `config.generate` set to `true`.
- Modify your `values.yaml` as such (make sure to use your secret's name!):

  ```yaml
  config:
    generate: false
  externalSecret: "rauthy-config"
  ```

- You can now safely upgrade.
The chart supports configuring Rauthy via your own secret.
You can do this by creating a secret in the same namespace as Rauthy, then providing the secret name in the `externalSecret` field. For example:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: rauthy-config
  namespace: rauthy
type: Opaque
stringData:
  config.toml: |-
    # paste and adjust config from
    # https://sebadob.github.io/rauthy/config/config_minimal.html
    # or
    # https://sebadob.github.io/rauthy/config/config.html
```

Make sure to keep `values.yaml` updated:

```yaml
externalSecret: "rauthy-config"
```

Rauthy is deployed as a StatefulSet, therefore the use of some form of persistent volume is inevitable.
The chart mounts a persistent volume at `/app/data` for storing Rauthy's internal hiqlite database and configuration.
By default, the chart uses an `emptyDir` volume when persistence is disabled.
Currently this Helm chart only supports deploying Rauthy with its internal hiqlite database.
External PostgreSQL database support via the Helm chart is planned but not yet available.
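The migration, external-secret and persistence sections above each state a constraint that is easy to violate in a values file and only shows up as data loss or an overwritten configuration after `helm upgrade`. The following preflight script is an added example, not part of the rauthy-helm chart or of Rauthy: it checks a values mapping against those constraints (mutually exclusive `externalSecret`/`config`, the re-generated config on upgrade, and the `emptyDir` behind `persistence.enabled: false`). The two ingress checks are my own additions and rest on assumptions: that TLS is expected on the ingress, and that `config.trustedProxies` only feeds the generated `config.toml` (with an external secret the equivalent setting lives inside that secret). Reading a real `values.yaml` uses PyYAML when it is installed; the embedded sample values are constructed.

```python
"""Preflight checks for a rauthy-helm values file (added example, not chart code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" blocks the deploy, "warn" is advisory
    key: str       # dotted values.yaml path the finding refers to
    message: str


def lookup(values: dict[str, Any], path: str, default: Any = None) -> Any:
    """Resolve a dotted path such as 'config.generate' in nested dicts."""
    node: Any = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_values(values: dict[str, Any], upgrade: bool = False) -> list[Finding]:
    """Return findings for a values mapping; upgrade=True means an existing release."""
    findings: list[Finding] = []
    external = lookup(values, "externalSecret", "") or ""
    generate = bool(lookup(values, "config.generate", True))  # chart default: true

    if external and generate:
        findings.append(Finding("error", "config.generate",
            "externalSecret is set but config.generate is still true; "
            "the chart accepts either externalSecret or config, not both"))
    if upgrade and generate and not external:
        findings.append(Finding("error", "config.generate",
            "an upgrade re-generates config.toml and overwrites the running "
            "configuration; migrate to externalSecret before upgrading"))
    if not lookup(values, "persistence.enabled", False):  # chart default: false
        findings.append(Finding("warn", "persistence.enabled",
            "persistence is disabled: /app/data (hiqlite database) is an emptyDir "
            "and is lost when a pod is rescheduled"))
    if lookup(values, "ingress.enabled", False):
        if not lookup(values, "ingress.tls", []):
            findings.append(Finding("warn", "ingress.tls",
                "ingress is enabled without a TLS section; sessions and tokens "
                "would cross the ingress in clear text"))
        # Assumption: trustedProxies only feeds the generated config.toml; with
        # an external secret the equivalent setting lives inside that secret.
        if generate and not external and not lookup(values, "config.trustedProxies", []):
            findings.append(Finding("warn", "config.trustedProxies",
                "ingress is enabled but config.trustedProxies is empty; client "
                "addresses forwarded by the ingress are not trusted"))
    return findings


def has_blocking(findings: list[Finding]) -> bool:
    """True when at least one finding should stop the install/upgrade."""
    return any(f.severity == "error" for f in findings)


# Constructed sample values (not taken from the chart): a first install with the
# generated config, and the same release after migrating to an external secret.
FIRST_INSTALL: dict[str, Any] = {
    "replicaCount": 3,
    "config": {"generate": True, "keep": True, "trustedProxies": []},
    "externalSecret": "",
    "persistence": {"enabled": False},
    "ingress": {"enabled": True, "tls": []},
}
MIGRATED: dict[str, Any] = {
    "replicaCount": 3,
    "config": {"generate": False},
    "externalSecret": "rauthy-config",
    "persistence": {"enabled": True, "size": "1Gi"},
    "ingress": {"enabled": True,
                "tls": [{"secretName": "rauthy-tls", "hosts": ["id.example.com"]}]},
}

if __name__ == "__main__":
    import sys
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    values: dict[str, Any] = FIRST_INSTALL
    if files:
        import yaml  # PyYAML, only required when a values file is given
        with open(files[0]) as fh:
            values = yaml.safe_load(fh) or {}
    results = check_values(values, upgrade="--upgrade" in sys.argv)
    for f in results:
        print(f"{f.severity:5} {f.key}: {f.message}")
    sys.exit(1 if has_blocking(results) else 0)
```

Run it as `python preflight.py values.yaml --upgrade` before `helm upgrade`; a non-zero exit means an error-level finding. Run without arguments it evaluates the constructed `FIRST_INSTALL` sample, which yields only warnings for a fresh install but an error as soon as `--upgrade` is passed, mirroring the migration rule above.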
- When `existingSecret` is not set and `HTTPRoute` is enabled, the templates assume you have TLS configured on the gateway when generating the secret template.
Like Rauthy, this Helm chart is licensed under the Apache License 2.0.