Helm chart SSO support (#17205)
* Add SAML support * move extAuth below essential components * Add CAS, PAM, LDAP support * Add WEB_DOMAIN and S3_ALIAS_HOST support * SAML defaults aligned * Bump chart version * SSO & WEB_DOMAIN support added * Add OIDC support * Correct typo * Notice for OIDC support Co-authored-by: Eugen Rochko <eugen@zeonfederated.com>
This commit is contained in:
parent
c9a52833b6
commit
a131f06e12
|
@ -15,7 +15,7 @@ type: application
|
||||||
# This is the chart version. This version number should be incremented each time you make changes
|
# This is the chart version. This version number should be incremented each time you make changes
|
||||||
# to the chart and its templates, including the app version.
|
# to the chart and its templates, including the app version.
|
||||||
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
# Versions are expected to follow Semantic Versioning (https://semver.org/)
|
||||||
version: 1.2.0
|
version: 1.2.1
|
||||||
|
|
||||||
# This is the version number of the application being deployed. This version number should be
|
# This is the version number of the application being deployed. This version number should be
|
||||||
# incremented each time you make changes to the application. Versions are not expected to
|
# incremented each time you make changes to the application. Versions are not expected to
|
||||||
|
|
|
@ -24,9 +24,7 @@ The variables that _must_ be configured are:
|
||||||
Currently this chart does _not_ support:
|
Currently this chart does _not_ support:
|
||||||
|
|
||||||
- Hidden services
|
- Hidden services
|
||||||
- Single Sign-On
|
|
||||||
- Swift
|
- Swift
|
||||||
- configurations using `WEB_DOMAIN`
|
|
||||||
|
|
||||||
# Upgrading
|
# Upgrading
|
||||||
|
|
||||||
|
|
|
@ -21,6 +21,9 @@ data:
|
||||||
ES_PORT: "9200"
|
ES_PORT: "9200"
|
||||||
{{- end }}
|
{{- end }}
|
||||||
LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
|
LOCAL_DOMAIN: {{ .Values.mastodon.local_domain }}
|
||||||
|
{{- if .Values.mastodon.web_domain }}
|
||||||
|
WEB_DOMAIN: {{ .Values.mastodon.web_domain }}
|
||||||
|
{{- end }}
|
||||||
# https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior
|
# https://devcenter.heroku.com/articles/tuning-glibc-memory-behavior
|
||||||
MALLOC_ARENA_MAX: "2"
|
MALLOC_ARENA_MAX: "2"
|
||||||
NODE_ENV: "production"
|
NODE_ENV: "production"
|
||||||
|
@ -36,6 +39,9 @@ data:
|
||||||
{{- if .Values.mastodon.s3.region }}
|
{{- if .Values.mastodon.s3.region }}
|
||||||
S3_REGION: {{ .Values.mastodon.s3.region }}
|
S3_REGION: {{ .Values.mastodon.s3.region }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
{{- if .Values.mastodon.s3.alias_host }}
|
||||||
|
S3_ALIAS_HOST: {{ .Values.mastodon.s3.alias_host}}
|
||||||
|
{{- end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
{{- if .Values.mastodon.smtp.auth_method }}
|
{{- if .Values.mastodon.smtp.auth_method }}
|
||||||
SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }}
|
SMTP_AUTH_METHOD: {{ .Values.mastodon.smtp.auth_method }}
|
||||||
|
@ -77,3 +83,221 @@ data:
|
||||||
SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }}
|
SMTP_TLS: {{ .Values.mastodon.smtp.tls | quote }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
|
STREAMING_CLUSTER_NUM: {{ .Values.mastodon.streaming.workers | quote }}
|
||||||
|
{{- if .Values.externalAuth.oidc.enabled }}
|
||||||
|
OIDC_ENABLED: {{ .Values.externalAuth.oidc.enabled | quote }}
|
||||||
|
OIDC_DISPLAY_NAME: {{ .Values.externalAuth.oidc.display_name }}
|
||||||
|
OIDC_ISSUER: {{ .Values.externalAuth.oidc.issuer }}
|
||||||
|
OIDC_DISCOVERY: {{ .Values.externalAuth.oidc.discovery | quote }}
|
||||||
|
OIDC_SCOPE: {{ .Values.externalAuth.oidc.scope | quote }}
|
||||||
|
OIDC_UID_FIELD: {{ .Values.externalAuth.oidc.uid_field }}
|
||||||
|
OIDC_CLIENT_ID: {{ .Values.externalAuth.oidc.client_id }}
|
||||||
|
OIDC_CLIENT_SECRET: {{ .Values.externalAuth.oidc.client_secret }}
|
||||||
|
OIDC_REDIRECT_URI: {{ .Values.externalAuth.oidc.redirect_uri }}
|
||||||
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.oidc.assume_email_is_verified | quote }}
|
||||||
|
{{- if .Values.externalAuth.oidc.client_auth_method }}
|
||||||
|
OIDC_CLIENT_AUTH_METHOD: {{ .Values.externalAuth.oidc.client_auth_method }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.response_type }}
|
||||||
|
OIDC_RESPONSE_TYPE: {{ .Values.externalAuth.oidc.response_type }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.response_mode }}
|
||||||
|
OIDC_RESPONSE_MODE: {{ .Values.externalAuth.oidc.response_mode }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.display }}
|
||||||
|
OIDC_DISPLAY: {{ .Values.externalAuth.oidc.display }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.prompt }}
|
||||||
|
OIDC_PROMPT: {{ .Values.externalAuth.oidc.prompt }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.send_nonce }}
|
||||||
|
OIDC_SEND_NONCE: {{ .Values.externalAuth.oidc.send_nonce }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.send_scope_to_token_endpoint }}
|
||||||
|
OIDC_SEND_SCOPE_TO_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.send_scope_to_token_endpoint | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.idp_logout_redirect_uri }}
|
||||||
|
OIDC_IDP_LOGOUT_REDIRECT_URI: {{ .Values.externalAuth.oidc.idp_logout_redirect_uri }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.http_scheme }}
|
||||||
|
OIDC_HTTP_SCHEME: {{ .Values.externalAuth.oidc.http_scheme }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.host }}
|
||||||
|
OIDC_HOST: {{ .Values.externalAuth.oidc.host }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.port }}
|
||||||
|
OIDC_PORT: {{ .Values.externalAuth.oidc.port }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.jwks_uri }}
|
||||||
|
OIDC_JWKS_URI: {{ .Values.externalAuth.oidc.jwks_uri }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.auth_endpoint }}
|
||||||
|
OIDC_AUTH_ENDPOINT: {{ .Values.externalAuth.oidc.auth_endpoint }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.token_endpoint }}
|
||||||
|
OIDC_TOKEN_ENDPOINT: {{ .Values.externalAuth.oidc.token_endpoint }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.user_info_endpoint }}
|
||||||
|
OIDC_USER_INFO_ENDPOINT: {{ .Values.externalAuth.oidc.user_info_endpoint }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oidc.end_session_endpoint }}
|
||||||
|
OIDC_END_SESSION_ENDPOINT: {{ .Values.externalAuth.oidc.end_session_endpoint }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.enabled }}
|
||||||
|
SAML_ENABLED: {{ .Values.externalAuth.saml.enabled | quote }}
|
||||||
|
SAML_ACS_URL: {{ .Values.externalAuth.saml.acs_url }}
|
||||||
|
SAML_ISSUER: {{ .Values.externalAuth.saml.issuer }}
|
||||||
|
SAML_IDP_SSO_TARGET_URL: {{ .Values.externalAuth.saml.idp_sso_target_url }}
|
||||||
|
SAML_IDP_CERT: {{ .Values.externalAuth.saml.idp_cert | quote }}
|
||||||
|
{{- if .Values.externalAuth.saml.idp_cert_fingerprint }}
|
||||||
|
SAML_IDP_CERT_FINGERPRINT: {{ .Values.externalAuth.saml.idp_cert_fingerprint | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.name_identifier_format }}
|
||||||
|
SAML_NAME_IDENTIFIER_FORMAT: {{ .Values.externalAuth.saml.name_identifier_format }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.cert }}
|
||||||
|
SAML_CERT: {{ .Values.externalAuth.saml.cert | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.private_key }}
|
||||||
|
SAML_PRIVATE_KEY: {{ .Values.externalAuth.saml.private_key | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.want_assertion_signed }}
|
||||||
|
SAML_SECURITY_WANT_ASSERTION_SIGNED: {{ .Values.externalAuth.saml.want_assertion_signed | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.want_assertion_encrypted }}
|
||||||
|
SAML_SECURITY_WANT_ASSERTION_ENCRYPTED: {{ .Values.externalAuth.saml.want_assertion_encrypted | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.assume_email_is_verified }}
|
||||||
|
SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.saml.assume_email_is_verified | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.uid_attribute }}
|
||||||
|
SAML_UID_ATTRIBUTE: {{ .Values.externalAuth.saml.uid_attribute }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.uid }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_UID: {{ .Values.externalAuth.saml.attributes_statements.uid | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.email }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.email | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.full_name }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_FULL_NAME: {{ .Values.externalAuth.saml.attributes_statements.full_name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.first_name }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME: {{ .Values.externalAuth.saml.attributes_statements.first_name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.last_name }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_LAST_NAME: {{ .Values.externalAuth.saml.attributes_statements.last_name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.verified }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_VERIFIED: {{ .Values.externalAuth.saml.attributes_statements.verified | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.saml.attributes_statements.verified_email }}
|
||||||
|
SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL: {{ .Values.externalAuth.saml.attributes_statements.verified_email | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in }}
|
||||||
|
OAUTH_REDIRECT_AT_SIGN_IN: {{ .Values.externalAuth.oauth_global.oauth_redirect_at_sign_in | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.enabled }}
|
||||||
|
CAS_ENABLED: {{ .Values.externalAuth.cas.enabled | quote }}
|
||||||
|
CAS_URL: {{ .Values.externalAuth.cas.url }}
|
||||||
|
CAS_HOST: {{ .Values.externalAuth.cas.host }}
|
||||||
|
CAS_PORT: {{ .Values.externalAuth.cas.port }}
|
||||||
|
CAS_SSL: {{ .Values.externalAuth.cas.ssl | quote }}
|
||||||
|
{{- if .Values.externalAuth.cas.validate_url }}
|
||||||
|
CAS_VALIDATE_URL: {{ .Values.externalAuth.cas.validate_url }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.callback_url }}
|
||||||
|
CAS_CALLBACK_URL: {{ .Values.externalAuth.cas.callback_url }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.logout_url }}
|
||||||
|
CAS_LOGOUT_URL: {{ .Values.externalAuth.cas.logout_url }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.login_url }}
|
||||||
|
CAS_LOGIN_URL: {{ .Values.externalAuth.cas.login_url }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.uid_field }}
|
||||||
|
CAS_UID_FIELD: {{ .Values.externalAuth.cas.uid_field | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.ca_path }}
|
||||||
|
CAS_CA_PATH: {{ .Values.externalAuth.cas.ca_path }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.disable_ssl_verification }}
|
||||||
|
CAS_DISABLE_SSL_VERIFICATION: {{ .Values.externalAuth.cas.disable_ssl_verification | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.assume_email_is_verified }}
|
||||||
|
CAS_SECURITY_ASSUME_EMAIL_IS_VERIFIED: {{ .Values.externalAuth.cas.assume_email_is_verified | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.uid }}
|
||||||
|
CAS_UID_KEY: {{ .Values.externalAuth.cas.keys.uid | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.name }}
|
||||||
|
CAS_NAME_KEY: {{ .Values.externalAuth.cas.keys.name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.email }}
|
||||||
|
CAS_EMAIL_KEY: {{ .Values.externalAuth.cas.keys.email | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.nickname }}
|
||||||
|
CAS_NICKNAME_KEY: {{ .Values.externalAuth.cas.keys.nickname | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.first_name }}
|
||||||
|
CAS_FIRST_NAME_KEY: {{ .Values.externalAuth.cas.keys.first_name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.last_name }}
|
||||||
|
CAS_LAST_NAME_KEY: {{ .Values.externalAuth.cas.keys.last_name | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.location }}
|
||||||
|
CAS_LOCATION_KEY: {{ .Values.externalAuth.cas.keys.location | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.image }}
|
||||||
|
CAS_IMAGE_KEY: {{ .Values.externalAuth.cas.keys.image | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.cas.keys.phone }}
|
||||||
|
CAS_PHONE_KEY: {{ .Values.externalAuth.cas.keys.phone | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.pam.enabled }}
|
||||||
|
PAM_ENABLED: {{ .Values.externalAuth.pam.enabled | quote }}
|
||||||
|
{{- if .Values.externalAuth.pam.email_domain }}
|
||||||
|
PAM_EMAIL_DOMAIN: {{ .Values.externalAuth.pam.email_domain }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.pam.default_service }}
|
||||||
|
PAM_DEFAULT_SERVICE: {{ .Values.externalAuth.pam.default_service }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.pam.controlled_service }}
|
||||||
|
PAM_CONTROLLED_SERVICE: {{ .Values.externalAuth.pam.controlled_service }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.enabled }}
|
||||||
|
LDAP_ENABLED: {{ .Values.externalAuth.ldap.enabled | quote }}
|
||||||
|
LDAP_HOST: {{ .Values.externalAuth.ldap.host }}
|
||||||
|
LDAP_PORT: {{ .Values.externalAuth.ldap.port }}
|
||||||
|
LDAP_METHOD: {{ .Values.externalAuth.ldap.method }}
|
||||||
|
{{- if .Values.externalAuth.ldap.base }}
|
||||||
|
LDAP_BASE: {{ .Values.externalAuth.ldap.base }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.bind_on }}
|
||||||
|
LDAP_BIND_ON: {{ .Values.externalAuth.ldap.bind_on }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.password }}
|
||||||
|
LDAP_PASSWORD: {{ .Values.externalAuth.ldap.password }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.uid }}
|
||||||
|
LDAP_UID: {{ .Values.externalAuth.ldap.uid }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.mail }}
|
||||||
|
LDAP_MAIL: {{ .Values.externalAuth.ldap.mail }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.search_filter }}
|
||||||
|
LDAP_SEARCH_FILTER: {{ .Values.externalAuth.ldap.search_filter }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.uid_conversion.enabled }}
|
||||||
|
LDAP_UID_CONVERSION_ENABLED: {{ .Values.externalAuth.ldap.uid_conversion.enabled | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.uid_conversion.search }}
|
||||||
|
LDAP_UID_CONVERSION_SEARCH: {{ .Values.externalAuth.ldap.uid_conversion.search }}
|
||||||
|
{{- end }}
|
||||||
|
{{- if .Values.externalAuth.ldap.uid_conversion.replace }}
|
||||||
|
LDAP_UID_CONVERSION_REPLACE: {{ .Values.externalAuth.ldap.uid_conversion.replace }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
|
@ -27,6 +27,9 @@ mastodon:
|
||||||
# available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
|
# available locales: https://github.com/tootsuite/mastodon/blob/master/config/application.rb#L43
|
||||||
locale: en
|
locale: en
|
||||||
local_domain: mastodon.local
|
local_domain: mastodon.local
|
||||||
|
# Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
|
||||||
|
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
|
||||||
|
# web_domain: mastodon.example.com
|
||||||
persistence:
|
persistence:
|
||||||
assets:
|
assets:
|
||||||
# ReadWriteOnce is more widely supported than ReadWriteMany, but limits
|
# ReadWriteOnce is more widely supported than ReadWriteMany, but limits
|
||||||
|
@ -49,6 +52,8 @@ mastodon:
|
||||||
endpoint: https://us-east-1.linodeobjects.com
|
endpoint: https://us-east-1.linodeobjects.com
|
||||||
hostname: us-east-1.linodeobjects.com
|
hostname: us-east-1.linodeobjects.com
|
||||||
region: ""
|
region: ""
|
||||||
|
# If you have a caching proxy, enter its base URL here.
|
||||||
|
alias_host: ""
|
||||||
# these must be set manually; autogenerated keys are rotated on each upgrade
|
# these must be set manually; autogenerated keys are rotated on each upgrade
|
||||||
secrets:
|
secrets:
|
||||||
secret_key_base: ""
|
secret_key_base: ""
|
||||||
|
@ -136,6 +141,105 @@ service:
|
||||||
type: ClusterIP
|
type: ClusterIP
|
||||||
port: 80
|
port: 80
|
||||||
|
|
||||||
|
externalAuth:
|
||||||
|
oidc:
|
||||||
|
# OpenID Connect support is proposed in PR #16221 and awaiting merge.
|
||||||
|
enabled: false
|
||||||
|
# display_name: "example-label"
|
||||||
|
# issuer: https://login.example.space/auth/realms/example-space
|
||||||
|
# discovery: true
|
||||||
|
# scope: "openid,profile"
|
||||||
|
# uid_field: uid
|
||||||
|
# client_id: mastodon
|
||||||
|
# client_secret: SECRETKEY
|
||||||
|
# redirect_uri: https://example.com/auth/auth/openid_connect/callback
|
||||||
|
# assume_email_is_verified: true
|
||||||
|
# client_auth_method:
|
||||||
|
# response_type:
|
||||||
|
# response_mode:
|
||||||
|
# display:
|
||||||
|
# prompt:
|
||||||
|
# send_nonce:
|
||||||
|
# send_scope_to_token_endpoint:
|
||||||
|
# idp_logout_redirect_uri:
|
||||||
|
# http_scheme:
|
||||||
|
# host:
|
||||||
|
# port:
|
||||||
|
# jwks_uri:
|
||||||
|
# auth_endpoint:
|
||||||
|
# token_endpoint:
|
||||||
|
# user_info_endpoint:
|
||||||
|
# end_session_endpoint:
|
||||||
|
saml:
|
||||||
|
enabled: false
|
||||||
|
# acs_url: http://mastodon.example.com/auth/auth/saml/callback
|
||||||
|
# issuer: mastodon
|
||||||
|
# idp_sso_target_url: https://login.example.com/auth/realms/example/protocol/saml
|
||||||
|
# idp_cert: '-----BEGIN CERTIFICATE-----[your_cert_content]-----END CERTIFICATE-----'
|
||||||
|
# idp_cert_fingerprint:
|
||||||
|
# name_identifier_format: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
|
||||||
|
# cert:
|
||||||
|
# private_key:
|
||||||
|
# want_assertion_signed: true
|
||||||
|
# want_assertion_encrypted: true
|
||||||
|
# assume_email_is_verified: true
|
||||||
|
# uid_attribute: "urn:oid:0.9.2342.19200300.100.1.1"
|
||||||
|
# attributes_statements:
|
||||||
|
# uid: "urn:oid:0.9.2342.19200300.100.1.1"
|
||||||
|
# email: "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
|
||||||
|
# full_name: "urn:oid:2.16.840.1.113730.3.1.241"
|
||||||
|
# first_name: "urn:oid:2.5.4.42"
|
||||||
|
# last_name: "urn:oid:2.5.4.4"
|
||||||
|
# verified:
|
||||||
|
# verified_email:
|
||||||
|
oauth_global:
|
||||||
|
# Force redirect local login to CAS. Does not function with SAML or LDAP.
|
||||||
|
oauth_redirect_at_sign_in: false
|
||||||
|
cas:
|
||||||
|
enabled: false
|
||||||
|
# url: https://sso.myserver.com
|
||||||
|
# host: sso.myserver.com
|
||||||
|
# port: 443
|
||||||
|
# ssl: true
|
||||||
|
# validate_url:
|
||||||
|
# callback_url:
|
||||||
|
# logout_url:
|
||||||
|
# login_url:
|
||||||
|
# uid_field: 'user'
|
||||||
|
# ca_path:
|
||||||
|
# disable_ssl_verification: false
|
||||||
|
# assume_email_is_verified: true
|
||||||
|
# keys:
|
||||||
|
# uid: 'user'
|
||||||
|
# name: 'name'
|
||||||
|
# email: 'email'
|
||||||
|
# nickname: 'nickname'
|
||||||
|
# first_name: 'firstname'
|
||||||
|
# last_name: 'lastname'
|
||||||
|
# location: 'location'
|
||||||
|
# image: 'image'
|
||||||
|
# phone: 'phone'
|
||||||
|
pam:
|
||||||
|
enabled: false
|
||||||
|
# email_domain: example.com
|
||||||
|
# default_service: rpam
|
||||||
|
# controlled_service: rpam
|
||||||
|
ldap:
|
||||||
|
enabled: false
|
||||||
|
# host: myservice.namespace.svc
|
||||||
|
# port: 389
|
||||||
|
# method: simple_tls
|
||||||
|
# base:
|
||||||
|
# bind_on:
|
||||||
|
# password:
|
||||||
|
# uid: cn
|
||||||
|
# mail: mail
|
||||||
|
# search_filter: "(|(%{uid}=%{email})(%{mail}=%{email}))"
|
||||||
|
# uid_conversion:
|
||||||
|
# enabled: true
|
||||||
|
# search: "., -"
|
||||||
|
# replace: _
|
||||||
|
|
||||||
# https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
|
# https://github.com/tootsuite/mastodon/blob/master/Dockerfile#L88
|
||||||
#
|
#
|
||||||
# if you manually change the UID/GID environment variables, ensure these values
|
# if you manually change the UID/GID environment variables, ensure these values
|
||||||
|
|
Loading…
Reference in New Issue