Attention: Deprecation notice for Bintray, JCenter, GoCenter and ChartCenter. Learn More


Chart version: 1.0.5
Api version: v2
App version: 2.2.0
A minimal forward authentication service that provides OAuth/SS...
Chart Type
Set me up:
helm repo add center
Install Chart:
helm install traefik-forward-auth center/k8s-at-home/traefik-forward-auth
Versions (0)


Type: application Version: 1.0.5 AppVersion: 2.2.0 ArtifactHub

A minimal forward authentication service that provides OAuth/SSO login and authentication for the traefik reverse proxy/load balancer

The default values and container images used in this chart will allow for running in a multi-arch cluster (amd64, arm, arm64)

Chart that * Adds docker image information leveraging the official image * Deploys traefik-forward-auth


$ helm repo add k8s-at-home
$ helm install k8s-at-home/traefik-forward-auth

Installing the Chart

To install the chart with the release name traefik-forward-auth:

helm install traefik-forward-auth k8s-at-home/traefik-forward-auth

Uninstalling the Chart

To uninstall the traefik-forward-auth deployment:

helm uninstall traefik-forward-auth

The command removes all the Kubernetes components associated with the chart and deletes the release.


Read through the values.yaml file. It has several commented out suggested values.

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

helm install traefik-forward-auth \
  --set env.TZ="America/New York" \

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

helm install traefik-forward-auth k8s-at-home/traefik-forward-auth --values values.yaml


Key Type Default Description
affinity object {}
authHost string "" Single host to use when returning from 3rd party auth
autoscaling.enabled bool false
autoscaling.maxReplicas int 100
autoscaling.minReplicas int 1
autoscaling.targetCPUUtilizationPercentage int 80
cookie.csrfName string "" CSRF Cookie Name (default: _forward_auth_csrf)
cookie.domain string "" Domain(s) to set auth cookie on. (Comma delimited)
cookie.insecure string "" Use insecure cookies string "" Cookie Name (default: _forward_auth)
cookie.secret string "" Cookie Secret used for authentication across multiple instances / clusters (default: randomly generated)
default.action string "" [auth
default.provider string "" [google
env list []
envFrom string nil
fullnameOverride string ""
image.pullPolicy string "IfNotPresent"
image.repository string "thomseddon/traefik-forward-auth"
image.tag string ""
imagePullSecrets list []
ingress.annotations object {}
ingress.enabled bool false
ingress.hosts[0].host string "chart-example.local"
ingress.hosts[0].paths list []
ingress.tls list []
lifetime string "" Lifetime in seconds (default: 43200)
livenessProbe object {“periodSeconds”:20,“tcpSocket”:{“port”:“http”}} Liveness probe configuration
livenessProbe.enabled bool true Enable liveness probe
logging.format string "" [text
logging.level string "" [trace
logoutRedirect string "" URL to redirect to following logout
middleware.enabled bool false Enable to deploy a preconfigured middleware string "" Name for the middleware
nameOverride string ""
nodeSelector object {}
podAnnotations object {}
podSecurityContext object {}
providers.genericOauth.authUrl string "" Auth/Login URL
providers.genericOauth.clientId string "" Client ID
providers.genericOauth.clientSecret string "" Client Secret
providers.genericOauth.enabled bool false Enable the generic OAUTH2 provider
providers.genericOauth.resource string "" Optional resource indicator
providers.genericOauth.scope string "" Scopes (default: profile, email)
providers.genericOauth.tokenStyle string "" How token is presented when querying the User URL
providers.genericOauth.tokenUrl string "" Token URL
providers.genericOauth.userUrl string "" URL used to retrieve user info string "" Client ID string "" Client Secret bool false Enable the google provider string "" Space separated list of OpenID prompt options
providers.oidc.clientId string "" Client ID
providers.oidc.clientSecret string "" Client Secret
providers.oidc.enabled bool false Enable the generic OIDC provider
providers.oidc.issuerUrl string "" Issuer URL
providers.oidc.resource string "" Optional resource indicator
readinessProbe object {“periodSeconds”:10,“tcpSocket”:{“port”:“http”}} Readiness probe configuration
readinessProbe.enabled bool true Enable readiness probe
replicaCount int 1
resources object {}
restrictions.domain string "" Only allow given email domains. (Comma delimited)
restrictions.whitelist string "" Only allow given email addresses. (Comma delimited)
secret string "" Secret used for signing. If empty, one will be generated. If specifying your own in env use “-”
securityContext object {}
service.additionalSpec object {}
service.annotations object {}
service.labels object {}
service.port int 4181
service.type string "ClusterIP"
serviceAccount.annotations object {}
serviceAccount.create bool true string ""
tolerations list []
urlPath string "" Callback URL Path (default: /_oauth)