SYS-657 use built-in TOTP for guacamole, instead of Authelia (#218)

instantlinux · web-flow · commit acf7ae866a23 · 2025-08-29T10:31:07.000-07:00
diff --git a/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml b/k8s/helm/guacamole/subcharts/guacamole-server/values.yaml
@@ -23,11 +23,6 @@ service:
   type: ClusterIP
 autoscaling:
   enabled: false
-
-authelia:
-  fqdn: authtotp.example.com
-  ip: 10.101.1.5
-  path: /guacamole/\#/login
 ingress:
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
@@ -38,5 +33,3 @@ ingress:
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header Connection $http_connection;
       proxy_set_header Upgrade $http_upgrade;
-ingressTOTP:
-  enabled: true
diff --git a/k8s/helm/guacamole/values.yaml b/k8s/helm/guacamole/values.yaml
@@ -11,11 +11,18 @@ guacamole-server:
   tlsHostname: guacamole.example.com
   deployment:
     env:
+      # TODO: enable the BAN extension introduced in 1.6.0; for now
+      #   break-in attempts are blocked by TOTP because BAN requires
+      #   more ingress-nginx directives to provide proxy IP address
+      ban_enabled: "false"
       guacd_hostname: guacamole-guacd
       guacd_port: 4822
+      ldap_enabled: "false"
       mysql_database: guacamole
       mysql_hostname: db00
-      mysql_user: guacamole_user
+      mysql_username: guacamole_user
+      skip_if_unavailable: ldap
+      totp_enabled: "true"
     xenv:
     - name: MYSQL_PASSWORD
       valueFrom:
