fix(authelia): incorrect vault injector annotations and missing secur…

…ity context (#29) This corrects issues in the helm chart annotations for vault injector and quotes most of the command and template annotations, additionally it adds the security context to the pod spec when using injector.
authelia · Apr 1, 2021 · cbef048 · cbef048
1 parent 56a2462
commit cbef048
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 27 deletions.
diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.3.2
+version: 0.3.3
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application

diff --git a/charts/authelia/templates/_helpers.tpl b/charts/authelia/templates/_helpers.tpl
@@ -216,104 +216,104 @@ vault.hashicorp.com/agent-configmap: {{ $vault.agent.configMap }}
 vault.hashicorp.com/agent-image: {{ $vault.agent.image }}
 {{- end }}
 {{- if $vault.agent.initFirst }}
-vault.hashicorp.com/agent-init-first: {{ $vault.agent.initFirst }}
+vault.hashicorp.com/agent-init-first: {{ $vault.agent.initFirst | quote }}
 {{- end }}
 {{- if $vault.agent.command }}
-vault.hashicorp.com/agent-inject-command: {{ $vault.agent.command }}
+vault.hashicorp.com/agent-inject-command: {{ $vault.agent.command | quote }}
 {{- end }}
-vault.hashicorp.com/agent-inject-volume-path: {{ include "authelia.secret.mountPath" $ }}
+vault.hashicorp.com/secret-volume-path: {{ include "authelia.secret.mountPath" $ }}
 vault.hashicorp.com/agent-inject-secret-jwt: {{ $vault.secrets.jwt.path }}
 vault.hashicorp.com/agent-inject-file-jwt: {{ include "authelia.secret.path" (merge (dict "Secret" "jwt") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.jwt.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-jwt: {{ default $vault.agent.templateValue $vault.secrets.jwt.templateValue }}
+vault.hashicorp.com/agent-inject-template-jwt: {{ default $vault.agent.templateValue $vault.secrets.jwt.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.jwt.command }}
-vault.hashicorp.com/agent-inject-secret-command-jwt: {{ $vault.secrets.jwt.command }}
+vault.hashicorp.com/agent-inject-command-jwt: {{ $vault.secrets.jwt.command | quote }}
 {{- end }}
 vault.hashicorp.com/agent-inject-secret-session: {{ $vault.secrets.session.path }}
 vault.hashicorp.com/agent-inject-file-session: {{ include "authelia.secret.path" (merge (dict "Secret" "session") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.session.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-session: {{ default $vault.agent.templateValue $vault.secrets.session.templateValue }}
+vault.hashicorp.com/agent-inject-template-session: {{ default $vault.agent.templateValue $vault.secrets.session.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.session.command }}
-vault.hashicorp.com/agent-inject-secret-command-session: {{ $vault.secrets.session.command }}
+vault.hashicorp.com/agent-inject-command-session: {{ $vault.secrets.session.command | quote }}
 {{- end }}
 {{- if $.Values.configMap.authentication_backend.ldap.enabled }}
 vault.hashicorp.com/agent-inject-secret-ldap: {{ $vault.secrets.ldap.path }}
 vault.hashicorp.com/agent-inject-file-ldap: {{ include "authelia.secret.path" (merge (dict "Secret" "ldap") $) }}
 {{- if or $vault.secrets.ldap.templateValue $vault.agent.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-ldap: {{ default $vault.agent.templateValue $vault.secrets.ldap.templateValue }}
+vault.hashicorp.com/agent-inject-template-ldap: {{ default $vault.agent.templateValue $vault.secrets.ldap.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.ldap.command }}
-vault.hashicorp.com/agent-inject-secret-command-ldap: {{ $vault.secrets.ldap.command }}
+vault.hashicorp.com/agent-inject-command-ldap: {{ $vault.secrets.ldap.command | quote }}
 {{- end }}
 {{- end }}
 {{- if or $.Values.configMap.storage.mysql.enabled $.Values.configMap.storage.postgres.enabled }}
 vault.hashicorp.com/agent-inject-secret-storage: {{ $vault.secrets.storage.path }}
 vault.hashicorp.com/agent-inject-file-storage: {{ include "authelia.secret.path" (merge (dict "Secret" "storage") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.storage.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-storage: {{ default $vault.agent.templateValue $vault.secrets.storage.templateValue }}
+vault.hashicorp.com/agent-inject-template-storage: {{ default $vault.agent.templateValue $vault.secrets.storage.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.storage.command }}
-vault.hashicorp.com/agent-inject-secret-command-storage: {{ $vault.secrets.storage.command }}
+vault.hashicorp.com/agent-inject-command-storage: {{ $vault.secrets.storage.command | quote }}
 {{- end }}
 {{- end }}
 {{- if and $.Values.configMap.session.redis.enabled $.Values.configMap.session.redis.enabledSecret }}
 vault.hashicorp.com/agent-inject-secret-redis: {{ $vault.secrets.redis.path }}
 vault.hashicorp.com/agent-inject-file-redis: {{ include "authelia.secret.path" (merge (dict "Secret" "redis") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.redis.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-redis: {{ default $vault.agent.templateValue $vault.secrets.redis.templateValue }}
+vault.hashicorp.com/agent-inject-template-redis: {{ default $vault.agent.templateValue $vault.secrets.redis.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.redis.command }}
-vault.hashicorp.com/agent-inject-secret-command-redis: {{ $vault.secrets.redis.command }}
+vault.hashicorp.com/agent-inject-command-redis: {{ $vault.secrets.redis.command | quote }}
 {{- end }}
 {{- if and $.Values.configMap.session.redis.high_availability.enabled $.Values.configMap.session.redis.high_availability.enabledSecret }}
 vault.hashicorp.com/agent-inject-secret-redis-sentinel: {{ $vault.secrets.redisSentinel.path }}
 vault.hashicorp.com/agent-inject-file-redis-sentinel: {{ include "authelia.secret.path" (merge (dict "Secret" "redis-sentinel") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.redisSentinel.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-redis-sentinel {{ default $vault.agent.templateValue $vault.secrets.redisSentinel.templateValue }}
+vault.hashicorp.com/agent-inject-template-redis-sentinel {{ default $vault.agent.templateValue $vault.secrets.redisSentinel.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.redisSentinel.command }}
-vault.hashicorp.com/agent-inject-secret-command-redis-sentinel: {{ $vault.secrets.redisSentinel.command }}
+vault.hashicorp.com/agent-inject-command-redis-sentinel: {{ $vault.secrets.redisSentinel.command | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{- if and $.Values.configMap.notifier.smtp.enabled $.Values.configMap.notifier.smtp.enabledSecret }}
 vault.hashicorp.com/agent-inject-secret-smtp: {{ $vault.secrets.smtp.path }}
 vault.hashicorp.com/agent-inject-file-smtp: {{ include "authelia.secret.path" (merge (dict "Secret" "smtp") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.smtp.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-smtp: {{ default $vault.agent.templateValue $vault.secrets.smtp.templateValue }}
+vault.hashicorp.com/agent-inject-template-smtp: {{ default $vault.agent.templateValue $vault.secrets.smtp.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.smtp.command }}
-vault.hashicorp.com/agent-inject-secret-command-smtp: {{ $vault.secrets.smtp.command }}
+vault.hashicorp.com/agent-inject-command-smtp: {{ $vault.secrets.smtp.command | quote }}
 {{- end }}
 {{- end }}
 {{- if include "authelia.configured.duo" $ }}
 vault.hashicorp.com/agent-inject-secret-duo: {{ $vault.secrets.duo.path }}
 vault.hashicorp.com/agent-inject-file-duo: {{ include "authelia.secret.path" (merge (dict "Secret" "duo") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.duo.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-duo: {{ default $vault.agent.templateValue $vault.secrets.duo.templateValue }}
+vault.hashicorp.com/agent-inject-template-duo: {{ default $vault.agent.templateValue $vault.secrets.duo.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.duo.command }}
-vault.hashicorp.com/agent-inject-secret-command-duo: {{ $vault.secrets.duo.command }}
+vault.hashicorp.com/agent-inject-command-duo: {{ $vault.secrets.duo.command | quote }}
 {{- end }}
 {{- end }}
 {{- if $.Values.configMap.identity_providers.oidc.enabled }}
 vault.hashicorp.com/agent-inject-secret-oidc-private-key: {{ $vault.secrets.oidcPrivateKey.path }}
 vault.hashicorp.com/agent-inject-file-oidc-private-key: {{ include "authelia.secret.path" (merge (dict "Secret" "oidc-private-key") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.oidcPrivateKey.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-oidc-private-key: {{ default $vault.agent.templateValue $vault.secrets.oidcPrivateKey.templateValue }}
+vault.hashicorp.com/agent-inject-template-oidc-private-key: {{ default $vault.agent.templateValue $vault.secrets.oidcPrivateKey.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.oidcPrivateKey.command }}
-vault.hashicorp.com/agent-inject-secret-command-oidc-private-key: {{ $vault.secrets.oidcPrivateKey.command }}
+vault.hashicorp.com/agent-inject-command-oidc-private-key: {{ $vault.secrets.oidcPrivateKey.command | quote }}
 {{- end }}
 vault.hashicorp.com/agent-inject-secret-oidc-hmac-secret: {{ $vault.secrets.oidcHMACSecret.path }}
 vault.hashicorp.com/agent-inject-file-oidc-hmac-secret: {{ include "authelia.secret.path" (merge (dict "Secret" "oidc-hmac-secret") $) }}
 {{- if or $vault.agent.templateValue $vault.secrets.oidcHMACSecret.templateValue }}
-vault.hashicorp.com/agent-inject-secret-template-oidc-hmac-secret: {{ default $vault.agent.templateValue $vault.secrets.oidcHMACSecret.templateValue }}
+vault.hashicorp.com/agent-inject-template-oidc-hmac-secret: {{ default $vault.agent.templateValue $vault.secrets.oidcHMACSecret.templateValue | quote }}
 {{- end }}
 {{- if $vault.secrets.oidcHMACSecret.command }}
-vault.hashicorp.com/agent-inject-secret-command-oidc-hmac-secret: {{ $vault.secrets.oidcHMACSecret.command }}
+vault.hashicorp.com/agent-inject-command-oidc-hmac-secret: {{ $vault.secrets.oidcHMACSecret.command | quote }}
 {{- end }}
 {{- end }}
 vault.hashicorp.com/agent-run-as-same-user: {{ default "true" $vault.agent.runAsSameUser | quote }}
@@ -763,4 +763,4 @@ Returns the path value.
     {{- else -}}
         {{- "/" -}}
     {{- end -}}
-{{- end -}}
+{{- end -}}
diff --git a/charts/authelia/templates/configMap.yaml b/charts/authelia/templates/configMap.yaml
@@ -139,7 +139,7 @@ data:
         port: {{ default 25 $notifier.smtp.port }}
         sender: {{ $notifier.smtp.sender }}
         identifier: {{ $notifier.smtp.identifier }}
-        subject: {{ $notifier.smtp.subject }}
+        subject: {{ $notifier.smtp.subject | quote }}
         startup_check_address: {{ $notifier.smtp.startup_check_address }}
         disable_require_tls: {{ $notifier.smtp.disable_require_tls }}
         disable_html_emails: {{ $notifier.smtp.disable_html_emails }}

diff --git a/charts/authelia/templates/deployment.yaml b/charts/authelia/templates/deployment.yaml
@@ -81,6 +81,11 @@ spec:
         - name: {{ $secretName }}
         {{- end }}
         {{- end }}
+        {{- if .Values.secret.vaultInjector.enabled }}
+        securityContext:
+          runAsUser: 1000
+          allowPrivilegeEscalation: false
+        {{- end }}
         command: ["authelia"]
         args:
         - --config=/config/configuration.yaml
@@ -237,4 +242,4 @@ spec:
   {{- end }}
   {{- with .Values.pod.extraVolumes }}
   {{ toYaml . | indent 6 }}
-  {{- end }}
+  {{- end }}
diff --git a/charts/authelia/values.local.yaml b/charts/authelia/values.local.yaml
@@ -45,6 +45,7 @@ labels: {}
 rbac:
 
   ## Enable RBAC. Turning this on associates Authelia with a service account.
+  ## If the vault injector is enabled, then RBAC must be enabled.
   enabled: false
 
   annotations: {}

diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml
@@ -43,6 +43,7 @@ labels: {}
 rbac:
 
   ## Enable RBAC. Turning this on associates Authelia with a service account.
+  ## If the vault injector is enabled, then RBAC must be enabled.
   enabled: false
 
   annotations: {}