-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issue working with v0.9 and up #262
Comments
You have disabled the management of the postgres password secret entirely. You'd need to either enable that or set the volume mount and relevant env vars manually. |
I have just tried enabling the postgres password secret management. And disabled the secret mounting. Same issues remains. I took a look at the templates and I couldn't find any references of |
The Why did you change values additional to what was requested? |
Ah okay, it makes sense now. I only changed what is needed in order provide secrets to run my postgres RDS. EDIT: I am still missing what is needed in order establish a connection with postgres using my secrets. |
I'm also experiencing issues with the secrets changes - IME the:
and I (wasn't) adjusting any other secrets settings in the configmap, as reading the values.yaml indicates that the defaults behavior is to reference the k8s secret object & files.
|
I encountered the same issue and ended up simply using the env vars to define secrets: |
Also going down this path as figuring how secrets work with the chart has become too complex since the v0.9 changes. Downside is that all pods in the namespace now have access to the secrets. |
This can't really be considered a secret, they're being set as environment variables; it kind of defeats the purpose of setting things like this as secrets to some degree. The environment variables can be dumped by external processes trivially and are generally more accessible. I'm quite surprised since no one during the 4 months of the announced beta tests mentioned issues like this. I'll figure out the cause, the only thing that may help going forward is full values examples. |
True but risk can be alleviated by deploying authelia in its own namespace and poking just the couple needed holes in a deny-all-egress network policy.
Personally I have a 100+ apps running in my lab and since authelia is only used internally it gets thrown in the "upgrade once a year" bucket. I will say that while I can see and appreciate the work you put into this, I had a much simpler time navigating the pre v0.9 chart and it took me less time to set things up initially on v0.8 than it did upgrading to v0.9. |
Unrelated to this issue, but would it be possible to make the chart flexible enough to use multiple external secrets? For instance, I'm using 3 others secrets for SMTP, Redis and PostgreSQL because it's shared with other manifests. Right now, I'd have to copy them to the Authelia secret which isn't the most flexible way. Appreciate your work btw! |
This is not the case. The environment variables can potentially be read by processes either within the same k8s node or on the host OS. The manner in which they are read is substantially easier than files. The main reason we implemented the
I can somewhat understand this, however that was why the beta process was undertaken with this chart it had substantial changes around secrets and I wanted to ensure they made more sense than before. Nearly all the feedback suggested they were, probably all of it in fact until now. I suppose I can't really convince anyone to come around to a more beneficial approach for everyone including themselves, I can only just hope and not let it concern me if it doesn't occur. C'est la vie.
This is one of the elements that the new secret config should support. Feel free to open a discussion and I'll try to find some time to help or you can keep an eye on developments here. |
Obviously it's your chart and I see that a lot of effort has been made going to v0.9. Glad to hear feedback around the secret changes were positives in general, which must mean that people saw the added value of the new setup. From my perspective I went from setting I'll give a simple example. I set As I said I've got a whole bunch of apps running, all deployed using helm charts. None of them have such a convoluted setup to get keys and values referenced from a single secret. Sorry if I'm sounding harsh, I just wanted to give my perspective as a dumb user and do appreciate being able to use your chart. and FYI, the beta process also didn't catch that the deployment template pulls in |
pod:
kind: Deployment
replicas: 1
domain: SNIP
image:
pullPolicy: Always
configMap:
log:
level: trace
keep_stdout: true
session:
redis:
enabled: false
cookies:
- domain: SNIP
subdomain: auth
authelia_url: 'https://auth.SNIP'
default_redirection_url: 'https://immich.SNIP'
name: 'authelia_session'
same_site: 'lax'
inactivity: '5m'
expiration: '1h'
remember_me: '1d'
access_control:
default_policy: deny
rules:
- domain: "*.SNIP"
policy: two_factor
- domain: "metube.SNIP"
policy: one_factor
storage:
postgres:
enabled: true
address: tcp://database.lan.SNIP:5432
database: authelia
schema: public
username: authelia
authentication_backend:
ldap:
enabled: true
implementation: custom
address: ldap://lldap-service.default.svc.cluster.local:3890
timeout: 15s
start_tls: false
base_dn: dc=SNIP
username_attribute: uid
additional_users_dn: ou=people
users_filter: "(&({username_attribute}={input})(objectClass=person))"
addditional_groups_dn: ou=groups
groups_filter: "(member={dn})"
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: uid=admin,ou=people,dc=SNIP
notifier:
disable_startup_check: false
filesystem:
enabled: false
smtp:
enabled: true
enabledSecret: true
startup_check_address: "SNIP"
address: smtp.gmail.com:587
username: SNIP
sender: SNIP
identity_providers:
oidc:
enabled: true
jwks: ## I am thoroughly confused on how to use secrets to set JWKS keys. I would need to read the chart much more fully than I did to figure it out.
- use: sig
key:
value: SNIP
clients:
- client_id: immich
description: Immich
authorization_policy: one_factor
public: false
client_secret: SNIP
redirect_uris:
- "app.immich:/"
- "https://immich.SNIP/auth/login"
- "https://immich.SNIP/user-settings"
scopes:
- openid
- profile
- email
ingress:
enabled: true
subdomain: auth
tls:
enabled: true
secret-name: 'authelia-tls'
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefikCRD:
enabled: true
disableIngressRoute: true
secret:
storage:
value: SNIP
smtp:
value: SNIP
jwt:
value: SNIP
ldap:
value: SNIP
# storageEncryptionKey also did not seem to get taken up? not sure what to make of that.
# storageEncryptionKey:
# value: SNIP
oidcHMACSecret:
value: SNIP This did create the secret, and set the IMO, I don't think forcing secret values to be stored in secrets and mounted as files is the wrong move - this is in line with what I do at my job - I think this might be more of an issue with documentation for the chart specifically? if any addtl information would help figure this out I'm happy to provide. |
I think potentially this is just lacking documentation. The secret values have moved similar to this for everything: https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml#L1361-L1383 I'll make a better response and fix the docs in a few days to a week, as well as make some adjustments to make debugging this kind of thing easier. |
Ah, if I'm understanding you correctly then the |
Yes correct. I will double check the docs it's possibly something I didn't explain or didn't explain properly. I'm also adding the ability to adjust the container command so that we can adjust it to just sleep so we can interactively debug this in the future. I'll also add a validation case if it's not provided, I think. |
Can I confirm that #269 clarifies this better? |
left a comment with feedback; I think what you added is good, but ambiguity around the term "configuration" might be confusing with the example being generic and general purpose. |
Thanks a lot. If there is anything else ambiguous in general we'd like to clear it up or make it more obvious where practical. |
@james-d-elliott - I finally found some time to get back to this and followed your recommendation to not pass the secrets on as env vars to the Authelia container. Pulled the latest chart (0.9.14) and still ended up spending a good hour getting it all running, even with all the available docs. So for anyone struggling getting secrets mounted using a single k8s secret resource, this is the config which allowed me to do so..
Things that threw me off:
Glad I got it working but it just feels so convoluted. |
Thanks for the feedback, are you willing to be involved in the process for fixing these issues? @elaurensx |
Hello.
Recently we decided to upgrade to from v0.8.54 to v0.9.5. After reading and following the BREAKING.md guidelines on the major changes we are still unable to install the chart due to the following error:
The error message shows that the username and the password are not being detected for the postgres configuration. This could be for multiple reasons:
/secrets/authelia-secrets
Here are the configuration for these storage section:
And the secrets are applied and mapped properly as well.
authelia-secrets
The text was updated successfully, but these errors were encountered: