feat(authelia): authelia 4.30.0 (#90)

Adds full support for Authelia 4.30.0. BREAKING CHANGE: This change breaks the old values file layout and requires you upgrade. See the chart README for details.
authelia · Aug 5, 2021 · 0b1d308 · 0b1d308
1 parent 62bb3a5
commit 0b1d308
Show file tree

Hide file tree

Showing 6 changed files with 100 additions and 72 deletions.
diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.4.19
+version: 0.5.0
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application
@@ -23,6 +23,6 @@ maintainers:
     email: [email protected]
     url: https://github.com/james-d-elliott
 icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4
-appVersion: 4.29.4
+appVersion: 4.30.0
 deprecated: false
 annotations: {}
diff --git a/charts/authelia/README.md b/charts/authelia/README.md
@@ -8,6 +8,23 @@ This chart uses api version 2 which is only supported by helm v3+. This is a ***
 deploy *Authelia* on its own. Eventually we may publish an `authelia-bundle` chart which includes `redis` and
 `postgresql`.
 
+# Breaking Changes
+
+During the beta we will generally not be documenting breaking chart changes but there are exceptions and they are noted
+below.
+
+## 0.5.0
+
+- Does not support Authelia versions lower than 4.30.0
+- Had several changes to the values.yaml file, specifically:
+  - configMap.port is now configMap.server.port
+  - configMap.log_level is now configMap.log.level
+  - configMap.log_format is now configMap.log.format
+  - configMap.log_file_path is now configMap.log.file_path
+
+See the [official migration documentation](https://www.authelia.com/docs/configuration/migration.html#4300) 
+(not specific to Kubernetes) for more information.
+
 # Getting Started
 
 1. Visit https://charts.authelia.com and follow the instructions to install the chart repo.

diff --git a/charts/authelia/templates/configMap.yaml b/charts/authelia/templates/configMap.yaml
@@ -11,15 +11,28 @@ metadata:
 data:
   {{ default "configuration.yaml" .Values.configMap.key }}: |
     ---
-    host: 0.0.0.0
-    port: {{ default 9091 .Values.configMap.port }}
-    theme: {{ default "light" .Values.configMap.theme }}
-    log_level: {{ default "info" .Values.configMap.log_level  }}
-    default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.configMap.default_redirection_url }}
     {{- if (include "authelia.enabled.certificatesSecret" .) }}
     certificates_directory: /certificates
     {{- end }}
-    server: {{ toYaml .Values.configMap.server | nindent 6 }}
+    theme: {{ default "light" .Values.configMap.theme }}
+    default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.configMap.default_redirection_url }}
+    server:
+      host: 0.0.0.0
+      port: {{ default 9091 .Values.configMap.server.port }}
+      {{- if not (eq "" (default "" .Values.configMap.server.path)) }}
+      path: {{ .Values.configMap.server.path }}
+      {{- end }}
+      read_buffer_size: {{ default 4096 .Values.configMap.server.read_buffer_size }}
+      write_buffer_size: {{ default 4096 .Values.configMap.server.write_buffer_size }}
+      enable_pprof: {{ default false .Values.configMap.server.enable_pprof }}
+      enable_expvars: {{ default false .Values.configMap.server.enable_expvars }}
+    log:
+      level: {{ default "info" .Values.configMap.log.level }}
+      format: {{ default "text" .Values.configMap.log.format }}
+      {{- if not (eq "" (default "" .Values.configMap.log.file_path)) }}
+      file_path: {{ .Values.configMap.log.file_path }}
+      keep_stdout: true
+      {{- end }}
     totp:
       issuer: {{ default .Values.domain .Values.configMap.totp.issuer }}
       period: {{ default 30 .Values.configMap.totp.period }}
@@ -154,24 +167,13 @@ data:
     {{- if .Values.configMap.identity_providers.oidc.enabled }}
     identity_providers:
       oidc:
-        {{- if hasKey .Values.configMap.identity_providers.oidc "access_token_lifespan" }}
-        access_token_lifespan: {{ .Values.configMap.identity_providers.oidc.access_token_lifespan }}
-        {{- end }}
-        {{- if hasKey .Values.configMap.identity_providers.oidc "authorize_code_lifespan" }}
-        authorize_code_lifespan: {{ .Values.configMap.identity_providers.oidc.authorize_code_lifespan }}
-        {{- end }}
-        {{- if hasKey .Values.configMap.identity_providers.oidc "id_token_lifespan" }}
-        id_token_lifespan: {{ .Values.configMap.identity_providers.oidc.id_token_lifespan }}
-        {{- end }}
-        {{- if hasKey .Values.configMap.identity_providers.oidc "refresh_token_lifespan" }}
-        refresh_token_lifespan: {{ .Values.configMap.identity_providers.oidc.refresh_token_lifespan }}
-        {{- end }}
-        {{- if hasKey .Values.configMap.identity_providers.oidc "enable_client_debug_messages" }}
-        enable_client_debug_messages: {{ .Values.configMap.identity_providers.oidc.enable_client_debug_messages }}
-        {{- end }}
-        {{- if hasKey .Values.configMap.identity_providers.oidc "minimum_parameter_entropy" }}
-        minimum_parameter_entropy: {{ .Values.configMap.identity_providers.oidc.minimum_parameter_entropy }}
-        {{- end }}
+        access_token_lifespan: {{ default "1h" .Values.configMap.identity_providers.oidc.access_token_lifespan }}
+        authorize_code_lifespan: {{ default "1m" .Values.configMap.identity_providers.oidc.authorize_code_lifespan }}
+        id_token_lifespan: {{ default "1h" .Values.configMap.identity_providers.oidc.id_token_lifespan }}
+        refresh_token_lifespan: {{ default "90m" .Values.configMap.identity_providers.oidc.refresh_token_lifespan }}
+        enable_client_debug_messages: {{ default false .Values.configMap.identity_providers.oidc.enable_client_debug_messages }}
+        minimum_parameter_entropy: {{ default 8 .Values.configMap.identity_providers.oidc.minimum_parameter_entropy }}
+        {{- if gt (len .Values.configMap.identity_providers.oidc.clients) 0 }}
         clients:
     {{- range $client := .Values.configMap.identity_providers.oidc.clients }}
         - id: {{ $client.id }}
@@ -191,9 +193,8 @@ data:
           {{- if hasKey $client "response_modes" }}
           response_modes: {{ toYaml $client.response_modes | nindent 10 }}
           {{- end }}
-          {{- if hasKey $client "userinfo_signing_algorithm" }}
-          userinfo_signing_algorithm: {{ $client.userinfo_signing_algorithm }}
-          {{- end }}
+          userinfo_signing_algorithm: {{ default "none" $client.userinfo_signing_algorithm }}
+    {{- end }}
     {{- end }}
     {{- end }}
     access_control:

diff --git a/charts/authelia/templates/deployment.yaml b/charts/authelia/templates/deployment.yaml
@@ -105,6 +105,8 @@ spec:
         resources: {{ toYaml $resources | nindent 10 }}
         {{- end }}
         env:
+        - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK
+          value: "true"
         - name: AUTHELIA_JWT_SECRET_FILE
           value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "jwt") .) }}
         - name: AUTHELIA_SESSION_SECRET_FILE

diff --git a/charts/authelia/values.local.yaml b/charts/authelia/values.local.yaml
@@ -19,7 +19,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.29.4
+  tag: 4.30.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -411,13 +411,16 @@ configMap:
     ## Must be alphanumeric chars and should not contain any slashes.
     path: ""
 
-  ## Level of verbosity for logs: info, debug, trace.
-  log_level: info
-  ## Format the logs are written as: json, text.
-  log_format: text
-  ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
-  ## File path where the logs will be written. If not set logs are written to stdout.
-  # log_file_path: /config/authelia.log
+  log:
+    ## Level of verbosity for logs: info, debug, trace.
+    level: info
+
+    ## Format the logs are written as: json, text.
+    format: text
+
+    ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
+    ## File path where the logs will be written. If not set logs are written to stdout.
+    # file_path: /config/authelia.log
 
   ## Default redirection URL
   ##
@@ -904,18 +907,19 @@ configMap:
   identity_providers:
     oidc:
       ## Enables this in the config map. Currently in beta stage.
+      ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap
       enabled: false
 
-      # access_token_lifespan: 1h
-      # authorize_code_lifespan: 1m
-      # id_token_lifespan: 1h
-      # refresh_token_lifespan: 720h
+      access_token_lifespan: 1h
+      authorize_code_lifespan: 1m
+      id_token_lifespan: 1h
+      refresh_token_lifespan: 90m
 
-      # enable_client_debug_messages: false
+      enable_client_debug_messages: false
 
       ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
       ## security reasons.
-      # minimum_parameter_entropy: 8
+      minimum_parameter_entropy: 8
 
       clients: []
       # clients:
@@ -935,10 +939,6 @@ configMap:
         ## The policy to require for this client; one_factor or two_factor.
         # authorization_policy: two_factor
 
-        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
-        # redirect_uris:
-          # - https://oidc.example.com/oauth2/callback
-
         ## Audience this client is allowed to request.
         # audience: []
 
@@ -949,6 +949,10 @@ configMap:
         #   - email
         #   - groups
 
+        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
+        # redirect_uris:
+        # - https://oidc.example.com/oauth2/callback
+
         ## Grant Types configures which grants this client can obtain.
         ## It's not recommended to configure this unless you know what you're doing.
         # grant_types:

diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml
@@ -18,7 +18,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.29.4
+  tag: 4.30.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -389,16 +389,16 @@ configMap:
 
   existingConfigMap: ""
 
-  ##
-  ## Port sets the configured port for the daemon, service, and the probes.
-  ## Default is 9091 and should not need to be changed.
-  ##
-  port: 9091
-
   ##
   ## Server Configuration
   ##
   server:
+    ##
+    ## Port sets the configured port for the daemon, service, and the probes.
+    ## Default is 9091 and should not need to be changed.
+    ##
+    port: 9091
+
     ## Buffers usually should be configured to be the same value.
     ## Explanation at https://www.authelia.com/docs/configuration/server.html
     ## Read buffer size adjusts the server's max incoming request size in bytes.
@@ -409,13 +409,16 @@ configMap:
     ## Must be alphanumeric chars and should not contain any slashes.
     path: ""
 
-  ## Level of verbosity for logs: info, debug, trace.
-  log_level: info
-  ## Format the logs are written as: json, text.
-  log_format: text
-  ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
-  ## File path where the logs will be written. If not set logs are written to stdout.
-  # log_file_path: /config/authelia.log
+  log:
+    ## Level of verbosity for logs: info, debug, trace.
+    level: info
+
+    ## Format the logs are written as: json, text.
+    format: text
+
+    ## TODO: Statefulness check should check if this is set, and the configMap should enable it.
+    ## File path where the logs will be written. If not set logs are written to stdout.
+    # file_path: /config/authelia.log
 
   ## Default redirection URL
   ##
@@ -902,18 +905,19 @@ configMap:
   identity_providers:
     oidc:
       ## Enables this in the config map. Currently in beta stage.
-      enabled: true
+      ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap
+      enabled: false
 
-      # access_token_lifespan: 1h
-      # authorize_code_lifespan: 1m
-      # id_token_lifespan: 1h
-      # refresh_token_lifespan: 720h
+      access_token_lifespan: 1h
+      authorize_code_lifespan: 1m
+      id_token_lifespan: 1h
+      refresh_token_lifespan: 90m
 
-      # enable_client_debug_messages: false
+      enable_client_debug_messages: false
 
       ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
       ## security reasons.
-      # minimum_parameter_entropy: 8
+      minimum_parameter_entropy: 8
 
       clients: []
       # clients:
@@ -933,10 +937,6 @@ configMap:
           ## The policy to require for this client; one_factor or two_factor.
           # authorization_policy: two_factor
 
-          ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
-          # redirect_uris:
-          #   - https://oidc.example.com/oauth2/callback
-
           ## Audience this client is allowed to request.
           # audience: []
 
@@ -947,6 +947,10 @@ configMap:
           #   - email
           #   - groups
 
+          ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
+          # redirect_uris:
+          #   - https://oidc.example.com/oauth2/callback
+
           ## Grant Types configures which grants this client can obtain.
           ## It's not recommended to configure this unless you know what you're doing.
           # grant_types: