From 0b1d3080672918b5d7b96ef8ab71d5cb2a69996b Mon Sep 17 00:00:00 2001 From: James Elliott Date: Thu, 5 Aug 2021 15:00:21 +1000 Subject: [PATCH] feat(authelia): authelia 4.30.0 (#90) Adds full support for Authelia 4.30.0. BREAKING CHANGE: This change breaks the old values file layout and requires you upgrade. See the chart README for details. --- charts/authelia/Chart.yaml | 4 +- charts/authelia/README.md | 17 +++++++ charts/authelia/templates/configMap.yaml | 55 ++++++++++++----------- charts/authelia/templates/deployment.yaml | 2 + charts/authelia/values.local.yaml | 40 +++++++++-------- charts/authelia/values.yaml | 54 +++++++++++----------- 6 files changed, 100 insertions(+), 72 deletions(-) diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml index 8294e72..6fcbf17 100644 --- a/charts/authelia/Chart.yaml +++ b/charts/authelia/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: authelia -version: 0.4.19 +version: 0.5.0 kubeVersion: ">= 1.13.0-0" description: Authelia is a Single Sign-On Multi-Factor portal for web apps type: application @@ -23,6 +23,6 @@ maintainers: email: james-d-elliott@users.noreply.github.com url: https://github.com/james-d-elliott icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4 -appVersion: 4.29.4 +appVersion: 4.30.0 deprecated: false annotations: {} diff --git a/charts/authelia/README.md b/charts/authelia/README.md index 8eb8f45..23d72d9 100644 --- a/charts/authelia/README.md +++ b/charts/authelia/README.md 
@@ -8,6 +8,23 @@ This chart uses api version 2 which is only supported by helm v3+. This is a *** deploy *Authelia* on its own. Eventually we may publish an `authelia-bundle` chart which includes `redis` and `postgresql`. +# Breaking Changes + +During the beta we will generally not be documenting breaking chart changes but there are exceptions and they are noted +below. + +## 0.5.0 + +- Does not support Authelia versions lower than 4.30.0 +- Had several changes to the values.yaml file, specifically: + - configMap.port is now configMap.server.port + - configMap.log_level is now configMap.log.level + - configMap.log_format is now configMap.log.format + - configMap.log_file_path is now configMap.log.file_path + +See the [official migration documentation](https://www.authelia.com/docs/configuration/migration.html#4300) +(not specific to Kubernetes) for more information. + # Getting Started 1. Visit https://charts.authelia.com and follow the instructions to install the chart repo. diff --git a/charts/authelia/templates/configMap.yaml b/charts/authelia/templates/configMap.yaml index 9a8c12a..7eaefb7 100644 --- a/charts/authelia/templates/configMap.yaml +++ b/charts/authelia/templates/configMap.yaml 
@@ -11,15 +11,28 @@ metadata: data: {{ default "configuration.yaml" .Values.configMap.key }}: | --- - host: 0.0.0.0 - port: {{ default 9091 .Values.configMap.port }} - theme: {{ default "light" .Values.configMap.theme }} - log_level: {{ default "info" .Values.configMap.log_level }} - default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.configMap.default_redirection_url }} {{- if (include "authelia.enabled.certificatesSecret" .) }} certificates_directory: /certificates {{- end }} - server: {{ toYaml .Values.configMap.server | nindent 6 }} + theme: {{ default "light" .Values.configMap.theme }} + default_redirection_url: {{ default (printf "https://www.%s" .Values.domain) .Values.configMap.default_redirection_url }} + server: + host: 0.0.0.0 + port: {{ default 9091 .Values.configMap.server.port }} + {{- if not (eq "" (default "" .Values.configMap.server.path)) }} + path: {{ .Values.configMap.server.path }} + {{- end }} + read_buffer_size: {{ default 4096 .Values.configMap.server.read_buffer_size }} + write_buffer_size: {{ default 4096 .Values.configMap.server.write_buffer_size }} + enable_pprof: {{ default false .Values.configMap.server.enable_pprof }} + enable_expvars: {{ default false .Values.configMap.server.enable_expvars }} + log: + level: {{ default "info" .Values.configMap.log.level }} + format: {{ default "text" .Values.configMap.log.format }} + {{- if not (eq "" (default "" .Values.configMap.log.file_path)) }} + file_path: {{ .Values.configMap.log.file_path }} + keep_stdout: true + {{- end }} totp: issuer: {{ default .Values.domain .Values.configMap.totp.issuer }} period: {{ default 30 .Values.configMap.totp.period }} 
@@ -154,24 +167,13 @@ data: {{- if .Values.configMap.identity_providers.oidc.enabled }} identity_providers: oidc: - {{- if hasKey .Values.configMap.identity_providers.oidc "access_token_lifespan" }} - access_token_lifespan: {{ .Values.configMap.identity_providers.oidc.access_token_lifespan }} - {{- end }} - {{- if hasKey .Values.configMap.identity_providers.oidc "authorize_code_lifespan" }} - authorize_code_lifespan: {{ .Values.configMap.identity_providers.oidc.authorize_code_lifespan }} - {{- end }} - {{- if hasKey .Values.configMap.identity_providers.oidc "id_token_lifespan" }} - id_token_lifespan: {{ .Values.configMap.identity_providers.oidc.id_token_lifespan }} - {{- end }} - {{- if hasKey .Values.configMap.identity_providers.oidc "refresh_token_lifespan" }} - refresh_token_lifespan: {{ .Values.configMap.identity_providers.oidc.refresh_token_lifespan }} - {{- end }} - {{- if hasKey .Values.configMap.identity_providers.oidc "enable_client_debug_messages" }} - enable_client_debug_messages: {{ .Values.configMap.identity_providers.oidc.enable_client_debug_messages }} - {{- end }} - {{- if hasKey .Values.configMap.identity_providers.oidc "minimum_parameter_entropy" }} - minimum_parameter_entropy: {{ .Values.configMap.identity_providers.oidc.minimum_parameter_entropy }} - {{- end }} + access_token_lifespan: {{ default "1h" .Values.configMap.identity_providers.oidc.access_token_lifespan }} + authorize_code_lifespan: {{ default "1m" .Values.configMap.identity_providers.oidc.authorize_code_lifespan }} + id_token_lifespan: {{ default "1h" .Values.configMap.identity_providers.oidc.id_token_lifespan }} + refresh_token_lifespan: {{ default "90m" .Values.configMap.identity_providers.oidc.refresh_token_lifespan }} + enable_client_debug_messages: {{ default false .Values.configMap.identity_providers.oidc.enable_client_debug_messages }} + minimum_parameter_entropy: {{ default 8 .Values.configMap.identity_providers.oidc.minimum_parameter_entropy }} + {{- if gt (len 
.Values.configMap.identity_providers.oidc.clients) 0 }} clients: {{- range $client := .Values.configMap.identity_providers.oidc.clients }} - id: {{ $client.id }} @@ -191,9 +193,8 @@ data: {{- if hasKey $client "response_modes" }} response_modes: {{ toYaml $client.response_modes | nindent 10 }} {{- end }} - {{- if hasKey $client "userinfo_signing_algorithm" }} - userinfo_signing_algorithm: {{ $client.userinfo_signing_algorithm }} - {{- end }} + userinfo_signing_algorithm: {{ default "none" $client.userinfo_signing_algorithm }} + {{- end }} {{- end }} {{- end }} access_control: diff --git a/charts/authelia/templates/deployment.yaml b/charts/authelia/templates/deployment.yaml index b6ea067..e32e263 100644 --- a/charts/authelia/templates/deployment.yaml +++ b/charts/authelia/templates/deployment.yaml @@ -105,6 +105,8 @@ spec: resources: {{ toYaml $resources | nindent 10 }} {{- end }} env: + - name: AUTHELIA_SERVER_DISABLE_HEALTHCHECK + value: "true" - name: AUTHELIA_JWT_SECRET_FILE value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "jwt") .) }} - name: AUTHELIA_SESSION_SECRET_FILE diff --git a/charts/authelia/values.local.yaml b/charts/authelia/values.local.yaml index 0a1a819..53e1df8 100644 --- a/charts/authelia/values.local.yaml +++ b/charts/authelia/values.local.yaml @@ -19,7 +19,7 @@ image: # registry: docker.io registry: ghcr.io repository: authelia/authelia - tag: 4.29.4 + tag: 4.30.0 pullPolicy: IfNotPresent pullSecrets: [] # pullSecrets: 
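Review bot: `minimum_parameter_entropy: {{ default 8 ... }}` cannot pass a zero through, because Sprig's `default` treats `0` (like `false` and `""`) as unset, so a user who sets `minimum_parameter_entropy: 0` silently gets 8. Given the SECURITY NOTICE in values that is the safe direction, but if Authelia assigns meaning to 0 or a negative value for this option (not visible on this page) the chart cannot express it; keeping the removed `{{- if hasKey .Values.configMap.identity_providers.oidc "minimum_parameter_entropy" }}` guard for this one key, or using `ternary`, preserves user intent. The same `default` semantics make `enable_client_debug_messages` here and `enable_pprof`/`enable_expvars` in the first hunk correct only because their default is `false`; a `{{/* default treats 0/false/"" as unset */}}` comment would stop a future `default true` flag from being written the same way. The per-client `range` body that this hunk opens continues into the next hunk.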
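Review bot: `userinfo_signing_algorithm` now renders for every client with `none` when unset, but the accompanying `{{- end }}` raises the number of closers after the per-client body from two (what the removed `hasKey` guard left) to three, so the `range`, `gt (len ...)` and `enabled` openers from the previous hunk must each close exactly here; worth confirming with `helm template` that the old and new template both parse, since the opener side of this block is outside this hunk. A short template comment on the new line, `{{/* "none" is Authelia's documented default; assumes the userinfo response is then unsigned — confirm */}}`, would record why the default is chosen rather than leaving the key out as before. The value is emitted unquoted, which is fine for `none`/`RS256` but `| quote` would keep any future value a string.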
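Review bot: The new `AUTHELIA_SERVER_DISABLE_HEALTHCHECK` entry carries no comment saying why the image's built-in health check is turned off, and as an environment variable it likely takes precedence over any `server.disable_healthcheck` a user puts in the config map, so there is no values-level way back. Presumably the chart's readiness/liveness probes (values.yaml refers to "the probes" on `server.port`) take over that role; a one-line comment above the entry, `# Kubernetes probes replace the image's own health check; the env var overrides the config file`, would record both facts. The `env:` list continues past the hunk.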
@@ -411,13 +411,16 @@ configMap: ## Must be alphanumeric chars and should not contain any slashes. path: "" - ## Level of verbosity for logs: info, debug, trace. - log_level: info - ## Format the logs are written as: json, text. - log_format: text - ## TODO: Statefulness check should check if this is set, and the configMap should enable it. - ## File path where the logs will be written. If not set logs are written to stdout. - # log_file_path: /config/authelia.log + log: + ## Level of verbosity for logs: info, debug, trace. + level: info + + ## Format the logs are written as: json, text. + format: text + + ## TODO: Statefulness check should check if this is set, and the configMap should enable it. + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: /config/authelia.log ## Default redirection URL ## @@ -904,18 +907,19 @@ configMap: identity_providers: oidc: ## Enables this in the config map. Currently in beta stage. + ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap enabled: false - # access_token_lifespan: 1h - # authorize_code_lifespan: 1m - # id_token_lifespan: 1h - # refresh_token_lifespan: 720h + access_token_lifespan: 1h + authorize_code_lifespan: 1m + id_token_lifespan: 1h + refresh_token_lifespan: 90m - # enable_client_debug_messages: false + enable_client_debug_messages: false ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for ## security reasons. - # minimum_parameter_entropy: 8 + minimum_parameter_entropy: 8 clients: [] # clients: @@ -935,10 +939,6 @@ configMap: ## The policy to require for this client; one_factor or two_factor. # authorization_policy: two_factor - ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. - # redirect_uris: - # - https://oidc.example.com/oauth2/callback - ## Audience this client is allowed to request. # audience: [] 
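Review bot: The `file_path` comment does not say that, when the key is set, the config map template also emits `keep_stdout: true` unconditionally (configMap.yaml hunk above), so logs go to both the file and stdout with no switch in values; the comment should state it, e.g. `## When set, the chart also keeps writing logs to stdout (keep_stdout: true) so kubectl logs still works.` The same applies to the identical hunk in values.yaml at `@@ -409,13 +409,16 @@`. The `## TODO: Statefulness check` line survives the restructure; presumably a file path inside a Deployment without persistent storage is lost on restart, which is the point the TODO is about and is worth stating plainly next to the example path.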
@@ -949,6 +949,10 @@ configMap: # - email # - groups + ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. + # redirect_uris: + # - https://oidc.example.com/oauth2/callback + ## Grant Types configures which grants this client can obtain. ## It's not recommended to configure this unless you know what you're doing. # grant_types: diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml index f1be591..81c71ee 100644 --- a/charts/authelia/values.yaml +++ b/charts/authelia/values.yaml @@ -18,7 +18,7 @@ image: # registry: docker.io registry: ghcr.io repository: authelia/authelia - tag: 4.29.4 + tag: 4.30.0 pullPolicy: IfNotPresent pullSecrets: [] # pullSecrets: @@ -389,16 +389,16 @@ configMap: existingConfigMap: "" - ## - ## Port sets the configured port for the daemon, service, and the probes. - ## Default is 9091 and should not need to be changed. - ## - port: 9091 - ## ## Server Configuration ## server: + ## + ## Port sets the configured port for the daemon, service, and the probes. + ## Default is 9091 and should not need to be changed. + ## + port: 9091 + ## Buffers usually should be configured to be the same value. ## Explanation at https://www.authelia.com/docs/configuration/server.html ## Read buffer size adjusts the server's max incoming request size in bytes. 
@@ -409,13 +409,16 @@ configMap: ## Must be alphanumeric chars and should not contain any slashes. path: "" - ## Level of verbosity for logs: info, debug, trace. - log_level: info - ## Format the logs are written as: json, text. - log_format: text - ## TODO: Statefulness check should check if this is set, and the configMap should enable it. - ## File path where the logs will be written. If not set logs are written to stdout. - # log_file_path: /config/authelia.log + log: + ## Level of verbosity for logs: info, debug, trace. + level: info + + ## Format the logs are written as: json, text. + format: text + + ## TODO: Statefulness check should check if this is set, and the configMap should enable it. + ## File path where the logs will be written. If not set logs are written to stdout. + # file_path: /config/authelia.log ## Default redirection URL ## @@ -902,18 +905,19 @@ configMap: identity_providers: oidc: ## Enables this in the config map. Currently in beta stage. - enabled: true + ## See https://www.authelia.com/docs/configuration/identity-providers/oidc.html#roadmap + enabled: false - # access_token_lifespan: 1h - # authorize_code_lifespan: 1m - # id_token_lifespan: 1h - # refresh_token_lifespan: 720h + access_token_lifespan: 1h + authorize_code_lifespan: 1m + id_token_lifespan: 1h + refresh_token_lifespan: 90m - # enable_client_debug_messages: false + enable_client_debug_messages: false ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for ## security reasons. - # minimum_parameter_entropy: 8 + minimum_parameter_entropy: 8 clients: [] # clients: @@ -933,10 +937,6 @@ configMap: ## The policy to require for this client; one_factor or two_factor. # authorization_policy: two_factor - ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. - # redirect_uris: - # - https://oidc.example.com/oauth2/callback - ## Audience this client is allowed to request. # audience: [] 
@@ -947,6 +947,10 @@ configMap: # - email # - groups + ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. + # redirect_uris: + # - https://oidc.example.com/oauth2/callback + ## Grant Types configures which grants this client can obtain. ## It's not recommended to configure this unless you know what you're doing. # grant_types: