feat(authelia): secret lookups (#110)

This adds support for secret lookups and the upcoming 4.33.0 binary.

charts/authelia/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.6.4
+version: 0.7.0
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application
@@ -23,6 +23,6 @@ maintainers:
     email: [email protected]
     url: https://github.com/james-d-elliott
 icon: https://avatars2.githubusercontent.com/u/59122411?s=200&v=4
-appVersion: 4.31.0
+appVersion: 4.33.0
 deprecated: false
 annotations: {}

charts/authelia/README.md

@@ -144,6 +144,7 @@ The `*` below can be one of any of the following values:
 - jwt
 - ldap
 - storage
+- storageEncryptionKey
 - session
 - duo
 - redis

charts/authelia/templates/NOTES.txt

@@ -1,10 +1,10 @@
-Thank you for installing the {{ include "authelia.chart" . }} Chart.
+Thank you for installing the {{ include "authelia.chart" . }} chart.
 
 Please report any chart issues at https://github.com/authelia/chartrepo/issues and any application issues at https://github.com/authelia/authelia/issues.
 
-The helm release name is {{ .Release.Name }}.
+IMPORTANT: This chart automatically generated an encryption key for sensitive data in your database. Please ensure you backup this key.
 
-{{- if (include "authelia.enabled.ingress.standard" .) }}
+{{ if (include "authelia.enabled.ingress.standard" .) -}}
 You have selected to use a regular ingress.
 
 You should be able to access Authelia soon via https://{{ include "authelia.ingressHostWithPath" . }} if everything is configured correctly in your values and the DNS record points to the correct location.
@@ -20,7 +20,7 @@ The following are the suggested annotations for 'ingress-nginx':
     nginx.ingress.kubernetes.io/configuration-snippet: |
       proxy_set_header X-Forwarded-Method $request_method;
 
-{{- else if (include "authelia.enabled.ingress.traefik" .) }}
+{{ else if (include "authelia.enabled.ingress.traefik" .) -}}
 You have selected the Traefik CRD to deploy the ingress.
 
 If you wish to protect an IngressRoute apply the following middleware:
@@ -35,8 +35,8 @@ If you wish to protect a regular Ingress apply the following annotation:
       traefik.ingress.kubernetes.io/router.middlewares: {{ (printf "%s-%s@kubernetescrd" .Release.Namespace (include "authelia.ingress.traefikCRD.middleware.name.chainIngress" .)) }}
 
 You should be able to access Authelia soon via https://{{ include "authelia.ingressHostWithPath" . }} if everything is configured correctly in your values and the DNS record points to the correct location.
-{{- else -}}
+{{ else -}}
 You have not installed an ingress which you can do manually by specifying {{ include "authelia.name" . }} as the service and {{ include "authelia.service.port" . }} as the port.
-{{- end -}}
+{{- end }}
 
 You can also direct your ingress to use the following path for forward auth: {{ include "authelia.forwardAuthPath" (merge (dict "Namespace" .Release.Namespace) .) }}.

charts/authelia/templates/_helpers.tpl

@@ -67,36 +67,6 @@ Returns true if pod is stateful.
     {{- end -}}
 {{- end -}}
 
-{{/*
-Returns true if smtp is enabled.
-*/}}
-{{- define "authelia.configured.smtp" -}}
-    {{- if .Values.configMap -}}
-        {{- if .Values.configMap.notifier -}}
-            {{- if .Values.configMap.notifier.smtp -}}
-                {{- if .Values.configMap.notifier.smtp.enabled -}}
-                    {{- true -}}
-                {{- end -}}
-            {{- end -}}
-        {{- end -}}
-    {{- end -}}
-{{- end -}}
-
-{{/*
-Returns true if smtp secret is configured.
-*/}}
-{{- define "authelia.configured.smtpSecret" -}}
-    {{- if .Values.secret -}}
-        {{- if .Values.secret.smtp -}}
-            {{- if hasKey .Values.secret.smtp "value" -}}
-                {{- if not (eq .Values.secret.smtp.value "") -}}
-                    {{- true -}}
-                {{- end -}}
-            {{- end -}}
-        {{- end -}}
-    {{- end -}}
-{{- end -}}
-
 {{/*
 Returns true if duo is enabled.
 */}}
@@ -386,6 +356,12 @@ Returns the value of .SecretValue or a randomly generated one
 {{- define "authelia.secret.standard" -}}
     {{- if and .SecretValue (not (eq .SecretValue "")) -}}
         {{- .SecretValue | b64enc -}}
+    {{- else if and .LookupValue -}}
+        {{- if (not (eq .LookupValue "")) -}}
+            {{- .LookupValue -}}
+        {{- else -}}
+            {{- randAlphaNum 128 | b64enc -}}
+        {{- end -}}
     {{- else -}}
         {{- randAlphaNum 128 | b64enc -}}
     {{- end -}}
@@ -403,6 +379,8 @@ Returns the mountPath of the secrets.
         {{- default "JWT_TOKEN" .Values.secret.jwt.filename -}}
     {{- else if eq .Secret "storage" -}}
         {{- default "STORAGE_PASSWORD" .Values.secret.storage.filename -}}
+    {{- else if eq .Secret "storageEncryptionKey" -}}
+        {{- default "STORAGE_ENCRYPTION_KEY" .Values.secret.storageEncryptionKey.filename -}}
     {{- else if eq .Secret "session" -}}
         {{- default "SESSION_ENCRYPTION_KEY" .Values.secret.session.filename -}}
     {{- else if eq .Secret "ldap" -}}
@@ -490,6 +468,13 @@ Returns the rollingUpdate spec
                 {{- $_ := set $result "partition" (default 0 .Values.pod.strategy.rollingUpdate.partition) -}}
             {{- end -}}
         {{- end -}}
+    {{- else if eq "DaemonSet" (include "authelia.pod.kind" .) -}}
+        {{ $result = dict "maxUnavailable" "25%" }}
+        {{- if .Values.pod.strategy -}}
+            {{- if .Values.pod.strategy.rollingUpdate -}}
+                {{- $_ := set $result "maxUnavailable" (default "25%" .Values.pod.strategy.rollingUpdate.maxUnavailable) -}}
+            {{- end -}}
+        {{- end -}}
     {{- else -}}
         {{ $result = dict "maxSurge" "25%" "maxUnavailable" "25%" }}
         {{- if .Values.pod.strategy -}}

charts/authelia/templates/configMap.yaml

@@ -152,9 +152,20 @@ data:
         host: {{ $storage.postgres.host }}
         port: {{ default 5432 $storage.postgres.port }}
         database: {{ default "authelia" $storage.postgres.database }}
+        schema: {{ default "public" $storage.postgres.schema }}
         username: {{ default "authelia" $storage.postgres.username }}
         timeout: {{ default "5s" $storage.postgres.timeout }}
-        sslmode: {{ default "disable" $storage.postgres.sslmode }}
+        ssl:
+          mode: {{ default "disable" $storage.postgres.sslmode }}
+          {{- if and $storage.postgres.ssl.root_certificate (not (eq $storage.postgres.ssl.root_certificate "")) }}
+          root_certificate: {{ $storage.postgres.ssl.root_certificate }}
+          {{- end }}
+          {{- if and $storage.postgres.ssl.certificate (not (eq $storage.postgres.ssl.certificate "")) }}
+          certificate: {{ $storage.postgres.ssl.certificate }}
+          {{- end }}
+          {{- if and $storage.postgres.ssl.key (not (eq $storage.postgres.ssl.key "")) }}
+          key: {{ $storage.postgres.ssl.key }}
+          {{- end }}
     {{- end }}
     {{- end }}
     {{- with $notifier := .Values.configMap.notifier }}

charts/authelia/templates/deployment.yaml

@@ -114,10 +114,12 @@ spec:
         - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
           value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "ldap") .) }}
           {{- end }}
-          {{- if or (include "authelia.configured.smtp" .) (include "authelia.configured.smtpSecret" .) }}
+          {{- if and .Values.configMap.notifier.smtp.enabled .Values.configMap.notifier.smtp.enabledSecret }}
         - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
           value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "smtp") .) }}
           {{- end }}
+        - name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+          value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "storageEncryptionKey") .) }}
           {{- if .Values.configMap.storage.postgres.enabled }}
         - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
           value: {{ include "authelia.secret.fullPath" (merge (dict "Secret" "storage") .) }}
@@ -218,6 +220,8 @@ spec:
             path: {{ include "authelia.secret.path" (merge (dict "Secret" "jwt") .) }}
           - key: {{ default "SESSION_ENCRYPTION_KEY" .Values.secret.session.key }}
             path: {{ include "authelia.secret.path" (merge (dict "Secret" "session") .) }}
+          - key: {{ default "STORAGE_ENCRYPTION_KEY" .Values.secret.storageEncryptionKey.key }}
+            path: {{ include "authelia.secret.path" (merge (dict "Secret" "storageEncryptionKey") .) }}
             {{- if or .Values.configMap.storage.postgres.enabled .Values.configMap.storage.mysql.enabled }}
           - key: {{ default "STORAGE_PASSWORD" .Values.secret.storage.key }}
             path: {{ include "authelia.secret.path" (merge (dict "Secret" "storage") .) }}
@@ -226,7 +230,7 @@ spec:
           - key: {{ default "LDAP_PASSWORD" .Values.secret.ldap.key }}
             path: {{ include "authelia.secret.path" (merge (dict "Secret" "ldap") .) }}
             {{- end }}
-            {{- if or (include "authelia.configured.smtp" .) (include "authelia.configured.smtpSecret" .) }}
+            {{- if and .Values.configMap.notifier.smtp.enabled .Values.configMap.notifier.smtp.enabledSecret }}
           - key: {{ default "SMTP_PASSWORD" .Values.secret.smtp.key }}
             path: {{ include "authelia.secret.path" (merge (dict "Secret" "smtp") .) }}
             {{- end }}

charts/authelia/templates/secret.yaml

@@ -1,4 +1,6 @@
 {{ if (include "authelia.enabled.secret" .) -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "authelia.name" .)) | default dict -}}
+{{- $secretData := $secret.data | default dict -}}
 ---
 apiVersion: v1
 kind: Secret
@@ -10,28 +12,29 @@ metadata:
   annotations: {{ $annotations | nindent 4 }}
   {{- end }}
 data:
-  {{- .Values.secret.jwt.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.jwt.value) .) }}
-    {{- .Values.secret.session.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.session.value) .) }}
+    {{- .Values.secret.jwt.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.jwt.key) "SecretValue" .Values.secret.jwt.value) .) }}
+    {{- .Values.secret.session.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.session.key) "SecretValue" .Values.secret.session.value) .) }}
     {{- if or .Values.configMap.storage.postgres.enabled .Values.configMap.storage.mysql.enabled }}
-    {{- .Values.secret.storage.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.storage.value) .) }}
+    {{- .Values.secret.storage.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.storage.key) "SecretValue" .Values.secret.storage.value) .) }}
     {{- end }}
+    {{- .Values.secret.storageEncryptionKey.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.storageEncryptionKey.key) "SecretValue" .Values.secret.storageEncryptionKey.value) .) }}
     {{- if .Values.configMap.authentication_backend.ldap.enabled }}
-    {{- .Values.secret.ldap.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.ldap.value) .) }}
+    {{- .Values.secret.ldap.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.ldap.key) "SecretValue" .Values.secret.ldap.value) .) }}
     {{- end }}
     {{- if and .Values.configMap.session.redis.enabled .Values.configMap.session.redis.enabledSecret }}
-    {{- .Values.secret.redis.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.redis.value) .) }}
+    {{- .Values.secret.redis.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.redis.key) "SecretValue" .Values.secret.redis.value) .) }}
     {{- if and .Values.configMap.session.redis.high_availability.enabled .Values.configMap.session.redis.high_availability.enabledSecret }}
-    {{- .Values.secret.redisSentinel.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.redisSentinel.value) .) }}
+    {{- .Values.secret.redisSentinel.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.redisSentinel.key) "SecretValue" .Values.secret.redisSentinel.value) .) }}
     {{- end }}
     {{- end }}
-    {{- if or (include "authelia.configured.smtp" .) (include "authelia.configured.smtpSecret" .) }}
-    {{- .Values.secret.smtp.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.smtp.value) .) }}
+    {{- if and .Values.configMap.notifier.smtp.enabled .Values.configMap.notifier.smtp.enabledSecret }}
+    {{- .Values.secret.smtp.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "LookupValue" (get $secretData .Values.secret.smtp.key) "SecretValue" .Values.secret.smtp.value) .) }}
     {{- end }}
     {{- if or (include "authelia.configured.duo" .) (include "authelia.configured.duoSecret" .) }}
     {{- .Values.secret.duo.key | nindent 2 }}: {{ .Values.secret.duo.value | b64enc }}
     {{- end }}
     {{- if .Values.configMap.identity_providers.oidc.enabled }}
-    {{- .Values.secret.oidcHMACSecret.key | nindent 2}}: {{ default (randAlphaNum 32) .Values.secret.oidcHMACSecret.value | b64enc }}
-    {{- .Values.secret.oidcPrivateKey.key | nindent 2}}: {{ default (genPrivateKey "rsa") .Values.secret.oidcPrivateKey.value | b64enc }}
+    {{- .Values.secret.oidcHMACSecret.key | nindent 2}}: {{ default (randAlphaNum 32) default (get $secretData .Values.secret.oidcHMACSecret.key) .Values.secret.oidcHMACSecret.value | b64enc }}
+    {{- .Values.secret.oidcPrivateKey.key | nindent 2}}: {{ default (genPrivateKey "rsa") default (get $secretData .Values.secret.oidcPrivateKey.key) .Values.secret.oidcPrivateKey.value | b64enc }}
   {{- end }}
 {{- end -}}

charts/authelia/values.local.yaml

@@ -19,7 +19,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.31.0
+  tag: 4.33.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -1042,6 +1042,10 @@ secret:
     key: STORAGE_PASSWORD
     value: ""
     filename: STORAGE_PASSWORD
+  storageEncryptionKey:
+    key: STORAGE_ENCRYPTION_KEY
+    value: ""
+    filename: STORAGE_ENCRYPTION_KEY
   session:
     key: SESSION_ENCRYPTION_KEY
     value: ""

charts/authelia/values.yaml

@@ -18,7 +18,7 @@ image:
   # registry: docker.io
   registry: ghcr.io
   repository: authelia/authelia
-  tag: 4.31.0
+  tag: 4.33.0
   pullPolicy: IfNotPresent
   pullSecrets: []
   # pullSecrets:
@@ -872,8 +872,13 @@ configMap:
       host: 127.0.0.1
       port: 5432
       database: authelia
+      schema: public
       username: authelia
-      sslmode: disable
+      ssl:
+        mode: disable
+        root_certificate: ""
+        certificate: ""
+        key: ""
       timeout: 5s
 
   ##
@@ -1040,6 +1045,10 @@ secret:
     key: STORAGE_PASSWORD
     value: ""
     filename: STORAGE_PASSWORD
+  storageEncryptionKey:
+    key: STORAGE_ENCRYPTION_KEY
+    value: ""
+    filename: STORAGE_ENCRYPTION_KEY
   session:
     key: SESSION_ENCRYPTION_KEY
     value: ""