fix: using secrets only where required

charts/authelia/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.1.11
+version: 0.1.12
 kubeVersion: ">= 1.13.0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application

charts/authelia/templates/deployment.yaml

@@ -82,10 +82,12 @@ spec:
           env:
             - name: AUTHELIA_JWT_SECRET_FILE
               value: /usr/app/secrets/JWT_TOKEN
-            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
-              value: /usr/app/secrets/LDAP_PASSWORD
             - name: AUTHELIA_SESSION_SECRET_FILE
               value: /usr/app/secrets/SESSION_ENCRYPTION_KEY
+            {{- if .Values.configMap.authentication_backend.ldap }}
+            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+              value: /usr/app/secrets/LDAP_PASSWORD
+            {{- end }}
             {{- if .Values.configMap.storage.postgres }}
             - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
               value: /usr/app/secrets/STORAGE_PASSWORD
@@ -94,15 +96,15 @@ spec:
             - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
               value: /usr/app/secrets/STORAGE_PASSWORD
             {{- end }}
-            {{- if .Values.secret.smtp.enabled }}
+            {{- if include "authelia.configured.smtp" . }}
             - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
               value: /usr/app/secrets/SMTP_PASSWORD
             {{- end }}
-            {{- if and (.Values.configMap.session.redis) (.Values.secret.redis.enabled) }}
+            {{- if and (include "authelia.configured.redisSecret" .) (include "authelia.configured.redis" .) }}
             - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
               value: /usr/app/secrets/REDIS_PASSWORD
             {{- end }}
-            {{- if .Values.configMap.duo_api }}
+            {{- if and (include "authelia.configured.duoSecret" .) (include "authelia.configured.duo" .) }}
             - name: AUTHELIA_DUO_API_SECRET_KEY_FILE
               value: /usr/app/secrets/DUO_API_KEY
           {{- end }}
@@ -176,12 +178,16 @@ spec:
             items:
               - key: {{ default "JWT_TOKEN" .Values.secret.jwt.key }}
                 path: JWT_TOKEN
-              - key: {{ default "LDAP_PASSWORD" .Values.secret.ldap.key }}
-                path: LDAP_PASSWORD
               - key: {{ default "SESSION_ENCRYPTION_KEY" .Values.secret.session.key }}
                 path: SESSION_ENCRYPTION_KEY
+              {{- if or .Values.configMap.storage.postgres .Values.configMap.storage.mysql }}
               - key: {{ default "STORAGE_PASSWORD" .Values.secret.storage.key }}
                 path: STORAGE_PASSWORD
+              {{- end }}
+              {{- if .Values.configMap.authentication_backend.ldap }}
+              - key: {{ default "LDAP_PASSWORD" .Values.secret.ldap.key }}
+                path: LDAP_PASSWORD
+              {{- end }}
               {{- if .Values.secret.smtp.enabled }}
               - key: {{ default "SMTP_PASSWORD" .Values.secret.smtp.key }}
                 path: SMTP_PASSWORD

charts/authelia/templates/secret.yaml

@@ -12,8 +12,12 @@ metadata:
 data:
   {{- .Values.secret.jwt.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.jwt.value) .) }}
     {{- .Values.secret.session.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.session.value) .) }}
-    {{- .Values.secret.ldap.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.ldap.value) .) }}
+    {{- if or .Values.configMap.storage.postgres .Values.configMap.storage.mysql }}
     {{- .Values.secret.storage.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.storage.value) .) }}
+    {{- end }}
+    {{- if .Values.configMap.authentication_backend.ldap }}
+    {{- .Values.secret.ldap.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.ldap.value) .) }}
+    {{- end }}
     {{- if and (include "authelia.configured.redis" .) (include "authelia.configured.redisSecret" .) }}
     {{- .Values.secret.redis.key | nindent 2 }}: {{ include "authelia.secret.standard" (merge (dict "SecretValue" .Values.secret.redis.value) .) }}
     {{- end }}

charts/authelia/values.local.yaml

@@ -701,11 +701,6 @@ configMap:
     ## spy or attack. Currently the default is 1M or 1 month.
     remember_me_duration: 1M
 
-    ## The domain to protect.
-    ## Note: the authenticator must also be in that domain.
-    ## If empty, the cookie is restricted to the subdomain of the issuer.
-    domain: example.com
-
     ##
     ## Redis Provider
     ##

charts/authelia/values.yaml

@@ -1,4 +1,5 @@
 ---
+## @formatter:off
 ## values.yaml
 ##
 ## Repository: authelia https://charts.authelia.com
@@ -459,7 +460,7 @@ configMap:
     ## This backend allows Authelia to be scaled to more
     ## than one instance and therefore is recommended for
     ## production.
-    ldap:
+    # ldap:
       ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
       ## Acceptable options are as follows:
       ## - 'activedirectory' - For Microsoft Active Directory.
@@ -469,27 +470,27 @@ configMap:
       ## Depending on the option here certain other values in this section have a default value, notably all of the
       ## attribute mappings have a default value that this config overrides, you can read more about these default values
       ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
-      implementation: custom
+      # implementation: custom
 
       ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
       ## Scheme can be ldap or ldaps in the format (port optional).
-      url: ldap://openldap.default.svc.cluster.local
+      # url: ldap://openldap.default.svc.cluster.local
 
       ## Use StartTLS with the LDAP connection.
-      start_tls: false
+      # start_tls: false
 
-      tls:
+      # tls:
         ## Server Name for certificate validation (in case it's not set correctly in the URL).
         # server_name: ldap.example.com
 
         ## Skip verifying the server certificate (to allow a self-signed certificate).
-        skip_verify: false
+        # skip_verify: false
 
         ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
-        minimum_version: TLS1.2
+        # minimum_version: TLS1.2
 
       ## The base dn for every LDAP query.
-      base_dn: DC=example,DC=com
+      # base_dn: DC=example,DC=com
 
       ## The attribute holding the username of the user. This attribute is used to populate the username in the session
       ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
@@ -551,7 +552,7 @@ configMap:
       # display_name_attribute: displayname
 
       ## The username of the admin user.
-      user: CN=Authelia,DC=example,DC=com
+      # user: CN=Authelia,DC=example,DC=com
 
     ##
     ## File (Authentication Provider)
@@ -607,77 +608,9 @@ configMap:
     ## resource if there is no policy to be applied to the user.
     default_policy: deny
 
-    networks:
-      - name: internal
-        networks:
-          - 10.10.0.0/16
-          - 192.168.2.0/24
-      - name: VPN
-        networks: 10.9.0.0/16
-
-    rules:
-      ## Rules applied to everyone
-      - domain: public.example.com
-        policy: bypass
-
-      - domain: secure.example.com
-        policy: one_factor
-        ## Network based rule, if not provided any network matches.
-        networks:
-          - internal
-          - VPN
-          - 192.168.1.0/24
-          - 10.0.0.1
-
-      - domain:
-          - secure.example.com
-          - private.example.com
-        policy: two_factor
-
-      - domain: singlefactor.example.com
-        policy: one_factor
-
-      ## Rules applied to 'admins' group
-      - domain: "mx2.mail.example.com"
-        subject: "group:admins"
-        policy: deny
-
-      - domain: "*.example.com"
-        subject:
-          - "group:admins"
-          - "group:moderators"
-        policy: two_factor
-
-      ## Rules applied to 'dev' group
-      - domain: dev.example.com
-        resources:
-          - "^/groups/dev/.*$"
-        subject: "group:dev"
-        policy: two_factor
-
-      ## Rules applied to user 'john'
-      - domain: dev.example.com
-        resources:
-          - "^/users/john/.*$"
-        subject: "user:john"
-        policy: two_factor
-
-      ## Rules applied to user 'harry'
-      - domain: dev.example.com
-        resources:
-          - "^/users/harry/.*$"
-        subject: "user:harry"
-        policy: two_factor
-
-      ## Rules applied to user 'bob'
-      - domain: "*.mail.example.com"
-        subject: "user:bob"
-        policy: two_factor
-      - domain: "dev.example.com"
-        resources:
-          - "^/users/bob/.*$"
-        subject: "user:bob"
-        policy: two_factor
+    networks: []
+
+    rules: []
 
   ##
   ## Session Provider Configuration
@@ -701,22 +634,16 @@ configMap:
     ## spy or attack. Currently the default is 1M or 1 month.
     remember_me_duration: 1M
 
-    ## The domain to protect.
-    ## Note: the authenticator must also be in that domain.
-    ## If empty, the cookie is restricted to the subdomain of the issuer.
-    domain: example.com
-
     ##
     ## Redis Provider
     ##
     ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
     ##
-    redis:
-      host: redis.databases.svc.cluster.local
-      port: 6379
+    # redis:
+      # host: redis.databases.svc.cluster.local
+      # port: 6379
       ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
-      database_index: 0
-
+      # database_index: 0
 
   ##
   ## Regulation Configuration
@@ -741,7 +668,8 @@ configMap:
   ## Storage Provider Configuration
   ##
   ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
-  storage:
+  storage: {}
+  # storage:
     ##
     ## Local (Storage Provider)
     ##
@@ -758,11 +686,11 @@ configMap:
     ##
     ## Also supports MariaDB
     ##
-    mysql:
-      host: mysql.databases.svc.cluster.local
-      port: 3306
-      database: authelia
-      username: authelia
+    # mysql:
+    #   host: mysql.databases.svc.cluster.local
+    #   port: 3306
+    #   database: authelia
+    #   username: authelia
 
     ##
     ## PostgreSQL (Storage Provider)
@@ -802,31 +730,31 @@ configMap:
     ##        (only works for unauthenticated connections)
     ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
     ##     (configure in tls section)
-    smtp:
-      username: test
-      host: smtp.mail.svc.cluster.local
-      port: 25
-      sender: [email protected]
+    # smtp:
+      # username: test
+      # host: smtp.mail.svc.cluster.local
+      # port: 25
+      # sender: [email protected]
       ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
-      identifier: localhost
+      # identifier: localhost
       ## Subject configuration of the emails sent.
       ## {title} is replaced by the text from the notifier
-      subject: "[Authelia] {title}"
+      # subject: "[Authelia] {title}"
       ## This address is used during the startup check to verify the email configuration is correct.
       ## It's not important what it is except if your email server only allows local delivery.
-      startup_check_address: [email protected]
-      disable_require_tls: false
-      disable_html_emails: false
+      # startup_check_address: [email protected]
+      # disable_require_tls: false
+      # disable_html_emails: false
 
-      tls:
+      # tls:
         ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
         # server_name: smtp.example.com
 
         ## Skip verifying the server certificate (to allow a self-signed certificate).
-        skip_verify: false
+        # skip_verify: false
 
         ## Minimum TLS version for either StartTLS or SMTPS.
-        minimum_version: TLS1.2
+        # minimum_version: TLS1.2
 
 ##
 ## Authelia Secret Generator.