fix: authelia

2025-09-17 18:24:14 +02:00 · 2025-01-02 15:05:07 +01:00
parent c2b81bd474
commit 65f206225a
4 changed files with 13 additions and 15 deletions
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -74,8 +74,9 @@ access_control:

 identity_providers:
  oidc:
-    # jwks:
-    #   - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
+    jwks:
+      - key: |
+          {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    cors:
      endpoints: [authorization, token, revocation, introspection]
      allowed_origins_from_client_redirect_uris: true
@@ -84,7 +85,7 @@ identity_providers:
    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
      - client_id: freshrss
        client_name: freshrss
-        client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
@@ -93,7 +94,7 @@ identity_providers:
        token_endpoint_auth_method: client_secret_basic
      - client_name: grafana
        client_id: grafana
-        client_secret: "$${GRAFANA_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
@@ -102,7 +103,7 @@ identity_providers:
        userinfo_signed_response_alg: none
      - client_name: jellyfin
        client_id: jellyfin
-        client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/JELLYFIN_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        require_pkce: true
@@ -114,7 +115,7 @@ identity_providers:
        token_endpoint_auth_method: client_secret_post
      - client_id: komga
        client_name: Komga
-        client_secret: "$${KOMGA_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/KOMGA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
@@ -124,7 +125,7 @@ identity_providers:
        userinfo_signed_response_alg: none
      - client_id: outline
        client_name: Outline
-        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/OUTLINE_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
@@ -134,7 +135,7 @@ identity_providers:
        token_endpoint_auth_method: client_secret_post
      - client_id: paperless
        client_name: Paperless
-        client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/PAPERLESS_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
@@ -143,7 +144,7 @@ identity_providers:
        userinfo_signed_response_alg: none
      - client_id: pgadmin
        client_name: pgAdmin
-        client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+        client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
@@ -153,7 +154,7 @@ identity_providers:
        token_endpoint_auth_method: client_secret_basic
      - client_id: windmill
        client_name: Windmill
-        client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
+        client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}'
        authorization_policy: two_factor
        redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
        scopes: [openid, profile, groups, email]
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -26,9 +26,7 @@ spec:
        AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
        # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
        # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
        OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
-        OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
        FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
        FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
        GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -75,7 +75,6 @@ spec:
              X_AUTHELIA_CONFIG: /config/configuration.yaml
              X_AUTHELIA_CONFIG_FILTERS: template
            envFrom: *envFrom
-            args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
            probes:
              liveness: &probes
                enabled: true
--- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
@@ -42,7 +42,7 @@ spec:
        client-body-buffer-size: "100M"
        client-body-timeout: 120
        client-header-timeout: 120
-        custom-http-errors: 400,403,404,500,501,502,503,504
+        # custom-http-errors: 400,403,404,500,501,502,503,504
        enable-brotli: "true"
        enable-real-ip: "true"
        hsts-max-age: "31449600"
@@ -117,7 +117,7 @@ spec:
      #   limits:
      #     memory: 1Gi
    defaultBackend:
-      enabled: true
+      enabled: false
      image:
        repository: ghcr.io/tarampampam/error-pages
        tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8