diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml
index f1116fbad..097b2266f 100644
--- a/kubernetes/apps/default/authelia/app/config/configuration.yaml
+++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml
@@ -74,8 +74,9 @@ access_control:
 identity_providers:
 oidc:
- # jwks:
- # - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
+ jwks:
+ - key: |
+ {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
 cors:
 endpoints: [authorization, token, revocation, introspection]
 allowed_origins_from_client_redirect_uris: true
@@ -84,7 +85,7 @@ identity_providers:
 # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 - client_id: freshrss
 client_name: freshrss
- client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
@@ -93,7 +94,7 @@ identity_providers:
 token_endpoint_auth_method: client_secret_basic
 - client_name: grafana
 client_id: grafana
- client_secret: "$${GRAFANA_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
@@ -102,7 +103,7 @@ identity_providers:
 userinfo_signed_response_alg: none
 - client_name: jellyfin
 client_id: jellyfin
- client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/JELLYFIN_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 require_pkce: true
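Review bot: `- key: |` with the template moved to the following line is likely to double the block-scalar indicator: `mindent 10 "|"` appears to emit the `|` indicator itself (that is what the previously commented-out inline form relies on), so the rendered key would start with a literal `|` line and Authelia would reject the JWKS private key at startup. The inline form `- key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}` avoids this; either way, inspect the rendered output (for example with `authelia config template`, if the deployed version has it) before relying on OIDC sign-in. The `identity_providers.oidc` mapping continues past this hunk.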
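Review bot: Nothing in this diff mounts the `*_OAUTH_DIGEST` values as files under `/config/secret/`, which the new `secret` template reads: the externalsecret hunk keeps them as secret data and the helmrelease hunk only removes `args`, so confirm the secret is mounted at that path (presumably defined outside the hunks shown), since a missing file would presumably fail at config load rather than at first login. The same `'{{ secret "/config/secret/<NAME>_OAUTH_DIGEST" }}'` form recurs in the grafana, jellyfin, komga, outline, paperless, pgadmin and windmill hunks, so this applies to all of them. Reading the digest from a file instead of a `$${…}` reference also keeps the hash out of the `${…}` substitution pass that still handles `${SECRET_EXTERNAL_DOMAIN}` in the redirect_uris line, which is a sound change. A short comment above the first client, e.g. `# client_secret values are hashed digests read from the mounted secret, not plaintext secrets`, would help the next reader.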
@@ -114,7 +115,7 @@ identity_providers:
 token_endpoint_auth_method: client_secret_post
 - client_id: komga
 client_name: Komga
- client_secret: "$${KOMGA_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/KOMGA_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
@@ -124,7 +125,7 @@ identity_providers:
 userinfo_signed_response_alg: none
 - client_id: outline
 client_name: Outline
- client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/OUTLINE_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
@@ -134,7 +135,7 @@ identity_providers:
 token_endpoint_auth_method: client_secret_post
 - client_id: paperless
 client_name: Paperless
- client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+ client_secret: '{{ secret "/config/secret/PAPERLESS_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: one_factor
 pre_configured_consent_duration: 1y
@@ -143,7 +144,7 @@ identity_providers:
 userinfo_signed_response_alg: none
 - client_id: pgadmin
 client_name: pgAdmin
- client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+ client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}'
 public: false
 authorization_policy: two_factor
 pre_configured_consent_duration: 1y
@@ -153,7 +154,7 @@ identity_providers:
 token_endpoint_auth_method: client_secret_basic
 - client_id: windmill
 client_name: Windmill
- client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
+ client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}'
 authorization_policy: two_factor
 redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
 scopes: [openid, profile, groups, email]
diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml
index 082bbfd4a..70529115d 100644
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
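Review bot: The windmill client now reads `/config/secret/WINDMILL_OAUTH_DIGEST`, but the removed line referenced `WINDMILL_OAUTH_CLIENT_SECRET` and the externalsecret hunk in this diff adds no `WINDMILL_OAUTH_DIGEST` entry, so unless that key already exists outside the shown hunk the windmill client is left without a usable secret. If the rename is intentional (a hashed digest instead of the plaintext client secret, matching the other clients), a `WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"` line belongs in externalsecret.yaml in the same commit. This client also lacks the explicit `public: false` the other entries carry; that may be the default, but stating it keeps the client list uniform and the confidential-client intent visible.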
@@ -26,9 +26,7 @@ spec:
 AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
 # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
 # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
 OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
- OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
 FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
 FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
 GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml
index 32cdb7bde..ecde1d441 100644
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -75,7 +75,6 @@ spec:
 X_AUTHELIA_CONFIG: /config/configuration.yaml
 X_AUTHELIA_CONFIG_FILTERS: template
 envFrom: *envFrom
- args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
 probes:
 liveness: &probes
 enabled: true
diff --git a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
index 31bdf460d..75f542b7f 100644
--- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
+++ b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml
@@ -42,7 +42,7 @@ spec:
 client-body-buffer-size: "100M"
 client-body-timeout: 120
 client-header-timeout: 120
- custom-http-errors: 400,403,404,500,501,502,503,504
+ # custom-http-errors: 400,403,404,500,501,502,503,504
 enable-brotli: "true"
 enable-real-ip: "true"
 hsts-max-age: "31449600"
@@ -117,7 +117,7 @@ spec:
 # limits:
 # memory: 1Gi
 defaultBackend:
- enabled: true
+ enabled: false
 image:
 repository: ghcr.io/tarampampam/error-pages
 tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8
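Review bot: Removing the `args` line drops the `expand-env` filter along with the explicit `--config` path, so any `$${VAR}` reference still left in configuration.yaml outside the hunks shown would now reach Authelia literally instead of being expanded; the client_secret lines in this diff were converted, but the rest of that file is not visible, so grep it for `$${` before merging. The `X_AUTHELIA_CONFIG` and `X_AUTHELIA_CONFIG_FILTERS: template` context lines appear to cover the config path and the template filter, so the removal itself looks consistent. Since the digests are now read from files, the `*_OAUTH_DIGEST` variables injected through `envFrom: *envFrom` may no longer be needed in the process environment, and dropping them would remove one plaintext copy of each hash; the anchor target is outside this hunk, so that needs checking there. The container spec continues beyond the hunk.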
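Review bot: Commenting out `custom-http-errors` changes more than the look of error pages: as far as I recall the controller's behaviour, that setting makes it intercept the listed backend status codes and serve the default-backend page instead, so removing it (together with `defaultBackend.enabled: false` in the next hunk) means backend-generated 500/502/503 bodies are passed through to clients as-is, which deserves a deliberate decision if any upstream returns verbose error pages. A one-line comment stating why both were disabled, e.g. `# error-pages backend disabled; backend error bodies are now passed through unchanged`, would record that decision next to the setting. The `image:` block with its pinned `error-pages` tag stays in the values while disabled and will go stale unnoticed; either drop it or note that it is kept for re-enabling.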