fix: authelia

kubernetes/apps/default/authelia/app/config/configuration.yaml

@@ -74,8 +74,9 @@ access_control:
 
 identity_providers:
   oidc:
-    # jwks:
+    jwks:
-    #   - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
+      - key: |
+          {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
     cors:
       endpoints: [authorization, token, revocation, introspection]
       allowed_origins_from_client_redirect_uris: true
@@ -84,7 +85,7 @@ identity_providers:
     # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
       - client_id: freshrss
         client_name: freshrss
-        client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
@@ -93,7 +94,7 @@ identity_providers:
         token_endpoint_auth_method: client_secret_basic
       - client_name: grafana
         client_id: grafana
-        client_secret: "$${GRAFANA_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
@@ -102,7 +103,7 @@ identity_providers:
         userinfo_signed_response_alg: none
       - client_name: jellyfin
         client_id: jellyfin
-        client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/JELLYFIN_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         require_pkce: true
@@ -114,7 +115,7 @@ identity_providers:
         token_endpoint_auth_method: client_secret_post
       - client_id: komga
         client_name: Komga
-        client_secret: "$${KOMGA_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/KOMGA_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
@@ -124,7 +125,7 @@ identity_providers:
         userinfo_signed_response_alg: none
       - client_id: outline
         client_name: Outline
-        client_secret: "$${OUTLINE_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/OUTLINE_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
@@ -134,7 +135,7 @@ identity_providers:
         token_endpoint_auth_method: client_secret_post
       - client_id: paperless
         client_name: Paperless
-        client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
+        client_secret: '{{ secret "/config/secret/PAPERLESS_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: one_factor
         pre_configured_consent_duration: 1y
@@ -143,7 +144,7 @@ identity_providers:
         userinfo_signed_response_alg: none
       - client_id: pgadmin
         client_name: pgAdmin
-        client_secret: '$${PGADMIN_OAUTH_DIGEST}'
+        client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}'
         public: false
         authorization_policy: two_factor
         pre_configured_consent_duration: 1y
@@ -153,7 +154,7 @@ identity_providers:
         token_endpoint_auth_method: client_secret_basic
       - client_id: windmill
         client_name: Windmill
-        client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
+        client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}'
         authorization_policy: two_factor
         redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
         scopes: [openid, profile, groups, email]

kubernetes/apps/default/authelia/app/externalsecret.yaml

@@ -26,9 +26,7 @@ spec:
         AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
         # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
         # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
-        AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: "{{ .OIDC_JWKS_KEY }}"
         OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
-        OIDC_JWKS_CERT: "{{ .OIDC_JWKS_CERT }}"
         FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}"
         FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}"
         GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"

kubernetes/apps/default/authelia/app/helmrelease.yaml

@@ -75,7 +75,6 @@ spec:
               X_AUTHELIA_CONFIG: /config/configuration.yaml
               X_AUTHELIA_CONFIG_FILTERS: template
             envFrom: *envFrom
-            args: [--config, /config/configuration.yaml, --config.experimental.filters, expand-env]
             probes:
               liveness: &probes
                 enabled: true

kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml

@@ -42,7 +42,7 @@ spec:
         client-body-buffer-size: "100M"
         client-body-timeout: 120
         client-header-timeout: 120
-        custom-http-errors: 400,403,404,500,501,502,503,504
+        # custom-http-errors: 400,403,404,500,501,502,503,504
         enable-brotli: "true"
         enable-real-ip: "true"
         hsts-max-age: "31449600"
@@ -117,7 +117,7 @@ spec:
       #   limits:
       #     memory: 1Gi
     defaultBackend:
-      enabled: true
+      enabled: false
       image:
         repository: ghcr.io/tarampampam/error-pages
         tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8