authelia / chartrepo

Authelia Helm Charts
https://charts.authelia.com
Apache License 2.0

failed to parse PEM block containing the key #177

Closed leptonyu closed 1 year ago

leptonyu commented 2 years ago

I use Flux v2 to deploy Authelia.

When I refresh the HelmRelease, I get this error.

You can see the configuration below. I did not configure an OIDC private key. Do I have to configure it?

```yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: authelia
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      chart: authelia
      version: 0.8.*
      sourceRef:
        kind: HelmRepository
        name: authelia
        namespace: flux-system
  values:
    domain: ${SECRET_CLUSTER_DOMAIN}
    default_redirection_url: https://dns.${SECRET_CLUSTER_DOMAIN}
    service:
      annotations:
        prometheus.io/probe: "true"
        prometheus.io/protocol: "http"

    ingress:
      enabled: true
      className: ${INGRESS_CLASS}
      subdomain: login

      tls:
        enabled: true
        secret: ${SECRET_CLUSTER_DEFAULT_CERT}

    pod:
      # Must be Deployment, DaemonSet, or StatefulSet.
      kind: Deployment

      env:
        - name: TZ
          value: ${TZ}

      securityContext:
        container:
          runAsUser: ${SECRET_PLEX_UID}
          runAsGroup: ${SECRET_PLEX_GID}
          fsGroup: ${SECRET_PLEX_GID}

      extraVolumeMounts:
        - name: authelia-user
          mountPath: /conf
      extraVolumes:
        - name: authelia-user
          configMap:
            name: authelia-user
            items:
            - key: users_database.yml
              path: users_database.yml
      resources:
        requests:
          cpu: 200m
          memory: 128Mi
        limits:
          memory: 1Gi

    persistence:
      enabled: true
      storageClass: authelia
      size: 100Mi

    ##
    ## Authelia Config Map Generator
    ##
    configMap:
      enabled: true
      log:
        level: trace
      telemetry:
        metrics:
          enabled: false
          serviceMonitor:
            # typo "fasle" in the posted config corrected to a valid boolean
            enabled: false
      server:
        read_buffer_size: 8192
        write_buffer_size: 8192
      theme: light
      authentication_backend:
        disable_reset_password: true
        ldap:
          enabled: false
        file:
          enabled: true
          path: /conf/users_database.yml
          password:
            algorithm: argon2id
      identity_providers:
        oidc:
          enabled: true
          clients:
          - id: grafana
            secret: ${SECRET_GRAFANA_CLIENT}
            public: false
            authorization_policy: two_factor
            #pre_configured_consent_duration: 10y
            scopes:
            - openid
            - profile
            - groups
            - email
            redirect_uris:
            - https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth
            userinfo_signing_algorithm: none

      access_control:
        default_policy: deny

        networks:
          - name: private
            networks:
              - ${SECRET_VPN_NET}
              - ${SECRET_PRIVATE_NET}

        rules:
          # bypass Authelia WAN + LAN
          - domain:
              - login.${SECRET_CLUSTER_DOMAIN}
            policy: bypass

          - domain: jackett.${SECRET_CLUSTER_DOMAIN}
            resources:
            - "^/jackett/.*$"
            policy: bypass

          # Deny admin services to users
          - domain:
              - filebrowser.${SECRET_CLUSTER_DOMAIN}
              - alert.${SECRET_CLUSTER_DOMAIN}
              - prometheus.${SECRET_CLUSTER_DOMAIN}
              - hubble.${SECRET_CLUSTER_DOMAIN}
            subject: ["group:users"]
            policy: deny

          # One factor auth for LAN
          - domain:
              - "*.${SECRET_CLUSTER_DOMAIN}"
            policy: one_factor
            subject: ["group:admins", "group:users"]
            networks:
              - private

          # Two factors auth for WAN
          - domain:
              - "*.${SECRET_CLUSTER_DOMAIN}"
            subject: ["group:admins", "group:users"]
            policy: two_factor

      session:
        redis:
          enabled: false

      storage:
        local:
          enabled: true
          path: /config/db.sqlite3
        postgres:
          enabled: false

      notifier:
        smtp:
          enabled: false
        filesystem:
          enabled: true
          filename: /config/notification.txt

    secret:
      jwt:
        key: JWT_TOKEN
        value: "${SECRET_AUTHELIA_JWT_SECRET}"
        filename: JWT_TOKEN
      storageEncryptionKey:
        key: STORAGE_ENCRYPTION_KEY
        value: "${SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY}"
```

james-d-elliott commented 2 years ago

Can be set here: https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml#L1279

Will check asap as to why helm isn't generating this correctly or we're not using it correctly.

james-d-elliott commented 1 year ago

I can't see what's exactly wrong, it seems to work for me. Maybe this was fixed in a newer version of Authelia? Can you show the exact errors and the value helm is generating?

leptonyu commented 1 year ago

The title is the error log.

I fixed the issue by using a fixed private key.

Flux will upgrade the Helm chart when a new version comes out. It seems that Helm creates a new private key when upgrading, and the old Authelia instance failed with this error.

I had to delete the deployments to recover.

james-d-elliott commented 1 year ago

You have the option of configuring one. I still need to see the key that causes this error (as it's encoded raw in the secret) because I can't replicate it with vanilla helm. It outputs the properly encoded PEM and encodes that with base64 as expected.

tarioch commented 1 year ago

I accidentally encountered this as well. The problem seems to be that the first time it correctly generates a key and base64 encodes it. The second time a chart update is run, it unfortunately takes the previous base64 encoded value and encodes it once more with base64.

james-d-elliott commented 1 year ago

Thanks for clarifying, I can probably figure it out from this. Strange that helm doesn't decode it automatically when you do the lookup.
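To make tarioch's explanation concrete, here is an added Go example (not code from the chart or from Authelia) that models the install and upgrade paths and counts the base64 layers around the stored key. `fixedSecretValue` is an assumed correction rather than the chart's actual fix, and `samplePEM` is a constructed placeholder, not a real key.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"errors"
)

// Constructed stand-in for the PEM key the chart generates on first install.
// The body is only base64 of "fake-key-body", not a real key.
const samplePEM = "-----BEGIN PRIVATE KEY-----\nZmFrZS1rZXktYm9keQ==\n-----END PRIVATE KEY-----\n"

// buggySecretValue models the behaviour tarioch describes: on install the PEM
// is base64-encoded into the Secret's data field; on upgrade the looked-up
// value, which is already base64, is base64-encoded a second time.
func buggySecretValue(prev string, pemKey []byte) string {
	if prev == "" {
		return base64.StdEncoding.EncodeToString(pemKey)
	}
	return base64.StdEncoding.EncodeToString([]byte(prev))
}

// fixedSecretValue is an assumed correction, not the chart's code: the looked-up
// data field is reused verbatim, since it is already in Kubernetes' base64 form.
func fixedSecretValue(prev string, pemKey []byte) string {
	if prev != "" {
		return prev
	}
	return base64.StdEncoding.EncodeToString(pemKey)
}

// base64Layers counts the base64 layers wrapping the PEM in a Secret data
// field. Kubernetes strips exactly one layer when mounting the Secret, so
// Authelia only sees a PEM block when the count is 1; the double-encoded
// value has 2 and produces the error in this issue's title.
func base64Layers(stored string, maxLayers int) (int, error) {
	cur := []byte(stored)
	for i := 0; i <= maxLayers; i++ {
		if block, _ := pem.Decode(cur); block != nil {
			return i, nil
		}
		dec, err := base64.StdEncoding.DecodeString(string(cur))
		if err != nil {
			return -1, errors.New("value is neither PEM nor base64")
		}
		cur = dec
	}
	return -1, errors.New("too many base64 layers")
}
```

Against a live cluster the equivalent check is to base64-decode the Secret's data field once and confirm the result starts with `-----BEGIN`; if it instead decodes to more base64, the key was encoded twice.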