authelia / chartrepo

Authelia Helm Charts
https://charts.authelia.com
Apache License 2.0

Issue working with v0.9 and up #262

Open thamudi opened 4 days ago

thamudi commented 4 days ago

Hello.

Recently we decided to upgrade from v0.8.54 to v0.9.5. After reading and following the BREAKING.md guidelines on the major changes, we are still unable to install the chart due to the following error:

level=error msg="Configuration: storage: postgres: option 'username' and 'password' are required"
level=error msg="Configuration: storage: option 'encryption_key' is required"
level=error msg="Configuration: identity_validation: reset_password: option 'jwt_secret' is required when the reset password functionality isn't disabled"

The error message shows that the username and the password are not being detected for the postgres configuration. This could be for multiple reasons:

  1. The Chart is not able to map the secrets to the pod. However, after checking the pod, the secrets are being mounted as expected to /secrets/authelia-secrets
  2. The path to the secret is not being propagated properly, or it doesn't have the proper permission policy for it.
  3. Wrong configuration on our end. This is where I am hoping you can shed some light, since we followed everything possible in your documentation and the breaking changes note.

Here is the configuration for the storage section:

      storage:

        encryption_key:
          ## Disables this secret and leaves configuring it entirely up to you.
          disabled: false

          ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
          ## secret_value option below.
          secret_name: authelia-secrets

          ## The value of a generated secret when using the ~ secret_name.
          value: ''

          ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
          ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
          ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
          path: 'storage.encryption.key'
        local:
          enabled: false
          path: /config/db.sqlite3
        ##
        ## PostgreSQL (Storage Provider)
        ##
        postgres:
          enabled: true
          deploy: false
          address: 'tcp://postgresql-db-do-user-0000000-0.b.db.ondigitalocean.com:22222'
          timeout: '5 seconds'
          database: 'authelia'
          schema: 'public'
          username: 'authelia_admin'
          password:
            ## Disables this secret and leaves configuring it entirely up to you.
            disabled: true

            ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
            ## secret_value option below.
            secret_name: authelia-secrets

            ## The value of a generated secret when using the ~ secret_name.
            value: ''

            ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
            ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
            ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
            path: 'storage.postgres.password.txt'
          tls:
            enabled: false

            ## The server subject name to check the servers certificate against during the validation process.
            ## This option is not required if the certificate has a SAN which matches the host option.
            server_name: ''

            ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the
            ## certificate or the certificate of the authority signing the certificate to the certificates directory which is
            ## defined by the `certificates_directory` option at the top of the configuration.
            ## It's important to note the public key should be added to the directory, not the private key.
            ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not
            ## important to the administrator.
            skip_verify: false

            ## Minimum TLS version for the connection.
            minimum_version: 'TLS1.2'

            ## Maximum TLS version for the connection.
            maximum_version: 'TLS1.3'

And the secrets are applied and mapped properly as well.

    ##
    ## Authelia Secret Configuration.
    ##
    secret:
      disabled: true
      existingSecret: 'authelia-secrets'
      annotations: {}
      labels: {}
      mountPath: '/secrets'
      additionalSecrets:
        authelia-secrets: {}

authelia-secrets

apiVersion: v1
kind: Secret
metadata:
    name: authelia-secrets
    namespace: test
type: Opaque
data:
    identity_validation.reset_password.jwt.hmac.key: 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
    session.redis.password.txt: YWRtaW5Vc2VyaGVsbG8=
    storage.postgres.password.txt: YWRtaW5Vc2VyaGVsbG8=
    storage.encryption.key: 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
    session.encryption.key: SW4gc2l0IGFtZXQgZXggbG9yZW0uIFN1c3BlbmRpc3NlIHBvdGVudGkuIE1hdXJpcyBzZWQgdmFyaXVzIG5pc2wuIFV0IGhlbmRyZXJpdCB0dXJwaXMgdml0YWUgdGVtcG9yIGZldWdpYXQuIFBoYXNlbGx1cyBwdWx2aW5hciBldSBzYXBpZW4gZWdldCBjb25kaW1lbnR1bS4=
    notifier.smtp.password.txt: YWRtaW5Vc2VyaGVsbG8=
    authentication.ldap.password.txt: YWRtaW5Vc2VyaGVsbG8=

james-d-elliott commented 2 days ago

You have disabled the management of the postgres password secret entirely. You'd need to either enable that or set the volume mount and relevant env vars manually.
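
The symptom in this thread is a mounted Secret that Authelia never reads: the values comments quoted above say a `disabled: true` secret block "leaves configuring it entirely up to you", and the reply above says the volume mount and the env vars then have to be set by hand. A practical check after `helm template` or against a live cluster is to confirm that every `*_FILE` variable Authelia expects is present and points at a file a Secret volume really projects. The script below is an added example, not code from the issue or from the authelia/chartrepo project. It works on Pod specs and Secret manifests as plain dicts (as you would get from `kubectl get deploy authelia -o json` and `kubectl get secret authelia-secrets -o json`). The variable names are Authelia's documented secret environment variables for the three options in the error log (verify them against the secrets documentation of the Authelia version you deploy); the `/secrets/<secret-name>` mount layout and the sample Pod specs are constructed assumptions based on the values comments in the issue, not output of the chart.

```python
"""Verify that a rendered Authelia Pod actually receives its secret files.

Added example, not code from the issue or the authelia/chartrepo project.
Env var names: Authelia's documented `*_FILE` secret variables (assumption:
check your version's secrets docs). Mount layout and sample Pod specs are
constructed from the values comments quoted in the issue.
"""
import json
import os

# Option named in the error log -> env var that supplies it from a file.
REQUIRED_FILE_VARS = {
    "AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE": "storage.postgres.password",
    "AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE": "storage.encryption_key",
    "AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE":
        "identity_validation.reset_password.jwt_secret",
}


def projected_secret_files(pod_spec, secrets):
    """Map each file a Secret volume projects into the container to
    (secret name, key). `items[].path` overrides are honoured; without
    items every key of the Secret appears under the mountPath by name."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    files = {}
    for container in pod_spec["containers"]:
        for mount in container.get("volumeMounts", []):
            vol = volumes.get(mount["name"])
            if not vol or "secret" not in vol:
                continue  # configMap/emptyDir volumes cannot carry these
            sname = vol["secret"]["secretName"]
            data = secrets.get(sname, {}).get("data", {})
            items = vol["secret"].get("items")
            projected = ({it["path"]: it["key"] for it in items} if items
                         else {k: k for k in data})
            for rel, key in projected.items():
                files[os.path.join(mount["mountPath"], rel)] = (sname, key)
    return files


def check_secret_wiring(pod_spec, secrets):
    """Return findings (strings); an empty list means every required env
    var is set and resolves to a key that is mounted from a Secret."""
    files = projected_secret_files(pod_spec, secrets)
    findings = []
    for container in pod_spec["containers"]:
        env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
        for var, option in REQUIRED_FILE_VARS.items():
            path = env.get(var)
            if not path:
                findings.append(f"{var} not set: Authelia reports "
                                f"option '{option}' as missing")
            elif path not in files:
                findings.append(f"{var}={path} is not a file projected by "
                                f"any mounted Secret volume")
            else:
                sname, key = files[path]
                if key not in secrets.get(sname, {}).get("data", {}):
                    findings.append(f"{var}={path} selects key '{key}' "
                                    f"missing from Secret '{sname}'")
    return findings


# Constructed Secret mirroring the keys posted in the issue (values elided).
SECRETS = {
    "authelia-secrets": {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "authelia-secrets", "namespace": "test"},
        "data": {
            "identity_validation.reset_password.jwt.hmac.key": "...",
            "storage.postgres.password.txt": "YWRtaW5Vc2VyaGVsbG8=",
            "storage.encryption.key": "...",
        },
    }
}

MOUNT = "/secrets/authelia-secrets"  # assumed layout: {mountPath}/{secret_name}


def make_pod_spec(env):
    """Constructed minimal Pod spec: one container with the Secret mounted
    at MOUNT and the given env vars (dict of name -> value)."""
    return {
        "containers": [{
            "name": "authelia",
            "env": [{"name": k, "value": v} for k, v in env.items()],
            "volumeMounts": [{"name": "secrets", "mountPath": MOUNT}],
        }],
        "volumes": [{"name": "secrets",
                     "secret": {"secretName": "authelia-secrets"}}],
    }


# What the issue describes: the Secret is mounted, but nothing tells Authelia
# where the files are, so all three options are reported as missing.
MOUNTED_BUT_UNWIRED = make_pod_spec({})

# The same mount with the env vars that make it usable.
WIRED = make_pod_spec({
    "AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE":
        f"{MOUNT}/storage.postgres.password.txt",
    "AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE": f"{MOUNT}/storage.encryption.key",
    "AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE":
        f"{MOUNT}/identity_validation.reset_password.jwt.hmac.key",
})

if __name__ == "__main__":
    for label, spec in (("unwired", MOUNTED_BUT_UNWIRED), ("wired", WIRED)):
        print(label, json.dumps(check_secret_wiring(spec, SECRETS), indent=2))
```

Run it against the real objects by loading `spec.template.spec` of the Deployment and the Secret into the two arguments; a finding of the "not set" kind is exactly the situation that produces the three `option ... is required` lines in the log, while a "not a file projected" finding catches a `path` value that does not match a key in the Secret.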

thamudi commented 1 day ago

I have just tried enabling the postgres password secret management and disabled the secret mounting. The same issue remains.

I took a look at the templates and I couldn't find any references to Values.configMap.storage.postgres.password.disabled

james-d-elliott commented 23 hours ago

The authelia.secret.generate template handles this logic.

Why did you change values additional to what was requested?

thamudi commented 22 hours ago

Ah okay, it makes sense now.

I only changed what is needed in order to provide secrets to run my postgres RDS.

EDIT: I am still missing what is needed in order to establish a connection with postgres using my secrets.