techies/authelia
1
0
Fork 0
mirror of https://github.com/0rangebananaspy/authelia.git synced 2024-09-14 22:47:21 +07:00
Code Issues Projects Releases Wiki Activity
b2c60ef898
authelia/docs/content/en/configuration/methods/secrets.md

367 lines
13 KiB
Markdown
Raw Normal View History

[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
---
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
title: "Secrets"
description: "Using the Secrets Configuration Method."
lead: "Authelia allows providing configuration via secrets method. This section describes how to implement this."
date: 2022-03-20T12:52:27+11:00
draft: false
images: []
menu:
configuration:
parent: "methods"
weight: 101400
toc: true
aliases:
- /c/secrets
- /docs/configuration/secrets.html
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
---
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
Configuration of *Authelia* requires several secrets and passwords. Even if they can be set in the configuration file or
standard environment variables, the recommended way to set secrets is to use this configuration method as described below.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
See the [security](#security) section for more information.
## Layers
*__Important Note:__* While this method is the third layer of the layered configuration model as described by the
[introduction](introduction.md#layers), this layer is special in as much as *Authelia* will not start if you define
a secret as well as any other configuration method.
For example if you define `jwt_secret` in the [files method](files.md) and/or `AUTHELIA_JWT_SECRET` in the
[environment method](environment.md), as well as the `AUTHELIA_JWT_SECRET_FILE`, this will cause the aforementioned error.
## Security
This method is a slight improvement over the security of the other methods as it allows you to easily separate your
configuration in a logically secure way.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
## Environment variables
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
A secret value can be loaded by *Authelia* when the configuration key ends with one of the following words: `key`,
`secret`, `password`, or `token`.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
If you take the expected environment variable for the configuration option with the `_FILE` suffix at the end. The value
of these environment variables must be the path of a file that is readable by the Authelia process, if they are not,
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
*Authelia* will fail to load. Authelia will automatically remove the newlines from the end of the files contents.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
For instance the LDAP password can be defined in the configuration
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
at the path __authentication_backend.ldap.password__, so this password
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
could alternatively be set using the environment variable called
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
__AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE__.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
Here is the list of the environment variables which are considered secrets and can be defined. Please note that only
secrets can be loaded into the configuration if they end with one of the suffixes above, you can set the value of any
other configuration using the environment but instead of loading a file the value of the environment variable is used.
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
feat(configuration): configurable default second factor method (#3081) This allows configuring the default second factor method.
2022-04-18 06:58:24 +07:00
| Configuration Key | Environment Variable |
|:-------------------------------------------------:|:--------------------------------------------------------:|
| tls_key | AUTHELIA_TLS_KEY_FILE |
| jwt_secret | AUTHELIA_JWT_SECRET_FILE |
| duo_api.secret_key | AUTHELIA_DUO_API_SECRET_KEY_FILE |
| session.secret | AUTHELIA_SESSION_SECRET_FILE |
| session.redis.password | AUTHELIA_SESSION_REDIS_PASSWORD_FILE |
| session.redis.high_availability.sentinel_password | AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE |
| storage.encryption_key | AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE |
| storage.mysql.password | AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE |
| storage.postgres.password | AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE |
| notifier.smtp.password | AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE |
| authentication_backend.ldap.password | AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE |
| identity_providers.oidc.issuer_private_key | AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE |
| identity_providers.oidc.hmac_secret | AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE |
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
[DOCS] Bootstrap new documentation website based on just-the-docs (#659)
2020-02-29 07:43:59 +07:00
## Secrets in configuration file
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
If for some reason you decide on keeping the secrets in the configuration file, it is strongly recommended that you
ensure the permissions of the configuration file are appropriately set so that other users or processes cannot access
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
this file. Generally the UNIX permissions that are appropriate are 0600.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
[DEPRECATE] Environment Variable Secrets (#905) * remove ENV usages * fix reader unit tests * fix standalone suite * fix k8s suite * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-08 08:01:57 +07:00
## Secrets exposed in an environment variable
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
In all versions 4.30.0+ you can technically set secrets using the environment variables without the `_FILE` suffix by
setting the value to the value you wish to set in configuration, however we strongly urge people not to use this option
and instead use the file-based secrets above.
[DEPRECATE] Environment Variable Secrets (#905) * remove ENV usages * fix reader unit tests * fix standalone suite * fix k8s suite * apply suggestions from code review Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2020-05-08 08:01:57 +07:00
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
Prior to implementing file secrets the only way you were able to define secret values was either via configuration or
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
via environment variables in plain text.
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
See [this article](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/) for reasons
feat(configuration): replace viper with koanf (#2053) This commit replaces github.com/spf13/viper with github.com/knadh/koanf. Koanf is very similar library to viper, with less dependencies and several quality of life differences. This also allows most config options to be defined by ENV. Lastly it also enables the use of split configuration files which can be configured by setting the --config flag multiple times. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2021-08-03 16:55:21 +07:00
why setting them via the file counterparts is highly encouraged.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
## Docker
Secrets can be provided in a `docker-compose.yml` either with Docker secrets or
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
bind mounted secret files, examples of these are provided below.
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
### Compose with Docker secrets
This example assumes secrets are stored in `/path/to/authelia/secrets/{secretname}`
on the host and are exposed with Docker secrets in a `docker-compose.yml` file:
```yaml
version: '3.8'
networks:
net:
driver: bridge
secrets:
jwt:
file: /path/to/authelia/secrets/jwt
duo:
file: /path/to/authelia/secrets/duo
session:
file: /path/to/authelia/secrets/session
redis:
file: /path/to/authelia/secrets/redis
mysql:
file: /path/to/authelia/secrets/mysql
smtp:
file: /path/to/authelia/secrets/smtp
ldap:
file: /path/to/authelia/secrets/ldap
services:
authelia:
image: authelia/authelia
container_name: authelia
secrets:
- jwt
- duo
- session
- redis
- mysql
- smtp
- ldap
volumes:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
- /path/to/authelia:/config
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
networks:
- net
expose:
- 9091
restart: unless-stopped
environment:
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/jwt
- AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/duo
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/session
- AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/run/secrets/redis
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/mysql
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/smtp
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/ldap
- TZ=Australia/Melbourne
```
### Compose with bind mounted secret files
This example assumes secrets are stored in `/path/to/authelia/secrets/{secretname}`
on the host and are exposed with bind mounted secret files in a `docker-compose.yml` file
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
at `/config/secrets/`:
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
```yaml
version: '3.8'
networks:
net:
driver: bridge
services:
authelia:
image: authelia/authelia
container_name: authelia
volumes:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
- /path/to/authelia:/config
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
networks:
- net
expose:
- 9091
restart: unless-stopped
environment:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
- AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwt
- AUTHELIA_DUO_API_SECRET_KEY_FILE=/config/secrets/duo
- AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
- AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mysql
- AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap
[DOCS] Update secrets examples for Docker Compose (#948) * [DOCS] Update secrets examples for Docker Compose * Fix typo * Include examples for Docker Secrets and bind mounted secret files
2020-05-01 13:58:40 +07:00
- TZ=Australia/Melbourne
```
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
## Kubernetes
Secrets can be mounted as files using the following sample manifests.
docs: update and enhance oidc documentation (#2142) Update and adjust OIDC documentation. This also adds information for users about RP's that have been tested. Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-07-14 08:36:07 +07:00
To create a secret, the following manifest can be used
```yaml
---
kind: Secret
apiVersion: v1
metadata:
name: a-nice-name
namespace: your-authelia-namespace
data:
duo_key: >-
UXE1WmM4S0pldnl6eHRwQ3psTGpDbFplOXFueUVyWEZhYjE0Z01IRHN0RT0K
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
docs: update and enhance oidc documentation (#2142) Update and adjust OIDC documentation. This also adds information for users about RP's that have been tested. Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-07-14 08:36:07 +07:00
jwt_secret: >-
anotherBase64EncodedSecret
...
```
where `UXE1WmM4S0pldnl6eHRwQ3psTGpDbFplOXFueUVyWEZhYjE0Z01IRHN0RT0K` is Base64 encoded for
`Qq5Zc8KJevyzxtpCzlLjClZe9qnyErXFab14gMHDstE`, the actual content of the secret. You can generate these contents with
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
```console
docs: update and enhance oidc documentation (#2142) Update and adjust OIDC documentation. This also adds information for users about RP's that have been tested. Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> Co-authored-by: Amir Zarrinkafsh <nightah@me.com> Co-authored-by: James Elliott <james-d-elliott@users.noreply.github.com>
2021-07-14 08:36:07 +07:00
LENGTH=64
tr -cd '[:alnum:]' < /dev/urandom \
| fold -w "${LENGTH}" \
| head -n 1 \
| tr -d '\n' \
| tee actualSecretContent.txt \
| base64 --wrap 0 \
; echo
```
which writes the secret's content to the `actualSecretContent.txt` file and print the Base64 encoded version on `stdout`. `${LENGTH}` is the length in characters of the secret content generated by this pipe. If you don't want the contents to be written to `actualSecretContent.txt`, just delete the line with the `tee` command.
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
### Kustomization
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
* __Filename:__ ./kustomization.yaml
* __Command:__ kubectl apply -k
* __Notes:__ this kustomization expects the Authelia configuration.yml in the same directory. You will need to edit the
kustomization.yaml with your desired secrets after the equal signs. If you change the value before the equal sign
you'll have to adjust the volumes section of the daemonset template (or deployment template if you're using it).
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
```yaml
#filename: ./kustomization.yaml
generatorOptions:
disableNameSuffixHash: true
labels:
type: generated
app: authelia
configMapGenerator:
- name: authelia
files:
- configuration.yml
secretGenerator:
- name: authelia
literals:
- jwt_secret=myverysecuresecret
- session_secret=mysessionsecret
- redis_password=myredispassword
- sql_password=mysqlpassword
- ldap_password=myldappassword
- duo_secret=myduosecretkey
- smtp_password=mysmtppassword
```
### DaemonSet
feat: major documentation refresh (#3475) This marks the launch of the new documentation website.
2022-06-15 14:51:47 +07:00
* __Filename:__ ./daemonset.yaml
* __Command:__ kubectl apply -f ./daemonset.yaml
* __Notes:__ assumes Kubernetes API 1.16 or greater
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
```yaml
#filename: daemonset.yaml
#command: kubectl apply -f daemonset.yaml
#notes: assumes kubernetes api 1.16+
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: authelia
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
namespace: authelia
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
labels:
app: authelia
spec:
selector:
matchLabels:
app: authelia
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: authelia
spec:
containers:
- name: authelia
image: authelia/authelia:latest
imagePullPolicy: IfNotPresent
env:
- name: AUTHELIA_JWT_SECRET_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/jwt
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
- name: AUTHELIA_DUO_API_SECRET_KEY_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/duo
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
- name: AUTHELIA_SESSION_SECRET_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/session
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/ldap_password
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
- name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/smtp_password
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
value: /app/secrets/sql_password
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
- name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
value: /app/secrets/redis_password
- name: TZ
value: America/Toronto
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
ports:
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
- name: authelia-port
containerPort: 9091
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
startupProbe:
httpGet:
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
path: /api/state
port: authelia-port
initialDelaySeconds: 15
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
timeoutSeconds: 5
periodSeconds: 5
failureThreshold: 4
livenessProbe:
httpGet:
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
path: /api/state
port: authelia-port
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
initialDelaySeconds: 60
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 2
readinessProbe:
httpGet:
Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints
2020-09-25 06:48:24 +07:00
path: /api/state
port: authelia-port
initialDelaySeconds: 15
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
timeoutSeconds: 5
periodSeconds: 5
failureThreshold: 5
volumeMounts:
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
- mountPath: /config
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
name: config-volume
[FEATURE] Docker simplification and configuration generation (#1113) * [FEATURE] Docker simplification and configuration generation The Authelia binary now will attempt to generate configuration based on the latest template assuming that the config location specified on startup does not exist. If a file based backend is selected and the backend cannot be found similarly it will generate a `user_database.yml` based a template. This will allow more seamless bootstrapping of an environment no matter the deployment method. We have also squashed the Docker volume requirement down to just `/config` thus removing the requirement for `/var/lib/authelia` this is primarily in attempts to simplify the Docker deployment. Users with the old volume mappings have two options: 1. Change their mappings to conform to `/config` 2. Change the container entrypoint from `authelia --config /config/configuration.yml` to their old mapping * Adjust paths relative to `/etc/authelia` and simplify to single volume for compose * Add generation for file backend based user database * Refactor Docker volumes and paths to /config * Refactor Docker WORKDIR to /app * Fix integration tests * Update BREAKING.md for v4.20.0 * Run go mod tidy * Fix log_file_path in miscellaneous.md docs * Generate config and userdb with 0600 permissions * Fix log_file_path in config.template.yml
2020-06-17 13:25:35 +07:00
- mountPath: /app/secrets
[FEATURE] File Secrets (#896) * [FEATURE] File Secret Loading * add a validator for secrets * run the secrets validator before the main config validator * only allow a secret to be defined in one of: config, env, file env * remove LF if found in file * update configuration before main config validation * fix unit tests * implement secret testing * refactor the secrets validator * make check os agnostic * update docs * add warning when user attempts to use ENV instead of ENV file * discourage ENV in docs * update config template * oxford comma * apply suggestions from code review * rename Validate to ValidateConfiguration * add k8s example * add deprecation notice in docs and warning * style changes
2020-04-23 08:11:32 +07:00
name: secrets
readOnly: true
volumes:
- name: config-volume
configMap:
name: authelia
items:
- key: configuration.yml
path: configuration.yml
- name: secrets
secret:
secretName: authelia
items:
- key: jwt_secret
path: jwt
- key: duo_secret
path: duo
- key: session_secret
path: session
- key: redis_password
path: redis_password
- key: sql_password
path: sql_password
- key: ldap_password
path: ldap_password
- key: smtp_password
path: smtp_password
docs: refactor several areas of documentation (#1726) Updated all links to use https://www.authelia.com/docs/. Removed all comment sections from documented configuration on the documentation site and replaced them with their own sections. Made all documentation inside config.template.yml double hashes, and made all commented configuration sections single quoted. Added .yamllint.yaml to express our desired YAML styles. Added a style guide. Refactored many documentation areas to be 120 char widths where possible. It's by no means exhaustive but is a large start. Added a statelessness guide for the pending Kubernetes chart introduction. Added labels to configuration documentation and made many areas uniform.
2021-04-11 18:25:03 +07:00
```
Reference in New Issue Copy Permalink