From 86ecc036400968edbcba3182816c70b1ae27d42f Mon Sep 17 00:00:00 2001 From: thehedgefrog <38590447+thehedgefrog@users.noreply.github.com> Date: Thu, 24 Sep 2020 19:48:24 -0400 Subject: [PATCH] Updated secrets.md with a functional DaemonSet (#1287) * Updated secrets.md with a functional DaemonSet * changed TCP socket for API endpoints --- docs/configuration/secrets.md | 43 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/docs/configuration/secrets.md b/docs/configuration/secrets.md index ec677476..e9e56558 100644 --- a/docs/configuration/secrets.md +++ b/docs/configuration/secrets.md @@ -23,7 +23,7 @@ containing the secret data. This file must be readable by the user the Authelia daemon is running as. For instance the LDAP password can be defined in the configuration -at the path **authentication_backend.ldap.password**, so this password +at the path **authentication_backend.ldap.password**, so this password could alternatively be set using the environment variable called **AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE**. 
@@ -51,19 +51,19 @@ server. The UNIX permissions should probably be something like 600. ## Secrets exposed in an environment variable -**DEPRECATION NOTICE:** This backwards compatibility feature **has been removed** in 4.18.0+. +**DEPRECATION NOTICE:** This backwards compatibility feature **has been removed** in 4.18.0+. Prior to implementing file secrets you were able to define the values of secrets in the environment variables themselves in plain text instead of referencing a file. **This is no longer available -as an option**, please see the table above for the file based replacements. See +as an option**, please see the table above for the file based replacements. See [this article](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/) for reasons why this was removed. ## Docker Secrets can be provided in a `docker-compose.yml` either with Docker secrets or -bind mounted secret files, examples of these are provided below. +bind mounted secret files, examples of these are provided below. ### Compose with Docker secrets @@ -174,7 +174,7 @@ the same directory. You will need to edit the kustomization.yaml with your desired secrets after the equal signs. If you change the value before the equal sign you'll have to adjust the volumes section of the daemonset template (or deployment template if you're using it). - + ```yaml #filename: ./kustomization.yaml generatorOptions: @@ -211,6 +211,7 @@ apiVersion: apps/v1 kind: DaemonSet metadata: name: authelia + namespace: authelia labels: app: authelia spec: 
@@ -239,32 +240,36 @@ spec:
 value: /app/secrets/ldap_password
 - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
 value: /app/secrets/smtp_password
- - name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
+ - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
 value: /app/secrets/sql_password
+ - name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+ value: /app/secrets/redis_password
+ - name: TZ
+ value: America/Toronto
 ports:
- - name: http
- containerPort: 80
+ - name: authelia-port
+ containerPort: 9091
 startupProbe:
 httpGet:
- path: /api/configuration
- port: http
- initialDelaySeconds: 10
+ path: /api/state
+ port: authelia-port
+ initialDelaySeconds: 15
 timeoutSeconds: 5
 periodSeconds: 5
 failureThreshold: 4
 livenessProbe:
 httpGet:
- path: /api/configuration
- port: http
+ path: /api/state
+ port: authelia-port
 initialDelaySeconds: 60
 timeoutSeconds: 5
 periodSeconds: 30
 failureThreshold: 2
 readinessProbe:
 httpGet:
- path: /api/configuration
- port: http
- initialDelaySeconds: 10
+ path: /api/state
+ port: authelia-port
+ initialDelaySeconds: 15
 timeoutSeconds: 5
 periodSeconds: 5
 failureThreshold: 5
@@ -274,9 +279,6 @@ spec:
 - mountPath: /app/secrets
 name: secrets
 readOnly: true
- - mountPath: /etc/localtime
- name: localtime
- readOnly: true
 volumes:
 - name: config-volume
 configMap:
@@ -302,7 +304,4 @@ spec:
 path: ldap_password
 - key: smtp_password
 path: smtp_password
- - name: localtime
- hostPath:
- path: /etc/localtime
 ```
\ No newline at end of file