
Comments (4)

DreamingRaven avatar DreamingRaven commented on June 26, 2024 1

Firstly I would like to thank the Authentik team, their work is great.

However, if it's any help to you, I do it like this to keep things as generalized as possible. I created my own version of the Helm chart from scratch for this very reason. Feel free to borrow the ideas; I was thinking of starting a big PR as the chart is cool but has a few deficiencies (like secrets and theming). Please don't use mine for now; at least, it is still changing a lot and is likely not as well supported as their own.

A secret to hold the data (by default auto-generates secrets unless disabled):
https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/templates/auth.secret.yaml (my secret is a bit heavy; you don't need anywhere near as many). This also allows you to sideload a secret with Bitnami Sealed Secrets by disabling autogeneration in production, but it is really useful in testing.

E.G:

...
kind: Secret
...
data:
    postgresUserPassword: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
    authJwtToken: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
    redisPassword: {{ default 30 .Values.secret.randLength | int | randAlphaNum | b64enc }}
...

A table which keeps track of each key/value in the secret above, what filename it creates, and what environment variable should be generated to point to that file. https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/values.yaml#L161 I call my table lookup.

authentik:
  ...
  # authentik expects its secrets as files in the same directory
  # so we tell kube where to get secret data and where to put it
  secrets:
    basePath: /secrets
    lookup:
    # each lookup entry mounts one secret data item to a file at basePath/file
    # and creates an env variable pointing to that secret file,
    # so no env variable holds a secret itself; only the permission-restricted files do
    # https://www.authentik.com/integration/kubernetes/secrets/
    - key: postgresUserPassword
      file: postgresql-pass
      env: AUTHENTIK_POSTGRESQL__PASSWORD
    - key: redisPassword
      file: redis-pass
      env: AUTHENTIK_REDIS__PASSWORD
    - key: authJwtToken
      file: secret-key
      env: AUTHENTIK_SECRET_KEY
   ...

A templated deployment that automatically defines the mounts and env variables according to the table specification, and creates the env variables that tell Authentik where to look for these mounts. https://gitlab.com/GeorgeRaven/authentik-helm/-/blob/master/charts/auth/values.yaml#L161

kind: Deployment
...
spec:
  template:
    spec:
      containers:
      - name: authentik
        env:
        # one env variable per lookup entry, each holding only a file:// pointer
        {{- range .Values.authentik.secrets.lookup }}
        - name: {{ .env }}
          value: {{ printf "file://%s/%s" $.Values.authentik.secrets.basePath .file }}
        {{- end }}
        volumeMounts:
        # secrets mount, read-only so the app cannot rewrite its own credentials
        - mountPath: {{ .Values.authentik.secrets.basePath }}
          name: secrets
          readOnly: true
        ...
      volumes:
      - name: secrets
        secret:
          secretName: {{ .Values.secret.name }}
          optional: false
          # project only the keys named in the lookup table, under the chosen filenames
          items:
          {{- range .Values.authentik.secrets.lookup }}
          - key: {{ .key }}
            path: {{ .file }}
          {{- end }}
      ...

Authentik is a little more complex in practice since it has both servers and workers, but that is the general gist. If there is strong desire for this, I can also put in a PR sometime soon to support this kind of secret passing, although not exactly like this.

P.S. For anyone wondering how theming works, the fastest way is to mount over the top of existing files in the containers. For instance, to overwrite the background, I believe the file is /web/dist/assets/images/flow_background.jpg, but you can edit the path in the default flows; the "welcome to authentik" flow, for example, has a background path option. You still need to get your image into the container, though.

P.P.S. My implementation is OSLv3.


benedikt-bartscher avatar benedikt-bartscher commented on June 26, 2024

An alternative option would be to pass the authentik: YAML as a config file to authentik instead of parsing it into env vars. What do you think @BeryJu?


joaopedrocg27 avatar joaopedrocg27 commented on June 26, 2024

Is there any update on this?


rissson avatar rissson commented on June 26, 2024

This has been resolved for some time now. Authentik's config (under the authentik key in the values) is now stored as a Secret. Plus, if you don't want to specify secret values in your values, we have several ways for you to do so:

  • global.env and/or global.envFrom to load directly from a Secret you provide
  • global.volumes and global.volumeMounts to mount a Secret somewhere, and then setting the config value that needs this secret to file:///path/to/secret.

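As an added example that is not part of this thread, of the author's chart, or of the official authentik chart: the lookup-table template in the first comment and the global.volumes plus file:///path/to/secret option in the last one rest on the same contract, namely that a Secret item lands as a file under a read-only mount and the config value carries only a pointer to it. The Python below rebuilds the env/volume fragments the Helm range loops emit, lints the table for the mistakes that break or leak that contract (a key missing from the Secret, a filename that escapes the mount, a duplicate mapping, a literal value slipped in through a hand-written env list), and then resolves the pointers from a temporary directory the way a file-backed config loader would. The values block, the sample secret contents, the Secret name authentik-secrets and the trailing-newline stripping are all constructed assumptions for the demo.

```python
"""
Added example (not code from the thread or from either Helm chart).
Builds the env/volume wiring that the lookup-table template produces,
lints it, and resolves the resulting file:// pointers from disk.
"""
import os
import tempfile
from pathlib import Path

# Constructed copy of the values.yaml 'authentik.secrets' block (assumption).
SECRETS_CFG = {
    "basePath": "/secrets",
    "lookup": [
        {"key": "postgresUserPassword", "file": "postgresql-pass",
         "env": "AUTHENTIK_POSTGRESQL__PASSWORD"},
        {"key": "redisPassword", "file": "redis-pass",
         "env": "AUTHENTIK_REDIS__PASSWORD"},
        {"key": "authJwtToken", "file": "secret-key",
         "env": "AUTHENTIK_SECRET_KEY"},
    ],
}

# Constructed secret material for the demo; never real credentials.
SAMPLE_SECRET_DATA = {
    "postgresUserPassword": "pg-example-pass\n",  # k8s writes bytes as-is, newline included
    "redisPassword": "redis-example-pass",
    "authJwtToken": "jwt-example-key",
}


def render_pod_fragments(cfg, secret_name="authentik-secrets"):
    """Emit the same three fragments as the Helm 'range' loops, as plain dicts."""
    base = cfg["basePath"]
    env = [{"name": e["env"], "value": f"file://{base}/{e['file']}"}
           for e in cfg["lookup"]]
    volume_mounts = [{"mountPath": base, "name": "secrets", "readOnly": True}]
    volumes = [{
        "name": "secrets",
        "secret": {
            "secretName": secret_name,
            "optional": False,  # fail the pod rather than start without secrets
            "items": [{"key": e["key"], "path": e["file"]} for e in cfg["lookup"]],
        },
    }]
    return {"env": env, "volumeMounts": volume_mounts, "volumes": volumes}


def lint(cfg, secret_data, extra_env=()):
    """Return the problems that would break or leak the file-pointer contract."""
    problems = []
    seen_files, seen_envs = set(), set()
    for e in cfg["lookup"]:
        if e["key"] not in secret_data:
            problems.append(f"lookup key {e['key']!r} not present in Secret")
        if not e["file"] or "/" in e["file"] or e["file"] in (".", ".."):
            problems.append(f"file {e['file']!r} is not a plain filename under basePath")
        if e["file"] in seen_files:
            problems.append(f"file {e['file']!r} mapped twice")
        if e["env"] in seen_envs:
            problems.append(f"env {e['env']!r} set twice")
        seen_files.add(e["file"])
        seen_envs.add(e["env"])
    # Anything added outside the table (e.g. a hand-written env list) must not
    # re-introduce a plaintext value for a variable the table wires to a file.
    for item in extra_env:
        if item["name"] in seen_envs and not item.get("value", "").startswith("file://"):
            problems.append(f"env {item['name']} carries a literal secret value")
    return problems


def materialise_secret(secret_data, cfg, root):
    """Write each Secret item to root/basePath/<file>, read-only, like the volume does."""
    target = Path(root + cfg["basePath"])
    target.mkdir(parents=True, exist_ok=True)
    for e in cfg["lookup"]:
        path = target / e["file"]
        path.write_text(secret_data[e["key"]])
        os.chmod(path, 0o400)


def resolve_env(env_items, root=""):
    """Resolve file:// values to file contents; 'root' re-bases /secrets for tests.
    Assumption: one trailing newline is stripped, since editors often add one."""
    resolved = {}
    for item in env_items:
        value = item["value"]
        if value.startswith("file://"):
            value = Path(root + value[len("file://"):]).read_text()
            if value.endswith("\n"):
                value = value[:-1]
        resolved[item["name"]] = value
    return resolved


def demo(secret_data=SAMPLE_SECRET_DATA):
    """Lint, project into a temp dir, and resolve; returns the resolved env map."""
    problems = lint(SECRETS_CFG, secret_data)
    if problems:
        raise ValueError("; ".join(problems))
    fragments = render_pod_fragments(SECRETS_CFG)
    with tempfile.TemporaryDirectory() as root:
        materialise_secret(secret_data, SECRETS_CFG, root)
        return resolve_env(fragments["env"], root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {len(value)} bytes read from file")
```

Run it as a script to see the resolved variable names; in a chart pipeline the lint step would sit in a pre-deploy test over the rendered manifests rather than over an in-memory dict. One caveat that follows from the auto-generating Secret template above: Helm's randAlphaNum yields a fresh value on every render, so each upgrade rewrites the Secret unless the template reuses the existing object, which is why the disable-autogeneration switch the author mentions matters once the data has to stay stable in production.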
