Updated secrets.md with a functional DaemonSet (#1287)

* Updated secrets.md with a functional DaemonSet

* changed TCP socket for API endpoints
pull/1340/head
thehedgefrog 2020-09-24 19:48:24 -04:00 committed by GitHub
parent 4aa6fef97e
commit 86ecc03640
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 21 additions and 22 deletions

@ -23,7 +23,7 @@ containing the secret data. This file must be readable by the
user the Authelia daemon is running as. user the Authelia daemon is running as.
For instance the LDAP password can be defined in the configuration For instance the LDAP password can be defined in the configuration
at the path **authentication_backend.ldap.password**, so this password at the path **authentication_backend.ldap.password**, so this password
could alternatively be set using the environment variable called could alternatively be set using the environment variable called
**AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE**. **AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE**.
@ -51,19 +51,19 @@ server. The UNIX permissions should probably be something like 600.
## Secrets exposed in an environment variable ## Secrets exposed in an environment variable
**DEPRECATION NOTICE:** This backwards compatibility feature **has been removed** in 4.18.0+. **DEPRECATION NOTICE:** This backwards compatibility feature **has been removed** in 4.18.0+.
Prior to implementing file secrets you were able to define the Prior to implementing file secrets you were able to define the
values of secrets in the environment variables themselves values of secrets in the environment variables themselves
in plain text instead of referencing a file. **This is no longer available in plain text instead of referencing a file. **This is no longer available
as an option**, please see the table above for the file based replacements. See as an option**, please see the table above for the file based replacements. See
[this article](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/) [this article](https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/)
for reasons why this was removed. for reasons why this was removed.
## Docker ## Docker
Secrets can be provided in a `docker-compose.yml` either with Docker secrets or Secrets can be provided in a `docker-compose.yml` either with Docker secrets or
bind mounted secret files, examples of these are provided below. bind mounted secret files, examples of these are provided below.
### Compose with Docker secrets ### Compose with Docker secrets
@ -174,7 +174,7 @@ the same directory. You will need to edit the kustomization.yaml with your
desired secrets after the equal signs. If you change the value before the desired secrets after the equal signs. If you change the value before the
equal sign you'll have to adjust the volumes section of the daemonset equal sign you'll have to adjust the volumes section of the daemonset
template (or deployment template if you're using it). template (or deployment template if you're using it).
```yaml ```yaml
#filename: ./kustomization.yaml #filename: ./kustomization.yaml
generatorOptions: generatorOptions:
@ -211,6 +211,7 @@ apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: authelia name: authelia
namespace: authelia
labels: labels:
app: authelia app: authelia
spec: spec:
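Review bot: pinning `namespace: authelia` in the DaemonSet metadata only works if the ConfigMap behind `config-volume` and the Secret generated from kustomization.yaml land in the same namespace, and the visible portion of the kustomization.yaml hunk does not set one. Setting `namespace:` once at the kustomization level would apply it to every generated resource and avoid a DaemonSet that cannot resolve its config or secrets volumes.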
@ -239,32 +240,36 @@ spec:
value: /app/secrets/ldap_password value: /app/secrets/ldap_password
- name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE - name: AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
value: /app/secrets/smtp_password value: /app/secrets/smtp_password
- name: AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE - name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
value: /app/secrets/sql_password value: /app/secrets/sql_password
- name: AUTHELIA_SESSION_REDIS_PASSWORD_FILE
value: /app/secrets/redis_password
- name: TZ
value: America/Toronto
ports: ports:
- name: http - name: authelia-port
containerPort: 80 containerPort: 9091
startupProbe: startupProbe:
httpGet: httpGet:
path: /api/configuration path: /api/state
port: http port: authelia-port
initialDelaySeconds: 10 initialDelaySeconds: 15
timeoutSeconds: 5 timeoutSeconds: 5
periodSeconds: 5 periodSeconds: 5
failureThreshold: 4 failureThreshold: 4
livenessProbe: livenessProbe:
httpGet: httpGet:
path: /api/configuration path: /api/state
port: http port: authelia-port
initialDelaySeconds: 60 initialDelaySeconds: 60
timeoutSeconds: 5 timeoutSeconds: 5
periodSeconds: 30 periodSeconds: 30
failureThreshold: 2 failureThreshold: 2
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /api/configuration path: /api/state
port: http port: authelia-port
initialDelaySeconds: 10 initialDelaySeconds: 15
timeoutSeconds: 5 timeoutSeconds: 5
periodSeconds: 5 periodSeconds: 5
failureThreshold: 5 failureThreshold: 5
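Review bot: renaming AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE to AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE silently switches the example's storage backend while the secret file stays `/app/secrets/sql_password`, so a reader pairing this manifest with a PostgreSQL storage section gets a DaemonSet that sets the wrong variable; either keep the Postgres variable or show both with a comment. Two smaller points: `TZ: America/Toronto` is a site-specific value and should be a neutral placeholder (UTC is the safe default for an example), and the three probes now all hit `/api/state` on `authelia-port`, which deserves a one-line comment stating that the endpoint answers without a session, since an HTTP probe on a path that requires authentication fails every check.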
@ -274,9 +279,6 @@ spec:
- mountPath: /app/secrets - mountPath: /app/secrets
name: secrets name: secrets
readOnly: true readOnly: true
- mountPath: /etc/localtime
name: localtime
readOnly: true
volumes: volumes:
- name: config-volume - name: config-volume
configMap: configMap:
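Review bot: dropping the `/etc/localtime` hostPath mount is the right call (hostPath volumes are disallowed under restricted pod security policies and hand the container a read of a host file), but the prose above the manifest still needs a sentence that the timezone now comes from the TZ environment variable in the env list, otherwise readers updating from the previous example have no way to see why the mount went away.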
@ -302,7 +304,4 @@ spec:
path: ldap_password path: ldap_password
- key: smtp_password - key: smtp_password
path: smtp_password path: smtp_password
- name: localtime
hostPath:
path: /etc/localtime
``` ```
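Review bot: the secrets volume items visible here end at `smtp_password`, and nothing in this diff adds a `redis_password` item (or a matching entry in kustomization.yaml) to back the new AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/app/secrets/redis_password variable; if that key is not projected, the referenced file does not exist in the container and the Redis password cannot be read at startup. Add the `- key: redis_password` / `path: redis_password` pair and the corresponding kustomization entry, or drop the env var.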