Put secrets in env variables of Kubernetes Deployment.

This is preliminary work to bootstrap the Helm chart and rely on the Kubernetes vault. WARNING: those variables should never be set in the configuration in a production environment. They have been set here for ease of deployment and because this is a showcase.
2020-01-21 22:03:55 +01:00 · 2020-01-21 22:03:55 +01:00 · c95c7210d8
parent e92d3ced3a
commit c95c7210d8
2 changed files with 11 additions and 4 deletions
--- a/example/kube/authelia/configs/configuration.yml
+++ b/example/kube/authelia/configs/configuration.yml
@ -4,7 +4,6 @@

 port: 80
 logs_level: debug
-jwt_secret: an_unsecure_secret

 default_redirection_url: https://home.example.com:8080

@ -20,7 +19,6 @@ authentication_backend:
    group_name_attribute: cn
    mail_attribute: mail
    user: cn=admin,dc=example,dc=com
-    password: password

 access_control:
  default_policy: deny
@ -74,7 +72,6 @@ access_control:
      policy: two_factor

 session:
-  secret: unsecure_password
  expiration: 3600 # 1 hour
  inactivity: 300 # 5 minutes
  domain: example.com
@ -93,7 +90,6 @@ storage:
    port: 3306
    database: authelia
    username: admin
-    password: password

 notifier:
  smtp:
--- a/example/kube/authelia/deployment.yml
+++ b/example/kube/authelia/deployment.yml
@ -24,6 +24,17 @@ spec:
          volumeMounts:
            - name: config-volume
              mountPath: /etc/authelia
+          env:
+            # We set secrets directly here for ease of deployment but all secrets
+            # should be stored in the Kube Vault in production.
+            - name: AUTHELIA_JWT_SECRET
+              value: an_unsecure_secret
+            - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
+              value: password
+            - name: AUTHELIA_SESSION_SECRET
+              value: unsecure_password
+            - name: AUTHELIA_STORAGE_MYSQL_PASSWORD
+              value: password
      volumes:
        - name: config-volume
          configMap: