authelia/docs/content/integration/kubernetes/secrets.md

232 lines
11 KiB
Markdown

---
title: "Secrets"
description: "A guide to using secrets when integrating Authelia with Kubernetes."
summary: "A guide to using secrets when integrating Authelia with Kubernetes."
date: 2022-06-22T22:58:23+10:00
draft: false
images: []
weight: 530
toc: true
seo:
title: "" # custom title (optional)
description: "" # custom description (recommended)
canonical: "" # custom canonical URL (optional)
noindex: false # false (default) or true
---
The following serve as examples of how to inject secrets into the Authelia container on [Kubernetes].
## Get started
It's __*strongly recommended*__ that users setting up *Authelia* for the first time take a look at our
[Get started](../prologue/get-started.md) guide. This takes you through various steps which are essential to
bootstrapping *Authelia*.
## Creation
The following section covers creating example secrets. See [Secret Usage](#usage) for usage details. These examples are
not intended to be used as is, you should only include secrets that you're actively using and some secrets may be
missing from these examples. You need to see the [secrets documentation](../../configuration/methods/secrets.md) and
appropriately adapt these examples to your use case.
### Helm Chart
The Helm [Chart](chart.md) automatically generates and injects secrets into an Authelia deployment.
### Manifest
The following manifest is an example which all of the other examples attempt to facilitate as closely as possible. You
can manually create a secret like this with `kubectl apply -f`.
##### String Data Example
##### secret.yaml
```yaml {title="secret.yml"}
---
kind: Secret
apiVersion: v1
metadata:
name: authelia
stringData:
JWT_SECRET: >-
NwsVsXv4YCAF9suxWZmT7N6PSzmouCDHqVpzbS5niBKo49b7rTREmwFe6roKswf4
SESSION_SECRET: >-
DkezH5zcMQsvaU38YVu673i6JDH4VPiik9xPmYsTN3KPNkxSiiyZ8ASFTdcBcu8q
REDIS_PASSWORD: >-
VfhdNhgFG5mLU9s3cjQn9im6dkiWNu3FEUPJRi9bqGm3UV6xzGBZgvdCJhoy26d9
REDIS_SENTINEL_PASSWORD: >-
sSJMfX9A6Q6vTpD6rHXcLn2j5kN557RwuohAeyZuGqH9P9LGfuSMnzi9woYZuNqU
LDAP_PASSWORD: >-
zafcAShEBfgc48DihdRnnb6UJEGKqzg3FdeZXZ3rhrg6tu2oDoYSBA88w9NPvDhZ
STORAGE_PASSWORD: >-
NMHf9Z7C5UQYuKKgh9BJTKeccoZt6c647FQqsEHhkapkkndPkPw3d8bnvkqLgiZ5
STORAGE_ENCRYPTION_KEY: >-
rH87rjVMQBvzVgj8vVGSxhop2PPwddrJ7B6oSkGcmoganMf4wqANp9AJwaMHt8RA
SMTP_PASSWORD: >-
oi4Yag5HX8Bhc5JTr49nRkdPEr4JcPMfLAPvXxNpHtHqiHXfx3isdWXuTg7yCtjk
DUO_SECRET_KEY: >-
d4ypk2UQXxuo86s7vJ2rYWPa5KoxDfU9JQWgEqtANiBaJVQSG8PJbD9U24eiVuPC
OIDC_HMAC_SECRET: >-
eSopMjbiuCMhEbXGFsm5B8KWKszxV3CJWSLYrWnBJja4rFNvDxti388WyBjdrsHb
OIDC_ISSUER_PRIVATE_KEY:
-----BEGIN RSA PRIVATE KEY-----
MXIEogIB$AKCAQEAxZVJP3WF//PG2fLQoEC9DtdiFG/+00vqlbVzz47nyxKONIPI
lmL3UdmqpGTKMe/5Brqse4ZAKlQHiDbwzK9ypnfigtHuvh/JO0S7ChP70RC67ed1
HV1nyfz5eW3llbtGJPrlYLqITNgctHp6zmRUFtSzPj9qFvozI93LJi492yL1+vu8
Un3Dm8+Qq6XM2tPdEcldB/dtBwOWoF+8eOOVsu0TDuB5bwlhBVGJuSAuzBPRS2bF
Ga4uk0JDdkDOMCEQxC5uWDFxgfERSMFyfLVWD47woDbuWEBq10c0z+dpWPMp7Ain
YnnkqicwCN88Z0zid6MmMQ65F4+9Hc+qC/p6xwIDAQABAoIBAGlhaAHKor+Su3o/
AXqXTL5/rbYMzbLQiLt0XeJT69jpeqMTroZXHmWvXE3128mqnf0yzw/K2Ko6yxGh
i+j/onya8FqpsVYCCgfsbn2/js1AyRJeIp6Y1ORsYnqbXJnxmkXa80AV/OBPW2/+
60TtSdQrebY3iFPc+i2k+9bPTvpyyDLKlz8UwdZG+k5uyYNIyQTccz+PjwsIvDij
7tKYamhhLN3QXt3/aZTFpjTgezP4WyriZxjWrddHowc47q2rwNS95ND39JcysJAc
0Pcbu8A5lVa7Fx33uOtzDfKWIW7xVEN+OtPgN+FbTjXcXk5IZedl+pW5lU5P++G/
ZPvz+WECgYEA9g6HwdODW3e68bOqsFoKg35+vfUFMzlyMF8HFylNVfnLpTEDr637
owzMFvcUxVd71b+gV5nnnbI+riUFIgyR8vhCjhy4moopDPahC4/KwN4NG6uz+i1h
AB6D5+zn2BjnO/5xMMFGlApWtRNmJVGYlNDj3bXKh2VXzzy03VNeD8kCgYEAzZFL
OlzoRB1HKpTWIECcuvxofMxLOLb3zs0k2t/FYNYIpovmGWCCAULz13y53e5+/+5m
7I9VUZJFaIhaZ36qVBApCKdru69pZMkWCcQO9jELFcx51Ez7OgJWzu7GS1QJCPKC
fEDxI0rZK21j93/Sl/nUnEir7CYpQ+wvCaGuHg8CgYAXgbncfY1+DokwkB6NbHy2
pT4Mfbz6cNGE538w6kQ2I4AeDvmwLentYMqaow478CinegAiflSPTzkHwAemghbr
ZGZPV1UXhn13fJRUG2+eT1hnPVcbXnx223N0k8Bud6qXo65CnyRT/kzcTbcjd5Eh
Hne2daicmMTzynPo9Q72aQKBgBmobO9X8VWvIdbaxO85oVZlctVA2pK1o7CYQmVf
UM+JZ4MCKzI3rYJizPS0iK5+ujNPmmEkcs2/qBIoEsCgOrpLWhPOcc/3UPxXbPzD
D+sCrBOIdhxdj23qJNOnUfDNCGOpgUfpAzAYg4q8GKInvi1h7XukRnEvQi9MJ4LY
P1dZAoGASGcGnTMkmeSXP8ux+dvQJAiJskn/sJIgBZ5uq5GRCeLBUosRSVxM75UK
vAh/c/RBj+pYXVKuPuHGZCQJxsdcRXzXNGouUtgbaYML5Me/Hagt20QzDRBfuGBg
qeZBJaXhjElvw6PUWtg4x+LYRCBpq/bS3LK3ozZrSTukVkKDegw=
-----END RSA PRIVATE KEY-----
...
```
##### Base64 Data Example
This is the same manifest as above but encoded in base64.
```yaml {title="secret.yml"}
---
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: authelia
data:
DUO_SECRET_KEY: ZDR5cGsyVVFYeHVvODZzN3ZKMnJZV1BhNUtveERmVTlKUVdnRXF0QU5pQmFKVlFTRzhQSmJEOVUyNGVpVnVQQw==
JWT_SECRET: TndzVnNYdjRZQ0FGOXN1eFdabVQ3TjZQU3ptb3VDREhxVnB6YlM1bmlCS280OWI3clRSRW13RmU2cm9Lc3dmNA==
LDAP_PASSWORD: emFmY0FTaEVCZmdjNDhEaWhkUm5uYjZVSkVHS3F6ZzNGZGVaWFozcmhyZzZ0dTJvRG9ZU0JBODh3OU5QdkRoWg==
OIDC_HMAC_SECRET: ZVNvcE1qYml1Q01oRWJYR0ZzbTVCOEtXS3N6eFYzQ0pXU0xZclduQkpqYTRyRk52RHh0aTM4OFd5QmpkcnNIYg==
OIDC_ISSUER_PRIVATE_KEY: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLSBNWElFb2dJQiRBS0NBUUVBeFpWSlAzV0YvL1BHMmZMUW9FQzlEdGRpRkcvKzAwdnFsYlZ6ejQ3bnl4S09OSVBJIGxtTDNVZG1xcEdUS01lLzVCcnFzZTRaQUtsUUhpRGJ3eks5eXBuZmlndEh1dmgvSk8wUzdDaFA3MFJDNjdlZDEgSFYxbnlmejVlVzNsbGJ0R0pQcmxZTHFJVE5nY3RIcDZ6bVJVRnRTelBqOXFGdm96STkzTEppNDkyeUwxK3Z1OCBVbjNEbTgrUXE2WE0ydFBkRWNsZEIvZHRCd09Xb0YrOGVPT1ZzdTBURHVCNWJ3bGhCVkdKdVNBdXpCUFJTMmJGIEdhNHVrMEpEZGtET01DRVF4QzV1V0RGeGdmRVJTTUZ5ZkxWV0Q0N3dvRGJ1V0VCcTEwYzB6K2RwV1BNcDdBaW4gWW5ua3FpY3dDTjg4WjB6aWQ2TW1NUTY1RjQrOUhjK3FDL3A2eHdJREFRQUJBb0lCQUdsaGFBSEtvcitTdTNvLyBBWHFYVEw1L3JiWU16YkxRaUx0MFhlSlQ2OWpwZXFNVHJvWlhIbVd2WEUzMTI4bXFuZjB5encvSzJLbzZ5eEdoIGkrai9vbnlhOEZxcHNWWUNDZ2ZzYm4yL2pzMUF5UkplSXA2WTFPUnNZbnFiWEpueG1rWGE4MEFWL09CUFcyLysgNjBUdFNkUXJlYlkzaUZQYytpMmsrOWJQVHZweXlETEtsejhVd2RaRytrNXV5WU5JeVFUY2N6K1Bqd3NJdkRpaiA3dEtZYW1oaExOM1FYdDMvYVpURnBqVGdlelA0V3lyaVp4aldyZGRIb3djNDdxMnJ3TlM5NU5EMzlKY3lzSkFjIDBQY2J1OEE1bFZhN0Z4MzN1T3R6RGZLV0lXN3hWRU4rT3RQZ04rRmJUalhjWGs1SVplZGwrcFc1bFU1UCsrRy8gWlB2eitXRUNnWUVBOWc2SHdkT0RXM2U2OGJPcXNGb0tnMzUrdmZVRk16bHlNRjhIRnlsTlZmbkxwVEVEcjYzNyBvd3pNRnZjVXhWZDcxYitnVjVubm5iSStyaVVGSWd5Ujh2aENqaHk0bW9vcERQYWhDNC9Ld040Tkc2dXoraTFoIEFCNkQ1K3puMkJqbk8vNXhNTUZHbEFwV3RSTm1KVkdZbE5EajNiWEtoMlZYenp5MDNWTmVEOGtDZ1lFQXpaRkwgT2x6b1JCMUhLcFRXSUVDY3V2eG9mTXhMT0xiM3pzMGsydC9GWU5ZSXBvdm1HV0NDQVVMejEzeTUzZTUrLys1bSA3STlWVVpKRmFJaGFaMzZxVkJBcENLZHJ1NjlwWk1rV0NjUU85akVMRmN4NTFFejdPZ0pXenU3R1MxUUpDUEtDIGZFRHhJMHJaSzIxajkzL1NsL25VbkVpcjdDWXBRK3d2Q2FHdUhnOENnWUFYZ2JuY2ZZMStEb2t3a0I2TmJIeTIgcFQ0TWZiejZjTkdFNTM4dzZrUTJJNEFlRHZtd0xlbnRZTXFhb3c0NzhDaW5lZ0FpZmxTUFR6a0h3QWVtZ2hiciBaR1pQVjFVWGhuMTNmSlJVRzIrZVQxaG5QVmNiWG54MjIzTjBrOEJ1ZDZxWG82NUNueVJUL2t6Y1RiY2pkNUVoIEhuZTJkYWljbU1UenluUG85UTcyYVFLQmdCbW9iTzlYOFZXdklkYmF4Tzg1b1ZabGN0VkEycEsxbzdDWVFtVmYgVU0rSlo0TUNLekkzcllKaXpQUzBpSzUrdWpOUG1tRWtjczIvcUJJb0VzQ2dPcnBMV2hQT2NjLzNVUHhYYlB6RCBEK3NDckJPSWRoeGRqMjNxSk5PblVmRE5DR09wZ1VmcEF6QVlnNHE4R0tJbnZpMWg3WHVrUm5FdlFpOU1KNExZIFAxZFpBb0dBU0djR25UTWttZVNYUDh1eCtkdlFKQWlKc2tuL3NKSWdCWjV1cTVHUkNlTEJVb3NSU1Z4TTc1VUsgdkFoL2MvUkJqK3BZWFZLdVB1SEdaQ1FKeHNkY1JYelhOR291VXRnYmFZTUw1TWUvSGFndDIwUXpEUkJmdUdCZyBxZVpCSmFYaGpFbHZ3NlBVV3RnNHgrTFlSQ0JwcS9iUzNMSzNvelpyU1R1a1ZrS0RlZ3c9IC0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0t
REDIS_PASSWORD: VmZoZE5oZ0ZHNW1MVTlzM2NqUW45aW02ZGtpV051M0ZFVVBKUmk5YnFHbTNVVjZ4ekdCWmd2ZENKaG95MjZkOQ==
REDIS_SENTINEL_PASSWORD: c1NKTWZYOUE2UTZ2VHBENnJIWGNMbjJqNWtONTU3Und1b2hBZXladUdxSDlQOUxHZnVTTW56aTl3b1ladU5xVQ==
SESSION_SECRET: RGtlekg1emNNUXN2YVUzOFlWdTY3M2k2SkRINFZQaWlrOXhQbVlzVE4zS1BOa3hTaWl5WjhBU0ZUZGNCY3U4cQ==
SMTP_PASSWORD: b2k0WWFnNUhYOEJoYzVKVHI0OW5Sa2RQRXI0SmNQTWZMQVB2WHhOcEh0SHFpSFhmeDNpc2RXWHVUZzd5Q3Rqaw==
STORAGE_ENCRYPTION_KEY: ckg4N3JqVk1RQnZ6VmdqOHZWR1N4aG9wMlBQd2Rkcko3QjZvU2tHY21vZ2FuTWY0d3FBTnA5QUp3YU1IdDhSQQ==
STORAGE_PASSWORD: Tk1IZjlaN0M1VVFZdUtLZ2g5QkpUS2VjY29adDZjNjQ3RlFxc0VIaGthcGtrbmRQa1B3M2Q4Ym52a3FMZ2laNQ==
...
```
### Kustomize
The following example is a [Kustomize](https://kustomize.io/) example which can be utilized with `kubectl apply -k`. The
files listed in the `secretGenerator` section of the `kustomization.yaml` must exist and contain the contents of your
desired secret value.
```yaml {title="kustomization.yaml"}
---
generatorOptions:
disableNameSuffixHash: true
labels:
type: 'generated'
app: 'authelia'
secretGenerator:
- name: 'authelia'
files:
- 'DUO_SECRET_KEY'
- 'JWT_SECRET'
- 'LDAP_PASSWORD'
- 'OIDC_HMAC_SECRET'
- 'OIDC_ISSUER_PRIVATE_KEY'
- 'REDIS_PASSWORD'
- 'REDIS_SENTINEL_PASSWORD'
- 'SESSION_SECRET'
- 'SMTP_PASSWORD'
- 'STORAGE_ENCRYPTION_KEY'
- 'STORAGE_PASSWORD'
...
```
## Usage
The following section covers using the created example secrets. See [Creation](#creation) for creation
details.
The example is an excerpt for a manifest which can mount volumes. Examples of these are the [Pod], [Deployment],
[StatefulSet], and [DaemonSet].
```yaml {title="deployment.yml"}
---
spec:
containers:
- name: 'authelia'
env:
- name: 'AUTHELIA_DUO_API_SECRET_KEY_FILE'
value: '/app/secrets/DUO_SECRET_KEY'
- name: 'AUTHELIA_JWT_SECRET_FILE'
value: '/app/secrets/JWT_SECRET'
- name: 'AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE'
value: '/app/secrets/LDAP_PASSWORD'
- name: 'AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE'
value: '/app/secrets/OIDC_HMAC_SECRET'
- name: 'AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE'
value: '/app/secrets/OIDC_ISSUER_PRIVATE_KEY'
- name: 'AUTHELIA_SESSION_REDIS_PASSWORD_FILE'
value: '/app/secrets/REDIS_PASSWORD'
- name: 'AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE'
value: '/app/secrets/REDIS_SENTINEL_PASSWORD'
- name: 'AUTHELIA_SESSION_SECRET_FILE'
value: '/app/secrets/SESSION_SECRET'
- name: 'AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE'
value: '/app/secrets/SMTP_PASSWORD'
- name: 'AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE'
value: '/app/secrets/STORAGE_ENCRYPTION_KEY'
- name: 'AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE'
value: '/app/secrets/STORAGE_ENCRYPTION_KEY'
volumeMounts:
- mountPath: '/app/secrets'
name: 'secrets'
readOnly: true
volumes:
- name: 'secrets'
secret:
secretName: 'authelia'
items:
- key: 'DUO_SECRET_KEY'
path: 'DUO_SECRET_KEY'
- key: 'JWT_SECRET'
path: 'JWT_SECRET'
- key: 'OIDC_HMAC_SECRET'
path: 'OIDC_HMAC_SECRET'
- key: 'OIDC_ISSUER_PRIVATE_KEY'
path: 'OIDC_ISSUER_PRIVATE_KEY'
- key: 'REDIS_PASSWORD'
path: 'REDIS_PASSWORD'
- key: 'REDIS_SENTINEL_PASSWORD'
path: 'REDIS_SENTINEL_PASSWORD'
- key: 'SESSION_SECRET'
path: 'SESSION_SECRET'
- key: 'SMTP_PASSWORD'
path: 'SMTP_PASSWORD'
- key: 'STORAGE_ENCRYPTION_KEY'
path: 'STORAGE_ENCRYPTION_KEY'
- key: 'STORAGE_PASSWORD'
path: 'STORAGE_PASSWORD'
...
```
[Kubernetes]: https://kubernetes.io/
[Pod]: https://kubernetes.io/docs/concepts/workloads/pods/
[DaemonSet]: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
[StatefulSet]: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
[Deployment]: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/