feat: 0.9.0 beta2 (#229)

* feat: traefik api groups * fix: client secret rendering
authelia · Apr 19, 2024 · 6fb885b · 6fb885b
1 parent bbbd05d
commit 6fb885b
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 32 deletions.
diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.9.0-beta1
+version: 0.9.0-beta2
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application

diff --git a/charts/authelia/files/configuration.oidc.client.yaml b/charts/authelia/files/configuration.oidc.client.yaml
@@ -1,8 +1,8 @@
 - client_id: {{ .Client.client_id | squote }}
-  {{- with include "authelia.config.oidc.client.client_secret.render" .Client }}
+  client_name: {{ .Client.client_name | default .Client.client_id | squote }}
+  {{- with (include "authelia.config.oidc.client.client_secret.render" .Client) }}
   client_secret: {{ . }}
   {{- end }}
-  client_name: {{ .Client.client_name | default .Client.client_id | squote }}
   {{- if .Client.sector_identifier_uri }}
   sector_identifier_uri: {{ .Client.sector_identifier_uri | default "" | squote }}
   {{- end }}

diff --git a/charts/authelia/templates/_capabilities.tpl b/charts/authelia/templates/_capabilities.tpl
@@ -137,38 +137,39 @@ PodDisruptionBudget API Version Releases: policy/v1 in 1.21, policy/v1beta1 prio
 {{/*
 
 */}}
-{{- define "capabilities.apiVersion.traefik.IngressRoute" -}}
-    {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRoute" -}}
-        {{- print "traefik.io/v1alpha1" -}}
+{{- define "capabilities.apiVersion.traefik" -}}
+    {{- $group := "traefik.io" }}
+    {{- if .Values.ingress.traefikCRD.apiGroupOverride }}
+    {{- $group = .Values.ingress.traefikCRD.apiGroupOverride }}
+    {{- else if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRoute" -}}
+    {{- $group = "traefik.io" }}
     {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/IngressRoute" -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
-    {{- else -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
+    {{- $group = "traefik.containo.us" }}
     {{- end }}
+    {{- $version := "v1alpha1" }}
+    {{- if .Values.ingress.traefikCRD.apiVersionOverride }}
+    {{- $version = .Values.ingress.traefikCRD.apiVersionOverride }}
+    {{- end }}
+    {{- printf "%s/%s" $group $version }}
+{{- end -}}
+
+{{/*
+
+*/}}
+{{- define "capabilities.apiVersion.traefik.IngressRoute" -}}
+    {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
 
 {{/*
 
 */}}
 {{- define "capabilities.apiVersion.traefik.Middleware" -}}
-    {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/Middleware" -}}
-        {{- print "traefik.io/v1alpha1" -}}
-    {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/Middleware" -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
-    {{- else -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
-    {{- end }}
+    {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
 
 {{/*
 
 */}}
 {{- define "capabilities.apiVersion.traefik.TLSOption" -}}
-    {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/TLSOption" -}}
-        {{- print "traefik.io/v1alpha1" -}}
-    {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/TLSOption" -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
-    {{- else -}}
-        {{- print "traefik.containo.us/v1alpha1" -}}
-    {{- end }}
+    {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
diff --git a/charts/authelia/templates/_oidc.tpl b/charts/authelia/templates/_oidc.tpl
@@ -14,10 +14,8 @@ Returns the OpenID Connect 1.0 clients token endpoint authentication method.
 Returns the OpenID Connect 1.0 clients secret.
 */}}
 {{- define "authelia.config.oidc.client.client_secret" -}}
-    {{- if or .public (not .client_secret) }}
+    {{- if or .public (and (not .client_secret) (not .client_secret.value) (not .client_secret.path)) }}
         {{- "" }}
-    {{- else if kindIs "string" .client_secret }}
-        {{- .client_secret }}
     {{- else if hasKey .client_secret "value" }}
         {{- .client_secret.value }}
     {{- end }}
@@ -26,9 +24,9 @@ Returns the OpenID Connect 1.0 clients secret.
 {{- define "authelia.config.oidc.client.client_secret.render" -}}
     {{- if not .public }}
         {{- if and (not (kindIs "string" .client_secret)) .client_secret.path }}
-            {{- printf "{{ client_secret %s | squote }}" .client_secret.path }}
+            {{- printf "'{{ secret \"%s\" }}'" .client_secret.path }}
         {{- else }}
-            {{- (include "authelia.config.oidc.client.client_secret" .) | squote }}
+            {{- (include "authelia.config.oidc.client.client_secret.value" .) | squote }}
         {{- end }}
     {{- end }}
 {{- end -}}

diff --git a/charts/authelia/templates/validations.configMap.check.yaml b/charts/authelia/templates/validations.configMap.check.yaml
@@ -88,9 +88,9 @@
 */}}
 {{ $secret := include "authelia.config.oidc.client.client_secret" $client }}
 {{ if and .public $secret }}
-{{ fail "The 'configMap.identity_providers.oidc.clients' which have the Public Client Type must not have a secret defined." }}
-{{ else if and (not .public) (not $secret) (or (not $client.secret) (not $client.secret.path)) }}
-{{ fail "The 'configMap.identity_providers.oidc.clients' which have the Confidential Client Type must have a secret." }}
+{{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Public Client Type must not have a secret defined. The client with id '%s' does have a secret but has the Public Client Type." $client.client_id) }}
+{{ else if and (not .public) (not $secret) (or (not $client.client_secret) (not $client.client_secret.path)) }}
+{{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Confidential Client Type must have a secret. The client with id '%s' does not have a secret but is Confidential." $client.client_id) }}
 {{ else if $secret }}
 {{ if (not (include "authelia.hashes.prefix.has" $secret)) }}
 {{ if eq "client_secret_jwt" $client.token_endpoint_auth_method }}

diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml
@@ -122,6 +122,11 @@ ingress:
 
     # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)
 
+    ## The TraefikCRD apiVersion Overrides. The apiGroupOverride controls the first part, apiVersionOverride controls
+    ## the second.
+    # apiGroupOverride: 'traefik.io'
+    # apiVersionOverride: 'v1alpha1'
+
     entryPoints: []
     # entryPoints:
     # - 'http'
@@ -1626,7 +1631,9 @@ configMap:
           # client_id: 'myapp'
 
           ## The client secret is a shared secret between Authelia and the consumer of this client.
-          # client_secret: '$plaintext$apple123'
+          # client_secret:
+            # value: '$plaintext$apple123'
+            # path: '/secrets/oidc.client.myapp.value'
 
           ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
           # client_name: 'My Application'