From 6fb885bdbdd81f53dfcc17f7d0b4afa7b4c66da0 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Fri, 19 Apr 2024 11:34:20 +1000
Subject: [PATCH] feat: 0.9.0 beta2 (#229)
* feat: traefik api groups
* fix: client secret rendering
---
 charts/authelia/Chart.yaml | 2 +-
 .../files/configuration.oidc.client.yaml | 4 +-
 charts/authelia/templates/_capabilities.tpl | 41 ++++++++++---------
 charts/authelia/templates/_oidc.tpl | 8 ++--
 .../validations.configMap.check.yaml | 6 +--
 charts/authelia/values.yaml | 9 +++-
 6 files changed, 38 insertions(+), 32 deletions(-)
diff --git a/charts/authelia/Chart.yaml b/charts/authelia/Chart.yaml
index 0517521..1bdfb32 100644
--- a/charts/authelia/Chart.yaml
+++ b/charts/authelia/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: authelia
-version: 0.9.0-beta1
+version: 0.9.0-beta2
 kubeVersion: ">= 1.13.0-0"
 description: Authelia is a Single Sign-On Multi-Factor portal for web apps
 type: application
diff --git a/charts/authelia/files/configuration.oidc.client.yaml b/charts/authelia/files/configuration.oidc.client.yaml
index 34e9445..22d59db 100644
--- a/charts/authelia/files/configuration.oidc.client.yaml
+++ b/charts/authelia/files/configuration.oidc.client.yaml
@@ -1,8 +1,8 @@
 - client_id: {{ .Client.client_id | squote }}
- {{- with include "authelia.config.oidc.client.client_secret.render" .Client }}
+ client_name: {{ .Client.client_name | default .Client.client_id | squote }}
+ {{- with (include "authelia.config.oidc.client.client_secret.render" .Client) }}
 client_secret: {{ . }}
 {{- end }}
- client_name: {{ .Client.client_name | default .Client.client_id | squote }}
 {{- if .Client.sector_identifier_uri }}
 sector_identifier_uri: {{ .Client.sector_identifier_uri | default "" | squote }}
 {{- end }}
diff --git a/charts/authelia/templates/_capabilities.tpl b/charts/authelia/templates/_capabilities.tpl
index c768ae4..98c1697 100644
--- a/charts/authelia/templates/_capabilities.tpl
+++ b/charts/authelia/templates/_capabilities.tpl
@@ -137,38 +137,39 @@ PodDisruptionBudget API Version Releases: policy/v1 in 1.21, policy/v1beta1 prio
 {{/*
 */}}
-{{- define "capabilities.apiVersion.traefik.IngressRoute" -}}
- {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRoute" -}}
- {{- print "traefik.io/v1alpha1" -}}
+{{- define "capabilities.apiVersion.traefik" -}}
+ {{- $group := "traefik.io" }}
+ {{- if .Values.ingress.traefikCRD.apiGroupOverride }}
+ {{- $group = .Values.ingress.traefikCRD.apiGroupOverride }}
+ {{- else if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRoute" -}}
+ {{- $group = "traefik.io" }}
 {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/IngressRoute" -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
- {{- else -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
+ {{- $group = "traefik.containo.us" }}
 {{- end }}
+ {{- $version := "v1alpha1" }}
+ {{- if .Values.ingress.traefikCRD.apiVersionOverride }}
+ {{- $version = .Values.ingress.traefikCRD.apiVersionOverride }}
+ {{- end }}
+ {{- printf "%s/%s" $group $version }}
+{{- end -}}
+
+{{/*
+
+*/}}
+{{- define "capabilities.apiVersion.traefik.IngressRoute" -}}
+ {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
 {{/*
 */}}
 {{- define "capabilities.apiVersion.traefik.Middleware" -}}
- {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/Middleware" -}}
- {{- print "traefik.io/v1alpha1" -}}
- {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/Middleware" -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
- {{- else -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
- {{- end }}
+ {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
 {{/*
 */}}
 {{- define "capabilities.apiVersion.traefik.TLSOption" -}}
- {{- if .Capabilities.APIVersions.Has "traefik.io/v1alpha1/TLSOption" -}}
- {{- print "traefik.io/v1alpha1" -}}
- {{- else if .Capabilities.APIVersions.Has "traefik.containo.us/v1alpha1/TLSOption" -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
- {{- else -}}
- {{- print "traefik.containo.us/v1alpha1" -}}
- {{- end }}
+ {{- include "capabilities.apiVersion.traefik" . }}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/authelia/templates/_oidc.tpl b/charts/authelia/templates/_oidc.tpl
index 92edbd2..04e89f8 100644
--- a/charts/authelia/templates/_oidc.tpl
+++ b/charts/authelia/templates/_oidc.tpl
@@ -14,10 +14,8 @@ Returns the OpenID Connect 1.0 clients token endpoint authentication method.
 Returns the OpenID Connect 1.0 clients secret.
 */}}
 {{- define "authelia.config.oidc.client.client_secret" -}}
- {{- if or .public (not .client_secret) }}
+ {{- if or .public (and (not .client_secret) (not .client_secret.value) (not .client_secret.path)) }}
 {{- "" }}
- {{- else if kindIs "string" .client_secret }}
- {{- .client_secret }}
 {{- else if hasKey .client_secret "value" }}
 {{- .client_secret.value }}
 {{- end }}
@@ -26,9 +24,9 @@ Returns the OpenID Connect 1.0 clients secret.
 {{- define "authelia.config.oidc.client.client_secret.render" -}}
 {{- if not .public }}
 {{- if and (not (kindIs "string" .client_secret)) .client_secret.path }}
- {{- printf "{{ client_secret %s | squote }}" .client_secret.path }}
+ {{- printf "'{{ secret \"%s\" }}'" .client_secret.path }}
 {{- else }}
- {{- (include "authelia.config.oidc.client.client_secret" .) | squote }}
+ {{- (include "authelia.config.oidc.client.client_secret.value" .) | squote }}
 {{- end }}
 {{- end }}
 {{- end -}}
diff --git a/charts/authelia/templates/validations.configMap.check.yaml b/charts/authelia/templates/validations.configMap.check.yaml
index 78d88e7..5274225 100644
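Review bot: The fallback when neither Traefik API group is discoverable silently changes from `traefik.containo.us/v1alpha1` to `traefik.io/v1alpha1`, because `$group` is initialised to `traefik.io` on the `{{- $group := "traefik.io" }}` line and the old `{{- else -}}` branch that selected `traefik.containo.us` is removed. Anyone rendering without cluster capabilities (`helm template`, GitOps controllers) against a Traefik that still serves only the old group will now get resources the API server rejects. If that is intended, state it in the helper's currently empty doc comment, e.g. `Returns the Traefik CRD apiVersion: the values overrides win, then API discovery, then traefik.io/v1alpha1 when nothing is discoverable.`; otherwise restore the previous default with `{{- else }}{{- $group = "traefik.containo.us" }}`. The two override values are also spliced into `apiVersion` unvalidated, so a typo only surfaces at apply time; a render-time `fail` for an unknown group would be friendlier.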
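Review bot: The new guard on the `{{- if or .public (and (not .client_secret) ...` line dereferences `.client_secret.value` and `.client_secret.path` precisely when `.client_secret` is unset: `and` only stops at its first falsy operand, and `(not .client_secret)` is truthy in that case, so a confidential client with no `client_secret` key is likely to abort with Go's `nil pointer evaluating interface {}.value` error instead of reaching the descriptive `fail` in validations.configMap.check.yaml. Ordering the operands so the nil check short-circuits first avoids this on Helm builds whose Go runtime short-circuits `or`: `{{- if or .public (not .client_secret) (and (not .client_secret.value) (not .client_secret.path)) }}`. Dropping the `kindIs "string"` branch also means a legacy string-valued `client_secret` now falls through to `hasKey`, which errors on a non-map value; an explicit `{{- else if kindIs "string" .client_secret }}{{ fail "client_secret must be a map with 'value' or 'path'" }}` would turn that into an actionable migration message.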
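Review bot: The `(not (kindIs "string" .client_secret))` guard on the `{{- if and ...` line is now the only place the legacy string form is still recognised, and it merely routes that shape into the `.value` helper on the new include line, so string secrets are handled inconsistently between this helper and the sibling helper above, which no longer has a string branch. Since the values.yaml example in this same commit drops the string form, rejecting it here with a clear message (`{{ fail "client_secret must be a map with 'value' or 'path'" }}`) is more helpful than a type error from deeper inside the template. The `authelia.config.oidc.client.client_secret.value` helper referenced by the new include is not part of this diff; presumably it already exists in _oidc.tpl, but that is worth confirming because a missing define only fails at render time.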
--- a/charts/authelia/templates/validations.configMap.check.yaml
+++ b/charts/authelia/templates/validations.configMap.check.yaml
@@ -88,9 +88,9 @@
 */}}
 {{ $secret := include "authelia.config.oidc.client.client_secret" $client }}
 {{ if and .public $secret }}
-{{ fail "The 'configMap.identity_providers.oidc.clients' which have the Public Client Type must not have a secret defined." }}
-{{ else if and (not .public) (not $secret) (or (not $client.secret) (not $client.secret.path)) }}
-{{ fail "The 'configMap.identity_providers.oidc.clients' which have the Confidential Client Type must have a secret." }}
+{{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Public Client Type must not have a secret defined. The client with id '%s' does have a secret but has the Public Client Type." $client.client_id) }}
+{{ else if and (not .public) (not $secret) (or (not $client.client_secret) (not $client.client_secret.path)) }}
+{{ fail (printf "The 'configMap.identity_providers.oidc.clients' which have the Confidential Client Type must have a secret. The client with id '%s' does not have a secret but is Confidential." $client.client_id) }}
 {{ else if $secret }}
 {{ if (not (include "authelia.hashes.prefix.has" $secret)) }}
 {{ if eq "client_secret_jwt" $client.token_endpoint_auth_method }}
diff --git a/charts/authelia/values.yaml b/charts/authelia/values.yaml
index d769b95..e5081a9 100644
--- a/charts/authelia/values.yaml
+++ b/charts/authelia/values.yaml
@@ -122,6 +122,11 @@ ingress:
 # matchOverride: Host(`auth.example.com`) && PathPrefix(`/`)
+ ## The TraefikCRD apiVersion Overrides. The apiGroupOverride controls the first part, apiVersionOverride controls
+ ## the second.
+ # apiGroupOverride: 'traefik.io'
+ # apiVersionOverride: 'v1alpha1'
+
 entryPoints: []
 # entryPoints:
 # - 'http'
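Review bot: The rewritten `{{ else if and (not .public) (not $secret) ...` line still reads `.public` from the current context while every other field (`$client.client_secret`, `$client.client_id`) comes from `$client`; the enclosing `range` starts above this hunk so I cannot see whether `.` is the client, but if it is not, the Public/Confidential decision is made on the wrong object, so `$client.public` on both condition lines would be the safe, consistent form. Also, `$secret` is computed by the include on the line above before any shape check, so an absent or string-valued `client_secret` is reported by a Go template error rather than by these improved `fail` messages; a guard placed before the `$secret :=` line, e.g. `{{ if kindIs "string" $client.client_secret }}{{ fail (printf "Client '%s': client_secret must be a map with 'value' or 'path'." $client.client_id) }}{{ end }}`, would keep the error actionable and, like the new messages, avoid echoing the secret itself.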
@@ -1626,7 +1631,9 @@ configMap:
 # client_id: 'myapp'
 ## The client secret is a shared secret between Authelia and the consumer of this client.
- # client_secret: '$plaintext$apple123'
+ # client_secret:
+ # value: '$plaintext$apple123'
+ # path: '/secrets/oidc.client.myapp.value'
 ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
 # client_name: 'My Application'
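Review bot: The example now shows `value` and `path` side by side under `client_secret`, but the render helper in _oidc.tpl emits the `path` form whenever `.client_secret.path` is set and only falls back to `value` otherwise, so a reader following this example may expect both to be honoured when only one is. The comment above should say they are alternatives and which wins: `## Provide exactly one of 'value' (inline) or 'path' (a file, e.g. mounted from a Kubernetes Secret); 'path' takes precedence when both are set.` The inline example also keeps `$plaintext$apple123`: an inline `value` is written into the rendered configuration that this chart ships as a ConfigMap, so a note such as `## 'value' is stored in the rendered ConfigMap; use a hashed digest rather than '$plaintext$', or prefer 'path' for confidential clients.` would steer operators toward the safer option.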