fix(authelia): remove deprecated expand-env

kubernetes/apps/security/authelia/app/helmrelease.yaml

@@ -65,7 +65,7 @@ spec:
               AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
               AUTHELIA_THEME: dark
               X_AUTHELIA_CONFIG: /config/configuration.yaml
-              X_AUTHELIA_CONFIG_FILTERS: expand-env,template
+              X_AUTHELIA_CONFIG_FILTERS: template
             envFrom: *envFrom
             probes:
               liveness: &probes
@@ -131,10 +131,9 @@ spec:
           - path: /config/configuration.yaml
             subPath: configuration.yaml
             readOnly: true
-      oidc-jwks:
+      secrets:
         type: secret
-        name: authelia-oidc-jwks-key
+        name: authelia
         globalMounts:
-          - path: /config/oidc-jwks-key.pem
-            subPath: oidc-jwks-key.pem
+          - path: /config/secrets
             readOnly: true

kubernetes/apps/security/authelia/app/kustomization.yaml

@@ -5,7 +5,6 @@ kind: Kustomization
 resources:
   - ./helmrelease.yaml
   - ./secret.sops.yaml
-  - ./oidc-jwks-key-secret.sops.yaml
 configMapGenerator:
   - name: authelia
     files:

kubernetes/apps/security/authelia/app/resources/configuration.yaml

@@ -1,5 +1,4 @@
 ---
-# NOTE: Authelia vars should be escaped with $${VAR_NAME} to avoid interpolation by Flux
 authentication_backend:
   ldap:
     address: ldap://glauth.security.svc.cluster.local:389
@@ -52,8 +51,15 @@ access_control:
     - name: internal
       networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
   rules:
+    # bypass for authelia
     - domain: auth.${DOMAIN}
       policy: bypass
+    # one factor for local
+    - domain: "*.${DOMAIN}"
+      policy: one_factor
+      network:
+        - internal
+    # bypass for API access
     - domain:
         - audiobookshelf.${DOMAIN}
         - lidarr.${DOMAIN}
@@ -86,14 +92,14 @@ access_control:
 identity_providers:
   oidc:
     jwks:
-      # prettier-ignore
-      - key: {{ secret "/config/oidc-jwks-key.pem" | mindent 10 "|" | msquote }}
+      - key: |
+          {{ secret "/config/secrets/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}'
     cors:
       endpoints: ["authorization", "token", "revocation", "introspection"]
     clients:
       - client_name: Grafana
         client_id: grafana
-        client_secret: "$${GRAFANA_OAUTH_CLIENT_SECRET}"
+        client_secret: '{{ secret "/config/secrets/GRAFANA_OAUTH_CLIENT_SECRET" }}'
         public: false
         authorization_policy: two_factor
         scopes: ["openid", "profile", "groups", "email"]
@@ -102,7 +108,7 @@ identity_providers:
         userinfo_signed_response_alg: none
       - client_name: Jellyfin
         client_id: jellyfin
-        client_secret: "$${JELLYFIN_OAUTH_CLIENT_SECRET}"
+        client_secret: '{{ secret "/config/secrets/JELLYFIN_OAUTH_CLIENT_SECRET" }}'
         public: false
         authorization_policy: two_factor
         require_pkce: true
@@ -115,7 +121,7 @@ identity_providers:
         token_endpoint_auth_method: client_secret_post
       - client_name: Miniflux
         client_id: miniflux
-        client_secret: "$${MINIFLUX_OAUTH_CLIENT_SECRET}"
+        client_secret: '{{ secret "/config/secrets/MINIFLUX_OAUTH_CLIENT_SECRET" }}'
         public: false
         authorization_policy: two_factor
         scopes: ["openid", "profile", "groups", "email"]
@@ -135,7 +141,7 @@ identity_providers:
         token_endpoint_auth_method: none
       - client_name: Paperless
         client_id: paperless
-        client_secret: "$${PAPERLESS_OAUTH_CLIENT_SECRET}"
+        client_secret: '{{ secret "/config/secrets/PAPERLESS_OAUTH_CLIENT_SECRET" }}'
         public: false
         authorization_policy: two_factor
         scopes: ["openid", "profile", "groups", "email"]

kubernetes/apps/security/authelia/app/secret.sops.yaml

@@ -25,6 +25,8 @@ stringData:
     INIT_POSTGRES_USER: ENC[AES256_GCM,data:NBXkJO0sAzY=,iv:UAGOIw3JA14i7g+tkbZH0r9VpVfneovJikidJs7pduU=,tag:f9VTDF5ZKF5ZSaqHnh5I4g==,type:str]
     INIT_POSTGRES_PASS: ENC[AES256_GCM,data:oQmW3uZYd8mf9YLuxiAe8mc8Bd8=,iv:4OEdtaPFyEvA99MSkEfiSmEAPfAgmRsFVUVk4WAOC+s=,tag:dCLZ2B24ptJl80Im8zqAhg==,type:str]
     INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:UHoDjFcM50R+XtqMnR/dC1cfHhQ=,iv:eOtptQOu/mAWhuvIhuGjdoaeiWDcqhriUyS0A3auAWo=,tag:YYZD7MUN6nmnwkZiY2zBBQ==,type:str]
+    #ENC[AES256_GCM,data:BnQyu7ZWj3QZVohSM8Q=,iv:XD8QslqNspCTMVMhBsNRBW/1/MkDypdezTLV1qMHdC0=,tag:L1xMhSvF6BU+peFExVMxyg==,type:comment]
+    OIDC_JWKS_KEY: ENC[AES256_GCM,data:GJ/xjzOxLGB09ryBKs+Pw2+Q6FfU1+gWChyaDAo3Zh1rV4py1XidM/M54908AlZ3HwH1MOOhrDMupxlvicitvYiAPkAdxMycIuk/CL7mlPv8O8jTXlc1VPwA0kGoQwZ4ENmAw7Lmbq3IHwqwgQzlzS9G2T/kdjXb276M+XD6Qs80GGKdoYRDFE2OhqFam3wgNnEBJPRPfBptCJ/Okc99pFw8KVFVT+a/AwQzCgEciWhy0tiz7ATbu54fM81JO06NDGxcCVUru9OLEy/T7JTdpxdujsxBw94GoTzhq11xTBqPoqG4TnirCWlxrzJg3jgaKLJ3/n+nbFL/zdejVqS4dOpiv/2Ig9XZ+Dv16jND0OHKzX43rRiAuIx1bcoGhkVlngzvOKrCgCf22RR3md8CHWPiMIYuO9nhdSmfVN8qjp4d6b2D2wkwC22cyqKDrWuUlKmmWKQar5zg+Ank4KgAM3rXTpjajzzz/xaMxEXKWnZ9cbKLAPQbKxjCLLOVmd0s039e0EZyoF7+0yKnNp9V4kkcgQxvL05cDvNMjLybvfTtLxywUbTyeU3hIX1xyHlabLsnWTitPEa1HNxZkU1N7rENIvkVNTg/wkoBZCjEHOMynrT+LLSFokeW4TWHbumSN4TmYIeH3eyy6Xh46pxb8mu4Wf6q5HqCbvXp5Ppl6rD30Q8iB/i/zDZjMPoKFM7A7cfXO5LPEsv/MahHVTlbD/owew25N1sJ3QpSW1vTawsUHEFwVJQpIXvc5RmDp0+sfETKbjGzBwA0+BeQ5QvXTfk7zB8WsaTcPcih9ALq4wnZb8F2M8R5pGpcR2WI2eTdw2lDMPGklZl95W+AVbT8LXP9r2JUzlpP65c9njWTcYqMjachWl6237O91npiSDJEpgwNiZMQwSLi2HPdfBW0270QHhI1c86txv29Y4kXlcJ2G9s4jNRt908lfeWYukYDpyqEA8xKSDevRV5SeiEEWBMxQLaxacZHTyIKvbIWbuJYdUXpGAtfqxRRtLmeNdyZ9cU8jGwbXcNcF8JqrhKZgoVq4liQjO70tZskSCwEx1VWmetaKUUOJo3TuFu2n04TJgJVJzEN4u7ipKFENTSi/Lltl/8QqKDzSBh5lUqn+FQQNF83WhxLLSpWcuNGOqMWhDVSBGCTy8Q0cdVeor+eBoM5aQbw2CXCRbD2GaKfm/wDrwYSPbDaNXP/eHeLAhV444zABIbbR4JPt6WGXRWXz7M48vt9KGaVn2krywWg7KlUYjMuZKSD7EObgNk1VobCr3XU8JxbHiw7Z7LLekBRmA0U69hqt469iB/IZCTLoui/hzq+qV9a2vmN5M9tykeJg+jsaHvLVPTu0FtZajn5gY/IrrzWOFCk9uCdlLuAosSfJzq069vaLVZtFPZnwXUHCPxbvY94ppfmOMgCikLG4MmkCb+rpfpTk9U0JgY9ey5il+Tgsq+LASdXUV5Wyt38GsjKFzahdAr37jlPUE2Qx8luGCXncucgyBGQ5YMeTapRl88PXTmQP3lf0uuKzsXX8FBUhF/BcUi+mefRGPlEeHzVeZjcRwSatLQfDNZmSz69xrq2vZ+mnRbVKUUydGKjuAxKKqus3PABuQdZLKbfSqSQM22JD7pQITEpmnpaSUAyfNIAjY4JIItSLrK2Kq43103y6jnpsE9fZUpN7qcyPkNQ1W+SDb6v0oeIdNGh8VSNsV9q1ONZYYSoP5NO6vgHZfrTUT8fJ7o+obL9/cvNv/ZHdg/Vnmw+ZNNrN4yGDVqEMQQD5rjLr5ry4ohaNjzWyNpq4vSrWI5rwhhJOD6uh8Qenj3CERvalPvisaNwuRnOfVsoEMF2kVfaxjdQBPmGSdHlgsLadh/CYaFNgGWDo8NpHf+0A7Tfj2IJ5qoKUzQgsmBXa5RtsmsA66gUJdE+5lH0v/f8fFoLyuWmIuS2sr9qjFkox30RM1WLa1c5t1yyK7oIQ/HLdGMmihLLe05LPKCM0pl4I8uXMVSEbaxCX0QqmNJJYcicC3xUot/K7lp07ryh3V9jlTIDYcgftpSKMy2upDctF6YK/TuwmCyTXR9v3aEAc4rGk2FGV/LBln52+Qn4IDYJrEIQRlIL9Gx1yOhNGblM0FQO07I2wfpBGG5EttO0NKREw1iDzfBYbXJgQrRRRFju2pDTmeDOx3Ck3Xd9ZVoU/ae9FmDwk2bq4bOinntDS1hXGtLZ9v9SMSAkNCIuy2F11hVtwOD7zcWAKtcKxr1L3r6UNqTPB7MtxNYNq+BHXYgtJU9S40fUR+GnY2RcBuDEzIWB7CNUtnKpiWAuCM3NIbPtRPafP3+ojbpzjDZn46YPVRHmboWDeFB/CUCgVSAHvnOvTEW0o6VvLGRFKdu29aurJ4vPMG9PHcW5nRoHhaWfvOJ2D/hmhmV6LMHGXxHxyrNooZhuxGIJ1X8IIyDSVDHY9v3pcbvyfO6OdtwCwDmoU/TCt5ko0ip9jk/o/dN3TiDQFuqDkUXIGQ/L4GoT7cSYOFPj+QxW6Zur8I4/HAGduz9uASEaAYT8p1fEWroplwEHAcVTNt7zQaNFnRyV0IXhherBRBNgapSw8oJN+BQJMwOJ7sBswfYf52RuegKCDZkyjhnyot2qdQBClTko8PFodOnk+TI6dzZdL/D3Z2tXGzpWULG8Wlf9uEmFVjTII5+0w/jAmD8CT1pMV7k4del3XO9PoRwzHm9/6kHsfqOFpWk7wU/5+DnO33JkHgGi+zGi4Yru9NQjm90KwnRA+dc7N4DdeBLzQ3OfZcB1YtK27d9sABcp8hlsQWRo8fExN5Vs1/dpWMY0FqGI2o7bKIldN0JfyyGgWTXhaPdAAyG/qSpxqosEyCqxLXzMeHDvCbPzpJssHf63ECUgUXui4z51xXtOqAsxuqw7vtwMzHebAjZcuTvTrCgfAXaDChmnInkkydhNiRcYgMrMojbkrnxA0zdRKEjHkuu0/kAQ+bnP9HXUr+W6WKPwZRI/vIP3K1NTmcpw52zwBfvY1e2uSlr76X+0pOazocD7zLHyez4zPcblAxUith4DHult8Usu7DCd3E45dyf+4OT2yaYZ3dE/F5kfGKllCQElbXYC0to+PUDdy7VgzD7KgSntPE5wvpJlK3Li8kpmMW9+PNRaMxXEARE9bcW+GdD4LEUdneNFo28WYrXJXS4IuFrHe8O0gv2x+82AIBfrWXlkMbkgNsG52cdL97vJcMEA0ELlpYrILsWWii2kjQWKSdLlvn62/nM1Bw9aEZ4LlXXQJv9uTjf19oYZ3PdBxIv/bN4qjhOBEVwohS5P/Um1n5KAJ2bConYNZKM6rU0ujVj+GVyre3tY/nR643pXKP4IOuIf44Uo3TX5auHNNkYguma0OPAyZ60nchOhQ3HbUi9Hhaf9cHURU7XXDQ0npY9h1pJFgoV+5b1OPj3x9Q4qA4WNZ394WvdxwYo8eK1N8xECn2uwxRAfx9ssEPfCpYH0cXtHQ5JP2l2+6c31V12/u8naB9x0l/QMY7ysLuVxbTV6AUYRzmmZIrFqzvMB/vvn+lDQ8l864a2cOYmDnXjvuWbCjmYOCs71Gp0AeOJ58M3RJAkUgnUzfgOlDZbv4kfR/O5uzVOLzcOBZ0yEiJH0IFnFtAhoQ7YSVWBTx2ikao6MzSzXngMly6cFtK8TaCItBZ16V0MhEksGCEx0kG8ELBUOmUd2CiPLGzWyxVZJJAXKjfafn4cW+adNkf3yUsePYbO395h0V83QjUecGxQJ54CzRUxtzaCr+jA+BH2jLgy+M77YbKSOGywGHW6PEaThLfDsmoI7RcmR1p9SNW1IxzxakyGnP6Bhe0PHxzIFOh3i4JXTV14qFU0dV6MewCKflgkNvY4Eyj2f1BjfFYgL9QKEknC7JnSXd80TLfce5WweCB0RMiczyaygqKAHjegQqF80U7j8CYcLKUcxs2dcH+6TP0gYwzuc1JVlLFFTrJ/ZuKzl4kHeagrAvanYoUsj6/A7oWJ72IXr0Mi8zqdS+BPeH8F/4u/2bSlEgBPYXMNe0JLpRmaUILhUFI5JmsSoX4md91iaGJCYYfn1Tkd0HaBK+xdqmbUTpLsHHf5LIhI9SDSPYCppvuJNbDZPWsC/y8C6qPmzw7oUHb2oEMvN2hdGv+Y5nsnojSQM5XjLxGYQHSSqEyT5JjJ/YSDbEaBucTYQa6GKIf3Lvmzcv/gENYz7pvj82uER2bSspR2ZXo6MaCrFWVe9OqRz3j80wFr7yNP4avfTUozSRk3MTh2TBCZOy8UdMZ421LowZA5QwXPOPiIMfMYk9F1Y1r1v/XZyMtAVof4cM2hJdXnPEvY9RnA7wRBLCDrSVaG/BhvMdKc9P/SZkTc=,iv:dnZVeJK5l8cbikNsGmWakZTpzYLVtMMg7IxOZmOSeH8=,tag:fT39xgQ6NITl26KjWO56dA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -40,8 +42,8 @@ sops:
             TFp4WGhKYjg4Ti9abnNYcnEyQkQxa0UK3QcQPlb+nd04r35ckrYjSjngBlwJKDH7
             phPw0oyKu66Uo4Tfu+OQTvv4TVJuOAfP6nMOu5Wf5b2esX8cWy/XOg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-30T18:42:11Z"
-    mac: ENC[AES256_GCM,data:Fb4Z7+uxfoypjEvZAzwz8W9qduA17KUsiHoiRFNvFdeRxnkotAo8c+LhmtwRm7UGwolQJ3rcUar/YTwqjOHZBgQeXhCzeA7Fbz+cC8hpKftfBKTNQO+7Be6xHRrJk9jrs3XANFSTATwHbcHkVcs3pQLCM8T0Z1sNgzRUCpYhVW0=,iv:LNngGJ48cBifO570UpP96OvGw2AETquoj53XWixDrMA=,tag:2Eb6i9w1onmbP80t/U6SuA==,type:str]
+    lastmodified: "2025-01-12T16:23:10Z"
+    mac: ENC[AES256_GCM,data:Z2baKxzAqMaef05VoFQZTuppbmd5FJerRc1bwrB5O36InQasBtkdIwV6qS7Lh4RFAh7AFNCs+aEwLqGD3qol2fi/E7jV5tqONkp6PLZ7lEv7WVJFMmgWxT/Agpdo9r6rL4lB5WsjOSvdQeNhcmf9o+hqDGujr5YxDq/dvHIXSxE=,iv:XbZ1eCqqzFiSpgC7cEiRCZ3zv21eGo01kvwbAQakohg=,tag:FniPAa0pY8tuCYmppRn3oQ==,type:str]
     pgp:
         - created_at: "2024-06-21T22:45:08Z"
           enc: |-
@@ -55,4 +57,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 86170CE5CB464ADDC6BE8E597450F180356132B6
     encrypted_regex: ^(data|stringData)$
-    version: 3.8.1
+    version: 3.9.3