atuhelia update and secret fix

infrastructure/authelia/authelia-internal.sealedsecret.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: authelia-internal
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgBiAFMdVNGubsvfYu9oi6SE1AF8ZmiSbiSPjZhrSjpw8J8vN0Zjm/4TQX+I+qD7GQu0zO72D2hF/26fBZrLx2N1IJAj0va1NYEkmGgAaYa3lVC948n5OzyNPpOwfFCMBKo/BJwh0VeZ0wa7gm6L7+Gfk+YutGmkNa7Cuf+F/e8LxlT0MHlyoj+YGzeNEWkm2uUv73f74ND+a15AnBkvGMfm5A8vt/EdN3IOqD8EUCwRpf+lqhrJe9Mwp28kHp4NdO2W97I40BWA7LFXQco7CuhjNafHkpaNMZ1bkbYLjlpqyC6Xs7bCZU9wMIPOHL9cGt2QvfQG5gMWrJmJsyes9qadBk/TKmqPi3iPH2DzUYO2vMETI765RVrL6IVOwxXc663JxfpZVQTiCSXz8oCVYZ7Ka7gcjXSPTMSxwD2cBVG9KDwjntYaXTairO/Kyx0HiPbbXzhENYkqY7oZvJde/l83l5TvPi+M4/a0Pa8COq8voRw+Fkrfw/qhPDn4AZnuanceOLog3xfrXw0Z45rZ34unovKP+3NjTdBUX5YB8OgGd5tXc4Ur6oK8nxt5IhQ1EzJkh1VEUU8pbDaw9EX1xCKZxVk86MEzW7zqFZWRve5Sp34CJdwHcUk8hLs2PweEzyvibLJIACn1mQoM6nC+Wep5iYXjUzQ9qobItzKFpw/mGsceCu8VqNoBtQBws+I47EF2NkzT45szvxF9tvSzmgmRBHtzES11bqePopHvye4310pywFYJ/WeiWOLEn1IEd4rrTJ6zIoqU1QH9qHShT4SoT0uC5wqz+Tgl64OdMIHKwQLcWih7A5lcDMv+jPV1Xvd52g3EYx13epNTPHtHwi4sBlFi1VuDrwXgTAlnpvM6N5Ij0qNNK5NMcWHerbLyOaMzng1pOtRfYA5UKGG4KYQd49vh5Fw9mHsk9/lelT+iyTs4GhA=
+    identity_validation.reset_password.jwt.hmac.key: AgCOsW1JBwnAB7BEIkEwqTLNHX5N/HrqHoxz7axdr3ppES7BnPKGRak846aKHrUVEykAV470SCgdwomTh/KBVAvHtml9L8h+FBu24rDbqZjHnL/BVy+2SkukNoVq6A2vDQRI521HBZntQQljhG0XTFTMMyI7tUhhM/PwmzeyZpKsDPcw6EJAMk9ERxdYtM7iaYEIAAcn0N2NPI7+I/A7nMKYpx4oGr79tobQyM1aDQF2VFwlRq1vqCrkEzBtPUPa9SrfnFE2GrIJlIR3xh/h5SmXCaAjF0uZFjPBPMrHSU4XtZVqtmwIEXpXFqjf+M6N5LTA5rKEviHV5oSJ4sDbMC1GMzwYw8u1Z2gvi/sP87ncbtSbW6ereAXC/5i7/bkOiyBlwVbNV+YcY6RlHG6DzEO/4Fqx9ET6XJhms1TcNb8Cp/VA7NS79IYbtnnZozefHnZAKQa7k/SR8tUVcVET2LhW6/j4QhxhFsASbws/yaZkEKdQnDqCpDlMkXKWxAt/7wlu/URTKlYTtCV5tvhrDj14Hdvs2CtpbXsYuf9FEn6OkRjFFXtr2c8tlOgh63qLoDfgmc+NlfLmkOGEtfEi9KCt9UY4qBAh2bc0PkkKod5JhMoiBUCwc2H8WlXAeUj2v7UmB5fvaP+IbeNKGf6+v8adVW3m7tckFeARG71QHkv049EKVfNyIP+CvBhEFZwTMNtzYGhr280zpEuvKowVXYlLp9pSBA/3vEIFcsnNzQfg2eFzsETOVtHXd7KnPoRKk29fTXmgIKdMThaSgvs72LoGdiYpYPaVrRKgCeqCah697bsOo6q2gv/jAeofRkcoaUx3sMb8nZJ3fnijr5Z5DFq6PM2VyJy8PlgfoIKO/w1nkQ==
+    oidc.jwks.key: AgCuYKmdCv3LcmH8zpNAuS5oeHjf/cEmcAlGjRfv2CtfXmlYhcysDLeo2Cyn9kMUEPyRwxhQ/b9G6ZfkfuIh83v4j8PFBitoyaAmDNLmhn/tEjxUG4ddRZ+X1m+Skqs/QyGSt8w4iCBv2tzVV8v9mbbh0GSEk4Nz/tOi8oyUBF/RF0Pgan7JubQ9E7uT2c2rD+hVeWJx9dL6Vv6z/OdbNEjpDvlMNjpQBqMj7H0dMXSnMIxoQHXn2TduI/2qoc84qfNf8diGaG9DN/lrm4rebPwQZvwkidSKEGCCca8ICwXEN2b2q2TijiaVGJPtpd+R9n3BDa8SHi94ptwxuWwHEQBA5QlkK5TMUT8SGLzUIJK5Z/sX7QQcTxxSX2pySA+3eKveBIiHJeLjiuABkioo9uZMoWsp/piwZBQy5xB7yF2WIGz6cAg1Y098Khw8ZYrnYrJSHG35/Ai9270eiJOvdXDvOdiXEbxUhI6EGwypl1E18AevE3Pe6OcthEfwErbYdEevSNSfUNthC6gFh/PM8qCEi9ZpX1IrbDq/4lyPltKNbhev7OJuci2CF4kc/kMu9Swdih2p4UV/FOHk6z0hfpjxuqXBwdQYcNOZvyZgnGNjb0fqtrKN953A8Skb8+g1XeWzOVxRYGLi/M/oUaWiy2ksLgxlEhKgSzlQ2al0qMBTdr+I+W3bm1HjITocnEFHR54x7+i6V9LydtWXqy08xH1p4LXi56+PtoUQ6901nE8vyofVcuoV1tqqrnVv+L7XHqsM2qGgdvsYlYBttt3zBy/JbOTcUhVe0KIjRGtuAF2MPJWSxcyFc0crfC7dYmKllV3sKO+MowyDjDQ7OQ3MxgPufLKMRJUAB1XsX5BUE5HyQketKHE5hYWzLR+PmQPShq6wc/Er36jPBLkGUsNVJhUdPewbEzZEcqeBdDsncXUwZjcjAlclWpM1VYxT71BLBT0SUL6YyoeesW0RZ+LG/reD9klfYQM5vfhXTDax5crOcp5BIo8T7mJEYIFBvUU0ruAi3Ur7GqgSCCE8AAcILTeqex22KP6JcFUB7nzFsn3PlUv1lJ+TJutmUe3aGXjVMQGD2B3s5cMHCcqMD302gj39gLVsCV4gQo2hb+UeZcfz7X2ltJ0H6ch/CHeLZbBQoCreVVDWBcoMl4tncdbrkdFK0Bo1tCjY+MScsYATswn4/fbEIKALBVO4gS/WI4NcbGl6HXyNnJvbYv+6l48EHcTHtMqER1hur7Wkso3YpC5zHx7RVfnuCTXP9kWPcCCr1VMj4Uth86LB5xi4FIs3X8DvoyOTVgUyu4T9tedldhMurOh8qt/kqxdxjKkREFk80sH2kb61xPypY/779hLXG9PeDHLFyETYgdHiJWSv8UhizVVOBErjKUljWZ2y5zZam8DNKI6QRislPE++pYsqQw2Pe0iyjjcSWMAriCVJW1klkgmOkEoweFjD98CIUWJUcJx/as1YOIc+QqtVRKH/1AA/CuPrPJWfPXzGBfNFXveQB/G9lvJ4MNfVLNdAz5kUv6bGnGaAyR2LFTl/ficNZv8IFBQvHi91CLe0PjMoq32SO/wCJMX9f7yESWgFnCWS/HfuzWJR+f30hbsM/JbE8hXQQ8/VPgzgRkaKPz3XW9j4w6Wb2mBX3GAYtRtGUKfWsOJWIOjKDlqd73HiIM31MUsiDMgo4DdSV9ocEuH+Y8EiAgtK8P1nSUp2Y6wRVZ5dMz471GC/qAtZS2eYEYzbe57sX2i+pjmA790O28fZauEipPs4d8tbUyef+wPD+aJLyYLRX+R19IU5y+Hk7VdFoi/o+5roDyqAESYfOKhY2dRV6MjLvgbb0g4spJBPefFppKxEW46pi/zMniqUmel+czm704i9/Hr8LrZHUwHQqPN+iLqLTvQQo9Uj0xNzeM+fF4BG+QpYPPl8hNlRFcz/H486i7z1qIRjDvCHko5nQx6nMjJgY3DVyCV6w92NvWKsuWtJ5S+LyCe3Mt2z3R+l7JVntf0xPcAaUjruEnPC9jkpiD7GtZJaeqqm9X6NwanPrTD9KRw3czDyN00H51tmqut/St0O9ThpCNDDO06TrtvWIGmbO3zuBLawOnYniISNhpwpCO1jfV5J8zg8iv57LclG1O7LcwqAbLg6fdYNRnViIn3FRmwrIunSjcL+KbQP6sPQRHqiRxUbO0jp8v48wfzrxc1V4hzvrzlMQzIFRwqGKRjRaHzsBVjln1Ec8Bbg3bvVVCr60rVNVQEy40ldTz22nNjecAUp88v5DXqslHgwD1jEA7rDAmjAIpdN0fVOZBHKxalXVzq/cYssuAMg8NgJXCoLvi+mZj+iR8LsV4OtrSd8nJSCADrVrLJwccHjRo0GnPBD3jJFchy77gPN+8OnzRXPVVuuMSOjrxfAfrjwCUkj3KybOH3MMLu5NUFz27DcpLRxBqACQOtSOshkuuJuk1FXIexssFMZvO2StYecv5R880WX0LqZwKNTJRqQOXTGaV1VWNEexSu4iegOtaX0UZQNyDyHygNU9JXsve4u/2Sd6VyTy/i69XouFCY21DE/fonqBGuIen+TqxshpPJGy3HZJ7Y044rFCcWyTjzz8XH5s836CUWmwri+DsGeT/L/E3C+zR17ImU1Na4IA8f11ThR5aaomfTEwbNseFr8L51dJrgQl/QgRJrViHwowLDVClCbhszVKFg7i0ERRjSNNxZ9tUluOyCHSeg4wP1DOERumYwj5oV9I0isAOpG5cCDUDMrrZP831YmeUgJsH5aciRZmho9/p+Q0R+s7v0PA2HKtRNOfIm1VWSL7y185LKvYO6DPfZNDnOFobwg9ANP7H7kdE1GOlsnEQYWTFlc8wtRLfENNCHlBUwrIGJUoNPlSHVG3PXGz4vah6wwJD/QBH+9TKtLvdV1+2T4+cdCIn08MbdlHDKvWLraMtmSOTJKNJxtXOuXfdAuGYIoqyc1Em7nbV/Oo4de/n1zWkrwZPeTx7d9D1Io/ana8+2LlJEjrIltr4IzdnuCtImbANCDA45VFmlq87s+2lYdbKDvDMNUviw//s80G3qTT3VpGFnnyEF6TsJzpTJ7PrpE1A0PMufNbg8kJTMBifBU+XzoBDTqBwPzim4VqwazuScOqzwZDTgLdQhGzeo1bKIJKHrLOEgZm1KCp+tjPPhnhK0zIGUjqB+UL2+3IvHDmVr9ly7buGub+kuyBiXnoIr4B6bwa7cpFgNU9zmTng+hFlTDgfSLBlz+69knYDlEpgE6BsVfTcXFpfVgS/eRHH04OrYB0t7kwUD0Ku+Ljpn6nd/x7/gcDOGaiQH7TpW1qKTF8E5+sfbn7f8j6fGYRT7dDQ0n4ljZ8qAYsPw3k+hY1MBIiNqAfQKpwTc88yB6EmB7Ul1N28tsLTuEGCCHtXvhTaQLTFzTVoKdtn5B8eNJDqOdBc5+g0qPgp1W8cVESH9nc80pcGo382GND/QllOEmmaKEasYEzPeMJAcPM4UxMuXF7SnadQweoCTIPXuQyZW+eKlMW4RlC5DHQ1m4NymrN6GFptQtTiG5v182BR2ibp4NogkEyZhHeMCtGXZV6QgGbnoJ24ii0vY4iO/08YgXOxDLcH83vvdiya/WxO/75rRVH052z0doEC4jLUleLEs398o59LBEolHSyPYOemzHLOkSB7w6acxiuujb9nujMuE2im5httFXKhq0cu6ytxlVKtKbVwB1y5lZigpTAh9FZXki8OBNIEa1FwtrYsoLz4hJP2CyRqUrHCY9WmCDTOUFTq7NrltBL2+wFvbPAtJbrzM0ALJYNaOb7J5N8R8sP3voXaL5DEEFoS57+xSvtx+lIOCNweJqzzZMoxZ2p9JL6qaJxG+EJIGTeHhWMxX9UJTJJACgB2W/cZyCaD43E5XIxSC6czgdOgwii27fFAJKJabmj+FsSwYBMiyHiFE=
+    session.encryption.key: AgB6LuT3btnwlDtP19iS6TAA6hz5t2gtXn93/sKI+ANzRvDtAUEJf934pWS0xhWu8Zfqwe5YuPy6Hb7CYG1Xk76Z3IFAEKcENcAA4Ngl6f80yBPgaL+6pzkeHyouYhpuRFenPoCcoa60OuusnDBUvBO0v6Mtqd39nACDJwdrJH0VzoLiWlMPzNsqJSkX+qNumrFlahqEtpswgoQBFtgljfMh8jCfAiqtwwe4Gx77B3GHNDuRQ7tSKhq5pSPUfDE9i/a1fb5yd1z8mlDkbivb0/yhvBsUi7stV9TE7HpBcsxtd6vSzt+MgXsflFfHZ9HU7oVVS0PuDzeDEXac9r2XDA96eUdhz/9NF3d9BvBMZqsi4YlF9tvsODNR7BofF5axxuRb2sptVwM5HuexXhG6S2PPpjLWi0BnY2P4Y12rXUhtYTisKgk7J1H5kZ1XYdjySFIQpMnWvdQD4TDmvqCi2YbnDts5labuFPQmgdrguRbqb1W94Pwg3SOuhJdsNJkfvXFBOOPf2eJBdGsrv4hOFiWt87pNh5Idzi9DAsV9CHZyLwxchwSpNre3yb1TnrTUE9xuQexY/xviAKAc1XjLsKyapryyAtv1AF6UnZMECDyElyenWblPBlWyOYTAWk8yiYl11C/2cipP6+pv8/XpbHKaQKGVQLIQdixXVGKRZwChTo5b3wliSJD2FXiC7ZkWfjOHlgXa+1DNYEoAlUfIU+IMdTP+x82QIjeYRH5wmhujd0JrYu4AygU1Zg==
+    storage.encryption.key: AgBOR7VfqNstwSBQ3pZIuHUo6m6bcbqTRluZ+G52d2djiyYm2E6FEfzeNrVgPSyw/9CuWXnzzQRyyGVvwP9FwtF6wWqNByhtY4sHd4xoHLEv3L4ZNRvNCf/iCGw0yI46k7nGifvIGw7BNWMkzGVOY+926aa9CAahxh27nQf0dztuFM3DPX4ASKpJ7c3IRGbMi0x0gPTU+Z1/3JLlhn+WvM95UpbPq75LHSzo4A2YfdluZEOpvvo8M5NnPgvHIvRC3tjZuXsDJwRQhqLVa8oFdrjJ7DvMonScKyv4IF/fttd4K0h+g/WZqCRix1dw/7LburKVicYBLl4IQJDIDORKXIUqU1M7i28UVF6DBe/r6jBTGDJcqv9Zor5hoQHuswyC0p+2+sm0EGUvGJLGJ4aqq5UBSsZyD98vMwGT3H3sofIqESHJo4O6rOSo+NFag2P/E1Ij2PFN2+wJTMRJ467CPnzEC85/mm3Tii+NRRb4CKEuxh+zfmVB/Bpny+7zjL7atS3BFR95PbI1jM5yI4uu1uHaVJaXjI3nQKYKjYetS3POOdxae5YRs8CywtZWkv+wUnlbPlzB7XRObQ2yzwNj8tZL8/846TykafDsvPB51B4wAnY8w1LaxNYBTZHQGco/rO7fUNEbuwPyDcbDtUaNxbUD7Yfu1pUY2fay0YtTLDlm1FEZePm9LLKQVj2K703Hu4YA2F/wKhcWKfjtijaC6z8KTaPQiVpjhA==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: authelia-internal
+      namespace: authelia
+    type: Opaque

infrastructure/authelia/authelia-smtp.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: authelia
 spec:
   encryptedData:
-    smtp.yml: AgAHiNwse+aFYVoun500VoUTUKg22yDSn+cD9pLO4HKG26nqmOxkiTSi5BELpzWouqHXiHNwYLEKPv13ZFJX6AFfFskspBfe+svLvLSzEvtH8kNCSJar0G5jcACEk27xcCxTN0nhmjc6L9lmZF8UUth7l5Mrsl0EG+79pCNYhUtjy16g7HdbmYgmgrY6d7VWCen2R4HZK4A9zPx+8HEsoMzUD0mG+uKKKfmqYaxJ563Gzp7trDcQRXd4tmea9MM8t+bk9TYCDvBj9JbsNuIdzFk8MArlvlesDYqiJj/8wny49NoVyX8vvGVDF3Y5s+OmKA9+MoBIYNc4oT4FLcc14wpnMnk5WgbKtTYfExcGTdTWuTTVWPsF18dvbKTU3C6dnf2kh9T8CydIdu27jwrBbChWffxNbh5nlLlQT3Xvogai8o6qhMn+EqTnw/u93OIxNzPEooVP349VVW/mlhGX3od/IlVzXiIlQIxL5EP2pRCXL2T1KONvkpbClJ/BTuwfjRZTXz3ZaRhaTPdBAZ+bpkRkt+kEAecjqaf9EF+pHy+dOaR4tIrwBWBbrAy47iV4e/Q60B97bRHzgo9N1uaYonGmyzmyVc9TXIkhf7PIlu/cSyDaHKdobVx0AA0p2usi5D1QYMcS9fngXyM1U9imO6QiYopysxQ9gJL8rfuySRJ/YQ6JJ71fLdMxsiQ0r21D7v7LEdJK5SKLovpnmPgk4PBoL9E4ZPE6g5zRXZFj1IxpKkOqRMpyBzBvas9Q1OFFs0Y79kGtyWIXb7Z2HGYmMU1us9Pm95xVF/V34sAtMIEz7qi+SaXQHFvyqbaiJ48U8qHhHL5y+lt9e8PGmQo0tRWfHMejs5BCcFAEZKDiif6zUEsjV/WC9WKO9NUjvRiu0CYCq5z9QzKaZQqWo0LPeM6DMY8pT3w4OqpJ/OLyMfbdoWT/uQ1JW5npApGifL0lhWRIkQHCG7oZA/BkJfbiexV8jwtToS+UX/s9HkbkuQ/O4zDte8qg/Xzh5TOj5AxlAPN6wGCwd6t1RTSITSKVMnTpFabkEvPYnGeiyWU8TrckvaKmhRUNoj2ZWQCCffHKp/bimEHxRqFnW6B+cu35reTjFc2dqp12EhCBR727G0EARx3Gt/LSdPh8OYt+Bs0rLaHiUrCJh4HRBJPmg0PARVwDL7OWx6pwtclnrALmfELKKaopy6yFctDogOtkvxHbL8DNhJqNuQJo6ttzlHhz4bnQcWb2K92HIw==
+    smtp.yml: AgCfZqHvV3N/S7C3BCeBZv5erYNnbc3yuhYswXBxJUmvfWt/oyEi0VM9830cV740zF532ZteMaEC47Yer1dm1zwBb8degsSPOnivTU3HVN1MQKMxB0T9roN7ytXnS48dIVLlZAy5/7AqU/+F081zJeGW/8lsQKJ7QVa3zG7BDGJmaExxttrB5ZsSiVmFldSQap1FNIcPFU1O4N1w59r29IsUNbOVpnb4NqONBBh7Lt/RoUwYVmdMT8OxOAtgovft1z+KuZN2ZnvBlm3EgY70wAWTs/tSmZLWuDGa8yo0M6LPIjO9zlc+l1YuI25AqGHDuhGU+H+gQWZhtIglwKHtU8oUuDchWxQpb4tJSokpyegkWrpty8vBEEGK9CtLk13EmPUHTPicv9XYgwxvROeXB7+6/gQC8Yc/PzjjZwSrNo8SC/rF4VJY9jXMJ2nS7UkubcfdOY/bKhu1jZENrav7Zd/z5hiy2stg2LFJ2rnzIrSKeYWN3ygR24KRGh/7Bpwz6LhCkPdrfJJyymA+Azwq06CoyyPTLkYRMpTdkzx8zLNCvfQfmEKYRxRcXVBDfSr/Wn/9QNmCAG/rp1Ep23xRYegQRTUyGD2JVVSjE0WcMRRnqb70IYfEPk4w5TS14RcO2/59Lvs+1mF8g9JfLhrxOjLDAvnSKjN5KZ3PgLdpqbkcVjUb0Hs18SAilmZhs5cQtNR++LqYePIe1r7R3V9IPIvPudCs7/2BrLLpuREhTdQIiA3catZ6kLZgHuh/KswFEDAcZ1NisSNvZZLAKTHupIe7XjBp+0zGHLZ7hgbA/Ojf4e6M4RLjqR41Uix+stkKuwWwdoXs/YAf2GUl6+4fb/8iPVUwPA7XHf92ALxv5neNEDlo4awXvuBQG8XdmaCqkYXBe1GE+vgmzfQhr1gjcO1VxvpsAJXT9/Ak1whQbs8kLfwxDfGp3CYQxx+eaxxm4Q2xumeQYXHFyhNZ5d5XOpmlx9EovRwM/uGoZdslykZ27ZbKRMYcqwhJ16CS/y5ptMcEbB1RkqodM55UCslR/fo+9aJejX0x8V91U2bm8eFrDFhFJsM6Z6oClxOXeAbSoE8m4KclRWTtF4+CIXq+qszdWzwqrHBWvKAtVwGo3L08Sxw24ajT9Rw1Ay2kvb4xO2SVzIRhHdzIFpF6iSiDqBJsSH7SL0kP1C07j3vl95qZBp01BW8BUnVxFyqOVMvVnXMaNQZdFrsq4MVEsxDftgciF9oE8rVv4Q==
   template:
     metadata:
       creationTimestamp: null

infrastructure/authelia/authelia.values.yaml

@@ -1,4 +1,3 @@
-
 ingress:
   enabled: false
 
@@ -6,44 +5,58 @@ ingress:
 pod:
   kind: 'Deployment'
   replicas: 1
-  extraVolumes:
-    - name: config-ldap
-      secret:
-        secretName: authelia-ldap
-    - name: config-oidc
-      secret:
-        secretName: authelia-oidc
-    - name: config-smtp
-      secret:
-        secretName: authelia-smtp
 
-  extraVolumeMounts:
-    - name: config-ldap
-      mountPath: /extra-config/ldap.yml
-      readOnly: true
-    - name: config-oidc
-      mountPath: /extra-config/oidc.yml
-      readOnly: true
-    - name: config-smtp
-      mountPath: /extra-config/smtp.yml
-      readOnly: true
 
 
 ##
 ## Authelia Config Map Generator
 ##
 configMap:
-
-  # Enable the configMap source for the Authelia config.
-  # If this is false you need to provide a volumeMount via PV/PVC or other means that mounts to /config.
-  disabled: false
   key: 'configuration.yml'
-  # do not use a pre-existing configMap
+  # include sub-maps wich OVERRIDE the values generated by the helm chart
-  # BUT, include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
-    - /extra-config/ldap.yml
+    - /secrets/authelia-smtp/smtp.yml
-    - /extra-config/oidc.yml
+
-    - /extra-config/smtp.yml
+
+  # many of the values remain default from the helm chart
+  authentication_backend:
+    ldap:
+      enabled: true
+      implementation: 'custom'
+      address: 'ldap://lldap:3890'
+      base_dn: 'DC=moll,DC=re'
+      additional_users_dn: 'OU=people'
+      users_filter: "(&({username_attribute}={input})(objectClass=person))"
+      additional_groups_dn: 'OU=groups'
+      groups_filter: "(member={dn})"
+
+      ## The username of the admin user.
+      user: 'uid=authelia,ou=people,dc=moll,dc=re'
+      password:
+        # ## Disables this secret and leaves configuring it entirely up to you.
+        # disabled: false
+
+        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
+        # ## secret_value option below.
+        # secret_name: ~
+
+        # ## The value of a generated secret when using the ~ secret_name.
+        # value: ''
+
+        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
+        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
+        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
+        path: 'authentication.ldap.password.txt'
+        secret_name: authelia-ldap
+
+      attributes:
+        display_name: displayName
+        username: uid
+        group_name: cn
+        mail: mail
+    file:
+      enabled: false
+
 
   session:
     inactivity: '2d'
@@ -52,37 +65,164 @@ configMap:
     cookies:
       - name: authelia_session
         domain: auth.kluster.moll.re
+    encryption_key:
+      secret_name: authelia-internal
+
+
   storage:
     encryption_key:
-      value: 'authelia-encryption-key'
+      secret_name: authelia-internal
+
     local:
       enabled: true
       file: /config/db.sqlite3
 
 
-##
+  # notifier:
-## Authelia Secret Configuration.
+  # notifier is configured via the smtp secret and merged by authelia upon startup
-##
-secret:
-
-  disabled: false
-
-  existingSecret: ''
 
 
-certificates:
+  identity_validation:
-  # don't use the pre-existing secret
+    reset_password:
-  existingSecret: ''
+      secret:
+        secret_name: authelia-internal
+        path: 'identity_validation.reset_password.jwt.hmac.key'
+
+
+  identity_providers:
+    oidc:
+      enabled: true
+      hmac_secret:
+        secret_name: authelia-internal
+        path: 'identity_providers.oidc.hmac.key'
+
+      # lifespans:
+      #   access_token: '1 hour'
+      #   authorize_code: '1 minute'
+      #   id_token: '1 hour'
+      #   refresh_token: '1 hour and 30 minutes'
+
+      jwks:
+        - algorithm: 'RS256'
+          key:
+            path: '/secrets/authelia-internal/oidc.jwks.key'
+
+      cors:
+        allowed_origins_from_client_redirect_uris: true
+      
+      clients:
+        - client_id: 'grafana'
+          client_name: 'Grafana'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.grafana'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://grafana.kluster.moll.re/login/generic_oauth'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'groups'
+            - 'email'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'recipes'
+          client_name: 'Recipes'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.recipes'
+          public: false
+          authorization_policy: 'one_factor'
+          require_pkce: true
+          pkce_challenge_method: 'S256'
+          redirect_uris:
+            - 'https://recipes.kluster.moll.re/login'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'gitea'
+          client_name: 'Gitea'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.gitea'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
+          scopes:
+            - 'openid'
+            - 'email'
+            - 'profile'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'argocd'
+          client_name: 'Argo CD'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.argocd'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://argocd.kluster.moll.re/auth/callback'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+        - client_id: 'paperless'
+          client_name: 'Paperless'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.paperless'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
+          scopes:
+            - 'openid'
+            - 'profile'
+            - 'email'
+            - 'groups'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_basic'
+          consent_mode: 'implicit'
+        - client_id: 'linkding'
+          client_name: 'LinkDing'
+          client_secret:
+            path: '/secrets/authelia-oidc/client.linkding'
+          public: false
+          authorization_policy: 'one_factor'
+          redirect_uris:
+            - 'https://linkding.kluster.moll.re/oidc/callback/'
+          scopes:
+            - 'openid'
+            - 'groups'
+            - 'email'
+            - 'profile'
+          userinfo_signed_response_alg: 'none'
+          token_endpoint_auth_method: 'client_secret_post'
+          consent_mode: 'implicit'
+
 
-##
-## Authelia Persistence Configuration.
-##
-## Useful in scenarios where you need persistent storage.
-## Auth Provider Use Case: file; we recommend you use the ldap provider instead.
-## Storage Provider Use Case: local; we recommend you use the mysql/mariadb or postgres provider instead.
-## Configuration Use Case: when you want to manually configure the configuration entirely (set configMap.enabled = false).
-##
 persistence:
   enabled: true
   storageClass: 'nfs-client'
 
+
+secret:
+  mountPath: '/secrets'
+  additionalSecrets:
+    # the oidc client secrets referenced in the oidc config
+    authelia-oidc: {}
+    authelia-internal: {}
+    authelia-ldap: {}
+    authelia-smtp: {}

infrastructure/authelia/kustomization.yaml

@@ -14,6 +14,7 @@ resources:
   - authelia-ldap.sealedsecret.yaml
   - authelia-oidc.sealedsecret.yaml
   - authelia-smtp.sealedsecret.yaml
+  - authelia-internal.sealedsecret.yaml
   - ingress.yaml
 
 
@@ -26,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.9
+    version: 0.9.13
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml