New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support using environment variables in configuration #920
Comments
We're actively discussing this. There are a few factors which affect this.. we're looking towards a management UI which would introduce in database configuration. Additionally we are about to deprecate our current use of env variables to replace values in config. I think though based on your description it sounds like you want to add it so you can replace the contents of the YAML prior to reading it into a struct? I think we'd consider this (I can't speak for @clems4ever or @nightah so lets wait for them to comment) provided it had a CLI argument associated with it. I think a good design is to have an argument like --templates="/var/folder/file1.yaml,/var/folder/file2.yaml" - an array of files to replace using the template package prior to reading configuration. We could theoretically utilize this with a database preload in the future with little to no adjustment. Alternatively maybe --templates=/var/folder --templates-out=/var/folder2. Where --templates is a directory of *.tpl files, and --templates-out is the same file names with tpl removed (defaulting to either the /etc/authelia/ dir, or the same folder as the templates? |
If there were CLI arguments as an options, I would just use When parsing the YAML file to convert it into a configuration struct, for each option, if the option is in the format Looking at: reader.go, after this, my implementation for a PR would be: loop through all properties of the config struct (they're all public), if any For docker-compose/docker this would work fine with the |
Hello @J7mbo , there is no reservation on community PRs, they are actually very welcome and you did the right thing by coming and discuss the design first. I'd be interested to know the use case first though. That's important to decide whether we would accept that change because as mentioned by @james-d-elliott , this change can conflict with the migration of the configuration values in database if we decide to do so eventually. It's still under discussion because I'm wondering if doing so wouldn't make setup automation harder. Also please note that with viper, setting those config variables with env vars would be trivial if spf13/viper#761 was resolved. That would be the proper solution in order to delegate the config-specific complexity to the library instead of Authelia. In the meantime and for the reasons mentioned above, I'd like to hear more about the actual use case. Can you elaborate on your situation right now? |
@clems4ever Sure, happy to discuss the use-case. As a user, I don't want to hardcode my domain, password or other configuration options such as the port, sensitive or otherwise, in All my environment variables are stored in a Perhaps irrelevant, but other tools that work well alongside authelia such as traefik allow the passing in of configuration options on the command line, which by proxy enables environment variables to be used and it's a popular feature for 100% setup automation which is my goal. OpenLDAP has this feature. Elasticsearch and Kibana too. Seems to be quite common to allow for dynamic setups. Configuration values in a database (with the UI?) sounds great. I haven't looked at the PR and discussion for it, how having this addition would conflict with it? If configuration values were specified in a database, they will be used, with environment variables taking precedence if present, or the other way around. |
For reference: |
The main question here is - can a user set up and deploy their project with authelia, with their desired configuration, fully automatically in a script? At that time I could not. Bit of an old one now - May 2020, almost a whole year ago. Is there still interest here? |
I for one would definitely be interested in such an addition to the configuration options. |
I am working on a PR at present that supports this. Basically it's finished and just needs some tweaking and peer review. |
@RoboMagus @jlcummings @J7mbo @SeraphimSerapis @noizwaves @martinl88 @tomachristian @josephcomisi @mlavi @snesbittsea @Chuckame @dartunian @m1kl This is implemented in 4.30.0. The two things that don't currently work with it are I will aim to spend some time on getting that working in a couple weeks. |
@james-d-elliott Could you give an update on the possible progress you've made regarding |
Oops I forgot to report back here. So I did a lot of work trying to get this to work, it seems quite difficult to do right. The issue is order, we either need to introduce a priority field or something similar. I plan to do some more work on configuration after getting a few major things done, I'll add this to my list of things to attempt to resolve. The workaround to this would be to have a separate file that's meant to be used with envsubst or similar to configure it for just ACL's. |
Well in the meantime I ended up doing the following as a workaround, where in the Dockerfile I copy the initial configuration/user files, replace the placeholders and specify that the new config should be used instead.
authelia:
build:
context: docker/authelia
dockerfile: Dockerfile
args:
AUTHELIA_VERSION: ${AUTHELIA_VERSION}
APP_DOMAIN: ${APP_DOMAIN}
USER_NAME: ${AUTHELIA_ADMIN_NAME}
USER_EMAIL: ${AUTHELIA_ADMIN_EMAIL}
USER_DISPLAY_NAME: ${AUTHELIA_ADMIN_DISPLAY_NAME}
USER_PASSWORD_HASH: ${AUTHELIA_ADMIN_PASSWORD_HASH}
container_name: authelia Note:
ARG AUTHELIA_VERSION
FROM authelia/authelia:${AUTHELIA_VERSION}
ARG APP_DOMAIN
ARG USER_NAME
ARG USER_DISPLAY_NAME
ARG USER_PASSWORD_HASH
ARG USER_EMAIL
COPY ./config/configuration.yml /config/configuration.yml
COPY ./config/users.yml /config/users.yml
RUN sed "s:\$APP_DOMAIN:${APP_DOMAIN}:g" /config/configuration.yml > /app/configuration.yml
RUN sed -e "s:\$USER_NAME:${USER_NAME}:g" -e "s:\$USER_DISPLAY_NAME:${USER_DISPLAY_NAME}:g" -e "s:\$USER_PASSWORD_HASH:${USER_PASSWORD_HASH}:g" -e "s:\$USER_EMAIL:${USER_EMAIL}:g" /config/users.yml > /app/users.yml
ENTRYPOINT ["/app/entrypoint.sh"]
CMD ["--config", "/app/configuration.yml"]
...
authentication_backend:
file:
path: /app/users.yml
access_control:
default_policy: deny
rules:
- domain:
- "*.$APP_DOMAIN"
policy: two_factor
...
users:
$USER_NAME:
displayname: $USER_DISPLAY_NAME
password: $USER_PASSWORD_HASH
email: $USER_EMAIL
groups:
- admins |
It would be amazing if the configuration could handle a |
The configuration does not require hard coding of these values at all. They can be configured via secrets or via environment variables both of which can be utilized in docker-compose and .env. We're unlikely to implement configuration via .env especially without a compelling reason / use case, especially when it's likely to be complex to implement well. |
how about setting up secrets that are nested under an array-like structure? Eg. identity_providers:
oidc:
jwks:
- key:
clients:
- client_id: |
If it's an array, then it can only be done via the templating system. |
So I guess something like this? services:
authelia:
image: docker.io/authelia/authelia:latest
volumes:
- my_private_key_file:my_private_key_file
environment:
- X_AUTHELIA_CONFIG_FILTERS=expand-env,template
- CLIENT_SECRET_ID=mysecretid and then editing identity_providers:
oidc:
jwks:
- key: |
{{- fileContent '/my_private_key_file' | nindent 8 }}
clients:
- client_id: '{{ env "CLIENT_SECRET_ID" }}' |
Not |
Heya I looked at the linked resources but still can't make the templating work - can I pass env variables or do I need to use secrets?
services:
authelia:
image: docker.io/authelia/authelia:latest
environment:
- X_AUTHELIA_CONFIG_FILTERS=template
- MY_DOMAIN=website.com and session:
cookies:
- domain: '{{ env "MY_DOMAIN" }}'
authelia_url: 'https://auth.{{ env "MY_DOMAIN" }}'
default_redirection_url: 'https://www.{{ env "MY_DOMAIN" }}' If I run ---
##
## Authelia rendered configuration file (file filters).
##
## Filters: template
##
---
##
## File Source Path: /config/configuration.yml
##
session:
cookies:
- domain: ''
authelia_url: 'https://auth.'
default_redirection_url: 'https://www.' |
Seems like you may want to open a discussion to troubleshoot this, seems to work for me: services:
authelia:
image: docker.io/authelia/authelia:4.38.7
environment:
- X_AUTHELIA_CONFIG_FILTERS=template
- MY_DOMAIN=website.com
volumes:
- ./configuration.yml:/config/configuration.yml session:
cookies:
- domain: '{{ env "MY_DOMAIN" }}'
authelia_url: 'https://auth.{{ env "MY_DOMAIN" }}'
default_redirection_url: 'https://www.{{ env "MY_DOMAIN" }}' $ docker compose run authelia authelia config template
---
##
## Authelia rendered configuration file (file filters).
##
## Filters: template
##
---
##
## File Source Path: /config/configuration.yml
##
session:
cookies:
- domain: 'website.com'
authelia_url: 'https://auth.website.com'
default_redirection_url: 'https://www.website.com' |
done, thanks! #7059 |
Hi. #569 led me to creating a new task to discuss this.
Authelia's use of a configuration file currently requires all configuration to be hardcoded. Examples can be the
domain
underaccess_control
, theuser
underauthentication_backend.ldap
etc.Are there any reservations for a PR using the
template
package or similar to utilise environment variables in authelia configuration? Preferably without any unnecessary prefixes or suffixes like terraform does (these require users to use extra scripts just to use vendor-specific environment variables).No complexity with defaults - if the environment variable exists then place it otherwise it's an empty string.
The text was updated successfully, but these errors were encountered: