Authentik Helm Values Use Secrets Instead of Clear Text Passwords

[ssyounger]

I am trying to deploy Authentik via a helm chart but I can't find any documentation on how to replace password string fields within the values file and use an existing secret such as a sealed-secret. This is a security product, I can't imagine this is not possible today. Can anyone please point me in the right direction or show me an example?

Here is a values example section:

  email:
    # -- SMTP Server emails are sent from, fully optional
    host: ""
    # -- SMTP server port
    port: 587
    # -- SMTP credentials, when left empty, no authentication will be done
    username: ""
    # -- SMTP credentials, when left empty, no authentication will be done
    **password: ""             <----- PASSWORD IN CLEAR TEXT**
    # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
    use_tls: false
    # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
    use_ssl: false
    # -- Connection timeout
    timeout: 30
    # -- Email from address, can either be in the format "foo@bar.baz" or "authentik <foo@bar.baz>"
    from: ""

Within the global section I can see a place to put a secret but I don't know how to fill out the password section for example on the SMTP email to use that secret.

  # -- Environment variables to pass to all deployed Deployments. Does not apply to GeoIP
  # See configuration options at https://goauthentik.io/docs/installation/configuration/
  # @default -- `[]` (See [values.yaml])
  env: []
    # - name: AUTHENTIK_VAR_NAME
    #   value: VALUE
    # - name: AUTHENTIK_VAR_OTHER
    #   valueFrom:
    #     secretKeyRef:
    #       name: secret-name
    #       key: secret-key
    # - name: AUTHENTIK_VAR_ANOTHER
    #   valueFrom:
    #     configMapKeyRef:
    #       name: config-map-name
    #       key: config-map-key

Thanks in advance!

[adamhurm]

Hey @ssyounger!

I ran into this same thing when incorporating the helm chart. When I tried the Advanced values examples from the helm chart README, the containers were getting literal "file:///authentik-creds/password" instead of the password even though the secrets volume was mounted correctly and readable.

What ended working for me is creating a kubernetes secret called authentik-creds which is controlled by an external secrets operator. I generated secure values for the following fields:

password: ""
postgres-password: ""
replication-password: ""
secret_key: ""

I chose the field names to match the default values.yaml from the bitnami chart because the chart passes postgresql.auth through. Then I referenced the same secret in environmental variables for server and worker using the variable names from the authentik docs.

postgresql:
  enabled: true
  auth:
    existingSecret: authentik-creds

redis:
  enabled: true

server:
  env:
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-creds
          key: password
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik-creds
          key: secret_key
  ingress:
    enabled: true
    hosts:
      - authentik.domain.tld

worker:
  env:
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      valueFrom:
        secretKeyRef:
          name: authentik-creds
          key: password
    - name: AUTHENTIK_SECRET_KEY
      valueFrom:
        secretKeyRef:
          name: authentik-creds
          key: secret_key

---

Kind of a silly workaround, but the authentik object in the helm chart does not have direct secrets support. I like to avoid forking helm charts wherever possible so this works for me. Hope this works for your scenario!

[rissson]

there are about a million issues with the same question. for instance goauthentik/helm#337