Manual outpost env var AUTHENTIK_TOKEN not respecting secrets _FILE suffix
rarobert opened this issue · 1 comments
Describe the bug
When using Docker secrets _FILE mechanism with Docker compose, AUTHENTIK_TOKEN is not respecting the value in the container.
To Reproduce
- Create a
docker-compose.yml
# Modified from:
# https://docs.goauthentik.io/docs/installation/docker-compose
# https://docs.goauthentik.io/docs/outposts/manual-deploy-docker-compose
services:
postgresql:
image: docker.io/library/postgres:16-alpine
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
volumes:
- database:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${PG_PASS:?database password required}
POSTGRES_USER: ${PG_USER:-authentik}
POSTGRES_DB: ${PG_DB:-authentik}
redis:
image: docker.io/library/redis:alpine
command: --save 60 1 --loglevel warning
restart: unless-stopped
healthcheck:
test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
start_period: 20s
interval: 30s
retries: 5
timeout: 3s
volumes:
- redis:/data
server:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: server
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
volumes:
- ./media:/media
- ./custom-templates:/templates
ports:
- "${COMPOSE_PORT_HTTP:-9000}:9000"
- "${COMPOSE_PORT_HTTPS:-9443}:9443"
depends_on:
- postgresql
- redis
worker:
image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
restart: unless-stopped
command: worker
environment:
AUTHENTIK_REDIS__HOST: redis
AUTHENTIK_POSTGRESQL__HOST: postgresql
AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
# `user: root` and the docker socket volume are optional.
# See more for the docker socket integration here:
# https://goauthentik.io/docs/outposts/integrations/docker
# Removing `user: root` also prevents the worker from fixing the permissions
# on the mounted folders, so when removing this make sure the folders have the correct UID/GID
# (1000:1000 by default)
user: root
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./media:/media
- ./certs:/certs
- ./custom-templates:/templates
env_file:
- .env
depends_on:
- postgresql
- redis
authentik_ldap:
image: ghcr.io/goauthentik/ldap
ports:
- 389:3389
- 636:6636
environment:
AUTHENTIK_HOST: https://your-authentik.tld
AUTHENTIK_INSECURE: 'true'
AUTHENTIK_TOKEN_FILE: /run/secrets/AUTHENTIK_TOKEN
secrets:
- AUTHENTIK_TOKEN
secrets:
AUTHENTIK_TOKEN:
file: /mnt/user/secrets/authentik/AUTHENTIK_TOKEN # Contains: token-generated-by-authentik
volumes:
database:
driver: local
redis:
driver: local
- Create the stack from the
docker-compose.yml
- The ldap outpost reports
env AUTHENTIK_TOKEN not set!
DBG event=Loaded config path=inbuilt-default timestamp=2024-06-11T08:30:32Z
DBG event=Loaded config from environment timestamp=2024-06-11T08:30:32Z
env AUTHENTIK_TOKEN not set!
authentik ldap
Required environment variables:
INF event=not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it. logger=authentik.go_debugger timestamp=2024-06-11T08:30:32Z
- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
- AUTHENTIK_TOKEN: Token to authenticate with
- AUTHENTIK_INSECURE: Skip SSL Certificate verification
Expected behavior
The value from the /mnt/user/secrets/authentik/AUTHENTIK_TOKEN
file on the host is stored in the ldap outpost containers /run/secrets/AUTHENTIK_TOKEN
file and loaded into the AUTHENTIK_TOKEN
environment variable.
Version and Deployment (please complete the following information):
- authentik version: latest
- authentik worker: latest
- authentik outpost: latest
- Deployment: docker-compose
Additional context
I have other containers in the stack on this host using the same mechanism to load secrets from the host into containers, all of them are working fine.
When I duplicate this specific container, modify the environment variable to remove the _FILE suffix and assign the token value, the ldap outpost boots successfully.
I've also tried using:
*_FILE
*__FILE
FILE_*
FILE__*
Set AUTHENTIK_TOKEN
to file:///run/secrets/AUTHENTIK_TOKEN