Manual outpost env var AUTHENTIK_TOKEN not respecting secrets _FILE suffix

Question

Manual outpost env var AUTHENTIK_TOKEN not respecting secrets _FILE suffix

rarobert opened this issue 15 days ago · 1 comments

Describe the bug
When using Docker secrets _FILE mechanism with Docker compose, AUTHENTIK_TOKEN is not respecting the value in the container.

To Reproduce

Create a docker-compose.yml

# Modified from:
# https://docs.goauthentik.io/docs/installation/docker-compose
# https://docs.goauthentik.io/docs/outposts/manual-deploy-docker-compose
services:
  postgresql:
    image: docker.io/library/postgres:16-alpine
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    volumes:
      - database:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
      POSTGRES_USER: ${PG_USER:-authentik}
      POSTGRES_DB: ${PG_DB:-authentik}

  redis:
    image: docker.io/library/redis:alpine
    command: --save 60 1 --loglevel warning
    restart: unless-stopped
    healthcheck:
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    volumes:
      - redis:/data

  server:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    restart: unless-stopped
    command: server
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    volumes:
      - ./media:/media
      - ./custom-templates:/templates
    ports:
      - "${COMPOSE_PORT_HTTP:-9000}:9000"
      - "${COMPOSE_PORT_HTTPS:-9443}:9443"
    depends_on:
      - postgresql
      - redis

  worker:
    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.4.2}
    restart: unless-stopped
    command: worker
    environment:
      AUTHENTIK_REDIS__HOST: redis
      AUTHENTIK_POSTGRESQL__HOST: postgresql
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    user: root
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./media:/media
      - ./certs:/certs
      - ./custom-templates:/templates
    env_file:
      - .env
    depends_on:
      - postgresql
      - redis

  authentik_ldap:
    image: ghcr.io/goauthentik/ldap
    ports:
      - 389:3389
      - 636:6636
    environment:
      AUTHENTIK_HOST: https://your-authentik.tld
      AUTHENTIK_INSECURE: 'true'
      AUTHENTIK_TOKEN_FILE: /run/secrets/AUTHENTIK_TOKEN
    secrets:
      - AUTHENTIK_TOKEN

secrets:
  AUTHENTIK_TOKEN:
    file: /mnt/user/secrets/authentik/AUTHENTIK_TOKEN # Contains: token-generated-by-authentik

volumes:
  database:
    driver: local
  redis:
    driver: local

Create the stack from the docker-compose.yml
The ldap outpost reports env AUTHENTIK_TOKEN not set!

DBG event=Loaded config path=inbuilt-default timestamp=2024-06-11T08:30:32Z
DBG event=Loaded config from environment timestamp=2024-06-11T08:30:32Z
env AUTHENTIK_TOKEN not set!
authentik ldap
Required environment variables:
INF event=not enabling debug server, set `AUTHENTIK_DEBUG` to `true` to enable it. logger=authentik.go_debugger timestamp=2024-06-11T08:30:32Z
- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
- AUTHENTIK_TOKEN: Token to authenticate with
- AUTHENTIK_INSECURE: Skip SSL Certificate verification

Expected behavior
The value from the /mnt/user/secrets/authentik/AUTHENTIK_TOKEN file on the host is stored in the ldap outpost containers /run/secrets/AUTHENTIK_TOKEN file and loaded into the AUTHENTIK_TOKEN environment variable.

Version and Deployment (please complete the following information):

authentik version: latest
authentik worker: latest
authentik outpost: latest
Deployment: docker-compose

Additional context
I have other containers in the stack on this host using the same mechanism to load secrets from the host into containers, all of them are working fine.

When I duplicate this specific container, modify the environment variable to remove the _FILE suffix and assign the token value, the ldap outpost boots successfully.

I've also tried using:

*_FILE
*__FILE
FILE_*
FILE__*

Answer 1 · 2024-06-16T22:21:18.000Z

Set AUTHENTIK_TOKEN to file:///run/secrets/AUTHENTIK_TOKEN