feat(authelia): add "optional" secrets in config

2025-10-31 18:07:50 +00:00 · 2024-10-11 20:57:11 +02:00
parent 403d32b9ed
commit 0c19b80b75
4 changed files with 59 additions and 46 deletions
--- a/k8s/infra/auth/authelia/crypto.yaml
+++ b/k8s/infra/auth/authelia/crypto.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: crypto
+  namespace: authelia
+spec:
+  encryptedData:
+    identity_providers.oidc.hmac.key: AgBR9JVg0J+8aSQ/LJUfmpTm6X8VjYBPt3OxkTcjwjNdtLgFCC67kzM42qUw2wsPwGWXCZjH4OXRojdvlEgKoKdTarDR+JsssWp+VN+xfPWMyeVGK/puH8I76MZ2htb5dN6VbaugQbUtXBqTZn7XW0H8B0jz4DSMKnRmy+UoD6DrBfi6o49a9GKAcGGE3JYBIgqGuxIYlvfcw0L6FVCNt+vzIKZcSiTg8ciWijEkmvvkpSVS5g7KTQLX6I33u1CS+SX2f/CUDcCjFfniTf+Sws+eDEYhx1pcIunNO+SpcZUhUXb6d3pzqbX5U76VBPCTCiuDWuZSt3Gl8TouJ6huUzWUThoJdUQrlwhbRNiRSD4Nzr+s3JiqhHfUn0lMhsu7PzkF6sNZB3zvKmFN1y105sEGMWjHNRli/0gE069y+n4t2A9yUuJV8cc7CiGwYn8C5QlrksnmwfkDZKw49Ollk1McqJwzIQCbkH7FMOvF6byQQry29pD3X8TBz69b69Sl/rQgSgVwl3lxd3jzEh305dgjVkxf5rsKNl6Hz1xVp3NU+3PeC20w6twKUJbAeS3W1+W1Kgdia6lT5dnhAbklqtEtrvV/LzrlXhkQBzuVqdUMIWBouJHu7pUkG+9uJh+sJJV23WwMefFCFwvit7TfWKqGISZOfyhbYV5sPcLdTgH2lZYkgOejW21tHOlv2rzc45aXPkRxyK5WiXt69n9CiZs5FTt6LcN4xCxItWEfuq4YRHqbw6sMAjKPwbK/15zbn936rJw5ATxqdLRl7iKalWranuDh70lONuxaklYiRDv6mlaBL6V8KbClyE81vwsraJdcDkXYo95+a32x2Sn5KmFmX1dXL+B3+rStzgDF6z0AwQ==
+    identity_validation.reset_password.jwt.hmac.key: AgAKex+JAIHXazRSQqiSmlkDkKrEbbRbx9vUYZAOeTBB/S1QvrJzr/nU/6D4FiWNwDWp9F5hNSiJntjDQ1RR0MJqX4TaHfdMvNFe/HvTt86UnhP5wzby0j5bkwZdhghkXT/aUFZjbl7QJjE1fHqvFgjiIvu96Russh32p52i7r+vBkDRH6ioUow7FOqXRAdIixxX4PFcxWO7GwXuAGn6gtgWuWJN+97rItFzLXISu0zbfz2S0d7N4UxJyi0VVu4EQs4d1NVaGmO2OV3zWaNg+YdRst23AozQ0mwA17AMNLKdMlIFnezQugeoECvHw7rbqNQspFWNPGx4eSs2mEJQQ+QNYue5/hHYy0ZHD/RDup7bQEyS1QNTRoFCQsfoonDlVpMKfJqryXUb7yuYUp5nJtum5zqbTOfElsR0JMcdw0PYP9tkjRNPND6eic2ku8c0GUQA0tyrx/bFrOc2XWBSo+LlnCIbGsImbibxgIC8X6a021cUKNqy1nJMer9ogiNcTqtWbBGN7sbabHD//NuaOWGQr7CbPBuDSNEEQC424wQGuu1RYQXkqecCPiQGWy6Ha6Kh7CKx9PVP3we2XVl6qZj6YT++fKtLNc2aSVhT12vlTjDip23uu9ADbLRAlBvS1laA3AiEkJAY4oAYntPubGQrX85InTg85LY9FodEHnWU8CySO2Mc/ky9i4HOuJ/yyIvRndi1op6W5U3hPmGINB+SRkFz2f0tBrgqekyhsR/1x7MhvNIWoY2i6Yo950bMG3Nb8DRkxn1x1wwx/se07Wge4KeFw4EcCf0L0oajCO8sBqz2zzqQx5DaPb4Tk1zm0OHzeqRgGlzxrxjN+bsR3CFWJQFuCZjQDP//2byXua3VqA==
+    session.encryption.key: AgA0cBRAzXYWcJGPbseSIPLjdAG6WMpBgde0lVpINKKgUfnYqYpz47QC4AZsqAaMDcE62C3jFxNAWQ/DWDpE7YnMKPR/3ymu70TxrcDT4tyex9Yf1zDOu3JnDbhgHtuPw24TCXfhFsRHchGVjIrepQOEHIm6DOrBpOYzhkKyXNn42Tv5mY1UrKbxc++9iIrofmAiRX9DhU4uZG3SZ3pSkXqNamiOL40jhoL7nwdsuV+4ow5ugXnyPDRvqjWUGc75rjzf1Agom8kRxLYCusB3LALsdKU/95NyYr6I9AtuLoR9iRjZTwUm0bq/OlDeedk3Ro6cZEkeFoD+4qmpmMFSFkVkf2tzns80d6esvdUZkFahu+i5ewpT6o9PEro1GuKRn5Wavl92okTGOVrnnxox4aGy/C1Cm7bUL4gkuLoNsljvg/ibudUj4J0gv3zG67ADtyrWkjW8lJ1SvNwyeXfQhGO1jvGcVxpU4zHg5T1BTOPrT0mMMeIRHT4jl+3ads+XjvqKKmjHBCKTiDBVW9fdYPkRp+Ly6tlaxZG/TPVd/BuewebjhMqMyQq3BNoYGCWrTEwWqfwgGYg86D09SltKY581UMrfmwQPeAAU8e1mSL7I/MdDCPYQbQl8jI2rpX/XkvNFucon7fd04jPVtdRXZ0JvoKSUZXYGGCafibJplT+CVKklR7oVNEHi+84cK78Ix8S8l1ciLBHMFujEINbKZ2kYm71RocUZ6PYktW2ye78oFybLjVJADEAlx8BG8rx9QUg4s/dw7XsUbDSp5mPgUCD2mxXT8biqfpabcVyxriBIXWaWxCswEepM3pqsRueJeNqonZDuL7FzNdcKxPGlrHNQPpElDMIYC782dII/5KIikw==
+    storage.encryption.key: AgB7AXRVTofOpVowdXFvpzZVF9RCVkAXiGD2lTsJUM6fFSX2jtVRK8fV9RWAquRW/qHHC5+/8S8ryR+GfCT/h4RmFPu+uFlwwG3QnrGNZniVBVL6zaOS80a1jtwXuZpi/onDK4CSH3Q4cD0ri8XcGCkgORPiUmhSMic51rY0U/CJth8WpejMYLVE2fHJhi9JwV3dDDZ8WbjqOW6zflE2Ak7ZPh1dbslq3sZXdSuUDgGUPkBR7Qxd0J4b1B7s/CCEKe/tIhFypc+Ohxnp9GvSwlBR97hgpeRBgAQ8JpWOamiZmEgBRpdgo74IiEn6bvMJMMAJfKgTHqZBqX0nXPyi/UT+KVTHtXsSbU9b72ABL2JcEImQ09NWxabIETF3RbLPmKayO8kPyjWK8nto+NzUYozu8rAG+WYSupAcFzVif9fDy9LmHONDPpAGcTzy2KAc6fXjJJi1ghHrZE3MCaqFiKyLasug4hQ3Y2/DYeIeOf+frJtbwYccoe/6QO7+lz5qk/KIuHeuC203LUH3SJuiECzwwMSdXKi/A/GU94JMF8q9U8+2oFjWwd+LZ2p2gdlH03wAAg69/JyulIr6wymQTOo7ngQy77MHEJivKTKXLmagHHsvmQkvtQG4iSfhazCkFrZ+SfxIKHkRr+c3kCenxg57YA1P6ahlR30z25FViI+kWTxnPKhBt809vpB2bX3WRfT/qduFFTkltOmPLmoqP8weDuFppiMlpdZHBSuvhsHM1H92NMj8tkXM+Kp3z+D6aw28qeKJwPX+vrRpSqiySEq82rnVdA+PICGh2K9f/+UQli2E/1r8PI+HUR2+UYnfibW6i1F3nhn/smhMyOVmdr7lEawdqcHDkQZTOVbsrgw11w==
+  template:
+    metadata:
+      name: crypto
+      namespace: authelia
--- a/k8s/infra/auth/authelia/kustomization.yaml
+++ b/k8s/infra/auth/authelia/kustomization.yaml
@@ -4,11 +4,11 @@ namespace: authelia

 resources:
  - ns.yaml
+  - crypto.yaml
  - lldap-credentials.yaml
-  - oidc-argocd.yaml
-  - oidc-jwks.yaml
  - cert-rsa-jwk.yaml
  - cert-ecdsa-jwk.yaml
+  - oidc-argocd.yaml
  - http-route.yaml

 helmCharts:
--- a/k8s/infra/auth/authelia/oidc-jwks.yaml
+++ b/k8s/infra/auth/authelia/oidc-jwks.yaml
@@ -1,14 +0,0 @@
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  name: oidc-jwks
-  namespace: authelia
-spec:
-  encryptedData:
-    default.RS256.private.pem: AgBKvWhhiwlTdFluyF/FwmW4PoAnrCahsN2ijQdLhxNP8rLrMurpjGk/ALp3E4KbaBa3yRxKwsKTtVH/KaaKuv4JibN8daEXtYMEg1ju/lcK7WJS8/tJhHYLf2lgQB3GL8usOI6a7WMCRFT3c/Mrc/+4FFPDiJuQlcFVNIvgcsMjZ86Hvx6lLX+vU9/M2WTDlqCsdxpJiiODgl3P1bcy0N7NxP3oUi1OjNhcMCOPO2t2uXfD49nMrhC9e7BvNv6n5bbSWXvpw8Cc1aUsHbD6kTmIaXqk1jGUl4Q7w85Qy8jryK3Eb1y9hoSGYNfGK1//YMK/usGLThoAh3wLTi0ArvaOewcx++aJuSxDaW9haMTxi1jPjcxrjTT7vuUu1aFgZDx7f70Fsp8Vy9xzQ5G76/h0oNdAIdpPn8jBLyFrBtkGDr+6XoO4zaShHyGK9eBYpmxByP/isfTe9kuMxyqZP+f8slYffxLk7VqIdd6lGpTmHNw8arHSEqrgBcq5N76Z4sXyXe1AIfi7Hdzo2wHnW2l3cJ+Udl4eIqOOAWAkU3ggFKwo/YBTmt8IvWDSQQPhBDjEzQSJEs2eweKV5Fnu5I0YEv2VIYFKmfmC35uISIqOv3oL3sDydbKujDofyE2zQi/ufcrduOR+0Qwa290azf36k+xUh8sd6c0hnY7wPLm3LlrrcYFVgkHY2bk425iF7J8D1LD4LCMjSYUFEZuQhJd4ik2f9AAyJGV4+jig2AwS8XQRbMYe97og5IhOYbvKqhZWMyXgrIaYbZVXT7LtbWCxQI4bhX0j52rBznq/wpWq5hGeVdrq1pZjsX9ni+Xw1tQQe07dMtERensq5v6b7AFH+Fou0yPPXX3+hOLHrDpsfwn1Zcm4VOf7Wwja6ZeQbu6ZmT3tTKENgdOzwovvEshYRkmYOJY3LUTckV6pkrEx78w+tIbGHxZSAFLz88JbZeS3+bNh44FUFDM4vpU8F35fD0gGl3Mmq7DF5Cp22zX4bl1wt/DI/s1snUd+3Fs7pOzINtVFpYJb/PAZ/fc7E49yOKR5nmtg1WZhNJ4vTo3RGJAML9m4ejBSs4ozpZq2BI5odzqMC52rq+jraVyzNbssBAiT+in8BlD5HJ7gDmSk02MF1s/9zc4FxIuAc1rxTB47MmuQCvHkG9uKcGcm/2KAjhnsOZKJ0vWpqn+ohVpUAqeoeQwict3yi8zUdtklfq93PW9AuOXIdpKv1rG5dP3x3nDhLHigRLvMNci7HPlCDZes4vkmSHshoSJyDz/gkOrC3p17jwGvzx1t9+LnKQh3gv37PG1iJ+ZVtfdFihpTRNU/Ai8ghNctPz1g2jzC8i32ZaUbcXOGYYD7w22VLwXe2vfIbyZZlH/XTeJ/kUNaaSkuKqOeIC1imOfrLZyPDOj1nIJpWHi48BmMxMqqtAdHUYHS4iP6qm6Uy9mxs9lwg5s8dVy33kWFZX0rD9YHwIbqkuJOKktznoAnQnCV933pLhVECdSCYXyZD7wyoMaGt+Ab7EqWnB4gFYUL1ki2vBRjN+M+20XpFCuCAdsBKxIYl56fA7RHYOOAgyEwKBgmYGzh6YC8pBtwiEBADk9vfCQ3WbQXQoEFPwliSk/7gU44OKuNFGVuCZ/wZMKBWC4RAmKDgXy596dCYwEdaIF50EFNn0DWFlDw+MOk2BHq3inK28icqQGAlGGxEqN73TyBb+LlRCY3rrsUZAiWYbNFBUGQWNua6Kl1/Uxr2i/0I9ovLoym+k1Hfdko9WoV4F5p63eVlNDYSJKINiSrIq7qVWMxceuelZCp3SmN6yvpV7EyydovsD6pHPY8HAW+dqjVL26vv1/7q3oaOBQBrSZL/VJmVvXPLbhlS3u4mL/M3XpxE7omr/9PLbVdGdRKnkCQ5AChw9CKGjGH9xfJ5ficfv7v5r/PE/YXamH2kA8XqaUwwGS0QrrcIkkR2eKIf3Ot5h6UTCrlgghawxYxM5XQF4G0LSQSUf1pAMhvvmCvflKxBnpdqHMCc2LS8GRu4ghrYZwi9kB+0eR/9P1VcTi9Hb+jNLXEASu5DdSPGM5bND3AmzYzIuTiQK2XOMB0XCVadZpPP1QRWddoL7Hngm2PMm6/kd1SpcW4tGCOUBTicqfB35ID7GPE1ZaUbd5KzSe1JknQpgO12V2qa18HSSpv6MJ8JiZky4SCutA+7oDacXzKIPj8l96QFRV5kjfjqOPUgNOLKIlOfQdlD0khM6HUIB2eV4ekmnmUsOwiE5/qvQKsR+rtd4bwLrmpZCwUqXR4JRpZQx+/2/5fKrGvzxOHewPR0PoPWCTCi71Bjj2jpLIyUZsT9KDTQgAjdiLas4eDTAVaRYH/cMJyjV+NDjqia/l3W0tMMxxgYPBn9xtSQo2sHBtu5RXPvsmQC2xzN9ebHnrvTxeinV+2f3P7JT+PJ+wN77RBFE5WtT0VZy5kB1WqlUjP6L7u7udnvap9JLPp4ADmpKzBeDIDlDgMxW4FFU2VlKUGdwxmyi1JzGckkueV2FqVmoG/gG0sZ4l9+d+yK4yfplNz9/5h3ImmPBgKgbLPq3yrLPhA++N3hSkSNIcCzWtffBLzsbYZB+yzM9j2nK9AjFdiAkg/ON7Heqv2ZiQbyjZ5iY5CjgdxQBW2Y1DMzH7/syHdnh4WM1tkmMtdk73LnwTFo2nDQ0R5ncbkzQOR0/kMo/rG1xo4uArBd2jjM/IeejAblSHPBgwaz82Ssqu/ZVEfRHsp/abmny2uFIdYcIF5hw9WoxeO6rrFwvq3gdC1AywQCiIDSdfLTRw1pLK1f/+p0mmzrnSKCDCl7Mb0PWGvIBRZNmBbCkj2hopLRmowc3A6RA3yHFIlmdhgo+lvNrhgY/Wz6mmNX+VaLIw/qmrkf5UZNsLQneaNNFN7E805YpUVsk9c8W88m0TvEIdTrBgjQ4M6pRoO72rk/3/bqVS9zuCoEdGMttvA0AKw8xcTfw5BPwY=
-    default.RS256.public.crt: AgA2ERlfToGEAzWK1R0EqfWthNp8iYocg83bBm+BhjUGahk3zSudHv9JAdsAJBGUX/F94hR1bEwf0zU43g30orfPUP3sMCrlRwC371d6sT1KVHSMt1MxHd9AO6XAI51B8NG5NsgtVEG9sjvSkYigyVEp/NfQ5LVZsYs8PzwZtQXQaNTsa1kWui7A1nWbFZ8yP1GxGomdmlvN/PCIHBwRAjSbcrWuNa6MIYcP1Ns5eTkFMXEe9PIQH/ZrcnwilD4cGw6QNTED1+2hHyh9P+NcsCcegWMVEjyo8keFFF9/oYrK/xC+yY1gSv1wgnVedkK7+Pn/W+w7rDlNYQazpN/ildThlxzOrDr73f8YGHQ11BfyzHxrUo/vaeDC71WH2hbKX3nkVbZJfCcZb98REaO4+jSnlw8n+yRNofFj7SS3UZa0etWU0utFSIsIlWsMFVXRr+K5PoICqDzRBxfW8QBFw+OT4eCKJmWC4AkoppLv/kATurUtmmGvCUSJUGfNU5jimUm15zUaWLH9xbj+mUGQBdFeOYcC33vinUJkz6Rq1U0HrbC6X1iMJZfTknbzzmXauxz0Hdior5EL/70m0+gt7vSBG91JbskRsvjkOQfloHQu2u24Woe+EVreIHobAKEf6QdpYC5FFb2FAxqljdazCmao5aEoLATNjy6Y2rlUk58JHnJ0zk/KHu3gxN4D92odqcOwsNBeD3Co44jPN7HnZSaAZt6ljE7hWW9PTqfeLJSZGpc/P1tcO1cOFITBA9GFQ4vrWRiHOO6w0jQtNKqbNEe72aTiphYgQhE86yel91HypO5LWO08CtPOaxeh1HdmK1NZZxYlSnQnkpMnP7RcPPMUl/gC+zu4iAzfPPJ4xNwlyth6ruCtDO943PAST5Aclu9oG9Wo4GoGMlhA/6KtKPA+V8kj28CWcxvML2oE533IMqFiccMVZj1DhMnJ5ZOawe9Kq8p7py+c4F0Znf73zG+Xgb7EhG02EK3o1n405pKtV/l5lm/a1V9lFWlYFflHVjcJ5A2CxR6MegG31Adxat2q7rQ8Q8RPPke8XA7aLG/NX9BSewiW9F/kXEUmGyMgfZKcjeQDU3XHAJHDb/pqteaPXEdLq3GJ0Y6IEGk6uwhZP/gApyP5xj1+kdfF9ho5KN0yIeomIdA1CHYJbo1yT3Se2pEsr6dh3h1aDu4DiQtp1Tj9LyKEp9LKMxapf54u5kXySEpN6qGOPTbnJav+j/kKJ4GvAJYA3Dtn8Lq1tERZUU061A+T0YC0zPeqkTar7oje7Fsvv+eVJXDBbOhYvcRwMuLbJtHp1l9q6o/hIY/fokFvn2CVfv74gkI5QmxfNxC1iss73djUxqrK4KP5vAPmUfFwgXMyPaQ2zS+CCvIP+wReNuR8Dbqn8/dmdDHVcWOy+nJRLClajjg/WCra2oXoDYxCMOEdPuHvzPBAzUTTzht2HlhiE0/8jq+LwK67XobliOUfonNIqOUgESgxLTPc/V+D9uh1wNHtkkImCJ3XqIWx/nMxzVF8VNUR8TH5YZWKb6zViCWdAD7WBQLnmRcgJlxyFyuqVEbrOZCss+PSYcdbDFPnlgxkcZdjEvFuJqSjvSwy3nkZEUHDCPVIqimZ/ySBU0TdzZiR+nd/wvZxkb6ANGMhVuBhiTlGVSOq8vrWHBEz8yMT4IZnDcOMpvMDuQZ3QNLPzoD7OsSp+5R8MQNUeB+vE/kefR22oP1Pp8IaVu/L7y3E5+q0yoVygvTZ+SZ6xrVL5os5X6MdDBMXQR9hYSqxTv/LKo5Z9L+C0DiAuj9CD0fkYx5B3BzvHN/he/xVw1Rmrf5as878u8KQGYzOg9f+OGRrM1IJn5LZnrMcQskCwMYrWSgsFts24/Ny4NdtjwRUFQR2gHqUcZ4ijE6vQjfHV+x5aoybjdv/vOASB8FlzX425FC1uFVx14R3qczonEKB+Tn7delfI8g8WYXRoZ8SGMaeVmB5NiD4nagMU6Mq+hhv/w2vJepTAZURJkKwvpLHYJW7GugPzUBZHK1P/jF8MWpLmz5gWpZdqDK7Akegxz6RfP2CWerEFuRpRuYdxN+urnexRdXXbEMc+sCUZ+K2zfsvai8QFHpX2wkPvVbyfh9bkjvdvRAJ2dZQzqRbYy2Mg/L6Ed0EsVJF9qgmfoQ/HvGZT7HoSP1SoOQK47km6nv8X7VrdyLC+Bo/uy+yZmNqaw==
-    ecdsa.P256.private.pem: AgB9zinXvo3B79aIMUV08tkRpDxw0cgaQ88KjoSFZADkUl1nV2B1BPrUsx/17Ki00UcI79N38WfzvILBFq7nczISkAKg6k11G/6nQmrs/9RlEK0YA7B6VWF28W0/XMm3IVlsJ+Ky8DPS7tNlgypKB4iAt23PHkR67AORdCeoZgG2EmMyfQpRf3s+RIpnD1W840ZaAvKgWcQk4q5PUAT0+TFeC9HInqzc357z4TTeNiBHSUAcauzOMYDgavI/gITq8txp2bvC14+YXf5vpe38RwgZrKekGEIpkPS+MNUaYmUH6bPSAXfwRMD1lATgnOvX/CMRAwCtqfYkEpJ8U2SOW9QIwsrrL27k8BfpVeVSmDklMi4FAANEH1rQA1KMbOISajztQe8AoUiXgtbpBQ99DE2ZIEVyWlq+x9S14daIGda4WMMS/teG1KezVqnxex/b7ObmQARLuG+J1Hwi1eW5Il4d7dOQlRzC7ctz7hYZzFIDfL3Tl2PUQfR/979+Mp/7VpjppJwoElsbfF76nBlUAbvDJUln2JwPH+Ly9uGvQblncJOsWwibyLUMWb3UJjKlSZ1EllFt9elIHh73H5p/wllRW/l2NHG0G4AREG6Y0rA+ljH9s+r2hbbtgq9w16fKWUnE0Rx4PR+ro0EX02fHBdvTIZ9JqVBQI1faRRPB8bAI/aGsmY6k4hel4DDx9bgbetV5ElMQu1HN2LxR2kIrwzJhUE0UdSgnX3VbD2FuxP2eAZNryk3yxFPll5nNiDUGf3UMskSTmYnfX8wg384I/rBgQfnFJS/HhBosHU+7cc/6PavCyc7NZWetCIr8o9Ihrl/ZmNRCUrYjhqYepj2mEvAOStQC/ng5baJgLSvxgj6g2sS9MSK9o0o4tJ3Vvipqiycuo24zUUNMDdZU0v1oZOW8+cRjVXQwo3h2O6D4aP0rKi5uzKk8Kgw61LU7fKkjL9n7YR6eltKO4vi+ADfv69DcQNh8TsQBGXgAzAll0zMkoQb1bxzORUcTDAT3+txwV+UU
-  template:
-    metadata:
-      name: oidc-jwks
-      namespace: authelia
--- a/k8s/infra/auth/authelia/values.yaml
+++ b/k8s/infra/auth/authelia/values.yaml
@@ -12,12 +12,35 @@ configMap:
  default_2fa_method: totp
  theme: 'dark'

+  identity_validation:
+    reset_password:
+      secret: { secret_name: crypto }
+
  access_control:
    default_policy: 'two_factor'
    rules:
      - domain_regex: '^.*\.stonegarden.dev$'
        policy: 'two_factor'

+  session:
+    encryption_key: { secret_name: crypto }
+    cookies:
+      - subdomain: authelia
+        domain: stonegarden.dev
+
+  storage:
+    encryption_key: { secret_name: crypto }
+    postgres:
+      enabled: false
+      address: 'tcp://postgres.databases.svc.cluster.local:5432'
+    # Switch to Postgres later
+    local:
+      enabled: true
+
+  notifier:
+    filesystem:
+      enabled: true
+
  authentication_backend:
    ldap:
      enabled: true
@@ -29,45 +52,24 @@ configMap:
      groups_filter: '(member={dn})'
      additional_groups_dn: 'ou=groups'
      user: 'UID=authelia,OU=people,DC=stonegarden,DC=dev'
-      password:
-        secret_name: 'lldap-auth'
-
-  session:
-    cookies:
-      - subdomain: authelia
-        domain: stonegarden.dev
-
-  storage:
-    postgres:
-      enabled: false
-      address: 'tcp://postgres.databases.svc.cluster.local:5432'
-    # Switch to Postgres later
-    local:
-      enabled: true
-
-  notifier:
-    filesystem:
-      enabled: true
+      password: { secret_name: 'lldap-auth' }

  identity_providers:
    oidc:
      ## Currently in beta stage. See https://www.authelia.com/r/openid-connect/
      enabled: true
+      hmac_secret: { secret_name: crypto }
      jwks:
        - key_id: 'default'
          algorithm: 'RS256'
          use: 'sig'
-          key:
-            path: /secrets/rsa-jwk/tls.key
-          certificate_chain:
-            path: /secrets/rsa-jwk/tls.crt
+          key: { path: /secrets/rsa-jwk/tls.key }
+          certificate_chain: { path: /secrets/rsa-jwk/tls.crt }
        - key_id: 'ecdsa256'
          algorithm: 'ES256'
          use: 'sig'
-          key:
-            path: /secrets/ecdsa-jwk/tls.key
-          certificate_chain:
-            path: /secrets/ecdsa-jwk/tls.crt
+          key: { path: /secrets/ecdsa-jwk/tls.key }
+          certificate_chain: { path: /secrets/ecdsa-jwk/tls.crt }
      cors:
        allowed_origins_from_client_redirect_uris: true
      clients:
@@ -97,10 +99,16 @@ secret:
      items:
        - key: password
          path: authentication.ldap.password.txt
-    oidc-argocd:
+    crypto:
      items:
-        - key: clientSecret
-          path: clientSecret
+        - key: identity_providers.oidc.hmac.key
+          path: identity_providers.oidc.hmac.key
+        - key: identity_validation.reset_password.jwt.hmac.key
+          path: identity_validation.reset_password.jwt.hmac.key
+        - key: session.encryption.key
+          path: session.encryption.key
+        - key: storage.encryption.key
+          path: storage.encryption.key
    rsa-jwk:
      items:
        - key: tls.key
@@ -113,3 +121,7 @@ secret:
          path: tls.key
        - key: tls.crt
          path: tls.crt
+    oidc-argocd:
+      items:
+        - key: clientSecret
+          path: clientSecret