Configure OpenID via environment

I currently struggle configuring OpenID by using environment variables.

Here’s what I tried:

VIKUNJA_AUTH_OPENID_PROVIDERS: KEYCLOAK
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_NAME: KeyCloak
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_AUTHURL: ...
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_CLIENTID: vikunja
VIKUNJA_AUTH_OPENID_PROVIDERS_KEYCLOAK_CLIENTSECRET: ...

This however causes the backend to panic with
interface conversion: interface {} is string, not []interface {}

Can someone show me how this should be properly configured?


Configuring openid via env variables is currently not supported. You’ll need to use a config file for that. It is possible to use both env and config files at the same time, that way you could put only the openid config in the config file and use env variables for the rest.

Thanks for the reply. Any plans on implementing this? It would be handy to have for docker-compose deployments.

I think this would make sense, but would be a breaking change. As such, I don’t plan to implement it in the near future but added it to the backlog.

Just one follow-up question: is it possible to expand environment variables in the config file? The point is that I don’t want to put the openid clientsecret into the config file (I’m using a docker-compose setup with all files but .env in git).

Like this:

auth:
  local:
    enabled: false
  openid:
    enabled: true
    providers:
      - name: "KeyCloak"
        authurl: "https://auth..."
        clientid: "vikunja"
        clientsecret: $OPENID_SECRET

and then passing OPENID_SECRET via environment?

Right now that won’t work.
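An added example, not code from this thread or from the Vikunja project, of the workaround the posters above are after: since the backend does not expand $OPENID_SECRET inside the config file, a small POSIX shell entrypoint can render config.yml from a committed template (assumed here to be config.yml.tmpl containing the literal placeholder ${OPENID_SECRET}) just before the backend starts, so the secret lives only in the environment, the rendered file is created 0600, and startup refuses to proceed with an empty secret.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vikunja: render config.yml
# from a template at container start, pulling the OpenID client secret from
# the environment so only the template (without the secret) is committed.
# Assumes a template file with the literal placeholder ${OPENID_SECRET};
# OPENID_SECRET is the variable name used in the question above.

render_config() {
    tmpl="$1"   # template path, e.g. /etc/vikunja/config.yml.tmpl (assumed)
    out="$2"    # rendered config path, e.g. /etc/vikunja/config.yml (assumed)
    secret="$3" # the client secret, normally passed as "$OPENID_SECRET"
    placeholder='${OPENID_SECRET}'

    # Refuse to produce a config with an empty secret: a silently blank
    # clientsecret would only surface later as a failed OIDC login.
    if [ -z "$secret" ]; then
        echo "OPENID_SECRET is not set; refusing to render $out" >&2
        return 1
    fi
    if [ ! -r "$tmpl" ]; then
        echo "template $tmpl is missing or unreadable" >&2
        return 1
    fi

    # Create the output with mode 0600 so the secret is not world-readable
    # (the NixOS posts in this thread hit exactly that problem).
    ( umask 077; : > "$out" ) || return 1

    # Substitute with shell parameter expansion rather than sed/envsubst:
    # the secret is inserted verbatim, so '/', '&', '\' or '$' inside it
    # cannot corrupt the output. Replaces the first placeholder per line.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *"$placeholder"*)
                prefix="${line%%"$placeholder"*}"
                suffix="${line#*"$placeholder"}"
                line="$prefix$secret$suffix" ;;
        esac
        printf '%s\n' "$line" >> "$out"
    done < "$tmpl"
}

# Typical entrypoint use: render, then hand over to the backend binary
# (binary path is a placeholder; adjust to your image).
# render_config /etc/vikunja/config.yml.tmpl /etc/vikunja/config.yml "$OPENID_SECRET" \
#     && exec /path/to/vikunja
```

The same rendering step works in a Helm deployment: mount the template from a ConfigMap, source the secret through a secretKeyRef env entry, and run the render in an init step so no ConfigMap ever carries the raw clientsecret.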

I am hitting the exact same issue. Wouldn’t it be possible to simply add an extra environment variable for the meantime?

Either way, the documentation should reflect the current state; it says:

You can […] set all config option with environment variables.

It should at least be mentioned at Config options | Vikunja

I’ve added a notice to the doc you mentioned.

I would also be interested in this.
In NixOS, the config file will be world-readable in the Nix store. Using environment variables is the only secure way of passing those secrets to the service.


I’m also interested. I also installed Vikunja with NixOS, and the client secret is world-readable.


Are there any updates?

It would be really great to have this.

This is my config (values.yaml) for the Helm chart deployed in K8s:

vikunja:
  api:
    env:
      VIKUNJA_SERVICE_PUBLICURL: https://vikunja.host.com/
      VIKUNJA_DATABASE_TYPE: "postgres"
      VIKUNJA_DATABASE_HOST: "vikunja-db-cluster.postgres-cluster.svc.cluster.local"
      VIKUNJA_DATABASE_SSLMODE: "require"
      VIKUNJA_DATABASE_USER:
        valueFrom:
          secretKeyRef:
            name: vikunja.user.vikunja-db-cluster.credentials.postgresql.acid.zalan.do
            key: username
      VIKUNJA_DATABASE_NAME: "vikunja"
      VIKUNJA_DATABASE_PASSWORD:
        valueFrom:
          secretKeyRef:
            name: vikunja.user.vikunja-db-cluster.credentials.postgresql.acid.zalan.do
            key: password
      VIKUNJA_OIDC_CLIENT_SECRET:
        valueFrom:
          secretKeyRef:
            name: vikunja-secret
            key: keycloak.client.secret
    enabled: true
    persistence:
      data:
        enabled: true
        size: 10Gi
    ingress:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          nginx.ingress.kubernetes.io/proxy-body-size: "100m"
          cert-manager.io/private-key-algorithm: ECDSA
          cert-manager.io/private-key-size: "384"
        hosts:
          - host: vikunja.host.com
            paths:
              - path: "/api/v1"
        tls:
          - hosts:
              - vikunja.host.com
            secretName: vikunja-tls
    configMaps:
      config:
        enabled: true
        data:
          config.yml: |
            service:
              enableregistration: false
              timezone: Europe/Vienna
              frontendUrl: https://vikunja.host.com
            auth:
              local:
                enabled: false
              openid:
                enabled: true
                redirecturl: https://vikunja.host.com/auth/openid/
                providers:
                  - name: Keycloak
                    authurl: https://keycloak.host.com/auth/realms/REALM
                    logouturl: https://keycloak.host.com/auth/realms/REALM/protocol/openid-connect/logout
                    clientid: vikunja
                    clientsecret: XXXX
  frontend:
    env:
      VIKUNJA_API_URL: https://vikunja.host.com/api/v1
    enabled: true
    ingress:
      main:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-production
          nginx.ingress.kubernetes.io/proxy-body-size: "100m"
          cert-manager.io/private-key-algorithm: ECDSA
          cert-manager.io/private-key-size: "384"
        hosts:
          - host: vikunja.host.com
            paths:
              - path: "/"
        tls:
          - hosts:
              - vikunja.host.com
            secretName: vikunja-tls
  postgresql:
    enabled: false

  typesense:
    enabled: true
    persistence:
      data:
        size: 1Gi

Basically the secret is already prepared. It would be great to either have it as ENV eg

(Maybe the K8s Helm values are useful for someone!)

A possible workaround for sops-nix users could be using a template for the configuration file: GitHub - Mic92/sops-nix: Atomic secret provisioning for NixOS based on sops

@Rohmilchkaese, in that Helm config you pasted, are the envs like VIKUNJA_OIDC_CLIENT_SECRET being used anywhere? It looks like, further down, a ConfigMap is generated with the raw clientsecret.

I’m using Flux with sealed secrets so I can put them in git. However, I cannot figure out a way to deploy this app without exposing the clientsecret in my repository. The environment variables would be perfect, I can set them, but I’m not sure how I can get clientsecret set from them.