EnvValueFrom Secret EMAIL Password Not being Used #135

Closed
SystemFiles opened this issue Feb 20, 2023 · 3 comments

@SystemFiles

Error Message:

```
{"event": "Task published", "level": "info", "logger": "authentik.root.celery", "pid": 90, "task_id": "6d0b5841-aaa1-4706-918d-35a315e1eb7a", "task_name": "authentik.blueprints.v1.tasks.clear_failed_blueprints", "timestamp": "2023-02-20T20:47:51.000522"}
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/manage.py", line 31, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 446, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.11/site-packages/django/core/management/__init__.py", line 440, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 402, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 448, in execute
    output = self.handle(*args, **options)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/core/management/base.py", line 96, in wrapped
    res = handle_func(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/stages/email/management/commands/test_email.py", line 37, in handle
    send_mail(message.__dict__, stage.pk)
  File "/usr/local/lib/python3.11/site-packages/celery/local.py", line 188, in __call__
    return self._get_current_object()(*a, **kw)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/celery/app/task.py", line 392, in __call__
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/celery/app/autoretry.py", line 54, in run
    ret = task.retry(exc=exc, **retry_kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/celery/app/task.py", line 701, in retry
    raise_with_context(exc or Retry('Task can be retried', None))
  File "/usr/local/lib/python3.11/site-packages/celery/app/autoretry.py", line 34, in run
    return task._orig_run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/stages/email/tasks.py", line 103, in send_mail
    raise exc
  File "/authentik/stages/email/tasks.py", line 73, in send_mail
    backend.open()
  File "/usr/local/lib/python3.11/site-packages/django/core/mail/backends/smtp.py", line 91, in open
    self.connection.login(self.username, self.password)
  File "/usr/local/lib/python3.11/smtplib.py", line 739, in login
    (code, resp) = self.auth(
                   ^^^^^^^^^^
  File "/usr/local/lib/python3.11/smtplib.py", line 642, in auth
    (code, resp) = self.docmd("AUTH", mechanism + " " + response)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/smtplib.py", line 432, in docmd
    return self.getreply()
           ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/smtplib.py", line 405, in getreply
    raise SMTPServerDisconnected("Connection unexpectedly closed")
smtplib.SMTPServerDisconnected: Connection unexpectedly closed
```

My configuration:

```yaml
  authentik:
    # -- Secret key used for cookie signing and unique user IDs,
    # don't change this after the first install
    # pulled in from secrets
    secret_key: ""
    # -- Mode for the avatars. Defaults to gravatar. Possible options 'gravatar' and 'none'
    avatars: none
    email:
      # -- SMTP Server emails are sent from, fully optional
      host: "smtp.sendgrid.net"
      port: 587
      # -- SMTP credentials, when left empty, no authentication will be done
      username: "apikey"
      # -- SMTP credentials, when left empty, no authentication will be done (can use ENVFrom)
      password: "" # <-- This is where I suspect the error is
      # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
      use_tls: true
      # -- Enable either use_tls or use_ssl, they can't be enabled at the same time.
      use_ssl: false
      # -- Connection timeout
      timeout: 30
      # -- Email from address, can either be in the format "[email protected]" or "authentik <[email protected]>"
      from: "[email protected]"
    outposts:
      # -- Template used for managed outposts. The following placeholders can be used
      # %(type)s - the type of the outpost
      # %(version)s - version of your authentik install
      # %(build_hash)s - only for beta versions, the build hash of the image
      container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
    error_reporting:
      # -- This sends anonymous usage-data, stack traces on errors and
      # performance data to sentry.beryju.org, and is fully opt-in
      enabled: false
      # -- This is a string that is sent to sentry with your error reports
      environment: "k3s"
    postgresql:
      port: 5432
    redis:
      # -- set the redis hostname to talk to
      # @default -- `{{ .Release.Name }}-redis-master`
      host: '{{ .Release.Name }}-redis-master'

  envValueFrom:
    AUTHENTIK_SECRET_KEY:
      secretKeyRef:
        name: authentik-secrets
        key: secret-key
    AUTHENTIK_POSTGRESQL__PASSWORD:
      secretKeyRef:
        name: authentik-postgresql
        key: postgresql-password
    AUTHENTIK_EMAIL__PASSWORD:
      secretKeyRef:
        name: authentik-secrets
        key: email-password
```

The strange thing is that when I pass the email.password value directly in plain text to the config, it works. However, when I leave the email.password value empty and instead pass the value from a secret using the envValueFrom construct, it will still show up that the environment variable is correct on the Pod, but when I attempt to send the email I get the above error message.

Can anyone with more knowledge help me out here? I am new to Authentik.

Thanks :)
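
Added example (not from the thread or the authentik chart): when a credential works inline but fails when sourced from a Secret, one check is to confirm that each `secretKeyRef` resolves to a key that exists and whose decoded bytes carry no stray whitespace. The Secret JSON and its values are constructed, and `check_refs` is a hypothetical helper name.

```python
import base64
import json

# Constructed sample shaped like `kubectl get secret authentik-secrets -o json`.
# The email-password value was encoded with a trailing newline on purpose.
SECRET_JSON = json.dumps({
    "kind": "Secret",
    "metadata": {"name": "authentik-secrets"},
    "data": {
        "secret-key": base64.b64encode(b"constructed-secret-key").decode(),
        "email-password": base64.b64encode(b"constructed-api-key\n").decode(),
    },
})

# secretKeyRef entries taken from the envValueFrom block in the post above.
# The authentik-postgresql ref is left out: the sample holds one Secret only.
ENV_REFS = {
    "AUTHENTIK_SECRET_KEY": ("authentik-secrets", "secret-key"),
    "AUTHENTIK_EMAIL__PASSWORD": ("authentik-secrets", "email-password"),
}


def check_refs(secret_json, env_refs):
    """Return {env_var: {"length": ..., "problems": [...]}}; values are never exposed."""
    secret = json.loads(secret_json)
    name = secret["metadata"]["name"]
    data = secret.get("data") or {}
    report = {}
    for env_var, (ref_name, ref_key) in env_refs.items():
        if ref_name != name:
            continue  # this ref targets a different Secret
        problems, length = [], None
        if ref_key not in data:
            problems.append("key missing from Secret")
        else:
            raw = base64.b64decode(data[ref_key])
            length = len(raw)
            if not raw:
                problems.append("value is empty")
            elif raw != raw.strip():
                problems.append("leading or trailing whitespace")
        report[env_var] = {"length": length, "problems": problems}
    return report


if __name__ == "__main__":
    for var, result in check_refs(SECRET_JSON, ENV_REFS).items():
        print(var, result)
```

The report carries only decoded lengths and problem labels, so it can be pasted into an issue without exposing the credential.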

@channel-42
Contributor

Hey, I just came across this issue while trying to figure out how to pass env vars from secret in this helm chart. I don't know why you're using envValueFrom, since I can't see it in values.yaml 🤔

Try using global.env or global.envFrom (or configure the environment separately for server and worker with the corresponding fields).

For example, I have it set up to get the environment variables from a secret using

```yaml
global:
  envFrom:
    - secretRef:
        name: authentik-config
```

and then specifying the required variables in the secret like so

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: authentik-config
stringData:
  AUTHENTIK_SECRET_KEY: "MySecretKey"
  AUTHENTIK_EMAIL__PASSWORD: "MySuperSecureEmailPassword"
  # ...
```

Hope this gets it working for you 😄

@XA21X

XA21X commented Mar 29, 2024

I had the same issue with envValueFrom. global.envFrom was added in a newer version that's fixed the bug. :) #230

env, envValueFrom and envFrom have been removed and replaced by global.env and global.envFrom. global.env now puts the configured list directly into the deployment, without modifications as the previous setting used to do.

@rissson
Member

rissson commented Mar 29, 2024

I'll go ahead and close this since it seems fixed. Feel free to re-open an issue for any further issues.

@rissson rissson closed this as completed Mar 29, 2024