admin/felhom-controller
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: encrypt sensitive values in app.yaml with AES-256-GCM

Browse Source 
Passwords and secrets from deploy fields (type: password/secret) are now
encrypted at rest in app.yaml using a per-node 32-byte key. Values stored
as ENC:base64(nonce+ciphertext), decrypted transparently for docker-compose
and web UI. Key included in infra backup bundle for disaster recovery.
Existing plaintext values migrated automatically on startup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-02-23 19:12:24 +01:00
parent 703dee15ab
commit 44f7fd2f19
11 changed files with 297 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
controller/internal/web/handlers.go
+9 -4
View File
@@ -12,6 +12,7 @@ import (
"time"
"gitea.dooplex.hu/admin/felhom-controller/internal/backup"
"gitea.dooplex.hu/admin/felhom-controller/internal/crypto"
"gitea.dooplex.hu/admin/felhom-controller/internal/scheduler"
"gitea.dooplex.hu/admin/felhom-controller/internal/settings"
"gitea.dooplex.hu/admin/felhom-controller/internal/stacks"
@@ -300,9 +301,13 @@ func (s *Server) deployHandler(w http.ResponseWriter, r *http.Request, name stri
data["AutoFields"] = meta.AutoGeneratedFields()
// Auto-generated field values: existing values for deployed apps, pre-generated for new deploys
autoFieldValues := make(map[string]string)
var decryptedEnv map[string]string
if appCfg != nil {
decryptedEnv = crypto.DecryptMap(s.encKey, appCfg.Env)
}
if alreadyDeployed && appCfg != nil {
for _, f := range meta.AutoGeneratedFields() {
if val, ok := appCfg.Env[f.EnvVar]; ok {
if val, ok := decryptedEnv[f.EnvVar]; ok {
autoFieldValues[f.EnvVar] = val
}
}
@@ -314,9 +319,9 @@ func (s *Server) deployHandler(w http.ResponseWriter, r *http.Request, name stri
}
}
data["AutoFieldValues"] = autoFieldValues
// For deployed apps, pass stored field values so subdomain and other user fields show current values
if alreadyDeployed && appCfg != nil {
data["DeployedFieldValues"] = appCfg.Env
// For deployed apps, pass stored field values (decrypted) so fields show current values
if alreadyDeployed && decryptedEnv != nil {
data["DeployedFieldValues"] = decryptedEnv
}
// Storage paths with free space info for deploy dropdown
var deployPaths []DeployStoragePath