From a64879c162c9b9fb28cd88571a6010c1658d6719 Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 15:44:30 +1000 Subject: [PATCH 1/7] Update to Seq 2025.2, accept and require a default administrator password --- charts/seq/Chart.yaml | 6 +++--- charts/seq/templates/deployment.yaml | 10 ++++++++++ charts/seq/values.yaml | 16 ++++++++++------ 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/charts/seq/Chart.yaml b/charts/seq/Chart.yaml index 12ba99b..b6aedec 100644 --- a/charts/seq/Chart.yaml +++ b/charts/seq/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 name: seq -version: "2025.1.1" -appVersion: "2025.1" -description: Seq is the easiest way for development teams to capture, search and visualize structured log events! +version: "2025.2.1" +appVersion: "2025.2" +description: Seq is the easiest way for development teams to capture, search and visualize structured logs and traces keywords: - seq - structured diff --git a/charts/seq/templates/deployment.yaml b/charts/seq/templates/deployment.yaml index 7e42e91..01c0c44 100644 --- a/charts/seq/templates/deployment.yaml +++ b/charts/seq/templates/deployment.yaml @@ -39,6 +39,10 @@ spec: - name: "SEQ_FIRSTRUN_ADMINUSERNAME" value: "{{ .Values.firstRunAdminUsername }}" {{- end }} +{{- if .Values.firstRunAdminPassword }} + - name: "SEQ_FIRSTRUN_ADMINPASSWORD" + value: "{{ .Values.firstRunAdminPassword }}" +{{- end }} {{- if .Values.firstRunAdminPasswordHash }} - name: "SEQ_FIRSTRUN_ADMINPASSWORDHASH" value: "{{ .Values.firstRunAdminPasswordHash }}" @@ -169,3 +173,9 @@ spec: {{- if .Values.extraVolumes }} {{ toYaml .Values.extraVolumes | indent 8 }} {{- end }} + +# At least one of the default password variables must be set; note that this ignores SEQ_PASSWORD, but +# that variable is just a convenience alias for SEQ_FIRSTRUN_ADMINPASSWORD anyway. +{{- if not (or .Values.firstRunAdminPassword .Values.firstRunAdminPasswordHash) }} +{{- fail "At least one of firstRunAdminPassword or firstRunAdminPasswordHash must be specified." }} +{{- end }} diff --git a/charts/seq/values.yaml b/charts/seq/values.yaml index d275661..19f9df3 100644 --- a/charts/seq/values.yaml +++ b/charts/seq/values.yaml @@ -15,6 +15,16 @@ image: # that you intend to use. acceptEULA: "Y" +# Seq requires a default admin password in order to initialize a fresh container. Either +# specify this here, or see the `firstRunAdminPasswordHash` variant below for better confidentiality. +# firstRunAdminPassword: "" + +# Set this to create an admin user with given password hash at first run. +# See here for docs on how to create the password hash: https://blog.datalust.co/setting-an-initial-password-when-deploying-seq-to-docker/ +# firstRunAdminUsername: "admin" +# firstRunAdminPasswordHash: "" +# firstRunRequireAuthenticationForHttpIngestion: true + # Set this URL if you enable ingress and/or AAD authentication. # Without this URL set to include HTTPS, Seq will try to set a login redirect # URL with HTTP instead of HTTPS and AAD's registration requires HTTPS. @@ -26,12 +36,6 @@ acceptEULA: "Y" # will be used as the default when generating URIs for apps and notifications. # listenURI: "http://localhost:80,http://localhost:5341" -# Set this to create an admin user with given password hash at first run. -# See here for docs on how to create the password hash: https://blog.datalust.co/setting-an-initial-password-when-deploying-seq-to-docker/ -# firstRunAdminUsername: "admin" -# firstRunAdminPasswordHash: "" -# firstRunRequireAuthenticationForHttpIngestion: true - securityContext: runAsUser: 0 capabilities: From 88811136ceebfc0583ec2cf27d59497d7951b5ed Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 15:57:20 +1000 Subject: [PATCH 2/7] Add the firstRunNoAuthentication opt-out --- charts/seq/templates/deployment.yaml | 8 ++++++-- charts/seq/values.yaml | 8 +++++--- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/charts/seq/templates/deployment.yaml b/charts/seq/templates/deployment.yaml index 01c0c44..7e79949 100644 --- a/charts/seq/templates/deployment.yaml +++ b/charts/seq/templates/deployment.yaml @@ -51,6 +51,10 @@ spec: - name: "SEQ_FIRSTRUN_REQUIREAUTHENTICATIONFORHTTPINGESTION" value: "{{ .Values.firstRunRequireAuthenticationForHttpIngestion }}" {{- end }} +{{- if .Values.firstRunNoAuthentication }} + - name: "SEQ_FIRSTRUN_NOAUTHENTICATION" + value: "True" +{{- end }} {{- if .Values.extraEnvs }} {{ toYaml .Values.extraEnvs | indent 12 }} {{- end }} @@ -176,6 +180,6 @@ spec: # At least one of the default password variables must be set; note that this ignores SEQ_PASSWORD, but # that variable is just a convenience alias for SEQ_FIRSTRUN_ADMINPASSWORD anyway. -{{- if not (or .Values.firstRunAdminPassword .Values.firstRunAdminPasswordHash) }} -{{- fail "At least one of firstRunAdminPassword or firstRunAdminPasswordHash must be specified." }} +{{- if not (or .Values.firstRunNoAuthentication .Values.firstRunAdminPassword .Values.firstRunAdminPasswordHash) }} +{{- fail "One of firstRunAdminPassword or firstRunAdminPasswordHash must be specified." }} {{- end }} diff --git a/charts/seq/values.yaml b/charts/seq/values.yaml index 19f9df3..5740612 100644 --- a/charts/seq/values.yaml +++ b/charts/seq/values.yaml @@ -16,11 +16,13 @@ image: acceptEULA: "Y" # Seq requires a default admin password in order to initialize a fresh container. Either -# specify this here, or see the `firstRunAdminPasswordHash` variant below for better confidentiality. +# specify this here, or opt out using `firstRunNoAuthentication: true` (not suitable for production +# deployment). See the `firstRunAdminPasswordHash` variant below for better confidentiality. +firstRunNoAuthentication: false # firstRunAdminPassword: "" -# Set this to create an admin user with given password hash at first run. -# See here for docs on how to create the password hash: https://blog.datalust.co/setting-an-initial-password-when-deploying-seq-to-docker/ +# Further customization of the default security settings. +# See here for docs on how to create a password hash: https://blog.datalust.co/setting-an-initial-password-when-deploying-seq-to-docker/ # firstRunAdminUsername: "admin" # firstRunAdminPasswordHash: "" # firstRunRequireAuthenticationForHttpIngestion: true From 996959ffa6ca2822c333acc633fd3cdac69a15eb Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 16:08:30 +1000 Subject: [PATCH 3/7] Opt out of authentication in the sample config --- samples/seq/config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/samples/seq/config.yaml b/samples/seq/config.yaml index a8322eb..eef4ddb 100644 --- a/samples/seq/config.yaml +++ b/samples/seq/config.yaml @@ -1,3 +1,7 @@ +# This is an insecure default; don't use this for production deployments: instead specify +# the `firstRunAdminPassword` or `firstRunAdminPasswordHash` options. +firstRunNoAuthentication: true + image: tag: latest From bc28a404bf22435c313906b6fc82f42e2d513a0e Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 16:15:15 +1000 Subject: [PATCH 4/7] Opt out of authentication when linting the chart --- .github/workflows/helm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index aab0eca..9ae2d89 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -26,10 +26,10 @@ jobs: uses: helm/chart-testing-action@v2.7.0 - name: Lint - run: ct lint --charts charts/seq + run: ct lint --charts charts/seq --helm-extra-args "--set firstRunNoAuthentication=true" - name: Create Cluster uses: helm/kind-action@v1.2.0 - name: Install - run: ct install --charts charts/seq + run: ct install --charts charts/seq --helm-extra-args "--set firstRunNoAuthentication=true" From a086700ae2f0ad25526cf5c22ac70ee4420334f8 Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 16:18:26 +1000 Subject: [PATCH 5/7] Try helm lint style argument passing --- .github/workflows/helm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 9ae2d89..0429841 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -26,10 +26,10 @@ jobs: uses: helm/chart-testing-action@v2.7.0 - name: Lint - run: ct lint --charts charts/seq --helm-extra-args "--set firstRunNoAuthentication=true" + run: ct lint --charts charts/seq --set firstRunNoAuthentication=true - name: Create Cluster uses: helm/kind-action@v1.2.0 - name: Install - run: ct install --charts charts/seq --helm-extra-args "--set firstRunNoAuthentication=true" + run: ct install --charts charts/seq --set firstRunNoAuthentication=true From 767895a242e9fee0ce4f8e84d107fcd1780c7f85 Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 16:22:13 +1000 Subject: [PATCH 6/7] Try quoting my way out of this ;-) --- .github/workflows/helm.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index 0429841..e880d77 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -26,10 +26,10 @@ jobs: uses: helm/chart-testing-action@v2.7.0 - name: Lint - run: ct lint --charts charts/seq --set firstRunNoAuthentication=true + run: "ct lint --charts charts/seq --helm-lint-extra-args '--set firstRunNoAuthentication=true'" - name: Create Cluster uses: helm/kind-action@v1.2.0 - name: Install - run: ct install --charts charts/seq --set firstRunNoAuthentication=true + run: "ct install --charts charts/seq --helm-extra-args '--set firstRunNoAuthentication=true'" From a743f758a3e470170ea9152be82dfaa51a009b57 Mon Sep 17 00:00:00 2001 From: Nicholas Blumhardt Date: Wed, 18 Jun 2025 16:26:57 +1000 Subject: [PATCH 7/7] Nearly there; switch to using --helm-extra-set-args for ct install --- .github/workflows/helm.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml index e880d77..822872c 100644 --- a/.github/workflows/helm.yml +++ b/.github/workflows/helm.yml @@ -32,4 +32,4 @@ jobs: uses: helm/kind-action@v1.2.0 - name: Install - run: "ct install --charts charts/seq --helm-extra-args '--set firstRunNoAuthentication=true'" + run: "ct install --charts charts/seq --helm-extra-set-args '--set firstRunAdminPassword=YourP@55word'"