
[Authelia] multi node Authelia generates multi attach errors for config volume (Clustertool + Talos) #30967

Open
3 tasks done
JacobSartin opened this issue Jan 16, 2025 · 0 comments
Labels
bug Something isn't working

Comments

@JacobSartin

JacobSartin commented Jan 16, 2025

Chart Name

Authelia

Operating System

other

Deployment Method

FluxCD

Chart Version

26.2.2

Kubernetes Events

Multi-Attach error for volume "pvc-5fe22aa2-4630-4cce-aada-8cc70c99802d" Volume is already used by pod(s) authelia-7ff4494fc6-l455z, authelia-7885864f59-k9fw9
(pvc-5fe22aa2-4630-4cce-aada-8cc70c99802d is the config volume)

Chart Logs

N/A, pods don't start if they can't mount the pvc

Chart Configuration

TZ: ${TZ}

domain: ${BASE_DOMAIN}
default_redirection_url: https://auth.${BASE_DOMAIN}
theme: dark

authentication_backend:
  file:
    enabled: false
  ldap:
    enabled: true
    implementation: custom
    # lldap-ldap because we are accessing the ldap service from the lldap chart
    url: ldap://lldap-ldap.lldap.svc.cluster.local:3890
    base_dn: ${LDAP_BASE_DN}
    # lldap specific
    additional_users_dn: ou=people
    # accept username or email
    users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    additional_groups_dn: ou=groups
    groups_filter: (member={dn})
    # bind user for authelia, only for authelia, strict read only
    user: ${AUTHELIA_BIND_USER},ou=people,${LDAP_BASE_DN}
    plain_password: "${AUTHELIA_BIND_PASS}"

password_policy:
  enabled: true
  zxcvbn:
    enabled: true
    min_score: 3

access_control:
  default_policy: deny
  rules:
    - domain:
        - "*.${BASE_DOMAIN}"
        - ${BASE_DOMAIN}
      policy: one_factor
      subject:
        - group:lldap_admin

notifier:
  filesystem:
    enabled: false
  smtp:
    enabled: true
    host: ${SMTP_HOST}
    port: ${SMTP_PORT}
    username: ${EMAIL}
    plain_password: ${SMTP_PASS}
    sender: auth@${BASE_DOMAIN}

ingress:
  main:
    enabled: true
    hosts:
      - host: auth.${BASE_DOMAIN}
    integrations:
      traefik:
        enabled: true
    certManager:
      enabled: true
      certificateIssuer: wildcard

Describe the bug

When a multinode cluster deploys multiple pods of authelia, only one pod can claim the config pvc. I didn't really dig into it, but this did cause a bunch of problems with inconsistent serving of the auth page which could lock you out of services.

To Reproduce

  1. Have a multi node cluster
  2. Deploy authelia (with file notification and authentication disabled)
  3. You will now see multiple main pods with only 1 succeeding

Expected Behavior

All pods deploy successfully

Screenshots

N/A

Additional Context

I'm not sure what the best choice is to fix it in general, but I use clustertool and therefore have longhorn to do ReadWriteMany. Setting the config PVC's accessModes to ReadWriteMany did fix the problem for me with all of the pods deploying successfully, but I understand this may not be desirable as a default in case people's CSIs do not support it.

I've read and agree with the following

  • I've checked all open and closed issues and my issue is not there.
  • I understand TrueNAS SCALE Apps are deprecated and TrueCharts does not accept TrueNAS SCALE related issues
  • I've prefixed my issue title with [Chart-Name]
@JacobSartin JacobSartin added the bug Something isn't working label Jan 16, 2025
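The failure reported above is a scheduling property of the manifests, so it can be caught before a rollout: a Deployment whose pod template mounts a PersistentVolumeClaim with only the ReadWriteOnce access mode cannot run two pods on different nodes at once. The check below is an added example, not code from the TrueCharts chart or from the reporter; it walks parsed Kubernetes manifests (constructed sample objects embedded inline, with made-up names such as `authelia-config`, not the chart's rendered output) and flags every Deployment that shares a single-node PVC across replicas. It generalizes the report in one respect: the two pod names in the event carry different ReplicaSet hashes, which is also what a RollingUpdate rollout of a one-replica Deployment produces when the new pod lands on another node, so that case is flagged too, while a Recreate strategy is not.

```python
"""Flag Deployments that will hit Multi-Attach errors on a ReadWriteOnce PVC.

Added example for the issue above; the manifests are constructed samples
shaped like parsed YAML (yaml.safe_load_all output), not the chart's own.
"""
from typing import Dict, List, Optional, Tuple

# Access modes that let several nodes attach the same volume. Anything else
# (ReadWriteOnce, ReadWriteOncePod) restricts the claim to one node or one pod.
MULTI_NODE_MODES = {"ReadWriteMany", "ReadOnlyMany"}

# Constructed sample manifests (hypothetical names, not the chart's).
SAMPLE_MANIFESTS: List[dict] = [
    {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
     "metadata": {"name": "authelia-config", "namespace": "auth"},
     "spec": {"accessModes": ["ReadWriteOnce"],
              "resources": {"requests": {"storage": "1Gi"}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "authelia", "namespace": "auth"},
     "spec": {"replicas": 2, "strategy": {"type": "RollingUpdate"},
              "template": {"spec": {"volumes": [
                  {"name": "config",
                   "persistentVolumeClaim": {"claimName": "authelia-config"}}]}}}},
    # A second service whose claim already allows multi-node attachment: no finding.
    {"apiVersion": "v1", "kind": "PersistentVolumeClaim",
     "metadata": {"name": "shared-data", "namespace": "auth"},
     "spec": {"accessModes": ["ReadWriteMany"]}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "shared-app", "namespace": "auth"},
     "spec": {"replicas": 3,
              "template": {"spec": {"volumes": [
                  {"name": "data",
                   "persistentVolumeClaim": {"claimName": "shared-data"}}]}}}},
]


def index_pvcs(manifests: List[dict]) -> Dict[Tuple[str, str], List[str]]:
    """Map (namespace, claim name) to the claim's declared access modes."""
    pvcs: Dict[Tuple[str, str], List[str]] = {}
    for m in manifests:
        if m.get("kind") != "PersistentVolumeClaim":
            continue
        meta = m.get("metadata", {})
        key = (meta.get("namespace", "default"), meta["name"])
        pvcs[key] = list(m.get("spec", {}).get("accessModes", []))
    return pvcs


def multi_attach_reason(replicas: int, strategy: str) -> Optional[str]:
    """Explain why a single-node claim is unsafe for this Deployment, or None."""
    if replicas > 1:
        return f"replicas={replicas} must all attach the same single-node claim"
    if strategy == "RollingUpdate":
        # Default strategy: the replacement pod starts while the old one still
        # holds the claim, so a rollout across nodes also multi-attaches.
        return "RollingUpdate starts the new pod before the old one releases the claim"
    return None  # replicas=1 with Recreate: old pod is gone before the new one mounts


def find_multi_attach_risks(manifests: List[dict]) -> List[dict]:
    """Return one finding per (Deployment, claim) pair that cannot be shared."""
    pvcs = index_pvcs(manifests)
    findings: List[dict] = []
    for m in manifests:
        if m.get("kind") != "Deployment":
            continue
        meta, spec = m.get("metadata", {}), m.get("spec", {})
        ns = meta.get("namespace", "default")
        replicas = int(spec.get("replicas", 1))
        strategy = spec.get("strategy", {}).get("type", "RollingUpdate")
        volumes = spec.get("template", {}).get("spec", {}).get("volumes") or []
        for vol in volumes:
            claim = vol.get("persistentVolumeClaim")
            if not claim:
                continue
            modes = pvcs.get((ns, claim["claimName"]))
            if modes is None:
                continue  # claim defined outside these manifests; cannot judge
            if MULTI_NODE_MODES & set(modes):
                continue  # CSI allows attachment from several nodes
            reason = multi_attach_reason(replicas, strategy)
            if reason:
                findings.append({"deployment": meta["name"], "namespace": ns,
                                 "claim": claim["claimName"], "modes": modes,
                                 "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_multi_attach_risks(SAMPLE_MANIFESTS):
        print(f"{f['namespace']}/{f['deployment']} -> {f['claim']} "
              f"{f['modes']}: {f['reason']}")
```

On a real cluster the same check runs over `kubectl get deploy,pvc -A -o json` output, or over `helm template` output parsed with `yaml.safe_load_all`. A finding means either the claim needs a multi-node access mode the CSI actually supports (the reporter's Longhorn ReadWriteMany workaround), or the Deployment must be pinned to one replica with a Recreate strategy; silently letting one pod win the attach race is what produced the intermittent auth-page lockout described in the report.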