feat: allow ldap password via secret
- Ensure the penpot namespace is created in the cluster created by kind - Allow setting the LDAP bind password using the existing secret flow - Allow setting ad hoc environment variables outside the format provided via the helm chart - Fix issue where the default bindDN is reported as an invalid format
This commit is contained in:
parent
b2d983a9f1
commit
5cb719cf91
4 changed files with 27 additions and 10 deletions
|
@ -102,7 +102,7 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| config.providers.ldap.attributesPhoto | string | `"jpegPhoto"` | The LDAP attributes photo format to use. |
|
||||
| config.providers.ldap.attributesUsername | string | `"uid"` | The LDAP attributes username to use. |
|
||||
| config.providers.ldap.baseDN | string | `"ou=people,dc=planetexpress,dc=com"` | The LDAP base DN to use. |
|
||||
| config.providers.ldap.bindDN | string | `"cn=admin,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
|
||||
| config.providers.ldap.bindDN | string | `"uid=admin,ou=people,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
|
||||
| config.providers.ldap.bindPassword | string | `"GoodNewsEveryone"` | The LDAP bind password to use. |
|
||||
| config.providers.ldap.enabled | bool | `false` | Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags. |
|
||||
| config.providers.ldap.host | string | `"ldap"` | The LDAP host to use. |
|
||||
|
@ -128,6 +128,7 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| config.providers.secretKeys.gitlabClientSecretKey | string | `""` | The GitLab client secret key to use from an existing secret. |
|
||||
| config.providers.secretKeys.googleClientIDKey | string | `""` | The Google client ID key to use from an existing secret. |
|
||||
| config.providers.secretKeys.googleClientSecretKey | string | `""` | The Google client secret key to use from an existing secret. |
|
||||
| config.providers.secretKeys.ldapBindPasswordKey | string | `""` | The LDAP admin bind password to use from an exsiting secret |
|
||||
| config.providers.secretKeys.oidcClientIDKey | string | `""` | The OpenID Connect client ID key to use from an existing secret. |
|
||||
| config.providers.secretKeys.oidcClientSecretKey | string | `""` | The OpenID Connect client secret key to use from an existing secret. |
|
||||
| config.publicUri | string | `"http://penpot.example.com"` | The public domain to serve Penpot on. **IMPORTANT:** Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain. |
|
||||
|
@ -159,6 +160,7 @@ helm install my-release -f values.yaml penpot/penpot
|
|||
| backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
|
||||
| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
|
||||
| backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
|
||||
| backend.extraEnvs | list | `[]` | Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) |
|
||||
| backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
|
||||
| backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
|
||||
| backend.image.tag | string | `"2.4.3"` | The image tag to use. |
|
||||
|
|
|
@ -336,8 +336,8 @@ spec:
|
|||
value: {{ .Values.config.providers.oidc.userInfoSource | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
# LDAP provider settings
|
||||
{{- if .Values.config.providers.ldap.enabled }}
|
||||
# LDAP provider settings
|
||||
{{- if .Values.config.providers.ldap.host }}
|
||||
- name: PENPOT_LDAP_HOST
|
||||
value: {{ .Values.config.providers.ldap.host | quote }}
|
||||
|
@ -362,7 +362,13 @@ spec:
|
|||
- name: PENPOT_LDAP_BIND_DN
|
||||
value: {{ .Values.config.providers.ldap.bindDN | quote }}
|
||||
{{- end }}
|
||||
{{- if .Values.config.providers.ldap.bindPassword }}
|
||||
{{- if .Values.config.providers.secretKeys.ldapBindPasswordKey }}
|
||||
- name: PENPOT_LDAP_BIND_PASSWORD
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ .Values.config.providers.existingSecret }}
|
||||
key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey }}
|
||||
{{- else if .Values.config.providers.ldap.bindPassword }}
|
||||
- name: PENPOT_LDAP_BIND_PASSWORD
|
||||
value: {{ .Values.config.providers.ldap.bindPassword | quote }}
|
||||
{{- end }}
|
||||
|
@ -392,6 +398,9 @@ spec:
|
|||
value: {{ .Values.config.autoFileSnapshot.every | quote }}
|
||||
- name: PENPOT_AUTO_FILE_SNAPSHOT_TIMEOUT
|
||||
value: {{ .Values.config.autoFileSnapshot.timeout | quote }}
|
||||
{{- with .Values.backend.extraEnvs }}
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- mountPath: /opt/data/assets
|
||||
name: app-data
|
||||
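Review bot: The secret-backed branch in the `@ -362,7 +362,13 @@` hunk is selected on `secretKeys.ldapBindPasswordKey` alone and renders `name: {{ .Values.config.providers.existingSecret }}` without checking that it is set, so a values file that sets the key but leaves `existingSecret` empty produces a `secretKeyRef` with an empty name that only fails at admission or pod start rather than at render time. Failing early is clearer: `name: {{ required "config.providers.existingSecret must be set when secretKeys.ldapBindPasswordKey is set" .Values.config.providers.existingSecret | quote }}`. The `else if` ordering gives the secret precedence over the plain `bindPassword` value; a one-line comment above the `{{- if .Values.config.providers.secretKeys.ldapBindPasswordKey }}` line saying so would save readers a lookup, and the same guard likely applies to the other `secretKeyRef` entries if they follow this pattern, which I cannot see from the hunk. The `env` list this hunk edits starts before `@ -362` and the enclosing container spec ends outside it.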
|
|
|
@ -64,7 +64,7 @@ config:
|
|||
postgresql:
|
||||
# -- The PostgreSQL host to connect to. Empty to use dependencies.
|
||||
# @section -- Configuration parameters
|
||||
host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
|
||||
host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
|
||||
# -- The PostgreSQL host port to use.
|
||||
# @section -- Configuration parameters
|
||||
port: 5432
|
||||
|
@ -94,7 +94,7 @@ config:
|
|||
redis:
|
||||
# -- The Redis host to connect to. Empty to use dependencies
|
||||
# @section -- Configuration parameters
|
||||
host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
|
||||
host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
|
||||
# -- The Redis host port to use.
|
||||
# @section -- Configuration parameters
|
||||
port: 6379
|
||||
|
@ -278,7 +278,7 @@ config:
|
|||
baseDN: "ou=people,dc=planetexpress,dc=com"
|
||||
# -- The LDAP bind DN to use.
|
||||
# @section -- Configuration parameters
|
||||
bindDN: "cn=admin,dc=planetexpress,dc=com"
|
||||
bindDN: "uid=admin,ou=people,dc=planetexpress,dc=com"
|
||||
# -- The LDAP bind password to use.
|
||||
# @section -- Configuration parameters
|
||||
bindPassword: "GoodNewsEveryone"
|
||||
|
@ -325,11 +325,14 @@ config:
|
|||
# -- The OpenID Connect client secret key to use from an existing secret.
|
||||
# @section -- Configuration parameters
|
||||
oidcClientSecretKey: ""
|
||||
# -- The LDAP admin bind password to use from an exsiting secret
|
||||
# @section -- Configuration parameters
|
||||
ldapBindPasswordKey: ""
|
||||
|
||||
autoFileSnapshot:
|
||||
# -- How many changes before generating a new snapshot. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
|
||||
# @section -- Configuration parameters
|
||||
every: 5 # Every 5 changes
|
||||
every: 5 # Every 5 changes
|
||||
# -- If there isn't a snapshot during this time, the system will generate one automatically. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
|
||||
# @section -- Configuration parameters
|
||||
timeout: "3h"
|
||||
|
@ -408,6 +411,9 @@ backend:
|
|||
# -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%").
|
||||
# @section -- Backend parameters
|
||||
maxUnavailable:
|
||||
# -- Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables)
|
||||
# @section -- Backend parameters
|
||||
extraEnvs: []
|
||||
|
||||
frontend:
|
||||
image:
|
||||
|
@ -666,7 +672,7 @@ postgresql:
|
|||
openshift:
|
||||
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
# @section -- PostgreSQL Dependencie parameters
|
||||
adaptSecurityContext: 'auto'
|
||||
adaptSecurityContext: "auto"
|
||||
|
||||
auth:
|
||||
# -- Name for a custom user to create.
|
||||
|
@ -686,7 +692,7 @@ redis:
|
|||
openshift:
|
||||
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
|
||||
# @section -- Redis Dependencie parameters
|
||||
adaptSecurityContext: 'auto'
|
||||
adaptSecurityContext: "auto"
|
||||
auth:
|
||||
# -- Whether to enable password authentication.
|
||||
# @section -- Redis Dependencie parameters
|
||||
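Review bot: The new doc comment `# -- The LDAP admin bind password to use from an exsiting secret` in the `@ -325,11 +325,14 @@` hunk misspells "existing" and, unlike its sibling entries, has no trailing period; the same text is copied into the README table in this commit. Suggested: `# -- The LDAP admin bind password key to use from an existing secret. Takes precedence over config.providers.ldap.bindPassword when both are set.` The precedence statement follows from the backend template in this commit, where the `secretKeyRef` branch is tested before `bindPassword`. The `secretKeys` mapping this hunk extends starts above the hunk.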
|
|
|
@ -4,7 +4,7 @@
|
|||
kind create cluster --name penpot-cluster --config devel/kind.config.yml
|
||||
|
||||
# Create a namespace for Penpot
|
||||
kubectl apply -f devel/penpot-namespace.yml
|
||||
kubectl apply -f devel/penpot-namespace.yml --context=kind-penpot-cluster
|
||||
kubectl config set-context penpot --namespace=penpot --cluster=kind-penpot-cluster --user=kind-penpot-cluster
|
||||
kubectl config use-context penpot
|
||||
|
||||
|
|