
feat: allow ldap password via secret

- Ensure penpot namespace is created in cluster created by kind
- Allow setting ldap bind password using the existing secret flow
- Allow setting ad hoc environment variables outside the format provided
via the Helm chart
- Fix issue where the default bindDN is reported as having an invalid format
This commit is contained in:
Joel Dollarhide 2025-02-04 05:04:44 -05:00 committed by David Barragán Merino
parent b2d983a9f1
commit 5cb719cf91
4 changed files with 27 additions and 10 deletions


@ -102,7 +102,7 @@ helm install my-release -f values.yaml penpot/penpot
| config.providers.ldap.attributesPhoto | string | `"jpegPhoto"` | The LDAP attributes photo format to use. |
| config.providers.ldap.attributesUsername | string | `"uid"` | The LDAP attributes username to use. |
| config.providers.ldap.baseDN | string | `"ou=people,dc=planetexpress,dc=com"` | The LDAP base DN to use. |
| config.providers.ldap.bindDN | string | `"cn=admin,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
| config.providers.ldap.bindDN | string | `"uid=admin,ou=people,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
| config.providers.ldap.bindPassword | string | `"GoodNewsEveryone"` | The LDAP bind password to use. |
| config.providers.ldap.enabled | bool | `false` | Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags. |
| config.providers.ldap.host | string | `"ldap"` | The LDAP host to use. |
@ -128,6 +128,7 @@ helm install my-release -f values.yaml penpot/penpot
| config.providers.secretKeys.gitlabClientSecretKey | string | `""` | The GitLab client secret key to use from an existing secret. |
| config.providers.secretKeys.googleClientIDKey | string | `""` | The Google client ID key to use from an existing secret. |
| config.providers.secretKeys.googleClientSecretKey | string | `""` | The Google client secret key to use from an existing secret. |
| config.providers.secretKeys.ldapBindPasswordKey | string | `""` | The LDAP admin bind password to use from an exsiting secret |
| config.providers.secretKeys.oidcClientIDKey | string | `""` | The OpenID Connect client ID key to use from an existing secret. |
| config.providers.secretKeys.oidcClientSecretKey | string | `""` | The OpenID Connect client secret key to use from an existing secret. |
| config.publicUri | string | `"http://penpot.example.com"` | The public domain to serve Penpot on. **IMPORTANT:** Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain. |
@ -159,6 +160,7 @@ helm install my-release -f values.yaml penpot/penpot
| backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
| backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
| backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
| backend.extraEnvs | list | `[]` | Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) |
| backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
| backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
| backend.image.tag | string | `"2.4.3"` | The image tag to use. |


@ -336,8 +336,8 @@ spec:
value: {{ .Values.config.providers.oidc.userInfoSource | quote }}
{{- end }}
{{- end }}
# LDAP provider settings
{{- if .Values.config.providers.ldap.enabled }}
# LDAP provider settings
{{- if .Values.config.providers.ldap.host }}
- name: PENPOT_LDAP_HOST
value: {{ .Values.config.providers.ldap.host | quote }}
@ -362,7 +362,13 @@ spec:
- name: PENPOT_LDAP_BIND_DN
value: {{ .Values.config.providers.ldap.bindDN | quote }}
{{- end }}
{{- if .Values.config.providers.ldap.bindPassword }}
{{- if .Values.config.providers.secretKeys.ldapBindPasswordKey }}
- name: PENPOT_LDAP_BIND_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.config.providers.existingSecret }}
key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey }}
{{- else if .Values.config.providers.ldap.bindPassword }}
- name: PENPOT_LDAP_BIND_PASSWORD
value: {{ .Values.config.providers.ldap.bindPassword | quote }}
{{- end }}
@ -392,6 +398,9 @@ spec:
value: {{ .Values.config.autoFileSnapshot.every | quote }}
- name: PENPOT_AUTO_FILE_SNAPSHOT_TIMEOUT
value: {{ .Values.config.autoFileSnapshot.timeout | quote }}
{{- with .Values.backend.extraEnvs }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /opt/data/assets
name: app-data
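Review bot: The new secretKeyRef branch in the second hunk (`-362,7 +362,13`) renders `name: {{ .Values.config.providers.existingSecret }}` with no guard that `existingSecret` is actually set, so enabling `secretKeys.ldapBindPasswordKey` without an `existingSecret` produces an empty `name:` that is presumably rejected by the API server at apply time instead of failing at template time; the `name`/`key` values are also left unquoted while every neighbouring `value:` line goes through `| quote`. Suggested: `name: {{ required "config.providers.existingSecret must be set when secretKeys.ldapBindPasswordKey is used" .Values.config.providers.existingSecret | quote }}` and `key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey | quote }}`. The other `secretKeys` branches of this template may share the same pattern, but only the LDAP one is visible here. The enclosing container `env:` list starts and ends outside these hunks.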


@ -64,7 +64,7 @@ config:
postgresql:
# -- The PostgreSQL host to connect to. Empty to use dependencies.
# @section -- Configuration parameters
host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
# -- The PostgreSQL host port to use.
# @section -- Configuration parameters
port: 5432
@ -94,7 +94,7 @@ config:
redis:
# -- The Redis host to connect to. Empty to use dependencies
# @section -- Configuration parameters
host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
# -- The Redis host port to use.
# @section -- Configuration parameters
port: 6379
@ -278,7 +278,7 @@ config:
baseDN: "ou=people,dc=planetexpress,dc=com"
# -- The LDAP bind DN to use.
# @section -- Configuration parameters
bindDN: "cn=admin,dc=planetexpress,dc=com"
bindDN: "uid=admin,ou=people,dc=planetexpress,dc=com"
# -- The LDAP bind password to use.
# @section -- Configuration parameters
bindPassword: "GoodNewsEveryone"
@ -325,11 +325,14 @@ config:
# -- The OpenID Connect client secret key to use from an existing secret.
# @section -- Configuration parameters
oidcClientSecretKey: ""
# -- The LDAP admin bind password to use from an exsiting secret
# @section -- Configuration parameters
ldapBindPasswordKey: ""
autoFileSnapshot:
# -- How many changes before generating a new snapshot. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
# @section -- Configuration parameters
every: 5 # Every 5 changes
every: 5 # Every 5 changes
# -- If there isn't a snapshot during this time, the system will generate one automatically. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
# @section -- Configuration parameters
timeout: "3h"
@ -408,6 +411,9 @@ backend:
# -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%").
# @section -- Backend parameters
maxUnavailable:
# -- Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables)
# @section -- Backend parameters
extraEnvs: []
frontend:
image:
@ -666,7 +672,7 @@ postgresql:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- PostgreSQL Dependencie parameters
adaptSecurityContext: 'auto'
adaptSecurityContext: "auto"
auth:
# -- Name for a custom user to create.
@ -686,7 +692,7 @@ redis:
openshift:
# -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
# @section -- Redis Dependencie parameters
adaptSecurityContext: 'auto'
adaptSecurityContext: "auto"
auth:
# -- Whether to enable password authentication.
# @section -- Redis Dependencie parameters
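Review bot: The comment on the new `ldapBindPasswordKey` entry (hunk `-325,11 +325,14`) misspells "existing" and, unlike its neighbours, lacks a trailing period; the same typo is reproduced in the generated README table. Since the backend template reads this key first and only falls back to `ldap.bindPassword` when it is empty, the comment should state that precedence: `# -- The LDAP admin bind password key to use from an existing secret (config.providers.existingSecret). Takes precedence over config.providers.ldap.bindPassword.` The README row should then be regenerated from the corrected comment.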


@ -4,7 +4,7 @@
kind create cluster --name penpot-cluster --config devel/kind.config.yml
# Create a namespace for Penpot
kubectl apply -f devel/penpot-namespace.yml
kubectl apply -f devel/penpot-namespace.yml --context=kind-penpot-cluster
kubectl config set-context penpot --namespace=penpot --cluster=kind-penpot-cluster --user=kind-penpot-cluster
kubectl config use-context penpot
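Review bot: The new `--context=kind-penpot-cluster` flag is the third place this context name is spelled out by hand (the `set-context` line below already repeats it twice), and it is derived from `--name penpot-cluster` on the `kind create cluster` line above, so renaming the cluster in one place would silently apply the namespace to whichever context happens to be current. If this file is a shell script, hoisting the name into a variable keeps them in step: `cluster=penpot-cluster`, `kind create cluster --name "$cluster" --config devel/kind.config.yml`, `kubectl apply -f devel/penpot-namespace.yml --context="kind-$cluster"`.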