feat: allow ldap password via secret

- Ensure penpot namespace is created in cluster created by kind
- Allow setting ldap bind password using the existing secret flow
- Allow setting adhoc environment variables outside the format provided
via the helm chart
- Fix issue where the default bindDN states it is an invalid format

charts/penpot/README.md

@@ -102,7 +102,7 @@ helm install my-release -f values.yaml penpot/penpot
 | config.providers.ldap.attributesPhoto | string | `"jpegPhoto"` | The LDAP attributes photo format to use. |
 | config.providers.ldap.attributesUsername | string | `"uid"` | The LDAP attributes username to use. |
 | config.providers.ldap.baseDN | string | `"ou=people,dc=planetexpress,dc=com"` | The LDAP base DN to use. |
-| config.providers.ldap.bindDN | string | `"cn=admin,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
+| config.providers.ldap.bindDN | string | `"uid=admin,ou=people,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
 | config.providers.ldap.bindPassword | string | `"GoodNewsEveryone"` | The LDAP bind password to use. |
 | config.providers.ldap.enabled | bool | `false` | Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags. |
 | config.providers.ldap.host | string | `"ldap"` | The LDAP host to use. |
@@ -128,6 +128,7 @@ helm install my-release -f values.yaml penpot/penpot
 | config.providers.secretKeys.gitlabClientSecretKey | string | `""` | The GitLab client secret key to use from an existing secret. |
 | config.providers.secretKeys.googleClientIDKey | string | `""` | The Google client ID key to use from an existing secret. |
 | config.providers.secretKeys.googleClientSecretKey | string | `""` | The Google client secret key to use from an existing secret. |
+| config.providers.secretKeys.ldapBindPasswordKey | string | `""` | The LDAP admin bind password to use from an exsiting secret |
 | config.providers.secretKeys.oidcClientIDKey | string | `""` | The OpenID Connect client ID key to use from an existing secret. |
 | config.providers.secretKeys.oidcClientSecretKey | string | `""` | The OpenID Connect client secret key to use from an existing secret. |
 | config.publicUri | string | `"http://penpot.example.com"` | The public domain to serve Penpot on. **IMPORTANT:** Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain. |
@@ -159,6 +160,7 @@ helm install my-release -f values.yaml penpot/penpot
 | backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
 | backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
+| backend.extraEnvs | list | `[]` | Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) |
 | backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
 | backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
 | backend.image.tag | string | `"2.4.3"` | The image tag to use. |

charts/penpot/templates/backend-deployment.yml

@@ -336,8 +336,8 @@ spec:
               value: {{ .Values.config.providers.oidc.userInfoSource | quote }}
             {{- end }}
           {{- end }}
-            # LDAP provider settings
           {{- if .Values.config.providers.ldap.enabled }}
+            # LDAP provider settings
             {{- if .Values.config.providers.ldap.host }}
             - name: PENPOT_LDAP_HOST
               value: {{ .Values.config.providers.ldap.host | quote }}
@@ -362,7 +362,13 @@ spec:
             - name: PENPOT_LDAP_BIND_DN
               value: {{ .Values.config.providers.ldap.bindDN | quote }}
             {{- end }}
-            {{- if .Values.config.providers.ldap.bindPassword }}
+            {{- if .Values.config.providers.secretKeys.ldapBindPasswordKey }}
+            - name: PENPOT_LDAP_BIND_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey }}
+            {{- else if .Values.config.providers.ldap.bindPassword }}
             - name: PENPOT_LDAP_BIND_PASSWORD
               value: {{ .Values.config.providers.ldap.bindPassword | quote }}
             {{- end }}
@@ -392,6 +398,9 @@ spec:
               value: {{ .Values.config.autoFileSnapshot.every | quote }}
             - name: PENPOT_AUTO_FILE_SNAPSHOT_TIMEOUT
               value: {{ .Values.config.autoFileSnapshot.timeout | quote }}
+          {{- with .Values.backend.extraEnvs }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           volumeMounts:
             - mountPath: /opt/data/assets
               name: app-data

charts/penpot/values.yaml

@@ -64,7 +64,7 @@ config:
   postgresql:
     # -- The PostgreSQL host to connect to. Empty to use dependencies.
     # @section -- Configuration parameters
-    host: ""  # Ex.: "postgresql.penpot.svc.cluster.local"
+    host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
     # -- The PostgreSQL host port to use.
     # @section -- Configuration parameters
     port: 5432
@@ -94,7 +94,7 @@ config:
   redis:
     # -- The Redis host to connect to. Empty to use dependencies
     # @section -- Configuration parameters
-    host: ""  # Ex.: "redis-headless.penpot.svc.cluster.local"
+    host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
     # -- The Redis host port to use.
     # @section -- Configuration parameters
     port: 6379
@@ -278,7 +278,7 @@ config:
       baseDN: "ou=people,dc=planetexpress,dc=com"
       # -- The LDAP bind DN to use.
       # @section -- Configuration parameters
-      bindDN: "cn=admin,dc=planetexpress,dc=com"
+      bindDN: "uid=admin,ou=people,dc=planetexpress,dc=com"
       # -- The LDAP bind password to use.
       # @section -- Configuration parameters
       bindPassword: "GoodNewsEveryone"
@@ -325,11 +325,14 @@ config:
       # -- The OpenID Connect client secret key to use from an existing secret.
       # @section -- Configuration parameters
       oidcClientSecretKey: ""
+      # -- The LDAP admin bind password to use from an exsiting secret
+      # @section -- Configuration parameters
+      ldapBindPasswordKey: ""
 
   autoFileSnapshot:
     # -- How many changes before generating a new snapshot. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
     # @section -- Configuration parameters
-    every: 5  # Every 5 changes
+    every: 5 # Every 5 changes
     # -- If there isn't a snapshot during this time, the system will generate one automatically. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable.
     # @section -- Configuration parameters
     timeout: "3h"
@@ -408,6 +411,9 @@ backend:
     # -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%").
     # @section -- Backend parameters
     maxUnavailable:
+  # -- Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables)
+  # @section -- Backend parameters
+  extraEnvs: []
 
 frontend:
   image:
@@ -666,7 +672,7 @@ postgresql:
       openshift:
         # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
         # @section -- PostgreSQL Dependencie parameters
-        adaptSecurityContext: 'auto'
+        adaptSecurityContext: "auto"
 
   auth:
     # -- Name for a custom user to create.
@@ -686,7 +692,7 @@ redis:
       openshift:
         # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
         # @section -- Redis Dependencie parameters
-        adaptSecurityContext: 'auto'
+        adaptSecurityContext: "auto"
   auth:
     # -- Whether to enable password authentication.
     # @section -- Redis Dependencie parameters

scripts/cluster_create.sh

@@ -4,7 +4,7 @@
 kind create cluster --name penpot-cluster --config devel/kind.config.yml
 
 # Create a namespace for Penpot
-kubectl apply -f devel/penpot-namespace.yml
+kubectl apply -f devel/penpot-namespace.yml --context=kind-penpot-cluster
 kubectl config set-context penpot --namespace=penpot --cluster=kind-penpot-cluster --user=kind-penpot-cluster
 kubectl config use-context penpot