From 5cb719cf91df3db06a18de0fee52aa21a6ba513a Mon Sep 17 00:00:00 2001
From: Joel Dollarhide
Date: Tue, 4 Feb 2025 05:04:44 -0500
Subject: [PATCH] feat: allow ldap password via secret

- Ensure penpot namespace is created in cluster created by kind
- Allow setting ldap bind password using the existing secret flow
- Allow setting adhoc environment variables outside the format provided via the helm chart
- Fix issue where the default bindDN states it is an invalid format
---
 charts/penpot/README.md | 4 +++-
 charts/penpot/templates/backend-deployment.yml | 13 +++++++++++--
 charts/penpot/values.yaml | 18 ++++++++++++------
 scripts/cluster_create.sh | 2 +-
 4 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/charts/penpot/README.md b/charts/penpot/README.md
index 20cf519..4941354 100644
--- a/charts/penpot/README.md
+++ b/charts/penpot/README.md
@@ -102,7 +102,7 @@ helm install my-release -f values.yaml penpot/penpot
 | config.providers.ldap.attributesPhoto | string | `"jpegPhoto"` | The LDAP attributes photo format to use. |
 | config.providers.ldap.attributesUsername | string | `"uid"` | The LDAP attributes username to use. |
 | config.providers.ldap.baseDN | string | `"ou=people,dc=planetexpress,dc=com"` | The LDAP base DN to use. |
-| config.providers.ldap.bindDN | string | `"cn=admin,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
+| config.providers.ldap.bindDN | string | `"uid=admin,ou=people,dc=planetexpress,dc=com"` | The LDAP bind DN to use. |
 | config.providers.ldap.bindPassword | string | `"GoodNewsEveryone"` | The LDAP bind password to use. |
 | config.providers.ldap.enabled | bool | `false` | Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags. |
 | config.providers.ldap.host | string | `"ldap"` | The LDAP host to use. |
@@ -128,6 +128,7 @@ helm install my-release -f values.yaml penpot/penpot
 | config.providers.secretKeys.gitlabClientSecretKey | string | `""` | The GitLab client secret key to use from an existing secret. |
 | config.providers.secretKeys.googleClientIDKey | string | `""` | The Google client ID key to use from an existing secret. |
 | config.providers.secretKeys.googleClientSecretKey | string | `""` | The Google client secret key to use from an existing secret. |
+| config.providers.secretKeys.ldapBindPasswordKey | string | `""` | The LDAP admin bind password to use from an exsiting secret |
 | config.providers.secretKeys.oidcClientIDKey | string | `""` | The OpenID Connect client ID key to use from an existing secret. |
 | config.providers.secretKeys.oidcClientSecretKey | string | `""` | The OpenID Connect client secret key to use from an existing secret. |
 | config.publicUri | string | `"http://penpot.example.com"` | The public domain to serve Penpot on. **IMPORTANT:** Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain. |
@@ -159,6 +160,7 @@ helm install my-release -f values.yaml penpot/penpot
 | backend.affinity | object | `{}` | Affinity for Penpot pods assignment. Check [the official doc](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) |
 | backend.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["all"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true,"runAsUser":1001}` | Configure Container Security Context. Check [the official doc](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) |
 | backend.deploymentAnnotations | object | `{}` | An optional map of annotations to be applied to the controller Deployment |
+| backend.extraEnvs | list | `[]` | Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) |
 | backend.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy to use. |
 | backend.image.repository | string | `"penpotapp/backend"` | The Docker repository to pull the image from. |
 | backend.image.tag | string | `"2.4.3"` | The image tag to use. |
diff --git a/charts/penpot/templates/backend-deployment.yml b/charts/penpot/templates/backend-deployment.yml
index 7088ef1..d940de8 100644
--- a/charts/penpot/templates/backend-deployment.yml
+++ b/charts/penpot/templates/backend-deployment.yml
@@ -336,8 +336,8 @@ spec:
 value: {{ .Values.config.providers.oidc.userInfoSource | quote }}
 {{- end }}
 {{- end }}
- # LDAP provider settings
 {{- if .Values.config.providers.ldap.enabled }}
+ # LDAP provider settings
 {{- if .Values.config.providers.ldap.host }}
 - name: PENPOT_LDAP_HOST
 value: {{ .Values.config.providers.ldap.host | quote }}
@@ -362,7 +362,13 @@ spec:
 - name: PENPOT_LDAP_BIND_DN
 value: {{ .Values.config.providers.ldap.bindDN | quote }}
 {{- end }}
- {{- if .Values.config.providers.ldap.bindPassword }}
+ {{- if .Values.config.providers.secretKeys.ldapBindPasswordKey }}
+ - name: PENPOT_LDAP_BIND_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.config.providers.existingSecret }}
+ key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey }}
+ {{- else if .Values.config.providers.ldap.bindPassword }}
 - name: PENPOT_LDAP_BIND_PASSWORD
 value: {{ .Values.config.providers.ldap.bindPassword | quote }}
 {{- end }}
@@ -392,6 +398,9 @@ spec:
 value: {{ .Values.config.autoFileSnapshot.every | quote }}
 - name: PENPOT_AUTO_FILE_SNAPSHOT_TIMEOUT
 value: {{ .Values.config.autoFileSnapshot.timeout | quote }}
+ {{- with .Values.backend.extraEnvs }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 volumeMounts:
 - mountPath: /opt/data/assets
 name: app-data
diff --git a/charts/penpot/values.yaml b/charts/penpot/values.yaml
index 46cb76b..e597f25 100644
--- a/charts/penpot/values.yaml
+++ b/charts/penpot/values.yaml
@@ -64,7 +64,7 @@ config:
 postgresql:
 # -- The PostgreSQL host to connect to. Empty to use dependencies.
 # @section -- Configuration parameters
- host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
+ host: "" # Ex.: "postgresql.penpot.svc.cluster.local"
 # -- The PostgreSQL host port to use.
 # @section -- Configuration parameters
 port: 5432
@@ -94,7 +94,7 @@ config:
 redis:
 # -- The Redis host to connect to. Empty to use dependencies
 # @section -- Configuration parameters
- host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
+ host: "" # Ex.: "redis-headless.penpot.svc.cluster.local"
 # -- The Redis host port to use.
 # @section -- Configuration parameters
 port: 6379
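Review bot: The `secretKeyRef` in the new `ldapBindPasswordKey` branch renders `.Values.config.providers.existingSecret` unquoted and unchecked, so setting `ldapBindPasswordKey` without `existingSecret` yields a `name:` with no value and the failure only surfaces once Kubernetes processes the Deployment, with a generic missing-secret error. Since the point of this branch is to keep the bind password out of the rendered manifest, failing at template time is the better contract: `name: {{ required "config.providers.existingSecret is required when secretKeys.ldapBindPasswordKey is set" .Values.config.providers.existingSecret | quote }}` and `key: {{ .Values.config.providers.secretKeys.ldapBindPasswordKey | quote }}`, matching the `| quote` the neighbouring `bindDN` and `bindPassword` lines already use. The other `secretKeys` branches in this template presumably have the same shape; if so, the same guard applies there. The enclosing `env:` list starts and ends outside this hunk.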
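Review bot: `extraEnvs` is appended after every chart-managed variable via `toYaml . | nindent 12`, so an entry whose `name` repeats one the chart already emits (for example `PENPOT_LDAP_BIND_PASSWORD`) produces a duplicate `env` name; the chart does not reject that and the resulting precedence is not obvious to an operator reading values.yaml. The position itself is reasonable, but the values comment should say so: `# -- Extra environment variables for the backend container, appended after the chart-managed ones; an entry that reuses a chart-managed name duplicates it rather than replacing it.` The hard-coded `12` must also match the indentation of the `env:` items above it, which this hunk's collapsed rendering does not show, so a `helm template` run with a non-empty `extraEnvs` is worth doing before merge.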
@@ -278,7 +278,7 @@ config:
 baseDN: "ou=people,dc=planetexpress,dc=com"
 # -- The LDAP bind DN to use.
 # @section -- Configuration parameters
- bindDN: "cn=admin,dc=planetexpress,dc=com"
+ bindDN: "uid=admin,ou=people,dc=planetexpress,dc=com"
 # -- The LDAP bind password to use.
 # @section -- Configuration parameters
 bindPassword: "GoodNewsEveryone"
@@ -325,11 +325,14 @@ config: # -- The OpenID Connect client secret key to use from an existing secret. # @section -- Configuration parameters oidcClientSecretKey: "" + # -- The LDAP admin bind password to use from an exsiting secret + # @section -- Configuration parameters + ldapBindPasswordKey: "" autoFileSnapshot: # -- How many changes before generating a new snapshot. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable. # @section -- Configuration parameters - every: 5 # Every 5 changes + every: 5 # Every 5 changes # -- If there isn't a snapshot during this time, the system will generate one automatically. You also need to add the 'auto-file-snapshot' flag to the PENPOT_FLAGS variable. # @section -- Configuration parameters timeout: "3h"
@@ -408,6 +411,9 @@ backend: # -- (int,string) The number or percentage of pods from that set that can be unavailable after the eviction (e.g.: 3, "10%"). # @section -- Backend parameters maxUnavailable: + # -- Specify any additional environment values you want to provide to the backend container in the deployment according to the [specification](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) + # @section -- Backend parameters + extraEnvs: [] frontend: image:
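Review bot: The new `ldapBindPasswordKey` comment in the `-325,11 +325,14` hunk has a typo (`exsiting`), and because these `# --` / `# @section` comments appear to be the helm-docs source for the README table, the same typo lands in the README row added in this commit. The comment also omits the one fact a reader choosing between the two options needs, that the secret key wins over `ldap.bindPassword` when both are set (the template's `else if` establishes this): `# -- The LDAP bind password key to use from an existing secret. Takes precedence over config.providers.ldap.bindPassword when both are set.` Note that `bindPassword: "GoodNewsEveryone"` stays as the shipped default, so with LDAP enabled and `ldapBindPasswordKey` empty that plaintext value is rendered straight into the Deployment's env; the comment should steer operators to the secret path.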
@@ -666,7 +672,7 @@ postgresql: openshift: # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) # @section -- PostgreSQL Dependencie parameters - adaptSecurityContext: 'auto' + adaptSecurityContext: "auto" auth: # -- Name for a custom user to create.
@@ -686,7 +692,7 @@ redis:
 openshift:
 # -- Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
 # @section -- Redis Dependencie parameters
- adaptSecurityContext: 'auto'
+ adaptSecurityContext: "auto"
 auth:
 # -- Whether to enable password authentication.
 # @section -- Redis Dependencie parameters
diff --git a/scripts/cluster_create.sh b/scripts/cluster_create.sh
index a5120f8..0fd7871 100755
--- a/scripts/cluster_create.sh
+++ b/scripts/cluster_create.sh
@@ -4,7 +4,7 @@ kind create cluster --name penpot-cluster --config devel/kind.config.yml # Create a namespace for Penpot -kubectl apply -f devel/penpot-namespace.yml +kubectl apply -f devel/penpot-namespace.yml --context=kind-penpot-cluster kubectl config set-context penpot --namespace=penpot --cluster=kind-penpot-cluster --user=kind-penpot-cluster kubectl config use-context penpot
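Review bot: The added `--context=kind-penpot-cluster` in scripts/cluster_create.sh pins the namespace apply to the freshly created cluster, but the cluster name is now spelled out separately on the `kind create cluster --name penpot-cluster` line, on this line, and twice on the `set-context` line, so the four references can drift apart. A single `CLUSTER_NAME=penpot-cluster` near the top, with `--name "${CLUSTER_NAME}"`, `--context="kind-${CLUSTER_NAME}"` and `--cluster="kind-${CLUSTER_NAME}" --user="kind-${CLUSTER_NAME}"`, keeps them in step. The script's shebang and any `set -e` line are outside the hunk.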