chore(penpot): Added OIDC configuration for SSO
All checks were successful
Validate K8s manifests / validate-manifests (push) Successful in 2m8s
All checks were successful
Validate K8s manifests / validate-manifests (push) Successful in 2m8s
This commit is contained in:
Daniël Groothuis
@@ -56,14 +56,14 @@ It'll add a `.placeholder` file where the manifests will live.
|
||||
|
||||
## Important URLs
|
||||
- [ArgoCD](https://cd.dgse.cloud) (SSO Authentication required)
|
||||
- [Gitea](https://git.dgse.cloud) (Basic Authentication required)
|
||||
- [Gitea](https://git.dgse.cloud) (SSO Authentication required)
|
||||
- [Vault](https://sealed.dgse.cloud) (Token Based Authentication required)
|
||||
- [Vaultwarden](https://vault.dgse.cloud) (Basic Authentication required)
|
||||
- [Mailu](https://mail.dgse.cloud) (Basic Authentication required)
|
||||
- [PocketID](https://auth.dgse.cloud) (SSO Authentication required)
|
||||
- [Uptime Kuma](https://uptime.dgse.cloud) (Basic Authentication required)
|
||||
- [Ntfy](https://notifications.dgse.cloud) (Basic Authentication required)
|
||||
- [Penpot](https://penpot.dgse.cloud) (Basic Authentication required)
|
||||
- [Penpot](https://penpot.dgse.cloud) (SSO Authentication required)
|
||||
|
||||
## Important Notes
|
||||
- When adding a new application, keep in mind that after push to main, ArgoCD will automatically sync the resources to the cluster.
|
||||
|
||||
@@ -4,6 +4,9 @@ kind: Kustomization
|
||||
metadata:
|
||||
name: penpot
|
||||
|
||||
resources:
|
||||
- secret.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: penpot
|
||||
repo: http://helm.penpot.app
|
||||
|
||||
21
manifests/artemis/penpot/secret.yaml
Normal file
21
manifests/artemis/penpot/secret.yaml
Normal file
@@ -0,0 +1,21 @@
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: oidc-secret
|
||||
spec:
|
||||
refreshInterval: 1h
|
||||
secretStoreRef:
|
||||
name: platform
|
||||
kind: ClusterSecretStore
|
||||
target:
|
||||
name: oidc-secret
|
||||
data:
|
||||
- secretKey: CLIENT_ID
|
||||
remoteRef:
|
||||
key: penpot/oidc
|
||||
property: CLIENT_ID
|
||||
- secretKey: CLIENT_SECRET
|
||||
remoteRef:
|
||||
key: penpot/oidc
|
||||
property: CLIENT_SECRET
|
||||
@@ -43,7 +43,7 @@ config:
|
||||
publicUri: "http://penpot.dgse.cloud"
|
||||
# -- The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info.
|
||||
# @section -- Configuration parameters
|
||||
flags: "enable-registration enable-login-with-password disable-email-verification enable-smtp"
|
||||
flags: "enable-login-with-password disable-email-verification enable-smtp"
|
||||
# -- A random secret key needed for persistent user sessions. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(64))"` for example.
|
||||
# @section -- Configuration parameters
|
||||
apiSecretKey: ""
|
||||
@@ -232,16 +232,24 @@ config:
|
||||
oidc:
|
||||
# -- Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags.
|
||||
# @section -- Configuration parameters
|
||||
enabled: false
|
||||
enabled: true
|
||||
# -- The OpenID Connect base URI to use.
|
||||
# @section -- Configuration parameters
|
||||
baseURI: ""
|
||||
baseURI: "https://auth.dgse.cloud"
|
||||
# -- The OpenID Connect client ID to use.
|
||||
# @section -- Configuration parameters
|
||||
clientID: ""
|
||||
clientID:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: oidc-client
|
||||
key: CLIENT_ID
|
||||
# -- The OpenID Connect client secret to use.
|
||||
# @section -- Configuration parameters
|
||||
clientSecret: ""
|
||||
clientSecret:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: oidc-client
|
||||
key: CLIENT_SECRET
|
||||
# -- Optional OpenID Connect auth URI to use. Auto discovered if not provided.
|
||||
# @section -- Configuration parameters
|
||||
authURI: ""
|
||||
@@ -253,13 +261,13 @@ config:
|
||||
userURI: ""
|
||||
# -- Optional OpenID Connect roles to use. If no role is provided, role checking is disabled (default role values are set below, to disable role verification, send an empty string).
|
||||
# @section -- Configuration parameters
|
||||
roles: "designer developer"
|
||||
roles: ""
|
||||
# -- Optional OpenID Connect roles attribute to use. If not provided, the role checking will be disabled.
|
||||
# @section -- Configuration parameters
|
||||
rolesAttribute: ""
|
||||
# -- Optional OpenID Connect scopes to use. These settings allow overwriting the required scopes, use with caution because penpot requires at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`.
|
||||
# @section -- Configuration parameters
|
||||
scopes: "scope1 scope2"
|
||||
scopes: ""
|
||||
# -- Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used.
|
||||
# @section -- Configuration parameters
|
||||
nameAttribute: ""
|
||||
|
||||
Reference in New Issue
Block a user