From dff6e22868bf6e405d69f3cbf2d379ffbcc652fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20Groothuis?=
Date: Mon, 27 Oct 2025 19:04:41 +0100
Subject: [PATCH] chore(penpot): Added OIDC configuration for SSO

---
README.md | 4 ++--
manifests/artemis/penpot/kustomization.yaml | 3 +++
manifests/artemis/penpot/secret.yaml | 21 ++++++++++++++++++++
manifests/artemis/penpot/values.yaml | 22 ++++++++++++++-------
4 files changed, 41 insertions(+), 9 deletions(-)
create mode 100644 manifests/artemis/penpot/secret.yaml

diff --git a/README.md b/README.md
index fcc8260..ecdc1f4 100644
--- a/README.md
+++ b/README.md
@@ -56,14 +56,14 @@ It'll add a `.placeholder` file where the manifests will live.
 ## Important URLs
 - [ArgoCD](https://cd.dgse.cloud) (SSO Authentication required)
-- [Gitea](https://git.dgse.cloud) (Basic Authentication required)
+- [Gitea](https://git.dgse.cloud) (SSO Authentication required)
 - [Vault](https://sealed.dgse.cloud) (Token Based Authentication required)
 - [Vaultwarden](https://vault.dgse.cloud) (Basic Authentication required)
 - [Mailu](https://mail.dgse.cloud) (Basic Authentication required)
 - [PocketID](https://auth.dgse.cloud) (SSO Authentication required)
 - [Uptime Kuma](https://uptime.dgse.cloud) (Basic Authentication required)
 - [Ntfy](https://notifications.dgse.cloud) (Basic Authentication required)
-- [Penpot](https://penpot.dgse.cloud) (Basic Authentication required)
+- [Penpot](https://penpot.dgse.cloud) (SSO Authentication required)
 ## Important Notes
 - When adding a new application, keep in mind that after push to main, ArgoCD will automatically sync the resources to the cluster.
diff --git a/manifests/artemis/penpot/kustomization.yaml b/manifests/artemis/penpot/kustomization.yaml
index 18d2f3c..529cb58 100644
--- a/manifests/artemis/penpot/kustomization.yaml
+++ b/manifests/artemis/penpot/kustomization.yaml
@@ -4,6 +4,9 @@ kind: Kustomization
 metadata:
 name: penpot
+resources:
+ - secret.yaml
+
 helmCharts:
 - name: penpot
 repo: http://helm.penpot.app
diff --git a/manifests/artemis/penpot/secret.yaml b/manifests/artemis/penpot/secret.yaml
new file mode 100644
index 0000000..86456b0
--- /dev/null
+++ b/manifests/artemis/penpot/secret.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: oidc-secret
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: platform
+ kind: ClusterSecretStore
+ target:
+ name: oidc-secret
+ data:
+ - secretKey: CLIENT_ID
+ remoteRef:
+ key: penpot/oidc
+ property: CLIENT_ID
+ - secretKey: CLIENT_SECRET
+ remoteRef:
+ key: penpot/oidc
+ property: CLIENT_SECRET
diff --git a/manifests/artemis/penpot/values.yaml b/manifests/artemis/penpot/values.yaml
index 85a6f8b..72971c5 100644
--- a/manifests/artemis/penpot/values.yaml
+++ b/manifests/artemis/penpot/values.yaml
@@ -43,7 +43,7 @@ config:
 publicUri: "http://penpot.dgse.cloud"
 # -- The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info.
 # @section -- Configuration parameters
- flags: "enable-registration enable-login-with-password disable-email-verification enable-smtp"
+ flags: "enable-login-with-password disable-email-verification enable-smtp"
 # -- A random secret key needed for persistent user sessions. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(64))"` for example.
 # @section -- Configuration parameters
 apiSecretKey: ""
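Review bot: The Secret this ExternalSecret materialises is named `oidc-secret` (`target.name`), but the values.yaml oidc hunk in this same patch references it as `secretKeyRef.name: oidc-client`, so the rendered workload would point at a Secret that never exists and the pod could not start; pick one name, e.g. under `target:` write `name: oidc-client`, or change both `name: oidc-client` lines in values.yaml to `oidc-secret`. The resource carries no `namespace`, so it relies on the kustomization applying one — presumably it does, but worth checking, since a `secretKeyRef` only resolves within the pod's own namespace.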
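Review bot: The new `flags` string still lacks `enable-login-with-oidc`, which the chart's own comment on `config.oidc.enabled` (next hunk) says must be added alongside enabling OIDC; unless the chart version in use appends it itself, OIDC login stays off even though `oidc.enabled` is now true: `flags: "enable-login-with-password enable-login-with-oidc disable-email-verification enable-smtp"`. Dropping `enable-registration` while keeping password login is a sensible tightening. The surrounding `publicUri` context line is `http://penpot.dgse.cloud` while the README links the site over https; if the backend derives the OIDC redirect URI from it, the callback registered at the IdP has to match and would be advertised over plain HTTP — worth aligning while touching this file.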
@@ -232,16 +232,24 @@ config:
 oidc:
 # -- Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags.
 # @section -- Configuration parameters
- enabled: false
+ enabled: true
 # -- The OpenID Connect base URI to use.
 # @section -- Configuration parameters
- baseURI: ""
+ baseURI: "https://auth.dgse.cloud"
 # -- The OpenID Connect client ID to use.
 # @section -- Configuration parameters
- clientID: ""
+ clientID:
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: CLIENT_ID
 # -- The OpenID Connect client secret to use.
 # @section -- Configuration parameters
- clientSecret: ""
+ clientSecret:
+ valueFrom:
+ secretKeyRef:
+ name: oidc-client
+ key: CLIENT_SECRET
 # -- Optional OpenID Connect auth URI to use. Auto discovered if not provided.
 # @section -- Configuration parameters
 authURI: ""
@@ -253,13 +261,13 @@ config:
 userURI: ""
 # -- Optional OpenID Connect roles to use. If no role is provided, role checking is disabled (default role values are set below, to disable role verification, send an empty string).
 # @section -- Configuration parameters
- roles: "designer developer"
+ roles: ""
 # -- Optional OpenID Connect roles attribute to use. If not provided, the role checking will be disabled.
 # @section -- Configuration parameters
 rolesAttribute: ""
 # -- Optional OpenID Connect scopes to use. These settings allow overwriting the required scopes, use with caution because penpot requires at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`.
 # @section -- Configuration parameters
- scopes: "scope1 scope2"
+ scopes: ""
 # -- Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used.
 # @section -- Configuration parameters
 nameAttribute: ""
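Review bot: `clientID` and `clientSecret` are given as `valueFrom.secretKeyRef` mappings where the chart's own comments document plain strings; unless the chart version in use accepts this form for these two keys, the mapping will be templated into the config as a literal string (or fail rendering) rather than becoming an env reference, so confirm against the chart's templates before merging. Keeping the client secret out of values.yaml is the right direction; if the chart does not support `valueFrom` here, its existing-secret mechanism, where one is offered, is the usual route. Note also that the `name: oidc-client` used on both references does not match the `oidc-secret` that secret.yaml in this patch creates.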
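Review bot: `roles: ""` together with the unchanged `rolesAttribute: ""` disables role checking entirely, per the inline comment, so every identity that can authenticate at `https://auth.dgse.cloud` is accepted by Penpot; with `enable-registration` removed in the earlier hunk, confirm whether the backend still auto-provisions unknown OIDC users, and if it does, either restrict which accounts may use this client at the IdP or restore `roles` together with a `rolesAttribute` the IdP actually emits. `scopes: ""` is an explicit empty override rather than the documented "not provided"; if the chart renders it into `PENPOT_OIDC_SCOPES` instead of omitting the key, verify the backend still requests what it needs for the `name` and `email` attributes, or drop the override and keep the chart default.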