chore(penpot): Added OIDC configuration for SSO
@@ -56,14 +56,14 @@ It'll add a `.placeholder` file where the manifests will live.
|
|||||||
|
|
||||||
## Important URLs
|
## Important URLs
|
||||||
- [ArgoCD](https://cd.dgse.cloud) (SSO Authentication required)
|
- [ArgoCD](https://cd.dgse.cloud) (SSO Authentication required)
|
||||||
- [Gitea](https://git.dgse.cloud) (Basic Authentication required)
|
- [Gitea](https://git.dgse.cloud) (SSO Authentication required)
|
||||||
- [Vault](https://sealed.dgse.cloud) (Token Based Authentication required)
|
- [Vault](https://sealed.dgse.cloud) (Token Based Authentication required)
|
||||||
- [Vaultwarden](https://vault.dgse.cloud) (Basic Authentication required)
|
- [Vaultwarden](https://vault.dgse.cloud) (Basic Authentication required)
|
||||||
- [Mailu](https://mail.dgse.cloud) (Basic Authentication required)
|
- [Mailu](https://mail.dgse.cloud) (Basic Authentication required)
|
||||||
- [PocketID](https://auth.dgse.cloud) (SSO Authentication required)
|
- [PocketID](https://auth.dgse.cloud) (SSO Authentication required)
|
||||||
- [Uptime Kuma](https://uptime.dgse.cloud) (Basic Authentication required)
|
- [Uptime Kuma](https://uptime.dgse.cloud) (Basic Authentication required)
|
||||||
- [Ntfy](https://notifications.dgse.cloud) (Basic Authentication required)
|
- [Ntfy](https://notifications.dgse.cloud) (Basic Authentication required)
|
||||||
- [Penpot](https://penpot.dgse.cloud) (Basic Authentication required)
|
- [Penpot](https://penpot.dgse.cloud) (SSO Authentication required)
|
||||||
|
|
||||||
## Important Notes
|
## Important Notes
|
||||||
- When adding a new application, keep in mind that after push to main, ArgoCD will automatically sync the resources to the cluster.
|
- When adding a new application, keep in mind that after push to main, ArgoCD will automatically sync the resources to the cluster.
|
||||||
|
|||||||
@@ -4,6 +4,9 @@ kind: Kustomization
|
|||||||
metadata:
|
metadata:
|
||||||
name: penpot
|
name: penpot
|
||||||
|
|
||||||
|
resources:
|
||||||
|
- secret.yaml
|
||||||
|
|
||||||
helmCharts:
|
helmCharts:
|
||||||
- name: penpot
|
- name: penpot
|
||||||
repo: http://helm.penpot.app
|
repo: http://helm.penpot.app
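Review bot: The chart repository on the last context line of this hunk is fetched over plain `http://`, so the Penpot chart that this commit now hands OIDC client credentials to is pulled without transport integrity and can be swapped in transit; this is pre-existing, but the new `resources:` entry makes the chart a more interesting target. Change it to `repo: https://helm.penpot.app`, and pin the chart `version` if the `helmCharts` entry does not already (the rest of that entry is outside this hunk, so I cannot tell).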
|
||||||
|
|||||||
21
manifests/artemis/penpot/secret.yaml
Normal file
21
manifests/artemis/penpot/secret.yaml
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
apiVersion: external-secrets.io/v1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: oidc-secret
|
||||||
|
spec:
|
||||||
|
refreshInterval: 1h
|
||||||
|
secretStoreRef:
|
||||||
|
name: platform
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
target:
|
||||||
|
name: oidc-secret
|
||||||
|
data:
|
||||||
|
- secretKey: CLIENT_ID
|
||||||
|
remoteRef:
|
||||||
|
key: penpot/oidc
|
||||||
|
property: CLIENT_ID
|
||||||
|
- secretKey: CLIENT_SECRET
|
||||||
|
remoteRef:
|
||||||
|
key: penpot/oidc
|
||||||
|
property: CLIENT_SECRET
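Review bot: The ExternalSecret materialises a Secret named `oidc-secret` (`target.name`), but the values change in this same commit reads `CLIENT_ID`/`CLIENT_SECRET` through `secretKeyRef` from a Secret named `oidc-client`; unless a Secret by that name is created elsewhere, the pod will not start because the referenced Secret is missing. Align the two, e.g. `name: oidc-client` under `target:` (and in `metadata.name`), or point both `secretKeyRef` entries at `oidc-secret`. The passing "Validate K8s manifests" check does not cover this, since it validates schema rather than cross-resource references.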
|
||||||
@@ -43,7 +43,7 @@ config:
|
|||||||
publicUri: "http://penpot.dgse.cloud"
|
publicUri: "http://penpot.dgse.cloud"
|
||||||
# -- The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info.
|
# -- The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
flags: "enable-registration enable-login-with-password disable-email-verification enable-smtp"
|
flags: "enable-login-with-password disable-email-verification enable-smtp"
|
||||||
# -- A random secret key needed for persistent user sessions. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(64))"` for example.
|
# -- A random secret key needed for persistent user sessions. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(64))"` for example.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
apiSecretKey: ""
|
apiSecretKey: ""
|
||||||
@@ -232,16 +232,24 @@ config:
|
|||||||
oidc:
|
oidc:
|
||||||
# -- Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags.
|
# -- Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
enabled: false
|
enabled: true
|
||||||
# -- The OpenID Connect base URI to use.
|
# -- The OpenID Connect base URI to use.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
baseURI: ""
|
baseURI: "https://auth.dgse.cloud"
|
||||||
# -- The OpenID Connect client ID to use.
|
# -- The OpenID Connect client ID to use.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
clientID: ""
|
clientID:
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: oidc-client
|
||||||
|
key: CLIENT_ID
|
||||||
# -- The OpenID Connect client secret to use.
|
# -- The OpenID Connect client secret to use.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
clientSecret: ""
|
clientSecret:
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: oidc-client
|
||||||
|
key: CLIENT_SECRET
|
||||||
# -- Optional OpenID Connect auth URI to use. Auto discovered if not provided.
|
# -- Optional OpenID Connect auth URI to use. Auto discovered if not provided.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
authURI: ""
|
authURI: ""
|
||||||
@@ -253,13 +261,13 @@ config:
|
|||||||
userURI: ""
|
userURI: ""
|
||||||
# -- Optional OpenID Connect roles to use. If no role is provided, role checking is disabled (default role values are set below, to disable role verification, send an empty string).
|
# -- Optional OpenID Connect roles to use. If no role is provided, role checking is disabled (default role values are set below, to disable role verification, send an empty string).
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
roles: "designer developer"
|
roles: ""
|
||||||
# -- Optional OpenID Connect roles attribute to use. If not provided, the role checking will be disabled.
|
# -- Optional OpenID Connect roles attribute to use. If not provided, the role checking will be disabled.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
rolesAttribute: ""
|
rolesAttribute: ""
|
||||||
# -- Optional OpenID Connect scopes to use. These settings allow overwriting the required scopes, use with caution because penpot requires at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`.
|
# -- Optional OpenID Connect scopes to use. These settings allow overwriting the required scopes, use with caution because penpot requires at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
scopes: "scope1 scope2"
|
scopes: ""
|
||||||
# -- Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used.
|
# -- Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used.
|
||||||
# @section -- Configuration parameters
|
# @section -- Configuration parameters
|
||||||
nameAttribute: ""
|
nameAttribute: ""
|
||||||
|
|||||||