From 4a80c26a41b434b3b17ad2902c4649b190bdec18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Huss?=
Date: Tue, 28 May 2024 13:44:20 +0200
Subject: [PATCH] fix
---
 apps/taiga/taiga_ConfigMap.tf | 333 +---------------------------------
 apps/taiga/taiga_Secret.tf | 5 +
 apps/taiga/taiga_workload.tf | 15 +-
 3 files changed, 23 insertions(+), 330 deletions(-)
diff --git a/apps/taiga/taiga_ConfigMap.tf b/apps/taiga/taiga_ConfigMap.tf
index e58b67a..21d7d94 100644
--- a/apps/taiga/taiga_ConfigMap.tf
+++ b/apps/taiga/taiga_ConfigMap.tf
@@ -25,13 +25,11 @@ resource "kubectl_manifest" "cm_env_back" {
 ENABLE_GITHUB_IMPORTER: "False"
 ENABLE_JIRA_IMPORTER: "False"
 ENABLE_TRELLO_IMPORTER: "False"
- ENABLE_OIDC_AUTH: "True"
- OIDC_RP_SCOPES: "openid email profile"
- OIDC_BASE_URL: "${module.oauth2.sso_configuration_url}"
- OIDC_OP_JWKS_ENDPOINT: "${module.oauth2.sso_configuration_url}jwks/"
- OIDC_OP_AUTHORIZATION_ENDPOINT: "${module.oauth2.sso_authorize_url}"
- OIDC_OP_TOKEN_ENDPOINT: "${module.oauth2.sso_token_url}"
- OIDC_OP_USER_ENDPOINT: "${module.oauth2.sso_userinfo_url}"
+ ENABLE_OIDC_AUTH: "False"
+ ENABLE_OPENID_AUTH: "True"
+ OPENID_SCOPE: "openid email profile"
+ OPENID_TOKEN_URL: "${module.oauth2.sso_token_url}"
+ OPENID_USER_URL: "${module.oauth2.sso_userinfo_url}"
 EOF
 }
@@ -57,9 +55,11 @@ resource "kubectl_manifest" "cm_env_front" {
 ENABLE_GITHUB_IMPORTER: "false"
 ENABLE_JIRA_IMPORTER: "false"
 ENABLE_TRELLO_IMPORTER: "false"
- ENABLE_OIDC_AUTH: "true"
- OIDC_BUTTON_TEXT: "${var.domain}"
- OIDC_MOUNT_POINT: "/api/oidc"
+ ENABLE_OIDC_AUTH: "false"
+ ENABLE_OPENID_AUTH: "true"
+ OPENID_URL: "${module.oauth2.sso_configuration_url}"
+ OPENID_SCOPE: "openid email profile"
+ OPENID_NAME: "${var.domain}"
 EOF
 }
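Review bot: `OPENID_SCOPE: "openid email profile"` is now written twice, here in cm_env_back and again in the cm_env_front hunk that follows, so the scope the front requests and the scope the back expects can drift apart on the next edit; one Terraform local (e.g. `local.openid_scope`) referenced from both ConfigMaps would keep them identical. The replaced settings carried a JWKS endpoint (`OIDC_OP_JWKS_ENDPOINT`) alongside the token and userinfo URLs, whereas the new block passes only `OPENID_TOKEN_URL` and `OPENID_USER_URL`, and the custom config.py that consumed the old variables is deleted later in this patch, so token validation now rests on whatever settings the image ships; it is worth confirming that those settings read `ENABLE_OPENID_AUTH` and the `OPENID_*` names exactly as spelled here, since nothing in the diff shows it. Keeping `ENABLE_OIDC_AUTH: "False"` as an explicit opt-out is fine, but a YAML comment above it such as `# OIDC_* settings replaced by the OPENID_* ones below` would spare the next reader a blame. The cm_env_back resource starts before this hunk.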
@@ -100,319 +100,6 @@ resource "kubectl_manifest" "cm_scripts" {
 if str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'users.user'], cwd='/taiga-back')).find('\"is_superuser\": true') == -1:
 print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_user'], cwd='/taiga-back'))
- config.py: |-
- # -*- coding: utf-8 -*-
- # This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- #
- # Copyright (c) 2021-present Kaleidos INC
-
- from .common import *
- import os
-
-
- #########################################
- ## GENERIC
- #########################################
-
- DEBUG = os.getenv('DEBUG', 'False') == 'True'
-
- DATABASES = {
- 'default': {
- 'ENGINE': 'django.db.backends.postgresql',
- 'NAME': os.getenv('POSTGRES_DB'),
- 'USER': os.getenv('POSTGRES_USER'),
- 'PASSWORD': os.getenv('POSTGRES_PASSWORD'),
- 'HOST': os.getenv('POSTGRES_HOST'),
- 'PORT': os.getenv('POSTGRES_PORT','5432'),
- 'OPTIONS': {'sslmode': os.getenv('POSTGRES_SSLMODE','disable')},
- 'DISABLE_SERVER_SIDE_CURSORS': os.getenv('POSTGRES_DISABLE_SERVER_SIDE_CURSORS', 'False') == 'True',
- }
- }
- SECRET_KEY = os.getenv('TAIGA_SECRET_KEY')
-
- TAIGA_SITES_SCHEME = os.getenv('TAIGA_SITES_SCHEME', "http")
- TAIGA_SITES_DOMAIN = os.getenv('TAIGA_SITES_DOMAIN', "localhost")
- FORCE_SCRIPT_NAME = os.getenv('TAIGA_SUBPATH', '')
-
- TAIGA_URL = f"{ TAIGA_SITES_SCHEME }://{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }"
- SITES = {
- "api": { "name": "api", "scheme": TAIGA_SITES_SCHEME, "domain": TAIGA_SITES_DOMAIN },
- "front": { "name": "front", "scheme": TAIGA_SITES_SCHEME, "domain": f"{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" }
- }
-
- LANGUAGE_CODE = os.getenv("LANGUAGE_CODE", "en-us")
-
- INSTANCE_TYPE = "D"
-
- WEBHOOKS_ENABLED = os.getenv('WEBHOOKS_ENABLED', 'True') == 'True'
- WEBHOOKS_ALLOW_PRIVATE_ADDRESS = os.getenv('WEBHOOKS_ALLOW_PRIVATE_ADDRESS', 'False') == 'True'
- WEBHOOKS_ALLOW_REDIRECTS = os.getenv('WEBHOOKS_ALLOW_REDIRECTS', 'False') == 'True'
-
- # Setting DEFAULT_PROJECT_SLUG_PREFIX to false
- # removes the username from project slug
- DEFAULT_PROJECT_SLUG_PREFIX = os.getenv('DEFAULT_PROJECT_SLUG_PREFIX', 'False') == 'True'
-
- #########################################
- ## MEDIA
- #########################################
- MEDIA_URL = f"{ TAIGA_URL }/media/"
- DEFAULT_FILE_STORAGE = "taiga_contrib_protected.storage.ProtectedFileSystemStorage"
- THUMBNAIL_DEFAULT_STORAGE = DEFAULT_FILE_STORAGE
-
- STATIC_URL = f"{ TAIGA_URL }/static/"
-
-
- #########################################
- ## EMAIL
- #########################################
- # https://docs.djangoproject.com/en/3.1/topics/email/
- EMAIL_BACKEND = os.getenv('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend')
- CHANGE_NOTIFICATIONS_MIN_INTERVAL = 120 # seconds
-
- DEFAULT_FROM_EMAIL = os.getenv('DEFAULT_FROM_EMAIL', 'system@taiga.io')
- EMAIL_USE_TLS = os.getenv('EMAIL_USE_TLS', 'False') == 'True'
- EMAIL_USE_SSL = os.getenv('EMAIL_USE_SSL', 'False') == 'True'
- EMAIL_HOST = os.getenv('EMAIL_HOST', 'localhost')
- EMAIL_PORT = os.getenv('EMAIL_PORT', 587)
- EMAIL_HOST_USER = os.getenv('EMAIL_HOST_USER', 'user')
- EMAIL_HOST_PASSWORD = os.getenv('EMAIL_HOST_PASSWORD', 'password')
-
-
- #########################################
- ## SESSION
- #########################################
- SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', 'True') == 'True'
- CSRF_COOKIE_SECURE = os.getenv('CSRF_COOKIE_SECURE', 'True') == 'True'
-
-
- #########################################
- ## EVENTS
- #########################################
- EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
-
- EVENTS_PUSH_BACKEND_URL = os.getenv('EVENTS_PUSH_BACKEND_URL')
- if not EVENTS_PUSH_BACKEND_URL:
- EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST', 'taiga-events-rabbitmq') }:5672/taiga"
-
- EVENTS_PUSH_BACKEND_OPTIONS = {
- "url": EVENTS_PUSH_BACKEND_URL
- }
-
-
- #########################################
- ## TAIGA ASYNC
- #########################################
- CELERY_ENABLED = os.getenv('CELERY_ENABLED', 'True') == 'True'
- from kombu import Queue # noqa
-
- CELERY_BROKER_URL = os.getenv('CELERY_BROKER_URL')
- if not CELERY_BROKER_URL:
- CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST', 'taiga-async-rabbitmq') }:5672/taiga"
-
- CELERY_RESULT_BACKEND = None # for a general installation, we don't need to store the results
- CELERY_ACCEPT_CONTENT = ['pickle', ] # Values are 'pickle', 'json', 'msgpack' and 'yaml'
- CELERY_TASK_SERIALIZER = "pickle"
- CELERY_RESULT_SERIALIZER = "pickle"
- CELERY_TIMEZONE = os.getenv('CELERY_TIMEZONE', 'Europe/Madrid')
- CELERY_TASK_DEFAULT_QUEUE = 'tasks'
- CELERY_QUEUES = (
- Queue('tasks', routing_key='task.#'),
- Queue('transient', routing_key='transient.#', delivery_mode=1)
- )
- CELERY_TASK_DEFAULT_EXCHANGE = 'tasks'
- CELERY_TASK_DEFAULT_EXCHANGE_TYPE = 'topic'
- CELERY_TASK_DEFAULT_ROUTING_KEY = 'task.default'
-
-
- #########################################
- ## REGISTRATION
- #########################################
- PUBLIC_REGISTER_ENABLED = os.getenv('PUBLIC_REGISTER_ENABLED', 'False') == 'True'
-
-
- #########################################
- ## CONTRIBS
- #########################################
-
- # SLACK
- ENABLE_SLACK = os.getenv('ENABLE_SLACK', 'False') == 'True'
- if ENABLE_SLACK:
- INSTALLED_APPS += [
- "taiga_contrib_slack"
- ]
-
- # GITHUB AUTH
- # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
- # buttons to appear for both login and register
- ENABLE_GITHUB_AUTH = os.getenv('ENABLE_GITHUB_AUTH', 'False') == 'True'
- if PUBLIC_REGISTER_ENABLED and ENABLE_GITHUB_AUTH:
- INSTALLED_APPS += [
- "taiga_contrib_github_auth"
- ]
- GITHUB_API_CLIENT_ID = os.getenv('GITHUB_API_CLIENT_ID')
- GITHUB_API_CLIENT_SECRET = os.getenv('GITHUB_API_CLIENT_SECRET')
-
- # GITLAB AUTH
- # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
- # buttons to appear for both login and register
- ENABLE_GITLAB_AUTH = os.getenv('ENABLE_GITLAB_AUTH', 'False') == 'True'
- if PUBLIC_REGISTER_ENABLED and ENABLE_GITLAB_AUTH:
- INSTALLED_APPS += [
- "taiga_contrib_gitlab_auth"
- ]
- GITLAB_API_CLIENT_ID = os.getenv('GITLAB_API_CLIENT_ID')
- GITLAB_API_CLIENT_SECRET = os.getenv('GITLAB_API_CLIENT_SECRET')
- GITLAB_URL = os.getenv('GITLAB_URL')
-
- # OIDC AUTH
- ENABLE_OIDC_AUTH = os.getenv('ENABLE_OIDC_AUTH', 'False') == 'True'
- if ENABLE_OIDC_AUTH:
- INSTALLED_APPS += [
- "mozilla_django_oidc",
- "taiga_contrib_oidc_auth",
- ]
- AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
- "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
- ]
- ROOT_URLCONF = "settings.urls"
- OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
- OIDC_BASE_URL = os.getenv("OIDC_BASE_URL", "https://id.fedoraproject.org/openidc")
- OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES", "openid profile email")
- OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
- OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT", OIDC_BASE_URL + "/Jwks")
- OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT", OIDC_BASE_URL + "/Authorization")
- OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT", OIDC_BASE_URL + "/Token")
- OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT", OIDC_BASE_URL + "/UserInfo")
- OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
- OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
- print("ENABLE_OIDC_AUTH:", OIDC_BASE_URL, OIDC_BASE_URL)
- print("INSTALLED_APPS:", INSTALLED_APPS)
- print("AUTHENTICATION_BACKENDS:", AUTHENTICATION_BACKENDS)
-
-
- #########################################
- ## TELEMETRY
- #########################################
- ENABLE_TELEMETRY = os.getenv('ENABLE_TELEMETRY', 'True') == 'True'
-
-
- #########################################
- ## IMPORTERS
- #########################################
- ENABLE_GITHUB_IMPORTER = os.getenv('ENABLE_GITHUB_IMPORTER', 'False') == 'True'
- if ENABLE_GITHUB_IMPORTER:
- IMPORTERS["github"] = {
- "active": True,
- "client_id": os.getenv('GITHUB_IMPORTER_CLIENT_ID'),
- "client_secret": os.getenv('GITHUB_IMPORTER_CLIENT_SECRET')
- }
-
- ENABLE_JIRA_IMPORTER = os.getenv('ENABLE_JIRA_IMPORTER', 'False') == 'True'
- if ENABLE_JIRA_IMPORTER:
- IMPORTERS["jira"] = {
- "active": True,
- "consumer_key": os.getenv('JIRA_IMPORTER_CONSUMER_KEY'),
- "cert": os.getenv('JIRA_IMPORTER_CERT'),
- "pub_cert": os.getenv('JIRA_IMPORTER_PUB_CERT')
- }
-
- ENABLE_TRELLO_IMPORTER = os.getenv('ENABLE_TRELLO_IMPORTER', 'False') == 'True'
- if ENABLE_TRELLO_IMPORTER:
- IMPORTERS["trello"] = {
- "active": True,
- "api_key": os.getenv('TRELLO_IMPORTER_API_KEY'),
- "secret_key": os.getenv('TRELLO_IMPORTER_SECRET_KEY')
- }
-EOF
-}
-
-resource "kubectl_manifest" "cm_nginx" {
- yaml_body = <<-EOF
- apiVersion: v1
- kind: ConfigMap
- metadata:
- name: "${var.instance}-${var.component}-nginx"
- namespace: ${var.namespace}
- labels: ${jsonencode(local.common_labels)}
- data:
- default.conf: |-
- server {
- listen 8080 default_server;
-
- client_max_body_size 100M;
- charset utf-8;
-
- # Frontend
- location / {
- proxy_pass http://${kubectl_manifest.svc_front.name}/;
- proxy_pass_header Server;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- }
-
- # Api
- location /api {
- proxy_pass http://${kubectl_manifest.svc_back.name}:8000/api;
- proxy_pass_header Server;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- }
-
- # Admin
- location /admin {
- proxy_pass http://${kubectl_manifest.svc_back.name}:8000/admin;
- proxy_pass_header Server;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- }
-
- # Static
- location /static {
- root /taiga;
- }
-
- # Media
- location /_protected {
- internal;
- alias /taiga/media/;
- add_header Content-disposition "attachment";
- }
-
- # Unprotected section
- location /media/exports {
- alias /taiga/media/exports/;
- add_header Content-disposition "attachment";
- }
-
- location /media {
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass http://${kubectl_manifest.svc_protected.name}:8003/;
- proxy_redirect off;
- }
-
- # Events
- location /events {
- proxy_pass http://${kubectl_manifest.svc_events.name}:8888/events;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_connect_timeout 7d;
- proxy_send_timeout 7d;
- proxy_read_timeout 7d;
- }
- }
 EOF
 }
diff --git a/apps/taiga/taiga_Secret.tf b/apps/taiga/taiga_Secret.tf
index c106f27..057a6c0 100644
--- a/apps/taiga/taiga_Secret.tf
+++ b/apps/taiga/taiga_Secret.tf
@@ -3,6 +3,10 @@ resource "random_password" "system" {
 special = false
 }
+resource "random_password" "admin" {
+ length = 16
+ special = false
+}
 resource "random_password" "rabbit" {
 length = 32
 special = false
@@ -19,6 +23,7 @@ resource "kubectl_manifest" "secret" {
 type: Opaque
 stringData:
 TAIGA_SECRET_KEY: "${random_password.system.result}"
+ TAIGA_ADMIN_PASSWORD: "${random_password.admin.result}"
 EOF
 }
diff --git a/apps/taiga/taiga_workload.tf b/apps/taiga/taiga_workload.tf
index 133b85f..2c65c94 100644
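Review bot: `random_password.admin` is generated with `length = 16`, half the `length = 32` the sibling `rabbit` password uses a few lines below in the same hunk, and with `special = false` its alphabet is alphanumeric only; for a superuser credential that the second Secret hunk exposes as `TAIGA_ADMIN_PASSWORD`, `length = 32` would bring it in line with the rest of the file. Nothing in this patch consumes `TAIGA_ADMIN_PASSWORD`: the taiga-back Deployment hunks only wire `OPENID_CLIENT_ID` and `OPENID_CLIENT_SECRET`, and the cm_scripts context lines of the config.py deletion hunk still seed the superuser with `loaddata initial_user`, which takes its credentials from the fixture rather than from this Secret. Unless a consumer exists outside the diff, the generated password is stored but never applied and the seeded admin keeps whatever credentials the fixture ships. A comment on the resource naming that consumer, e.g. `# consumed by: <resource that reads TAIGA_ADMIN_PASSWORD>`, would make the dependency visible to the next reader.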
--- a/apps/taiga/taiga_workload.tf
+++ b/apps/taiga/taiga_workload.tf
@@ -98,6 +98,12 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
 - name: taiga-front
 image: "${var.images.front.registry}/${var.images.front.repository}:${var.images.front.tag}"
 imagePullPolicy: ${var.images.front.pull_policy}
+ env:
+ - name: OPENID_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: ${module.oauth2.secret_client_id_name}
+ key: ${module.oauth2.secret_client_id_key}
 envFrom:
 - configMapRef:
 name: ${kubectl_manifest.cm_env_front.name}
@@ -218,12 +224,12 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 secretKeyRef:
 name: ${kubectl_manifest.rabbit_user_secret.name}
 key: password
- - name: OIDC_RP_CLIENT_ID
+ - name: OPENID_CLIENT_ID
 valueFrom:
 secretKeyRef:
 name: ${module.oauth2.secret_client_id_name}
 key: ${module.oauth2.secret_client_id_key}
- - name: OIDC_RP_CLIENT_SECRET
+ - name: OPENID_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
 name: ${module.oauth2.secret_client_secret_name}
@@ -245,9 +251,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 - name: scripts
 mountPath: /docker-entrypoint.d/certs.sh
 subPath: certs.sh
- - name: scripts
- mountPath: /taiga-back/settings/config.py
- subPath: config.py
 - name: data
 mountPath: /taiga-back/static
 subPath: static
@@ -364,8 +367,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
 items:
 - key: certs.sh
 path: certs.sh
- - key: config.py
- path: config.py
 - name: data
 persistentVolumeClaim:
 claimName: ${kubectl_manifest.pvc.name}
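Review bot: Dropping the `/taiga-back/settings/config.py` mount (the three removed `- name: scripts` lines in the third hunk plus the matching `items:` entry in the last one) leaves taiga-back on whatever settings module the image ships, so every value the deleted file pinned now comes from there instead; the ones worth re-checking in that module are `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE`, which the deleted file defaulted to `True`, and whether `ENABLE_OPENID_AUTH` together with the `OPENID_*` environment names is honoured at all, since nothing in this patch shows it. The front Deployment now gets `OPENID_CLIENT_ID` from the oauth2 module secret, which is appropriate because a client id is a public identifier, but the new `env:` block sits ahead of `envFrom:` with no explanation; a one-line YAML comment such as `# client id only; the client secret is injected into taiga-back, never the front` records why the front receives one value and not the other. Both Deployment resources start before these hunks and continue past them.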