vynil/domain-incoming
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix

Browse Source
This commit is contained in:
Sébastien Huss
2024-05-28 13:44:20 +02:00
parent e9e7950d9d
commit 4a80c26a41
3 changed files with 23 additions and 330 deletions
Download Patch File Download Diff File Expand all files Collapse all files

333
apps/taiga/taiga_ConfigMap.tf
View File

@@ -25,13 +25,11 @@ resource "kubectl_manifest" "cm_env_back" {
ENABLE_GITHUB_IMPORTER: "False"
ENABLE_JIRA_IMPORTER: "False"
ENABLE_TRELLO_IMPORTER: "False"
ENABLE_OIDC_AUTH: "True"
OIDC_RP_SCOPES: "openid email profile"
OIDC_BASE_URL: "${module.oauth2.sso_configuration_url}"
OIDC_OP_JWKS_ENDPOINT: "${module.oauth2.sso_configuration_url}jwks/"
OIDC_OP_AUTHORIZATION_ENDPOINT: "${module.oauth2.sso_authorize_url}"
OIDC_OP_TOKEN_ENDPOINT: "${module.oauth2.sso_token_url}"
OIDC_OP_USER_ENDPOINT: "${module.oauth2.sso_userinfo_url}"
ENABLE_OIDC_AUTH: "False"
ENABLE_OPENID_AUTH: "True"
OPENID_SCOPE: "openid email profile"
OPENID_TOKEN_URL: "${module.oauth2.sso_token_url}"
OPENID_USER_URL: "${module.oauth2.sso_userinfo_url}"
EOF
}
@@ -57,9 +55,11 @@ resource "kubectl_manifest" "cm_env_front" {
ENABLE_GITHUB_IMPORTER: "false"
ENABLE_JIRA_IMPORTER: "false"
ENABLE_TRELLO_IMPORTER: "false"
ENABLE_OIDC_AUTH: "true"
OIDC_BUTTON_TEXT: "${var.domain}"
OIDC_MOUNT_POINT: "/api/oidc"
ENABLE_OIDC_AUTH: "false"
ENABLE_OPENID_AUTH: "true"
OPENID_URL: "${module.oauth2.sso_configuration_url}"
OPENID_SCOPE: "openid email profile"
OPENID_NAME: "${var.domain}"
EOF
}
@@ -100,319 +100,6 @@ resource "kubectl_manifest" "cm_scripts" {
if str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'users.user'], cwd='/taiga-back')).find('\"is_superuser\": true') == -1:
print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_user'], cwd='/taiga-back'))
config.py: |-
# -*- coding: utf-8 -*-
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# Copyright (c) 2021-present Kaleidos INC
from .common import *
import os
#########################################
## GENERIC
#########################################
DEBUG = os.getenv('DEBUG', 'False') == 'True'
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': os.getenv('POSTGRES_DB'),
'USER': os.getenv('POSTGRES_USER'),
'PASSWORD': os.getenv('POSTGRES_PASSWORD'),
'HOST': os.getenv('POSTGRES_HOST'),
'PORT': os.getenv('POSTGRES_PORT','5432'),
'OPTIONS': {'sslmode': os.getenv('POSTGRES_SSLMODE','disable')},
'DISABLE_SERVER_SIDE_CURSORS': os.getenv('POSTGRES_DISABLE_SERVER_SIDE_CURSORS', 'False') == 'True',
}
}
SECRET_KEY = os.getenv('TAIGA_SECRET_KEY')
TAIGA_SITES_SCHEME = os.getenv('TAIGA_SITES_SCHEME', "http")
TAIGA_SITES_DOMAIN = os.getenv('TAIGA_SITES_DOMAIN', "localhost")
FORCE_SCRIPT_NAME = os.getenv('TAIGA_SUBPATH', '')
TAIGA_URL = f"{ TAIGA_SITES_SCHEME }://{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }"
SITES = {
"api": { "name": "api", "scheme": TAIGA_SITES_SCHEME, "domain": TAIGA_SITES_DOMAIN },
"front": { "name": "front", "scheme": TAIGA_SITES_SCHEME, "domain": f"{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" }
}
LANGUAGE_CODE = os.getenv("LANGUAGE_CODE", "en-us")
INSTANCE_TYPE = "D"
WEBHOOKS_ENABLED = os.getenv('WEBHOOKS_ENABLED', 'True') == 'True'
WEBHOOKS_ALLOW_PRIVATE_ADDRESS = os.getenv('WEBHOOKS_ALLOW_PRIVATE_ADDRESS', 'False') == 'True'
WEBHOOKS_ALLOW_REDIRECTS = os.getenv('WEBHOOKS_ALLOW_REDIRECTS', 'False') == 'True'
# Setting DEFAULT_PROJECT_SLUG_PREFIX to false
# removes the username from project slug
DEFAULT_PROJECT_SLUG_PREFIX = os.getenv('DEFAULT_PROJECT_SLUG_PREFIX', 'False') == 'True'
#########################################
## MEDIA
#########################################
MEDIA_URL = f"{ TAIGA_URL }/media/"
DEFAULT_FILE_STORAGE = "taiga_contrib_protected.storage.ProtectedFileSystemStorage"
THUMBNAIL_DEFAULT_STORAGE = DEFAULT_FILE_STORAGE
STATIC_URL = f"{ TAIGA_URL }/static/"
#########################################
## EMAIL
#########################################
# https://docs.djangoproject.com/en/3.1/topics/email/
EMAIL_BACKEND = os.getenv('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend')
CHANGE_NOTIFICATIONS_MIN_INTERVAL = 120 # seconds
DEFAULT_FROM_EMAIL = os.getenv('DEFAULT_FROM_EMAIL', 'system@taiga.io')
EMAIL_USE_TLS = os.getenv('EMAIL_USE_TLS', 'False') == 'True'
EMAIL_USE_SSL = os.getenv('EMAIL_USE_SSL', 'False') == 'True'
EMAIL_HOST = os.getenv('EMAIL_HOST', 'localhost')
EMAIL_PORT = os.getenv('EMAIL_PORT', 587)
EMAIL_HOST_USER = os.getenv('EMAIL_HOST_USER', 'user')
EMAIL_HOST_PASSWORD = os.getenv('EMAIL_HOST_PASSWORD', 'password')
#########################################
## SESSION
#########################################
SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', 'True') == 'True'
CSRF_COOKIE_SECURE = os.getenv('CSRF_COOKIE_SECURE', 'True') == 'True'
#########################################
## EVENTS
#########################################
EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
EVENTS_PUSH_BACKEND_URL = os.getenv('EVENTS_PUSH_BACKEND_URL')
if not EVENTS_PUSH_BACKEND_URL:
EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST', 'taiga-events-rabbitmq') }:5672/taiga"
EVENTS_PUSH_BACKEND_OPTIONS = {
"url": EVENTS_PUSH_BACKEND_URL
}
#########################################
## TAIGA ASYNC
#########################################
CELERY_ENABLED = os.getenv('CELERY_ENABLED', 'True') == 'True'
from kombu import Queue # noqa
CELERY_BROKER_URL = os.getenv('CELERY_BROKER_URL')
if not CELERY_BROKER_URL:
CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST', 'taiga-async-rabbitmq') }:5672/taiga"
CELERY_RESULT_BACKEND = None # for a general installation, we don't need to store the results
CELERY_ACCEPT_CONTENT = ['pickle', ] # Values are 'pickle', 'json', 'msgpack' and 'yaml'
CELERY_TASK_SERIALIZER = "pickle"
CELERY_RESULT_SERIALIZER = "pickle"
CELERY_TIMEZONE = os.getenv('CELERY_TIMEZONE', 'Europe/Madrid')
CELERY_TASK_DEFAULT_QUEUE = 'tasks'
CELERY_QUEUES = (
Queue('tasks', routing_key='task.#'),
Queue('transient', routing_key='transient.#', delivery_mode=1)
)
CELERY_TASK_DEFAULT_EXCHANGE = 'tasks'
CELERY_TASK_DEFAULT_EXCHANGE_TYPE = 'topic'
CELERY_TASK_DEFAULT_ROUTING_KEY = 'task.default'
#########################################
## REGISTRATION
#########################################
PUBLIC_REGISTER_ENABLED = os.getenv('PUBLIC_REGISTER_ENABLED', 'False') == 'True'
#########################################
## CONTRIBS
#########################################
# SLACK
ENABLE_SLACK = os.getenv('ENABLE_SLACK', 'False') == 'True'
if ENABLE_SLACK:
INSTALLED_APPS += [
"taiga_contrib_slack"
]
# GITHUB AUTH
# WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
# buttons to appear for both login and register
ENABLE_GITHUB_AUTH = os.getenv('ENABLE_GITHUB_AUTH', 'False') == 'True'
if PUBLIC_REGISTER_ENABLED and ENABLE_GITHUB_AUTH:
INSTALLED_APPS += [
"taiga_contrib_github_auth"
]
GITHUB_API_CLIENT_ID = os.getenv('GITHUB_API_CLIENT_ID')
GITHUB_API_CLIENT_SECRET = os.getenv('GITHUB_API_CLIENT_SECRET')
# GITLAB AUTH
# WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
# buttons to appear for both login and register
ENABLE_GITLAB_AUTH = os.getenv('ENABLE_GITLAB_AUTH', 'False') == 'True'
if PUBLIC_REGISTER_ENABLED and ENABLE_GITLAB_AUTH:
INSTALLED_APPS += [
"taiga_contrib_gitlab_auth"
]
GITLAB_API_CLIENT_ID = os.getenv('GITLAB_API_CLIENT_ID')
GITLAB_API_CLIENT_SECRET = os.getenv('GITLAB_API_CLIENT_SECRET')
GITLAB_URL = os.getenv('GITLAB_URL')
# OIDC AUTH
ENABLE_OIDC_AUTH = os.getenv('ENABLE_OIDC_AUTH', 'False') == 'True'
if ENABLE_OIDC_AUTH:
INSTALLED_APPS += [
"mozilla_django_oidc",
"taiga_contrib_oidc_auth",
]
AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
"taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
]
ROOT_URLCONF = "settings.urls"
OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
OIDC_BASE_URL = os.getenv("OIDC_BASE_URL", "https://id.fedoraproject.org/openidc")
OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES", "openid profile email")
OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT", OIDC_BASE_URL + "/Jwks")
OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT", OIDC_BASE_URL + "/Authorization")
OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT", OIDC_BASE_URL + "/Token")
OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT", OIDC_BASE_URL + "/UserInfo")
OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
print("ENABLE_OIDC_AUTH:", OIDC_BASE_URL, OIDC_BASE_URL)
print("INSTALLED_APPS:", INSTALLED_APPS)
print("AUTHENTICATION_BACKENDS:", AUTHENTICATION_BACKENDS)
#########################################
## TELEMETRY
#########################################
ENABLE_TELEMETRY = os.getenv('ENABLE_TELEMETRY', 'True') == 'True'
#########################################
## IMPORTERS
#########################################
ENABLE_GITHUB_IMPORTER = os.getenv('ENABLE_GITHUB_IMPORTER', 'False') == 'True'
if ENABLE_GITHUB_IMPORTER:
IMPORTERS["github"] = {
"active": True,
"client_id": os.getenv('GITHUB_IMPORTER_CLIENT_ID'),
"client_secret": os.getenv('GITHUB_IMPORTER_CLIENT_SECRET')
}
ENABLE_JIRA_IMPORTER = os.getenv('ENABLE_JIRA_IMPORTER', 'False') == 'True'
if ENABLE_JIRA_IMPORTER:
IMPORTERS["jira"] = {
"active": True,
"consumer_key": os.getenv('JIRA_IMPORTER_CONSUMER_KEY'),
"cert": os.getenv('JIRA_IMPORTER_CERT'),
"pub_cert": os.getenv('JIRA_IMPORTER_PUB_CERT')
}
ENABLE_TRELLO_IMPORTER = os.getenv('ENABLE_TRELLO_IMPORTER', 'False') == 'True'
if ENABLE_TRELLO_IMPORTER:
IMPORTERS["trello"] = {
"active": True,
"api_key": os.getenv('TRELLO_IMPORTER_API_KEY'),
"secret_key": os.getenv('TRELLO_IMPORTER_SECRET_KEY')
}
EOF
}
resource "kubectl_manifest" "cm_nginx" {
yaml_body = <<-EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: "${var.instance}-${var.component}-nginx"
namespace: ${var.namespace}
labels: ${jsonencode(local.common_labels)}
data:
default.conf: |-
server {
listen 8080 default_server;
client_max_body_size 100M;
charset utf-8;
# Frontend
location / {
proxy_pass http://${kubectl_manifest.svc_front.name}/;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
# Api
location /api {
proxy_pass http://${kubectl_manifest.svc_back.name}:8000/api;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
# Admin
location /admin {
proxy_pass http://${kubectl_manifest.svc_back.name}:8000/admin;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
# Static
location /static {
root /taiga;
}
# Media
location /_protected {
internal;
alias /taiga/media/;
add_header Content-disposition "attachment";
}
# Unprotected section
location /media/exports {
alias /taiga/media/exports/;
add_header Content-disposition "attachment";
}
location /media {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://${kubectl_manifest.svc_protected.name}:8003/;
proxy_redirect off;
}
# Events
location /events {
proxy_pass http://${kubectl_manifest.svc_events.name}:8888/events;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_connect_timeout 7d;
proxy_send_timeout 7d;
proxy_read_timeout 7d;
}
}
EOF
}

5
apps/taiga/taiga_Secret.tf
View File

@@ -3,6 +3,10 @@ resource "random_password" "system" {
special = false
}
resource "random_password" "admin" {
length = 16
special = false
}
resource "random_password" "rabbit" {
length = 32
special = false
@@ -19,6 +23,7 @@ resource "kubectl_manifest" "secret" {
type: Opaque
stringData:
TAIGA_SECRET_KEY: "${random_password.system.result}"
TAIGA_ADMIN_PASSWORD: "${random_password.admin.result}"
EOF
}

15
apps/taiga/taiga_workload.tf
View File

@@ -98,6 +98,12 @@ resource "kubectl_manifest" "Deployment_taiga-front" {
- name: taiga-front
image: "${var.images.front.registry}/${var.images.front.repository}:${var.images.front.tag}"
imagePullPolicy: ${var.images.front.pull_policy}
env:
- name: OPENID_CLIENT_ID
valueFrom:
secretKeyRef:
name: ${module.oauth2.secret_client_id_name}
key: ${module.oauth2.secret_client_id_key}
envFrom:
- configMapRef:
name: ${kubectl_manifest.cm_env_front.name}
@@ -218,12 +224,12 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
secretKeyRef:
name: ${kubectl_manifest.rabbit_user_secret.name}
key: password
- name: OIDC_RP_CLIENT_ID
- name: OPENID_CLIENT_ID
valueFrom:
secretKeyRef:
name: ${module.oauth2.secret_client_id_name}
key: ${module.oauth2.secret_client_id_key}
- name: OIDC_RP_CLIENT_SECRET
- name: OPENID_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: ${module.oauth2.secret_client_secret_name}
@@ -245,9 +251,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
- name: scripts
mountPath: /docker-entrypoint.d/certs.sh
subPath: certs.sh
- name: scripts
mountPath: /taiga-back/settings/config.py
subPath: config.py
- name: data
mountPath: /taiga-back/static
subPath: static
@@ -364,8 +367,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
items:
- key: certs.sh
path: certs.sh
- key: config.py
path: config.py
- name: data
persistentVolumeClaim:
claimName: ${kubectl_manifest.pvc.name}