fix

2024-05-29 11:22:18 +02:00
parent 41d2b49246
commit 97e481a148
3 changed files with 37 additions and 299 deletions
--- a/apps/taiga/index.yaml
+++ b/apps/taiga/index.yaml
@@ -127,6 +127,11 @@ options:
    examples:
    - your-company.com
    type: string
  enable_registration:
    default: true
    examples:
    - true
    type: boolean
  images:
    default:
      back:
@@ -360,6 +365,11 @@ options:
    examples:
    - letsencrypt-prod
    type: string
  language:
    default: fr
    examples:
    - fr
    type: string
  postgres:
    default:
      replicas: 1
@@ -494,6 +504,26 @@ options:
    examples:
    - taiga
    type: string
  timezone:
    default: Europe/Paris
    examples:
    - Europe/Paris
    type: string
  webhook:
    default:
      allow_private_addr: true
      allow_redirect: true
    examples:
    - allow_private_addr: true
      allow_redirect: true
    properties:
      allow_private_addr:
        default: true
        type: boolean
      allow_redirect:
        default: true
        type: boolean
    type: object
 dependencies:
 - dist: null
  category: dbo
--- a/apps/taiga/taiga_ConfigMap.tf
+++ b/apps/taiga/taiga_ConfigMap.tf
@@ -15,13 +15,16 @@ resource "kubectl_manifest" "cm_env_back" {
      TAIGA_SITES_SCHEME: https
      TAIGA_ASYNC_RABBITMQ_HOST: ${kubectl_manifest.rabbit.name}
      TAIGA_EVENTS_RABBITMQ_HOST: ${kubectl_manifest.rabbit.name}
      CELERY_TIMEZONE: "${var.timezone}"
      LANGUAGE_CODE: "${var.language}"
      ENABLE_TELEMETRY: "False"
-      PUBLIC_REGISTER_ENABLED: "True"
+      PUBLIC_REGISTER_ENABLED: "${var.enable_registration?"True":"False"}"
      ENABLE_OPENID: "True"
      OPENID_SCOPE: "openid email profile"
      OPENID_TOKEN_URL: "${module.oauth2.sso_token_url}"
      OPENID_USER_URL: "${module.oauth2.sso_userinfo_url}"
-      DEBUG: "True"
+      WEBHOOKS_ALLOW_PRIVATE_ADDRESS: "${var.webhook.allow_private_addr?"True":"False"}"
      WEBHOOKS_ALLOW_REDIRECTS: "${var.webhook.allow_private_addr?"True":"False"}"
 EOF
 }
@@ -37,10 +40,8 @@ resource "kubectl_manifest" "cm_env_front" {
      TAIGA_URL: https://${local.dns_name}
      TAIGA_SITES_DOMAIN: ${local.dns_name}
      TAIGA_SITES_SCHEME: https
      SESSION_COOKIE_SECURE: "false"
      CSRF_COOKIE_SECURE: "false"
      ENABLE_TELEMETRY: "false"
-      PUBLIC_REGISTER_ENABLED: "true"
+      PUBLIC_REGISTER_ENABLED: "${jsonencode(var.enable_registration)}"
      ENABLE_GITHUB_AUTH: "false"
      ENABLE_GITLAB_AUTH: "false"
      ENABLE_SLACK: "false"
@@ -51,13 +52,9 @@ resource "kubectl_manifest" "cm_env_front" {
      ENABLE_OPENID_AUTH: "true"
      OPENID_URL: "${module.oauth2.sso_authorize_url}"
      OPENID_SCOPE: "openid email profile"
-      OPENID_NAME: "${var.domain}"
+      OPENID_NAME: "${var.domain_name}"
 EOF
 }
 # awk '/taiga-events-rabbitmq/||/taiga-async-rabbitmq/' < /taiga-back/settings/config.py
 #     EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@taiga-events-rabbitmq:5672/taiga"
 #     CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@taiga-async-rabbitmq:5672/taiga"
 resource "kubectl_manifest" "cm_scripts" {
  yaml_body  = <<-EOF
@@ -68,287 +65,6 @@ resource "kubectl_manifest" "cm_scripts" {
      labels: ${jsonencode(local.postcfg_all_labels)}
      namespace: ${var.namespace}
    data:
      config.py: |-
        # -*- coding: utf-8 -*-
        # This Source Code Form is subject to the terms of the Mozilla Public
        # License, v. 2.0. If a copy of the MPL was not distributed with this
        # file, You can obtain one at http://mozilla.org/MPL/2.0/.
        #
        # Copyright (c) 2021-present Kaleidos INC
        from .common import *
        from ldap3 import Tls
        import os, sys, ssl
        #########################################
        ## GENERIC
        #########################################
        DEBUG = os.getenv('DEBUG', 'False') == 'True'
        DATABASES = {
            'default': {
                'ENGINE': 'django.db.backends.postgresql',
                'NAME': os.getenv('POSTGRES_DB'),
                'USER': os.getenv('POSTGRES_USER'),
                'PASSWORD': os.getenv('POSTGRES_PASSWORD'),
                'HOST': os.getenv('POSTGRES_HOST'),
                'PORT': os.getenv('POSTGRES_PORT','5432'),
                'OPTIONS': {'sslmode': os.getenv('POSTGRES_SSLMODE','disable')},
                'DISABLE_SERVER_SIDE_CURSORS': os.getenv('POSTGRES_DISABLE_SERVER_SIDE_CURSORS', 'False') == 'True',
            }
        }
        SECRET_KEY = os.getenv('TAIGA_SECRET_KEY')
        TAIGA_SITES_SCHEME = os.getenv('TAIGA_SITES_SCHEME', "http")
        TAIGA_SITES_DOMAIN = os.getenv('TAIGA_SITES_DOMAIN', "localhost")
        FORCE_SCRIPT_NAME = os.getenv('TAIGA_SUBPATH', '')
        TAIGA_URL = f"{ TAIGA_SITES_SCHEME }://{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }"
        SITES = {
                "api": { "name": "api", "scheme": TAIGA_SITES_SCHEME, "domain": TAIGA_SITES_DOMAIN },
                "front": { "name": "front", "scheme": TAIGA_SITES_SCHEME, "domain": f"{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" }
        }
        LANGUAGE_CODE = os.getenv("LANGUAGE_CODE", "en-us")
        INSTANCE_TYPE = "D"
        WEBHOOKS_ENABLED = os.getenv('WEBHOOKS_ENABLED', 'True') == 'True'
        WEBHOOKS_ALLOW_PRIVATE_ADDRESS = os.getenv('WEBHOOKS_ALLOW_PRIVATE_ADDRESS', 'False') == 'True'
        WEBHOOKS_ALLOW_REDIRECTS = os.getenv('WEBHOOKS_ALLOW_REDIRECTS', 'False') == 'True'
        # Setting DEFAULT_PROJECT_SLUG_PREFIX to false
        # removes the username from project slug
        DEFAULT_PROJECT_SLUG_PREFIX = os.getenv('DEFAULT_PROJECT_SLUG_PREFIX', 'False') == 'True'
        #########################################
        ## MEDIA
        #########################################
        MEDIA_URL = f"{ TAIGA_URL }/media/"
        DEFAULT_FILE_STORAGE = "taiga_contrib_protected.storage.ProtectedFileSystemStorage"
        THUMBNAIL_DEFAULT_STORAGE = DEFAULT_FILE_STORAGE
        STATIC_URL = f"{ TAIGA_URL }/static/"
        #########################################
        ## EMAIL
        #########################################
        # https://docs.djangoproject.com/en/3.1/topics/email/
        EMAIL_BACKEND = os.getenv('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend')
        CHANGE_NOTIFICATIONS_MIN_INTERVAL = 120  # seconds
        DEFAULT_FROM_EMAIL = os.getenv('DEFAULT_FROM_EMAIL', 'system@taiga.io')
        EMAIL_USE_TLS = os.getenv('EMAIL_USE_TLS', 'False') == 'True'
        EMAIL_USE_SSL = os.getenv('EMAIL_USE_SSL', 'False') == 'True'
        EMAIL_HOST = os.getenv('EMAIL_HOST', 'localhost')
        EMAIL_PORT = os.getenv('EMAIL_PORT', 587)
        EMAIL_HOST_USER = os.getenv('EMAIL_HOST_USER', 'user')
        EMAIL_HOST_PASSWORD = os.getenv('EMAIL_HOST_PASSWORD', 'password')
        #########################################
        ## SESSION
        #########################################
        SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', 'True') == 'True'
        CSRF_COOKIE_SECURE = os.getenv('CSRF_COOKIE_SECURE', 'True') == 'True'
        #########################################
        ## EVENTS
        #########################################
        EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
        EVENTS_PUSH_BACKEND_URL = os.getenv('EVENTS_PUSH_BACKEND_URL')
        if not EVENTS_PUSH_BACKEND_URL:
            EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST', 'taiga-events-rabbitmq') }:5672/taiga"
        EVENTS_PUSH_BACKEND_OPTIONS = {
            "url": EVENTS_PUSH_BACKEND_URL
        }
        #########################################
        ## TAIGA ASYNC
        #########################################
        CELERY_ENABLED = os.getenv('CELERY_ENABLED', 'True') == 'True'
        from kombu import Queue  # noqa
        CELERY_BROKER_URL = os.getenv('CELERY_BROKER_URL')
        if not CELERY_BROKER_URL:
            CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST', 'taiga-async-rabbitmq') }:5672/taiga"
        CELERY_RESULT_BACKEND = None # for a general installation, we don't need to store the results
        CELERY_ACCEPT_CONTENT = ['pickle', ]  # Values are 'pickle', 'json', 'msgpack' and 'yaml'
        CELERY_TASK_SERIALIZER = "pickle"
        CELERY_RESULT_SERIALIZER = "pickle"
        CELERY_TIMEZONE = os.getenv('CELERY_TIMEZONE', 'Europe/Madrid')
        CELERY_TASK_DEFAULT_QUEUE = 'tasks'
        CELERY_QUEUES = (
            Queue('tasks', routing_key='task.#'),
            Queue('transient', routing_key='transient.#', delivery_mode=1)
        )
        CELERY_TASK_DEFAULT_EXCHANGE = 'tasks'
        CELERY_TASK_DEFAULT_EXCHANGE_TYPE = 'topic'
        CELERY_TASK_DEFAULT_ROUTING_KEY = 'task.default'
        #########################################
        ##  REGISTRATION
        #########################################
        PUBLIC_REGISTER_ENABLED = os.getenv('PUBLIC_REGISTER_ENABLED', 'False') == 'True'
        #########################################
        ## CONTRIBS
        #########################################
        # SLACK
        ENABLE_SLACK = os.getenv('ENABLE_SLACK', 'False') == 'True'
        if ENABLE_SLACK:
            INSTALLED_APPS += [
                "taiga_contrib_slack"
            ]
        # GITHUB AUTH
        # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
        # buttons to appear for both login and register
        ENABLE_GITHUB_AUTH = os.getenv('ENABLE_GITHUB_AUTH', 'False') == 'True'
        if PUBLIC_REGISTER_ENABLED and ENABLE_GITHUB_AUTH:
            INSTALLED_APPS += [
                "taiga_contrib_github_auth"
            ]
            GITHUB_API_CLIENT_ID = os.getenv('GITHUB_API_CLIENT_ID')
            GITHUB_API_CLIENT_SECRET = os.getenv('GITHUB_API_CLIENT_SECRET')
        # GITLAB AUTH
        # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth
        # buttons to appear for both login and register
        ENABLE_GITLAB_AUTH = os.getenv('ENABLE_GITLAB_AUTH', 'False') == 'True'
        if PUBLIC_REGISTER_ENABLED and ENABLE_GITLAB_AUTH:
            INSTALLED_APPS += [
                "taiga_contrib_gitlab_auth"
            ]
            GITLAB_API_CLIENT_ID = os.getenv('GITLAB_API_CLIENT_ID')
            GITLAB_API_CLIENT_SECRET = os.getenv('GITLAB_API_CLIENT_SECRET')
            GITLAB_URL = os.getenv('GITLAB_URL')
        # OIDC AUTH
        ENABLE_OIDC_AUTH = os.getenv('ENABLE_OIDC_AUTH', 'False') == 'True'
        if ENABLE_OIDC_AUTH:
            INSTALLED_APPS += [
                "mozilla_django_oidc",
                "taiga_contrib_oidc_auth",
            ]
            AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [
                "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend",
            ]
            ROOT_URLCONF = "settings.urls"
            OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView"
            OIDC_BASE_URL = os.getenv("OIDC_BASE_URL", "https://id.fedoraproject.org/openidc")
            OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES", "openid profile email")
            OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256")
            OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT", OIDC_BASE_URL + "/Jwks")
            OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT", OIDC_BASE_URL + "/Authorization")
            OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT", OIDC_BASE_URL + "/Token")
            OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT", OIDC_BASE_URL + "/UserInfo")
            OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID")
            OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET")
        if os.getenv('TAIGA_ENABLE_OPENID_AUTH', os.getenv('ENABLE_OPENID', 'False')).lower() == 'true':
            print("ENABLE_OPENID")
            INSTALLED_APPS += ["taiga_contrib_openid_auth"]
            OPENID_USER_URL = os.getenv('TAIGA_OPENID_AUTH_USER_URL', os.getenv('OPENID_USER_URL'))
            OPENID_TOKEN_URL = os.getenv('TAIGA_OPENID_AUTH_TOKEN_URL', os.getenv('OPENID_TOKEN_URL'))
            OPENID_CLIENT_ID = os.getenv('TAIGA_OPENID_AUTH_CLIENT_ID', os.getenv('OPENID_CLIENT_ID'))
            OPENID_CLIENT_SECRET = os.getenv('TAIGA_OPENID_AUTH_CLIENT_SECRET', os.getenv('OPENID_CLIENT_SECRET'))
            OPENID_SCOPE = os.getenv('TAIGA_OPENID_SCOPE', os.getenv('OPENID_SCOPE'))
        if os.getenv('TAIGA_ENABLE_LDAP', os.getenv('ENABLE_LDAP', 'False')).lower() == 'true':
            INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"]
            if os.getenv('TAIGA_LDAP_USE_TLS', os.getenv('LDAP_START_TLS', 'False')).lower() == 'true':
                # Flag to enable LDAP with STARTTLS before bind
                LDAP_START_TLS = True
                LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES')
            else:
                LDAP_START_TLS = False
            LDAP_SERVER = os.getenv('TAIGA_LDAP_SERVER', os.getenv('LDAP_SERVER'))
            LDAP_PORT = int(os.getenv('TAIGA_LDAP_PORT', os.getenv('LDAP_PORT', '389')))
            # Full DN of the service account use to connect to LDAP server and search for login user's account entry
            # If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated
            LDAP_BIND_DN = os.getenv('TAIGA_LDAP_BIND_DN', os.getenv('LDAP_BIND_DN'))
            LDAP_BIND_PASSWORD = os.getenv('TAIGA_LDAP_BIND_PASSWORD', os.getenv('LDAP_BIND_PASSWORD'))
            # Starting point within LDAP structure to search for login user
            # Something like 'ou=People,dc=company,dc=com'
            LDAP_SEARCH_BASE = os.getenv('TAIGA_LDAP_BASE_DN', os.getenv('LDAP_SEARCH_BASE'))
            # Additional search criteria to the filter (will be ANDed)
            #LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)'
            # Names of attributes to get username, e-mail and full name values from
            # These fields need to have a value in LDAP
            LDAP_USERNAME_ATTRIBUTE = os.getenv('TAIGA_LDAP_USERNAME_ATTRIBUTE', os.getenv('LDAP_USERNAME_ATTRIBUTE'))
            LDAP_EMAIL_ATTRIBUTE = os.getenv('TAIGA_LDAP_EMAIL_ATTRIBUTE', os.getenv('LDAP_EMAIL_ATTRIBUTE'))
            LDAP_FULL_NAME_ATTRIBUTE = os.getenv('TAIGA_LDAP_FULL_NAME_ATTRIBUTE', os.getenv('LDAP_FULL_NAME_ATTRIBUTE'))
            # Option to not store the passwords in the local db
            if os.getenv('TAIGA_LDAP_SAVE_LOGIN_PASSWORD', os.getenv('LDAP_SAVE_LOGIN_PASSWORD', 'False')).lower() == 'false':
                LDAP_SAVE_LOGIN_PASSWORD = False
            # Fallback on normal authentication method if this LDAP auth fails. Uncomment to enable.
            LDAP_FALLBACK = os.getenv('TAIGA_LDAP_FALLBACK', os.getenv('LDAP_FALLBACK', 'normal'))
            # Function to map LDAP username to local DB user unique identifier.
            # Upon successful LDAP bind, will override returned username attribute
            # value. May result in unexpected failures if changed after the database
            # has been populated.
            def _ldap_slugify(uid: str) -> str:
                # example: force lower-case
                uid = uid.lower()
                return uid
            LDAP_MAP_USERNAME_TO_UID = _ldap_slugify
        #########################################
        ## TELEMETRY
        #########################################
        ENABLE_TELEMETRY = os.getenv('ENABLE_TELEMETRY', 'True') == 'True'
        #########################################
        ##  IMPORTERS
        #########################################
        ENABLE_GITHUB_IMPORTER = os.getenv('ENABLE_GITHUB_IMPORTER', 'False') == 'True'
        if ENABLE_GITHUB_IMPORTER:
            IMPORTERS["github"] = {
                "active": True,
                "client_id": os.getenv('GITHUB_IMPORTER_CLIENT_ID'),
                "client_secret": os.getenv('GITHUB_IMPORTER_CLIENT_SECRET')
            }
        ENABLE_JIRA_IMPORTER = os.getenv('ENABLE_JIRA_IMPORTER', 'False') == 'True'
        if ENABLE_JIRA_IMPORTER:
            IMPORTERS["jira"] = {
                "active": True,
                "consumer_key": os.getenv('JIRA_IMPORTER_CONSUMER_KEY'),
                "cert": os.getenv('JIRA_IMPORTER_CERT'),
                "pub_cert": os.getenv('JIRA_IMPORTER_PUB_CERT')
            }
        ENABLE_TRELLO_IMPORTER = os.getenv('ENABLE_TRELLO_IMPORTER', 'False') == 'True'
        if ENABLE_TRELLO_IMPORTER:
            IMPORTERS["trello"] = {
                "active": True,
                "api_key": os.getenv('TRELLO_IMPORTER_API_KEY'),
                "secret_key": os.getenv('TRELLO_IMPORTER_SECRET_KEY')
            }
      certs.sh: |-
        #!/usr/bin/env bash
        if [ -f /etc/local-ca/ca.crt ];then
--- a/apps/taiga/taiga_workload.tf
+++ b/apps/taiga/taiga_workload.tf
@@ -248,9 +248,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
            - name: taiga-back
              containerPort: 8000
            volumeMounts:
            - name: scripts
              mountPath: /taiga-back/settings/config.py
              subPath: config.py
            - name: scripts
              mountPath: /docker-entrypoint.d/certs.sh
              subPath: certs.sh
@@ -319,9 +316,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
            - name: scripts
              mountPath: /docker-entrypoint.d/certs.sh
              subPath: certs.sh
            - name: scripts
              mountPath: /taiga-back/settings/config.py
              subPath: config.py
            - name: data
              mountPath: /taiga-back/static
              subPath: static
@@ -373,8 +367,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" {
              items:
              - key: certs.sh
                path: certs.sh
              - key: config.py
                path: config.py
          - name: data
            persistentVolumeClaim:
              claimName: ${kubectl_manifest.pvc.name}