From 97e481a148d10366d43e159c0ea493b6c5bcb8e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Wed, 29 May 2024 11:22:18 +0200 Subject: [PATCH] fix --- apps/taiga/index.yaml | 30 ++++ apps/taiga/taiga_ConfigMap.tf | 298 +--------------------------------- apps/taiga/taiga_workload.tf | 8 - 3 files changed, 37 insertions(+), 299 deletions(-) diff --git a/apps/taiga/index.yaml b/apps/taiga/index.yaml index 5963410..bd6e486 100644 --- a/apps/taiga/index.yaml +++ b/apps/taiga/index.yaml @@ -127,6 +127,11 @@ options: examples: - your-company.com type: string + enable_registration: + default: true + examples: + - true + type: boolean images: default: back: @@ -360,6 +365,11 @@ options: examples: - letsencrypt-prod type: string + language: + default: fr + examples: + - fr + type: string postgres: default: replicas: 1 @@ -494,6 +504,26 @@ options: examples: - taiga type: string + timezone: + default: Europe/Paris + examples: + - Europe/Paris + type: string + webhook: + default: + allow_private_addr: true + allow_redirect: true + examples: + - allow_private_addr: true + allow_redirect: true + properties: + allow_private_addr: + default: true + type: boolean + allow_redirect: + default: true + type: boolean + type: object dependencies: - dist: null category: dbo diff --git a/apps/taiga/taiga_ConfigMap.tf b/apps/taiga/taiga_ConfigMap.tf index 5b23f80..6d76da4 100644 --- a/apps/taiga/taiga_ConfigMap.tf +++ b/apps/taiga/taiga_ConfigMap.tf 
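Review bot: The new `webhook` option in `apps/taiga/index.yaml` defaults both `allow_private_addr` and `allow_redirect` to `true`, which is more permissive than the Taiga settings they feed: the `config.py` removed later in this same commit reads `WEBHOOKS_ALLOW_PRIVATE_ADDRESS` and `WEBHOOKS_ALLOW_REDIRECTS` with a `'False'` default. With both enabled, webhook deliveries may be sent to private or cluster-internal addresses and follow redirects, so the reachable set of targets is decided by whoever can configure a webhook URL in a project. Unless private targets are a deliberate requirement here, the safer default is `allow_private_addr: false` and `allow_redirect: false` (in both the `default:` block and the `properties:` defaults), with a one-line description of the risk on the option so operators opt in knowingly.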
@@ -15,13 +15,16 @@ resource "kubectl_manifest" "cm_env_back" { TAIGA_SITES_SCHEME: https TAIGA_ASYNC_RABBITMQ_HOST: ${kubectl_manifest.rabbit.name} TAIGA_EVENTS_RABBITMQ_HOST: ${kubectl_manifest.rabbit.name} + CELERY_TIMEZONE: "${var.timezone}" + LANGUAGE_CODE: "${var.language}" ENABLE_TELEMETRY: "False" - PUBLIC_REGISTER_ENABLED: "True" + PUBLIC_REGISTER_ENABLED: "${var.enable_registration?"True":"False"}" ENABLE_OPENID: "True" OPENID_SCOPE: "openid email profile" OPENID_TOKEN_URL: "${module.oauth2.sso_token_url}" OPENID_USER_URL: "${module.oauth2.sso_userinfo_url}" - DEBUG: "True" + WEBHOOKS_ALLOW_PRIVATE_ADDRESS: "${var.webhook.allow_private_addr?"True":"False"}" + WEBHOOKS_ALLOW_REDIRECTS: "${var.webhook.allow_private_addr?"True":"False"}" EOF } @@ -37,10 +40,8 @@ resource "kubectl_manifest" "cm_env_front" { TAIGA_URL: https://${local.dns_name} TAIGA_SITES_DOMAIN: ${local.dns_name} TAIGA_SITES_SCHEME: https - SESSION_COOKIE_SECURE: "false" - CSRF_COOKIE_SECURE: "false" ENABLE_TELEMETRY: "false" - PUBLIC_REGISTER_ENABLED: "true" + PUBLIC_REGISTER_ENABLED: "${jsonencode(var.enable_registration)}" ENABLE_GITHUB_AUTH: "false" ENABLE_GITLAB_AUTH: "false" ENABLE_SLACK: "false" @@ -51,13 +52,9 @@ resource "kubectl_manifest" "cm_env_front" { ENABLE_OPENID_AUTH: "true" OPENID_URL: "${module.oauth2.sso_authorize_url}" OPENID_SCOPE: "openid email profile" - OPENID_NAME: "${var.domain}" + OPENID_NAME: "${var.domain_name}" EOF } -# awk '/taiga-events-rabbitmq/||/taiga-async-rabbitmq/' < /taiga-back/settings/config.py -# EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@taiga-events-rabbitmq:5672/taiga" -# CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@taiga-async-rabbitmq:5672/taiga" - resource "kubectl_manifest" "cm_scripts" { yaml_body = <<-EOF 
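Review bot: `WEBHOOKS_ALLOW_REDIRECTS` is wired to the wrong variable in the `cm_env_back` hunk: both new webhook lines read `var.webhook.allow_private_addr`, so the `allow_redirect` option declared in index.yaml is never applied and redirect handling silently follows the private-address setting. The second line should be `WEBHOOKS_ALLOW_REDIRECTS: "${var.webhook.allow_redirect?"True":"False"}"`. With the custom `config.py` removed from the ConfigMap in this commit, these values now depend on the image's own settings module reading the same environment names, which is presumably the case but is worth confirming against the taiga-back image in use.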
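Review bot: In the `cm_env_front` hunk `PUBLIC_REGISTER_ENABLED` is rendered with `jsonencode(var.enable_registration)` (lowercase `true`/`false`), while the same option in `cm_env_back` uses the `?"True":"False"` conditional; both appear intentional since the two consumers compare different spellings, but nothing in the file says so. A short comment on the front line, e.g. `# front expects lowercase json booleans; back compares against "True"`, would stop a later edit from "harmonising" the two and breaking one of them.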
@@ -68,287 +65,6 @@ resource "kubectl_manifest" "cm_scripts" { labels: ${jsonencode(local.postcfg_all_labels)} namespace: ${var.namespace} data: - config.py: |- - # -*- coding: utf-8 -*- - # This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this - # file, You can obtain one at http://mozilla.org/MPL/2.0/. - # - # Copyright (c) 2021-present Kaleidos INC - - from .common import * - from ldap3 import Tls - import os, sys, ssl - - - ######################################### - ## GENERIC - ######################################### - - DEBUG = os.getenv('DEBUG', 'False') == 'True' - - DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': os.getenv('POSTGRES_DB'), - 'USER': os.getenv('POSTGRES_USER'), - 'PASSWORD': os.getenv('POSTGRES_PASSWORD'), - 'HOST': os.getenv('POSTGRES_HOST'), - 'PORT': os.getenv('POSTGRES_PORT','5432'), - 'OPTIONS': {'sslmode': os.getenv('POSTGRES_SSLMODE','disable')}, - 'DISABLE_SERVER_SIDE_CURSORS': os.getenv('POSTGRES_DISABLE_SERVER_SIDE_CURSORS', 'False') == 'True', - } - } - SECRET_KEY = os.getenv('TAIGA_SECRET_KEY') - - TAIGA_SITES_SCHEME = os.getenv('TAIGA_SITES_SCHEME', "http") - TAIGA_SITES_DOMAIN = os.getenv('TAIGA_SITES_DOMAIN', "localhost") - FORCE_SCRIPT_NAME = os.getenv('TAIGA_SUBPATH', '') - - TAIGA_URL = f"{ TAIGA_SITES_SCHEME }://{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" - SITES = { - "api": { "name": "api", "scheme": TAIGA_SITES_SCHEME, "domain": TAIGA_SITES_DOMAIN }, - "front": { "name": "front", "scheme": TAIGA_SITES_SCHEME, "domain": f"{ TAIGA_SITES_DOMAIN }{ FORCE_SCRIPT_NAME }" } - } - - LANGUAGE_CODE = os.getenv("LANGUAGE_CODE", "en-us") - - INSTANCE_TYPE = "D" - - WEBHOOKS_ENABLED = os.getenv('WEBHOOKS_ENABLED', 'True') == 'True' - WEBHOOKS_ALLOW_PRIVATE_ADDRESS = os.getenv('WEBHOOKS_ALLOW_PRIVATE_ADDRESS', 'False') == 'True' - WEBHOOKS_ALLOW_REDIRECTS = os.getenv('WEBHOOKS_ALLOW_REDIRECTS', 'False') == 
'True' - - # Setting DEFAULT_PROJECT_SLUG_PREFIX to false - # removes the username from project slug - DEFAULT_PROJECT_SLUG_PREFIX = os.getenv('DEFAULT_PROJECT_SLUG_PREFIX', 'False') == 'True' - - ######################################### - ## MEDIA - ######################################### - MEDIA_URL = f"{ TAIGA_URL }/media/" - DEFAULT_FILE_STORAGE = "taiga_contrib_protected.storage.ProtectedFileSystemStorage" - THUMBNAIL_DEFAULT_STORAGE = DEFAULT_FILE_STORAGE - - STATIC_URL = f"{ TAIGA_URL }/static/" - - - ######################################### - ## EMAIL - ######################################### - # https://docs.djangoproject.com/en/3.1/topics/email/ - EMAIL_BACKEND = os.getenv('EMAIL_BACKEND', 'django.core.mail.backends.console.EmailBackend') - CHANGE_NOTIFICATIONS_MIN_INTERVAL = 120 # seconds - - DEFAULT_FROM_EMAIL = os.getenv('DEFAULT_FROM_EMAIL', 'system@taiga.io') - EMAIL_USE_TLS = os.getenv('EMAIL_USE_TLS', 'False') == 'True' - EMAIL_USE_SSL = os.getenv('EMAIL_USE_SSL', 'False') == 'True' - EMAIL_HOST = os.getenv('EMAIL_HOST', 'localhost') - EMAIL_PORT = os.getenv('EMAIL_PORT', 587) - EMAIL_HOST_USER = os.getenv('EMAIL_HOST_USER', 'user') - EMAIL_HOST_PASSWORD = os.getenv('EMAIL_HOST_PASSWORD', 'password') - - - ######################################### - ## SESSION - ######################################### - SESSION_COOKIE_SECURE = os.getenv('SESSION_COOKIE_SECURE', 'True') == 'True' - CSRF_COOKIE_SECURE = os.getenv('CSRF_COOKIE_SECURE', 'True') == 'True' - - - ######################################### - ## EVENTS - ######################################### - EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend" - - EVENTS_PUSH_BACKEND_URL = os.getenv('EVENTS_PUSH_BACKEND_URL') - if not EVENTS_PUSH_BACKEND_URL: - EVENTS_PUSH_BACKEND_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_EVENTS_RABBITMQ_HOST', 'taiga-events-rabbitmq') }:5672/taiga" - - EVENTS_PUSH_BACKEND_OPTIONS = { - 
"url": EVENTS_PUSH_BACKEND_URL - } - - - ######################################### - ## TAIGA ASYNC - ######################################### - CELERY_ENABLED = os.getenv('CELERY_ENABLED', 'True') == 'True' - from kombu import Queue # noqa - - CELERY_BROKER_URL = os.getenv('CELERY_BROKER_URL') - if not CELERY_BROKER_URL: - CELERY_BROKER_URL = f"amqp://{ os.getenv('RABBITMQ_USER') }:{ os.getenv('RABBITMQ_PASS') }@{ os.getenv('TAIGA_ASYNC_RABBITMQ_HOST', 'taiga-async-rabbitmq') }:5672/taiga" - - CELERY_RESULT_BACKEND = None # for a general installation, we don't need to store the results - CELERY_ACCEPT_CONTENT = ['pickle', ] # Values are 'pickle', 'json', 'msgpack' and 'yaml' - CELERY_TASK_SERIALIZER = "pickle" - CELERY_RESULT_SERIALIZER = "pickle" - CELERY_TIMEZONE = os.getenv('CELERY_TIMEZONE', 'Europe/Madrid') - CELERY_TASK_DEFAULT_QUEUE = 'tasks' - CELERY_QUEUES = ( - Queue('tasks', routing_key='task.#'), - Queue('transient', routing_key='transient.#', delivery_mode=1) - ) - CELERY_TASK_DEFAULT_EXCHANGE = 'tasks' - CELERY_TASK_DEFAULT_EXCHANGE_TYPE = 'topic' - CELERY_TASK_DEFAULT_ROUTING_KEY = 'task.default' - - - ######################################### - ## REGISTRATION - ######################################### - PUBLIC_REGISTER_ENABLED = os.getenv('PUBLIC_REGISTER_ENABLED', 'False') == 'True' - - - ######################################### - ## CONTRIBS - ######################################### - - # SLACK - ENABLE_SLACK = os.getenv('ENABLE_SLACK', 'False') == 'True' - if ENABLE_SLACK: - INSTALLED_APPS += [ - "taiga_contrib_slack" - ] - - # GITHUB AUTH - # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth - # buttons to appear for both login and register - ENABLE_GITHUB_AUTH = os.getenv('ENABLE_GITHUB_AUTH', 'False') == 'True' - if PUBLIC_REGISTER_ENABLED and ENABLE_GITHUB_AUTH: - INSTALLED_APPS += [ - "taiga_contrib_github_auth" - ] - GITHUB_API_CLIENT_ID = os.getenv('GITHUB_API_CLIENT_ID') - 
GITHUB_API_CLIENT_SECRET = os.getenv('GITHUB_API_CLIENT_SECRET') - - # GITLAB AUTH - # WARNING: If PUBLIC_REGISTER_ENABLED == False, currently Taiga by default prevents the OAuth - # buttons to appear for both login and register - ENABLE_GITLAB_AUTH = os.getenv('ENABLE_GITLAB_AUTH', 'False') == 'True' - if PUBLIC_REGISTER_ENABLED and ENABLE_GITLAB_AUTH: - INSTALLED_APPS += [ - "taiga_contrib_gitlab_auth" - ] - GITLAB_API_CLIENT_ID = os.getenv('GITLAB_API_CLIENT_ID') - GITLAB_API_CLIENT_SECRET = os.getenv('GITLAB_API_CLIENT_SECRET') - GITLAB_URL = os.getenv('GITLAB_URL') - - # OIDC AUTH - ENABLE_OIDC_AUTH = os.getenv('ENABLE_OIDC_AUTH', 'False') == 'True' - if ENABLE_OIDC_AUTH: - INSTALLED_APPS += [ - "mozilla_django_oidc", - "taiga_contrib_oidc_auth", - ] - AUTHENTICATION_BACKENDS = list(AUTHENTICATION_BACKENDS) + [ - "taiga_contrib_oidc_auth.oidc.TaigaOIDCAuthenticationBackend", - ] - ROOT_URLCONF = "settings.urls" - OIDC_CALLBACK_CLASS = "taiga_contrib_oidc_auth.views.TaigaOIDCAuthenticationCallbackView" - OIDC_BASE_URL = os.getenv("OIDC_BASE_URL", "https://id.fedoraproject.org/openidc") - OIDC_RP_SCOPES = os.getenv("OIDC_RP_SCOPES", "openid profile email") - OIDC_RP_SIGN_ALGO = os.getenv("OIDC_RP_SIGN_ALGO", "RS256") - OIDC_OP_JWKS_ENDPOINT = os.getenv("OIDC_OP_JWKS_ENDPOINT", OIDC_BASE_URL + "/Jwks") - OIDC_OP_AUTHORIZATION_ENDPOINT = os.getenv("OIDC_OP_AUTHORIZATION_ENDPOINT", OIDC_BASE_URL + "/Authorization") - OIDC_OP_TOKEN_ENDPOINT = os.getenv("OIDC_OP_TOKEN_ENDPOINT", OIDC_BASE_URL + "/Token") - OIDC_OP_USER_ENDPOINT = os.getenv("OIDC_OP_USER_ENDPOINT", OIDC_BASE_URL + "/UserInfo") - OIDC_RP_CLIENT_ID = os.getenv("OIDC_RP_CLIENT_ID") - OIDC_RP_CLIENT_SECRET = os.getenv("OIDC_RP_CLIENT_SECRET") - - if os.getenv('TAIGA_ENABLE_OPENID_AUTH', os.getenv('ENABLE_OPENID', 'False')).lower() == 'true': - print("ENABLE_OPENID") - INSTALLED_APPS += ["taiga_contrib_openid_auth"] - OPENID_USER_URL = os.getenv('TAIGA_OPENID_AUTH_USER_URL', os.getenv('OPENID_USER_URL')) - 
OPENID_TOKEN_URL = os.getenv('TAIGA_OPENID_AUTH_TOKEN_URL', os.getenv('OPENID_TOKEN_URL')) - OPENID_CLIENT_ID = os.getenv('TAIGA_OPENID_AUTH_CLIENT_ID', os.getenv('OPENID_CLIENT_ID')) - OPENID_CLIENT_SECRET = os.getenv('TAIGA_OPENID_AUTH_CLIENT_SECRET', os.getenv('OPENID_CLIENT_SECRET')) - OPENID_SCOPE = os.getenv('TAIGA_OPENID_SCOPE', os.getenv('OPENID_SCOPE')) - - if os.getenv('TAIGA_ENABLE_LDAP', os.getenv('ENABLE_LDAP', 'False')).lower() == 'true': - INSTALLED_APPS += ["taiga_contrib_ldap_auth_ext"] - - if os.getenv('TAIGA_LDAP_USE_TLS', os.getenv('LDAP_START_TLS', 'False')).lower() == 'true': - # Flag to enable LDAP with STARTTLS before bind - LDAP_START_TLS = True - LDAP_TLS_CERTS = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1, ciphers='RSA+3DES') - else: - LDAP_START_TLS = False - - LDAP_SERVER = os.getenv('TAIGA_LDAP_SERVER', os.getenv('LDAP_SERVER')) - LDAP_PORT = int(os.getenv('TAIGA_LDAP_PORT', os.getenv('LDAP_PORT', '389'))) - - # Full DN of the service account use to connect to LDAP server and search for login user's account entry - # If LDAP_BIND_DN is not specified, or is blank, then an anonymous bind is attempated - LDAP_BIND_DN = os.getenv('TAIGA_LDAP_BIND_DN', os.getenv('LDAP_BIND_DN')) - LDAP_BIND_PASSWORD = os.getenv('TAIGA_LDAP_BIND_PASSWORD', os.getenv('LDAP_BIND_PASSWORD')) - - # Starting point within LDAP structure to search for login user - # Something like 'ou=People,dc=company,dc=com' - LDAP_SEARCH_BASE = os.getenv('TAIGA_LDAP_BASE_DN', os.getenv('LDAP_SEARCH_BASE')) - - # Additional search criteria to the filter (will be ANDed) - #LDAP_SEARCH_FILTER_ADDITIONAL = '(mail=*)' - - # Names of attributes to get username, e-mail and full name values from - # These fields need to have a value in LDAP - LDAP_USERNAME_ATTRIBUTE = os.getenv('TAIGA_LDAP_USERNAME_ATTRIBUTE', os.getenv('LDAP_USERNAME_ATTRIBUTE')) - LDAP_EMAIL_ATTRIBUTE = os.getenv('TAIGA_LDAP_EMAIL_ATTRIBUTE', os.getenv('LDAP_EMAIL_ATTRIBUTE')) - LDAP_FULL_NAME_ATTRIBUTE = 
os.getenv('TAIGA_LDAP_FULL_NAME_ATTRIBUTE', os.getenv('LDAP_FULL_NAME_ATTRIBUTE')) - - # Option to not store the passwords in the local db - if os.getenv('TAIGA_LDAP_SAVE_LOGIN_PASSWORD', os.getenv('LDAP_SAVE_LOGIN_PASSWORD', 'False')).lower() == 'false': - LDAP_SAVE_LOGIN_PASSWORD = False - - # Fallback on normal authentication method if this LDAP auth fails. Uncomment to enable. - LDAP_FALLBACK = os.getenv('TAIGA_LDAP_FALLBACK', os.getenv('LDAP_FALLBACK', 'normal')) - - # Function to map LDAP username to local DB user unique identifier. - # Upon successful LDAP bind, will override returned username attribute - # value. May result in unexpected failures if changed after the database - # has been populated. - def _ldap_slugify(uid: str) -> str: - # example: force lower-case - uid = uid.lower() - return uid - - LDAP_MAP_USERNAME_TO_UID = _ldap_slugify - - - ######################################### - ## TELEMETRY - ######################################### - ENABLE_TELEMETRY = os.getenv('ENABLE_TELEMETRY', 'True') == 'True' - - - ######################################### - ## IMPORTERS - ######################################### - ENABLE_GITHUB_IMPORTER = os.getenv('ENABLE_GITHUB_IMPORTER', 'False') == 'True' - if ENABLE_GITHUB_IMPORTER: - IMPORTERS["github"] = { - "active": True, - "client_id": os.getenv('GITHUB_IMPORTER_CLIENT_ID'), - "client_secret": os.getenv('GITHUB_IMPORTER_CLIENT_SECRET') - } - - ENABLE_JIRA_IMPORTER = os.getenv('ENABLE_JIRA_IMPORTER', 'False') == 'True' - if ENABLE_JIRA_IMPORTER: - IMPORTERS["jira"] = { - "active": True, - "consumer_key": os.getenv('JIRA_IMPORTER_CONSUMER_KEY'), - "cert": os.getenv('JIRA_IMPORTER_CERT'), - "pub_cert": os.getenv('JIRA_IMPORTER_PUB_CERT') - } - - ENABLE_TRELLO_IMPORTER = os.getenv('ENABLE_TRELLO_IMPORTER', 'False') == 'True' - if ENABLE_TRELLO_IMPORTER: - IMPORTERS["trello"] = { - "active": True, - "api_key": os.getenv('TRELLO_IMPORTER_API_KEY'), - "secret_key": os.getenv('TRELLO_IMPORTER_SECRET_KEY') - } 
certs.sh: |- #!/usr/bin/env bash if [ -f /etc/local-ca/ca.crt ];then diff --git a/apps/taiga/taiga_workload.tf b/apps/taiga/taiga_workload.tf index 4b1e4e7..2c65c94 100644 --- a/apps/taiga/taiga_workload.tf +++ b/apps/taiga/taiga_workload.tf @@ -248,9 +248,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" { - name: taiga-back containerPort: 8000 volumeMounts: - - name: scripts - mountPath: /taiga-back/settings/config.py - subPath: config.py - name: scripts mountPath: /docker-entrypoint.d/certs.sh subPath: certs.sh @@ -319,9 +316,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" { - name: scripts mountPath: /docker-entrypoint.d/certs.sh subPath: certs.sh - - name: scripts - mountPath: /taiga-back/settings/config.py - subPath: config.py - name: data mountPath: /taiga-back/static subPath: static @@ -373,8 +367,6 @@ resource "kubectl_manifest" "Deployment_taiga-back" { items: - key: certs.sh path: certs.sh - - key: config.py - path: config.py - name: data persistentVolumeClaim: claimName: ${kubectl_manifest.pvc.name}