From 16574ea45598597330c5176040eeb55be4fc4cfc Mon Sep 17 00:00:00 2001 From: MzUgM <108896003+MzUgM@users.noreply.github.com> Date: Thu, 18 Sep 2025 22:15:36 -0700 Subject: [PATCH 1/3] fix: login method naming --- README-ENTERPRISE.md | 23 ++++++++++++++--------- README.md | 18 +++++++++--------- chart/templates/deployment/_icc.yaml | 4 ++-- chart/templates/secrets.yaml | 16 ++++++++++------ chart/values.yaml | 10 ++-------- 5 files changed, 37 insertions(+), 34 deletions(-) diff --git a/README-ENTERPRISE.md b/README-ENTERPRISE.md index ff35d32..f577ec6 100644 --- a/README-ENTERPRISE.md +++ b/README-ENTERPRISE.md 
@@ -96,12 +96,12 @@ Configure how the Intelligent Command Center can be accessed | Name | Description | Default Value | Required | | --- | --- | --- | --- | -| `services.icc.login_methods.google_oauth.enable` | Enable Google OAuth | false | Yes | -| `services.icc.login_methods.google_oauth.client_id` | Required when Google is enabled | "" | No | -| `services.icc.login_methods.google_oauth.client_secret` | Required when Google is enabled | "" | No | -| `services.icc.login_methods.github_oauth.enable` | Enable Github OAuth | false | Yes | -| `services.icc.login_methods.github_oauth.client_id` | Required when Github is enabled | "" | No | -| `services.icc.login_methods.github_oauth.client_secret` | Required when Github is enabled | "" | No | +| `services.icc.login_methods.google.enable` | Enable Google OAuth | false | Yes | +| `services.icc.login_methods.google.client_id` | Required when Google is enabled | "" | No | +| `services.icc.login_methods.google.client_secret` | Required when Google is enabled | "" | No | +| `services.icc.login_methods.github.enable` | Enable Github OAuth | false | Yes | +| `services.icc.login_methods.github.client_id` | Required when Github is enabled | "" | No | +| `services.icc.login_methods.github.client_secret` | Required when Github is enabled | "" | No | | `services.icc.login_methods.password.enable` | Enable password authentication. **Enterprise-only** | false | No | | `services.icc.login_methods.password.password` | Password will be stored in environment variables. **Enterprise-only** | "" | No | | `services.icc.login_methods.demo.enable` | Creates a fake super user to browse the dashboard. **Enterprise-only** | false | No | @@ -147,6 +147,9 @@ variables, and execute the script. # Name of the cloud provider being deployed to. Valid values are: aws, gcp, or left empty PLT_CLOUD_PROVIDER="" +# Image pull secret token +DOCKER_TOKEN="" + # Connection string to Postgres cluster PLT_DATABASE_URL="" 
@@ -171,6 +174,8 @@ helm install platformatic oci://ghcr.io/platformatic/helm \ --create-namespace \ --namespace platformatic \ --set "cloud=$PLT_CLOUD_PROVIDER" \ + --set "imagePullSecret.token=${DOCKER_TOKEN}" \ + --set "imagePullSecret.user=platformatic" \ --set "services.icc.database_url=$PLT_DATABASE_URL" \ --set "services.icc.public_url=$PLT_PUBLIC_URL" \ --set "services.icc.prometheus.url=$PLT_PROMETHEUS_URL" \ @@ -179,9 +184,9 @@ helm install platformatic oci://ghcr.io/platformatic/helm \ --set "services.icc.secrets.user_manager_session=$(openssl rand -base64 32)" \ --set "services.icc.secrets.icc_session=$(openssl rand -hex 32)" \ --set "services.icc.secrets.control_plane_keys=$(openssl rand -hex 32)" \ - --set "services.icc.login_methods.github_oauth.enable=true" \ - --set "services.icc.login_methods.github_oauth.client_id=$GITHUB_OAUTH_CLIENT_ID" \ - --set "services.icc.login_methods.github_oauth.client_secret=$GITHUB_OAUTH_CLIENT_SECRET" + --set "services.icc.login_methods.github.enable=true" \ + --set "services.icc.login_methods.github.client_id=$GITHUB_OAUTH_CLIENT_ID" \ + --set "services.icc.login_methods.github.client_secret=$GITHUB_OAUTH_CLIENT_SECRET" ``` ## Notes diff --git a/README.md b/README.md index 2da0994..90009a3 100644 --- a/README.md +++ b/README.md 
@@ -97,12 +97,12 @@ Configure how the Intelligent Command Center can be accessed | Name | Description | Default Value | Required | | --- | --- | --- | --- | -| `services.icc.login_methods.google_oauth.enable` | Enable Google OAuth | false | Yes | -| `services.icc.login_methods.google_oauth.client_id` | Required when Google is enabled | "" | No | -| `services.icc.login_methods.google_oauth.client_secret` | Required when Google is enabled | "" | No | -| `services.icc.login_methods.github_oauth.enable` | Enable Github OAuth | false | Yes | -| `services.icc.login_methods.github_oauth.client_id` | Required when Github is enabled | "" | No | -| `services.icc.login_methods.github_oauth.client_secret` | Required when Github is enabled | "" | No | +| `services.icc.login_methods.google.enable` | Enable Google OAuth | false | Yes | +| `services.icc.login_methods.google.client_id` | Required when Google is enabled | "" | No | +| `services.icc.login_methods.google.client_secret` | Required when Google is enabled | "" | No | +| `services.icc.login_methods.github.enable` | Enable Github OAuth | false | Yes | +| `services.icc.login_methods.github.client_id` | Required when Github is enabled | "" | No | +| `services.icc.login_methods.github.client_secret` | Required when Github is enabled | "" | No | ### Machinist 
@@ -174,9 +174,9 @@ helm install platformatic oci://ghcr.io/platformatic/helm \ --set "services.icc.secrets.user_manager_session=$(openssl rand -base64 32)" \ --set "services.icc.secrets.icc_session=$(openssl rand -hex 32)" \ --set "services.icc.secrets.control_plane_keys=$(openssl rand -hex 32)" \ - --set "services.icc.login_methods.github_oauth.enable=true" \ - --set "services.icc.login_methods.github_oauth.client_id=$GITHUB_OAUTH_CLIENT_ID" \ - --set "services.icc.login_methods.github_oauth.client_secret=$GITHUB_OAUTH_CLIENT_SECRET" + --set "services.icc.login_methods.github.enable=true" \ + --set "services.icc.login_methods.github.client_id=$GITHUB_OAUTH_CLIENT_ID" \ + --set "services.icc.login_methods.github.client_secret=$GITHUB_OAUTH_CLIENT_SECRET" ``` ## Notes diff --git a/chart/templates/deployment/_icc.yaml b/chart/templates/deployment/_icc.yaml index 1ffdeda..9352e3f 100644 --- a/chart/templates/deployment/_icc.yaml +++ b/chart/templates/deployment/_icc.yaml @@ -151,7 +151,7 @@ spec: - name: PLT_COMPLIANCE_RULES_DIR value: "./rules" - {{- if .login_methods.github_oauth.enable }} + {{- if .login_methods.github.enable }} - name: PLT_GITHUB_OAUTH_CLIENT_ID valueFrom: secretKeyRef: @@ -164,7 +164,7 @@ spec: key: client_secret {{- end }} - {{- if .login_methods.google_oauth.enable }} + {{- if .login_methods.google.enable }} - name: PLT_GOOGLE_OAUTH_CLIENT_ID valueFrom: secretKeyRef: diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml index 1e12067..6bf66f3 100644 --- a/chart/templates/secrets.yaml +++ b/chart/templates/secrets.yaml @@ -31,7 +31,8 @@ data: {{/* Add all enabled ICC login methods */}} -{{- if .Values.services.icc.login_methods.google_oauth.enable }} +{{- with .Values.services.icc.login_methods.google }} +{{- if .enable }} --- apiVersion: v1 kind: Secret 
@@ -43,11 +44,13 @@ metadata: {{- include "application.labels" $ | nindent 4 }} {{- include "application.selectorLabels" (merge (dict "name" "icc-google-oauth") $) | nindent 4 }} data: - client_id: {{ .Values.services.icc.login_methods.google_oauth.client_id | b64enc }} - client_secret: {{ .Values.services.icc.login_methods.google_oauth.client_secret | b64enc }} + client_id: {{ .client_id | b64enc }} + client_secret: {{ .client_secret | b64enc }} +{{- end }} {{- end }} -{{- if .Values.services.icc.login_methods.github_oauth.enable }} +{{- with .Values.services.icc.login_methods.github }} +{{- if .enable }} --- apiVersion: v1 kind: Secret @@ -59,8 +62,9 @@ metadata: {{- include "application.labels" $ | nindent 4 }} {{- include "application.selectorLabels" (merge (dict "name" "icc-github-oauth") $) | nindent 4 }} data: - client_id: {{ .Values.services.icc.login_methods.github_oauth.client_id | b64enc }} - client_secret: {{ .Values.services.icc.login_methods.github_oauth.client_secret | b64enc }} + client_id: {{ .client_id | b64enc }} + client_secret: {{ .client_secret | b64enc }} +{{- end }} {{- end }} {{/* Setup databases */}} diff --git a/chart/values.yaml b/chart/values.yaml index 0b2cd64..bde8913 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -77,20 +77,14 @@ services: # Change `enable` to `true` to use a method # At least one method must be enabled login_methods: - google_oauth: + google: enable: false #client_id: "" #client_secret: "" - github_oauth: + github: enable: false #client_id: "" #client_secret: "" - # These login methods are only supported in our Enterprise release - #password: - #enable: false - #password: "" - #demo: - # enable: false # The URL that ICC will be accessed from # Some examples: From f56c144fe5ee0cb1f06915e3e7b1036ee5ed9191 Mon Sep 17 00:00:00 2001 
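Review bot: `client_id` and `client_secret` in the google Secret's `data:` block are encoded without checking that they were supplied, and the github Secret in the following hunk has the same two lines. values.yaml ships both keys commented out, so enabling a method without them will most likely fail on `b64enc` with an unhelpful type error, and an explicit empty string renders a Secret holding empty OAuth credentials. Helm's `required` makes this a clear install-time failure, for example `client_secret: {{ required "services.icc.login_methods.google.client_secret must be set when google is enabled" .client_secret | b64enc }}`. The Secret's metadata starts outside this hunk.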
From: MzUgM <108896003+MzUgM@users.noreply.github.com> Date: Thu, 18 Sep 2025 22:16:34 -0700 Subject: [PATCH 2/3] bump --- chart/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 31b95f2..194c2b1 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: helm -version: 4.0.0-alpha.9 +version: 4.0.0-alpha.11 kubeVersion: ">= 1.30.0-0" description: Platformatic microservices type: application From 5413b76625fc646691a459f836850c835a8a146e Mon Sep 17 00:00:00 2001 From: MzUgM <108896003+MzUgM@users.noreply.github.com> Date: Thu, 18 Sep 2025 22:51:28 -0700 Subject: [PATCH 3/3] fix: needs whitelisted email list --- chart/templates/deployment/_icc.yaml | 10 ++++++++++ chart/templates/secrets.yaml | 2 ++ chart/values.yaml | 2 ++ 3 files changed, 14 insertions(+) diff --git a/chart/templates/deployment/_icc.yaml b/chart/templates/deployment/_icc.yaml index 9352e3f..75e1233 100644 --- a/chart/templates/deployment/_icc.yaml +++ b/chart/templates/deployment/_icc.yaml @@ -162,6 +162,11 @@ spec: secretKeyRef: name: icc-github-oauth key: client_secret + - name: PLT_USER_MANAGER_SUPER_ADMIN_EMAIL + valueFrom: + secretKeyRef: + name: icc-github-oauth + key: valid_emails {{- end }} {{- if .login_methods.google.enable }} @@ -175,6 +180,11 @@ spec: secretKeyRef: name: icc-google-oauth key: client_secret + - name: PLT_USER_MANAGER_SUPER_ADMIN_EMAIL + valueFrom: + secretKeyRef: + name: icc-google-oauth + key: valid_emails {{- end }} - name: PLT_ICC_SESSION_SECRET diff --git a/chart/templates/secrets.yaml b/chart/templates/secrets.yaml index 6bf66f3..5adb820 100644 --- a/chart/templates/secrets.yaml +++ b/chart/templates/secrets.yaml @@ -46,6 +46,7 @@ metadata: data: client_id: {{ .client_id | b64enc }} client_secret: {{ .client_secret | b64enc }} + valid_emails: {{ join "," .valid_emails | b64enc }} {{- end }} {{- end }} 
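Review bot: `PLT_USER_MANAGER_SUPER_ADMIN_EMAIL` is added inside the github block here and again inside the google block in the next hunk, so a release with both methods enabled renders two env entries with the same name in one container. Only one of the duplicates takes effect, so one provider's `valid_emails` would be silently dropped. The variable name also points at super-admin rights while the Secret key is called `valid_emails`; if the application grants super-admin to every listed address (not visible in this patch), that should be said next to the entry, e.g. `# every address in valid_emails becomes an ICC super admin`. Defining the variable once, outside both `if` blocks and from a single source key, would avoid the collision.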
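Review bot: `join "," .valid_emails` in the google Secret appears to render an empty value when `valid_emails` is unset, which is the shipped default because values.yaml keeps the key commented out; the github Secret in the next hunk has the same line. Whether the application treats an empty list as "nobody may sign in" or "no restriction" cannot be told from this patch, so it is safer to fail at render time: `{{- if not .valid_emails }}{{ fail "services.icc.login_methods.google.valid_emails must list at least one address" }}{{- end }}`. The enclosing `with`/`if` block opens outside this hunk.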
@@ -64,6 +65,7 @@ metadata: data: client_id: {{ .client_id | b64enc }} client_secret: {{ .client_secret | b64enc }} + valid_emails: {{ join "," .valid_emails | b64enc }} {{- end }} {{- end }} diff --git a/chart/values.yaml b/chart/values.yaml index bde8913..09d8b39 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -81,10 +81,12 @@ services: enable: false #client_id: "" #client_secret: "" + #valid_emails: [] github: enable: false #client_id: "" #client_secret: "" + #valid_emails: [] # The URL that ICC will be accessed from # Some examples:
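Review bot: The two new `#valid_emails: []` entries in values.yaml carry no comment, and neither README table touched earlier in this series gains a row for the key. Since the value ends up in `PLT_USER_MANAGER_SUPER_ADMIN_EMAIL`, operators need to know what listing an address grants before they fill it in. A line such as `# Email addresses accepted for this provider; passed to ICC as PLT_USER_MANAGER_SUPER_ADMIN_EMAIL` above each entry would do, with the wording confirmed against how the application actually reads the variable.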