chore: publish 1.1.3+apache-2.15.0-prod release

chore: publish 1.1.2+apache-2.15.0-prod release
chore: publish 1.1.1+apache-2.15.0-prod release
2024-05-13 16:29:56 +02:00 · 2024-05-13 12:53:36 +02:00 · 2024-05-13 12:40:25 +02:00 · 2024-05-13 11:57:50 +02:00 · 2024-05-13 11:53:39 +02:00 · 2024-05-08 21:52:25 +02:00
7 changed files with 61 additions and 59 deletions
--- a/.env.sample
+++ b/.env.sample
@ -8,12 +8,12 @@ LETS_ENCRYPT_ENV=production
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_DB_ROOT_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+SECRET_SSO_CERT_VERSION=v1

-# SSO_ENABLED=0
-## only set one of those depending on which SSO you're using
-# SSO_AUTHENTIK=1
-# SSO_KEYCLOAK=0
-# SSO_PROVIDER_URL=https://sso.example.org/
-# SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
-# SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
-# SSO_CERT="muchmuchbase64certificatefoobar=="
+# SSO_ENABLED=1
+# SSO_PROVIDER_URL=https://authentik.example.com/
+# SSO_SAML_URL=https://authentik.example.com/application/saml/kimai/sso/binding/redirect/
+# SSO_LOGOUT_URL=https://authentik.example.com/if/session-end/kimai/slo/binding/redirect/
+
+# MAILER_URL="smtp://<from>:<password>%3F@<mailserver>:587"
+# MAILER_FROM="Kimai Notifications noreply@example.com"
--- a/README.md
+++ b/README.md
@ -8,11 +8,11 @@ CoöpCloud [Kimai] ✊⏰
 * **Category**: Apps
 * **Status**: ?
 * **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream
-* **Healthcheck**: No
-* **Backups**: No
-* **Email**: No
+* **Healthcheck**: Yes
+* **Backups**: Yes
+* **Email**: Yes
 * **Tests**: 2
-* **SSO**: No
+* **SSO**: Yes
 <!-- endmetadata -->

 Based on the recommended [`tobybatch/kimai2`] compose file.
@ -29,3 +29,8 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
 [`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
 [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
+
+## SSO
+
+To enable SSO, after running the blueprint in Authentik and before deploying Kimai, you need to add the Authentik Self-Signed-Certificate as secret in Kimai via the following command:
+`abra app cmd -l kimai.tmp.dev.local-it.cloud insert_authentik_certificate`
--- a/abra.sh
+++ b/abra.sh
@ -1,7 +1,13 @@
 export ENTRYPOINT_CONF_VERSION=v1
-export LOCAL_CONF_VERSION=v3
+export LOCAL_CONF_VERSION=v2

 create_admin () {
    export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
-    /opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN
+    /opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN 
+}
+
+insert_authentik_certificate() {
+    SSO_PROVIDER_DOMAIN=$(echo $SSO_PROVIDER_URL | cut -d '/' -f 3)
+    CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate Kimai)
+    abra app secret insert $APP_NAME sso_cert v1 $CERT
 }
--- a/compose.yml
+++ b/compose.yml
@ -1,7 +1,7 @@
 version: '3.8'
 services:
  app:
-    image: kimai/kimai2:apache-1.29.1-prod
+    image: kimai/kimai2:apache-2.15.0-prod
    environment:
      - APP_ENV=prod
      - TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
@ -10,17 +10,16 @@ services:
      - ADMINPASS_FILE=/run/secrets/admin_password
      - DATABASE_TYPE=mysql
      - DATABASE_HOST=db
-      - DATABASE_NAME=kimai
+      - DATABASE_NAME=kimai?charset=utf8mb4&serverVersion=5.7
      - DATABASE_USER=kimai
      - DATABASE_PASSWORD_FILE=/run/secrets/db_password
      - DOMAIN
      - SSO_ENABLED
-      - SSO_KEYCLOAK
-      - SSO_AUTHENTIK
      - SSO_PROVIDER_URL
      - SSO_SAML_URL
      - SSO_LOGOUT_URL
-      - SSO_CERT
+      - MAILER_URL
+      - MAILER_FROM
    volumes:
      - kimai_public:/opt/kimai/public
      - kimai_var:/opt/kimai/var
@ -36,16 +35,16 @@ services:
    secrets:
      - db_password
      - admin_password
+      - sso_cert
    depends_on:
      - db
-    #entrypoint: ['tail', '-f', '/dev/null']
    entrypoint: /docker-entrypoint.sh
-    #healthcheck:
-    #  test: curl -s -o /dev/null http://localhost:8001 || exit 1
-    #  interval: 20s
-    #  start_period: 10s
-    #  timeout: 10s
-    #  retries: 3
+    healthcheck:
+     test: curl -s -o /dev/null http://localhost:8001 || exit 1
+     interval: 30s
+     start_period: 3m
+     timeout: 10s
+     retries: 10
    deploy:
      restart_policy:
        condition: on-failure
@ -59,7 +58,8 @@ services:
        - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
        - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
-        - "coop-cloud.${STACK_NAME}.version=0.3.0+apache-1.29.1-prod"
+        - "coop-cloud.${STACK_NAME}.version=1.1.3+apache-2.15.0-prod"
+        - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
  db:
    image: mysql:5.7
    environment:
@ -75,24 +75,25 @@ services:
      - db_password
      - db_root_password
    command: --default-storage-engine innodb
-    #healthcheck:
-    #  test: mysqladmin -pchangemeplease ping -h localhost
-    #  interval: 20s
-    #  start_period: 10s
-    #  timeout: 10s
-    #  retries: 3
-
+    healthcheck:
+      test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)"  ping -h localhost']
+      interval: 30s
+      timeout: 10s
+      retries: 10
+      start_period: 1m
    deploy:
      labels:
-        - backupbot.backup="true"
-        - backupbot.backup.pre-hook='mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /tmp/backup/backup.sql'
-        - backupbot.backup.post-hook="rm -rf /tmp/backup"
-        - backupbot.backup.path="/tmp/backup/"
+        - "backupbot.backup=true"
+        - "backupbot.backup.pre-hook=sh -c 'mysqldump --single-transaction -u root -p\"$$(cat /run/secrets/db_root_password)\" kimai > /var/lib/mysql/backup.sql'"
+        - "backupbot.backup.post-hook=rm -f /var/lib/mysql/backup.sql"
+        - "backupbot.backup.path=/var/lib/mysql/backup.sql"

 volumes:
  kimai_var:
  kimai_public:
  mariadb:
+
+
 secrets:
  db_password:
    external: true
@ -103,10 +104,16 @@ secrets:
  admin_password:
    external: true
    name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
+  sso_cert:
+    external: true
+    name: ${STACK_NAME}_sso_cert_${SECRET_SSO_CERT_VERSION}
+
 networks:
  proxy:
    external: true
  internal:
+
+
 configs:
  entrypoint_conf:
    name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
--- a/local.yaml.tmpl
+++ b/local.yaml.tmpl
@ -3,27 +3,16 @@ kimai:
  saml:
    activate: true
    title: Login with SAML
-    {{ if eq (env "SSO_AUTHENTIK") "1" }}
    mapping:
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
      - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
    roles:
+      resetOnLogin: true
      attribute: http://schemas.xmlsoap.org/claims/Group
-      resetOnLogin: true
-      attribute: Roles
      mapping:
+      # Insert your roles here (ROLE_USER is added automatically)
        - { saml: admin.group, kimai: ROLE_ADMIN }
-    {{ else if eq (env "SSO_KEYCLOAK") "1" }}
-    mapping:
-      - { saml: $Email, kimai: email }
-      - { saml: $FirstName $LastName, kimai: alias }
-    roles:
-      resetOnLogin: true
-      attribute: Roles
-      mapping:
-        - { saml: Admins, kimai: ROLE_ADMIN }
-        - { saml: Management, kimai: ROLE_TEAMLEAD }
-    {{ end }}
+        - { saml: "authentik Admins", kimai: ROLE_ADMIN }
    connection:
      # You SAML provider
      # Your Authentik instance, replace https://authentik.company with your authentik URL
@ -32,12 +21,11 @@ kimai:
        singleSignOnService:
          url: "{{ env "SSO_SAML_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
-        # the "single logout" feature was not yet tested, if you want to help, please let me know!
        singleLogoutService:
          url: "{{ env "SSO_LOGOUT_URL" }}"
          binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        # Signing certificate from *Advanced protocol settings*
-        x509cert: "{{ env "SSO_CERT" }}"
+        x509cert: "{{ secret "sso_cert" }}"
      # Service Provider Data that we are deploying.
      # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
      sp:
--- a/release/0.3.0+apache-debian-1.29.1-prod
+++ b/release/0.3.0+apache-debian-1.29.1-prod
@ -1,5 +0,0 @@
-If you have SSO enabled this upgrade will break unless you add
-`SSO_KEYCLOAK=1` or `SSO_AUTHENTIK=1` in your env file for kimai!
-This allows us to support both SSO methods
-
-knoflook @ kotec.pl
--- a/release/1.0.0+apache-2.15.0-prod
+++ b/release/1.0.0+apache-2.15.0-prod
@ -0,0 +1 @@
+Make sure to have have a working backup before upgrading!
Author	SHA1	Message	Date
Simon	d50c448e2e	chore: publish 1.1.3+apache-2.15.0-prod release continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is passing Details	2024-05-13 16:29:56 +02:00
Simon	5fe82a2331	chore: publish 1.1.2+apache-2.15.0-prod release continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is passing Details	2024-05-13 12:53:36 +02:00
Simon	46ea1ef7dd	chore: publish 1.1.1+apache-2.15.0-prod release continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build is failing Details	2024-05-13 12:40:25 +02:00
Simon	2db79ed046	chore: publish 1.1.0+apache-2.15.0-prod release continuous-integration/drone/push Build is failing Details continuous-integration/drone/tag Build is passing Details	2024-05-13 11:57:50 +02:00
Simon	cd0f4e743e	adjust healthcheck and timeouts continuous-integration/drone/push Build is failing Details	2024-05-13 11:53:39 +02:00
Moritz	7ec54e395d	add insert_authentik_certificate() function continuous-integration/drone/push Build is failing Details	2024-05-08 21:52:25 +02:00
Simon	7f73b1c79e	store authentik certificate as secret continuous-integration/drone/push Build is failing Details	2024-05-08 13:05:44 +02:00
Simon	5bd20ca185	add smtp config continuous-integration/drone/push Build is passing Details	2024-05-07 17:53:28 +02:00
Simon	dc2d7c7b99	map authentik admin group to kimai admins continuous-integration/drone/push Build is passing Details	2024-05-07 16:52:45 +02:00
Simon	aae873dfe5	activate healthchecks continuous-integration/drone/push Build is passing Details	2024-05-07 16:10:55 +02:00
Simon	028eb71e34	add release note continuous-integration/drone/push Build is passing Details	2024-04-24 15:58:47 +02:00
Simon	facbb958a5	chore: publish 1.0.0+apache-2.15.0-prod release continuous-integration/drone/tag Build is passing Details continuous-integration/drone/push Build is passing Details	2024-04-24 15:58:05 +02:00
Moritz	a4f02cf0a4	fix backup label path continuous-integration/drone/push Build is passing Details	2024-04-17 17:19:04 +02:00
Philipp Rothmann	92c3bcf27e	chore: cleanup continuous-integration/drone/push Build is passing Details	2023-04-24 11:50:41 +02:00
Philipp Rothmann	5c4f6098bf	fix: backupbot labels	2023-04-24 11:49:38 +02:00
				`@ -0,0 +1 @@`
				`Make sure to have have a working backup before upgrading!`