3 Commits

Author SHA1 Message Date
915a3e83e7 feat: support both authentik and keycloak 2023-03-14 13:50:21 +01:00
0c691d8f40 Merge branch 'main' into keycloak 2023-03-14 12:56:11 +01:00
9e087bda4a switch to keycloak as oauth method
Some checks failed
continuous-integration/drone/push Build is failing
2022-11-08 16:41:39 +01:00
10 changed files with 66 additions and 79 deletions


@ -17,12 +17,11 @@ steps:
DOMAIN: kimai.swarm-test.autonomic.zone DOMAIN: kimai.swarm-test.autonomic.zone
STACK_NAME: kimai STACK_NAME: kimai
LETS_ENCRYPT_ENV: production LETS_ENCRYPT_ENV: production
ENTRYPOINT_CONF_VERSION: v2 ENTRYPOINT_CONF_VERSION: v1
LOCAL_CONF_VERSION: v2 LOCAL_CONF_VERSION: v1
SECRET_DB_PASSWORD_VERSION: v1 SECRET_DB_PASSWORD_VERSION: v1
SECRET_DB_ROOT_PASSWORD_VERSION: v1 SECRET_DB_ROOT_PASSWORD_VERSION: v1
SECRET_ADMIN_PASSWORD_VERSION: v1 SECRET_ADMIN_PASSWORD_VERSION: v1
SECRET_SSO_CERT_VERSION: v1
trigger: trigger:
branch: branch:
- main - main
@ -38,7 +37,7 @@ steps:
from_secret: drone_abra-bot_token from_secret: drone_abra-bot_token
fork: true fork: true
repositories: repositories:
- toolshed/auto-recipes-catalogue-json - coop-cloud/auto-recipes-catalogue-json
trigger: trigger:
event: tag event: tag
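Review bot: Assuming the right-hand column is the new side (the -17,12 +17,11 counts put the single `SECRET_SSO_CERT_VERSION: v1` line on the old side), this hunk undoes changes the base already carries: `ENTRYPOINT_CONF_VERSION`/`LOCAL_CONF_VERSION` go from v2 back to v1 and the catalogue repository goes from `toolshed/auto-recipes-catalogue-json` back to `coop-cloud/auto-recipes-catalogue-json`, which reads as a branch that predates those commits rather than a deliberate change. The same pattern shows in the README section (Healthcheck/Backups/Email flags flipped to No), the compose section (image `apache-2.34.0` → `apache-1.29.1-prod`, both healthchecks commented out, backup labels rewritten, the `timeout` label dropped, `DATABASE_NAME` losing its charset/serverVersion suffix) and the entrypoint section (`/entrypoint.sh` → `/startup.sh`). Rebasing the branch on the current base before review would leave only the SSO_KEYCLOAK/SSO_AUTHENTIK change to assess.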


@ -5,17 +5,15 @@ DOMAIN=kimai.example.com
#EXTRA_DOMAINS=', `www.kimai.example.com`' #EXTRA_DOMAINS=', `www.kimai.example.com`'
LETS_ENCRYPT_ENV=production LETS_ENCRYPT_ENV=production
ENABLE_BACKUPS=true
SECRET_DB_PASSWORD_VERSION=v1 SECRET_DB_PASSWORD_VERSION=v1
SECRET_DB_ROOT_PASSWORD_VERSION=v1 SECRET_DB_ROOT_PASSWORD_VERSION=v1
SECRET_ADMIN_PASSWORD_VERSION=v1 SECRET_ADMIN_PASSWORD_VERSION=v1
SECRET_SSO_CERT_VERSION=v1
# SSO_ENABLED=1 # SSO_ENABLED=0
# SSO_PROVIDER_URL=https://authentik.example.com/ ## only set one of those depending on which SSO you're using
# SSO_SAML_URL=https://authentik.example.com/application/saml/kimai/sso/binding/redirect/ # SSO_AUTHENTIK=1
# SSO_LOGOUT_URL=https://authentik.example.com/application/saml/kimai/slo/binding/redirect/ # SSO_KEYCLOAK=0
# SSO_PROVIDER_URL=https://sso.example.org/
# MAILER_URL="smtp://<from>:<password>%3F@<mailserver>:587" # SSO_SAML_URL=https://sso.example.org/application/saml/<application-slug>/sso/binding/redirect/
# MAILER_FROM="Kimai Notifications noreply@example.com" # SSO_LOGOUT_URL=https://sso.example.org/if/session-end/<application-slug>/
# SSO_CERT="muchmuchbase64certificatefoobar=="
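Review bot: `SSO_AUTHENTIK=1` and `SSO_KEYCLOAK=0` are two independent flags whose only guard is the comment `## only set one of those`; the saml template selects on them with an if/else-if, so setting both to 1 silently picks Authentik, and setting neither while `SSO_ENABLED=1` renders no attribute mapping at all. Either collapse them into one selector or spell out the contract in the comment, e.g. `## exactly one of SSO_AUTHENTIK / SSO_KEYCLOAK must be 1 when SSO_ENABLED=1; the saml mapping is empty otherwise`. The `SSO_CERT` sample should also say which certificate goes there (the IdP's SAML signing certificate) and in what format, since the `insert_authentik_certificate` helper that used to fetch and store it is removed in the abra.sh section and the `sso_cert` secret no longer exists.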


@ -8,11 +8,11 @@ CoöpCloud [Kimai] ✊⏰
* **Category**: Apps * **Category**: Apps
* **Status**: ? * **Status**: ?
* **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream * **Image**: [`kimai/kimai2`](https://hub.docker.com/kimai/kimai2), 4, upstream
* **Healthcheck**: Yes * **Healthcheck**: No
* **Backups**: Yes * **Backups**: No
* **Email**: Yes * **Email**: No
* **Tests**: 2 * **Tests**: 2
* **SSO**: Yes * **SSO**: No
<!-- endmetadata --> <!-- endmetadata -->
Based on the recommended [`tobybatch/kimai2`] compose file. Based on the recommended [`tobybatch/kimai2`] compose file.
@ -23,14 +23,9 @@ Based on the recommended [`tobybatch/kimai2`] compose file.
4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to 4. `abra app config YOURAPPDOMAIN` - be sure to change `$DOMAIN` to something that resolves to
your Docker swarm box your Docker swarm box
5. `abra app deploy YOURAPPDOMAIN` 5. `abra app deploy YOURAPPDOMAIN`
6. Retrieve the admin password and username with this command `abra app run <DOMAIN> cat /run/secrets/admin_password` 6. `abra app run YOURAPPDOMAIN app create_admin`
[Kimai]: https://www.kimai.org/ [Kimai]: https://www.kimai.org/
[`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose [`tobybatch/kimai2`]: https://tobybatch.github.io/kimai2/docker-compose.html#docker-compose
[`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
[`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik [`coop-cloud/traefik`]: https://git.autonomic.zone/coop-cloud/traefik
## SSO
To enable SSO, after running the blueprint in Authentik and before deploying Kimai, you need to add the Authentik Self-Signed-Certificate as secret in Kimai via the following command:
`abra app cmd -l YOURAPPDOMAIN insert_authentik_certificate`
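Review bot: On what the hunk counts suggest is the new side, the metadata block sets `* **SSO**: No` while this same change adds `SSO_KEYCLOAK`/`SSO_AUTHENTIK` to compose and the saml template, and the `## SSO` section that told operators how to obtain the IdP certificate is removed without a replacement now that the value is expected in `SSO_CERT`. Keep the flag at Yes and replace the section with a short one stating that `SSO_ENABLED=1` plus exactly one of `SSO_AUTHENTIK=1`/`SSO_KEYCLOAK=1` must be set and that `SSO_CERT` holds the IdP signing certificate. Step 6 also changes to `abra app run YOURAPPDOMAIN app create_admin`, whereas `create_admin` is a function in abra.sh and the removed section invoked such functions with `abra app cmd`; confirm the invocation is the intended one.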

abra.sh

@ -1,13 +1,7 @@
export ENTRYPOINT_CONF_VERSION=v2 export ENTRYPOINT_CONF_VERSION=v1
export LOCAL_CONF_VERSION=v3 export LOCAL_CONF_VERSION=v3
create_admin () { create_admin () {
export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME" export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$(cat /run/secrets/db_password)@$DATABASE_HOST/$DATABASE_NAME"
/opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN /opt/kimai/bin/console kimai:create-user admin admin@example.org ROLE_SUPER_ADMIN
}
insert_authentik_certificate() {
SSO_PROVIDER_DOMAIN=$(echo $SSO_PROVIDER_URL | cut -d '/' -f 3)
CERT=$(abra app cmd -T $SSO_PROVIDER_DOMAIN worker get_certificate Kimai)
abra app secret insert $APP_NAME sso_cert v1 $CERT
} }


@ -1,8 +0,0 @@
authentik:
uncomment:
- SSO_ENABLED
- SSO_PROVIDER_URL
- SSO_SAML_URL
- SSO_LOGOUT_URL
secret_hooks:
- insert_authentik_certificate


@ -1,7 +1,7 @@
version: '3.8' version: '3.8'
services: services:
app: app:
image: kimai/kimai2:apache-2.34.0 image: kimai/kimai2:apache-1.29.1-prod
environment: environment:
- APP_ENV=prod - APP_ENV=prod
- TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1 - TRUSTED_HOSTS=localhost,traefik,${DOMAIN},127.0.0.1
@ -10,16 +10,17 @@ services:
- ADMINPASS_FILE=/run/secrets/admin_password - ADMINPASS_FILE=/run/secrets/admin_password
- DATABASE_TYPE=mysql - DATABASE_TYPE=mysql
- DATABASE_HOST=db - DATABASE_HOST=db
- DATABASE_NAME=kimai?charset=utf8mb4&serverVersion=5.7 - DATABASE_NAME=kimai
- DATABASE_USER=kimai - DATABASE_USER=kimai
- DATABASE_PASSWORD_FILE=/run/secrets/db_password - DATABASE_PASSWORD_FILE=/run/secrets/db_password
- DOMAIN - DOMAIN
- SSO_ENABLED - SSO_ENABLED
- SSO_KEYCLOAK
- SSO_AUTHENTIK
- SSO_PROVIDER_URL - SSO_PROVIDER_URL
- SSO_SAML_URL - SSO_SAML_URL
- SSO_LOGOUT_URL - SSO_LOGOUT_URL
- MAILER_URL - SSO_CERT
- MAILER_FROM
volumes: volumes:
- kimai_public:/opt/kimai/public - kimai_public:/opt/kimai/public
- kimai_var:/opt/kimai/var - kimai_var:/opt/kimai/var
@ -35,16 +36,16 @@ services:
secrets: secrets:
- db_password - db_password
- admin_password - admin_password
- sso_cert
depends_on: depends_on:
- db - db
#entrypoint: ['tail', '-f', '/dev/null']
entrypoint: /docker-entrypoint.sh entrypoint: /docker-entrypoint.sh
healthcheck: #healthcheck:
test: curl -s -o /dev/null http://localhost:8001 || exit 1 # test: curl -s -o /dev/null http://localhost:8001 || exit 1
interval: 30s # interval: 20s
start_period: 3m # start_period: 10s
timeout: 10s # timeout: 10s
retries: 10 # retries: 3
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure
@ -58,8 +59,7 @@ services:
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect" - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}" - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
- "coop-cloud.${STACK_NAME}.version=1.4.0+apache-2.34.0" - "coop-cloud.${STACK_NAME}.version=0.3.0+apache-1.29.1-prod"
- "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
db: db:
image: mysql:5.7 image: mysql:5.7
environment: environment:
@ -75,25 +75,24 @@ services:
- db_password - db_password
- db_root_password - db_root_password
command: --default-storage-engine innodb command: --default-storage-engine innodb
healthcheck: #healthcheck:
test: ["CMD-SHELL", 'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping -h localhost'] # test: mysqladmin -pchangemeplease ping -h localhost
interval: 30s # interval: 20s
timeout: 10s # start_period: 10s
retries: 10 # timeout: 10s
start_period: 1m # retries: 3
deploy: deploy:
labels: labels:
backupbot.backup: "${ENABLE_BACKUPS:-true}" - backupbot.backup="true"
backupbot.backup.pre-hook: 'mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /var/lib/mysql/backup.sql' - backupbot.backup.pre-hook='mkdir -p /tmp/backup/ && mysqldump --single-transaction -u root -p"$$(cat /run/secrets/db_root_password)" kimai > /tmp/backup/backup.sql'
backupbot.backup.volumes.mariadb.path: "backup.sql" - backupbot.backup.post-hook="rm -rf /tmp/backup"
backupbot.restore.post-hook: 'mysql -u root -p"$$(cat /run/secrets/db_root_password)" kimai < /var/lib/mysql/backup.sql' - backupbot.backup.path="/tmp/backup/"
volumes: volumes:
kimai_var: kimai_var:
kimai_public: kimai_public:
mariadb: mariadb:
secrets: secrets:
db_password: db_password:
external: true external: true
@ -104,16 +103,10 @@ secrets:
admin_password: admin_password:
external: true external: true
name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION} name: ${STACK_NAME}_admin_password_${SECRET_ADMIN_PASSWORD_VERSION}
sso_cert:
external: true
name: ${STACK_NAME}_sso_cert_${SECRET_SSO_CERT_VERSION}
networks: networks:
proxy: proxy:
external: true external: true
internal: internal:
configs: configs:
entrypoint_conf: entrypoint_conf:
name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION} name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
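Review bot: On the new side the db healthcheck is commented out and the commented test reads `# test: mysqladmin -pchangemeplease ping -h localhost`, a literal placeholder password, whereas the base side's active check reads the real value with `'mysqladmin -p"$$(cat /run/secrets/db_root_password)" ping -h localhost'`; if the checks are to stay disabled, the comment should at least keep the secret-reading form so that re-enabling it later does not ship a hard-coded credential. The app healthcheck is commented out as well, so an unresponsive app container is no longer reported unhealthy by Swarm. Separately, the IdP certificate moves from the `sso_cert` external secret to the `SSO_CERT` environment variable; that is public key material so an env var is acceptable, but it is now part of the operator's env file and of `docker service inspect` output, which deserves a one-line comment next to `- SSO_CERT` so nobody later puts a private key in the same place.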


@ -38,8 +38,8 @@ export DATABASE_URL="$DATABASE_TYPE://$DATABASE_USER:$DATABASE_PASSWORD@$DATABAS
if [ ! "${1-}" == "-e" ]; then if [ ! "${1-}" == "-e" ]; then
# 3wc: upstream ENTRYPOINT # 3wc: upstream ENTRYPOINT
# https://github.com/kimai/kimai/blob/main/Dockerfile#L278 # https://github.com/tobybatch/kimai2/blob/main/Dockerfile#L226
/entrypoint.sh /startup.sh
fi fi
set +eu set +eu


@ -3,16 +3,27 @@ kimai:
saml: saml:
activate: true activate: true
title: Login with SAML title: Login with SAML
{{ if eq (env "SSO_AUTHENTIK") "1" }}
mapping: mapping:
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email } - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, kimai: email }
- { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias } - { saml: $http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, kimai: alias }
roles: roles:
resetOnLogin: true
attribute: http://schemas.xmlsoap.org/claims/Group attribute: http://schemas.xmlsoap.org/claims/Group
resetOnLogin: true
attribute: Roles
mapping: mapping:
# Insert your roles here (ROLE_USER is added automatically) - { saml: admin.group, kimai: ROLE_ADMIN }
- { saml: admin.group, kimai: ROLE_SUPER_ADMIN } {{ else if eq (env "SSO_KEYCLOAK") "1" }}
- { saml: "authentik Admins", kimai: ROLE_SUPER_ADMIN } mapping:
- { saml: $Email, kimai: email }
- { saml: $FirstName $LastName, kimai: alias }
roles:
resetOnLogin: true
attribute: Roles
mapping:
- { saml: Admins, kimai: ROLE_ADMIN }
- { saml: Management, kimai: ROLE_TEAMLEAD }
{{ end }}
connection: connection:
# You SAML provider # You SAML provider
# Your Authentik instance, replace https://authentik.company with your authentik URL # Your Authentik instance, replace https://authentik.company with your authentik URL
@ -21,11 +32,12 @@ kimai:
singleSignOnService: singleSignOnService:
url: "{{ env "SSO_SAML_URL" }}" url: "{{ env "SSO_SAML_URL" }}"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# the "single logout" feature was not yet tested, if you want to help, please let me know!
singleLogoutService: singleLogoutService:
url: "{{ env "SSO_LOGOUT_URL" }}" url: "{{ env "SSO_LOGOUT_URL" }}"
binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Signing certificate from *Advanced protocol settings* # Signing certificate from *Advanced protocol settings*
x509cert: "{{ secret "sso_cert" }}" x509cert: "{{ env "SSO_CERT" }}"
# Service Provider Data that we are deploying. # Service Provider Data that we are deploying.
# Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL # Your Kimai instance, replace https://kimai.dev.local-it.cloud with your Kimai URL
sp: sp:
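Review bot: In the Authentik branch of the new template the `roles:` mapping appears to carry `attribute:` twice — `attribute: http://schemas.xmlsoap.org/claims/Group` followed by `resetOnLogin: true` and `attribute: Roles` — and most YAML parsers take the last duplicate, so the `admin.group` role mapping would be evaluated against a `Roles` attribute rather than the Group claim (indentation is lost in this rendering, so verify against the file); drop `attribute: Roles` from that branch, only the Keycloak branch should use it. The `{{ if }}`/`{{ else if }}` has no final `{{ else }}`, so with `SSO_ENABLED=1` and neither flag set Kimai gets `activate: true` with no mapping at all; add an `{{ else }}` branch with a comment such as `# set SSO_AUTHENTIK=1 or SSO_KEYCLOAK=1 -- no attribute mapping rendered` or a deliberate default. The Authentik branch now grants `ROLE_ADMIN` to `admin.group` where the base side granted `ROLE_SUPER_ADMIN` and also mapped `authentik Admins`; with `resetOnLogin: true` existing super-admin logins lose privileges on upgrade, so if the downgrade is intentional it needs a comment and a line in the release note.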


@ -0,0 +1,5 @@
If you have SSO enabled this upgrade will break unless you add
`SSO_KEYCLOAK=1` or `SSO_AUTHENTIK=1` in your env file for kimai!
This allows us to support both SSO methods
knoflook @ kotec.pl


@ -1 +0,0 @@
Make sure to have have a working backup before upgrading!