feat: allow setting oidc client secret as a secret #6
@ -14,10 +14,13 @@ steps:
|
||||
networks:
|
||||
- proxy
|
||||
environment:
|
||||
DOMAIN: mealie.swarm-test.autonomic.zone # UPDATE ME
|
||||
DOMAIN: mealie.swarm-test.autonomic.zone
|
||||
STACK_NAME: mealie
|
||||
LETS_ENCRYPT_ENV: staging
|
||||
LOG_CONFIG_VERSION: v1
|
||||
OIDC_CLIENT_SECRET_VERSION: v1
|
||||
APP_ENTRYPOINT_VERSION: v1
|
||||
|
||||
trigger:
|
||||
branch:
|
||||
- main
|
||||
|
||||
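Review bot: The CI environment now carries `OIDC_CLIENT_SECRET_VERSION: v1` and `APP_ENTRYPOINT_VERSION: v1`, but no `COMPOSE_FILE` entry including compose.oidc.yml is visible in this hunk, so unless the deploy step adds the overlay elsewhere these two values are never consumed and the new secret and entrypoint wiring is not exercised by CI. Because the secret is declared `external: true`, a CI deployment that does include the overlay would also need the secret inserted before the stack is deployed. The enclosing `steps` block starts outside the hunk.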
@ -20,6 +20,7 @@ LOG_CONFIG_OVERRIDE=/app/logconf-override.json
|
||||
# DEFAULT_PASSWORD=MyPassword
|
||||
|
||||
## OIDC Authentication with Keycloak: https://docs.mealie.io/documentation/getting-started/authentication/oidc/
|
||||
# COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
|
||||
# OIDC_AUTH_ENABLED=true
|
||||
# ALLOW_PASSWORD_LOGIN=false
|
||||
# OIDC_SIGNUP_ENABLED=true
|
||||
@ -30,4 +31,4 @@ LOG_CONFIG_OVERRIDE=/app/logconf-override.json
|
||||
# OIDC_USER_CLAIM=email
|
||||
# OIDC_NAME_CLAIM=preferred_username
|
||||
# OIDC_CLIENT_ID=
|
||||
# OIDC_CLIENT_SECRET=
|
||||
# OIDC_CLIENT_SECRET_VERSION=v1 # generate=false
|
||||
|
||||
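Review bot: The new `# OIDC_CLIENT_SECRET_VERSION=v1 # generate=false` line sits directly under `# OIDC_CLIENT_SECRET=`, but nothing tells the reader that the two are alternatives or that `COMPOSE_FILE` must include compose.oidc.yml for the secret to be used. A short comment above the pair, such as `# Either set OIDC_CLIENT_SECRET here, or enable compose.oidc.yml and insert the secret with abra (see README)`, would make the choice explicit and match the migration steps in release/next.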
@ -27,7 +27,7 @@ For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech) and [`docs.me
|
||||
|
||||
## Single Sign On (SSO)
|
||||
|
||||
The default config contains commented-out lines for setting up SSO with [Keycloak](https://recipes.coopcloud.tech/keycloak).
|
||||
The default config contains commented-out lines for setting up SSO with [Keycloak](https://recipes.coopcloud.tech/keycloak). Uncomment those lines and edit as needed. To set the client secret, run `abra app secret insert <app-name> oidc_client_secret v1`
|
||||
|
||||
During the first-time setup, you'll want to ensure `ALLOW_PASSWORD_LOGIN=true` so you can login as the default admin to perform the initial setup and change the local admin password. You can set it back to false after that.
|
||||
|
||||
|
||||
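--- /dev/null
+++ b/compose.oidc.yml
@@ -0,0 +1,20 @@
+services:
+  app:
+    secrets:
+      - oidc_client_secret
+    configs:
+      - source: app_entrypoint
+        target: /abra-entrypoint.sh
+        mode: 0555
+    entrypoint: /abra-entrypoint.sh
+
+secrets:
+  oidc_client_secret:
+    name: ${STACK_NAME}_oidc_client_secret_${OIDC_CLIENT_SECRET_VERSION}
+    external: true
+
+configs:
+  app_entrypoint:
+    name: ${STACK_NAME}_app_entrypoint_${APP_ENTRYPOINT_VERSION}
+    file: entrypoint.sh.tmpl
+    template_driver: golang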
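Review bot: `${APP_ENTRYPOINT_VERSION}` in the `app_entrypoint` config name has no corresponding entry in .env.sample or in the release/next migration steps (only `OIDC_CLIENT_SECRET_VERSION=v1` is added there), so a user following the notes deploys a config named `${STACK_NAME}_app_entrypoint_` with nothing to bump when the entrypoint changes. Add `APP_ENTRYPOINT_VERSION=v1` next to the new `OIDC_CLIENT_SECRET_VERSION=v1` line in both files, mirroring what .drone.yml already sets.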
@ -1,9 +1,6 @@
|
||||
---
|
||||
version: "3.8"
|
||||
|
||||
services:
|
||||
app:
|
||||
image: ghcr.io/mealie-recipes/mealie:v3.1.2
|
||||
image: ghcr.io/mealie-recipes/mealie:v3.3.0
|
||||
networks:
|
||||
- proxy
|
||||
volumes:
|
||||
@ -20,7 +17,7 @@ services:
|
||||
- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.scheme=https"
|
||||
- "traefik.http.middlewares.${STACK_NAME}-redirect.redirectscheme.permanent=true"
|
||||
- "coop-cloud.${STACK_NAME}.version=1.2.2+v3.1.2"
|
||||
- "coop-cloud.${STACK_NAME}.version=2.0.0+v3.3.0"
|
||||
- "backupbot.backup=true"
|
||||
- "backupbot.backup.path=/app/data/"
|
||||
# Upstream dockerfile specifies a healthcheck
|
||||
|
||||
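--- /dev/null
+++ b/entrypoint.sh.tmpl
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+# Inspiration: https://git.coopcloud.tech/coop-cloud/peertube/src/branch/main/entrypoint.sh.tmpl
+file_env() {
+    local var="$1"
+    local fileVar="${var}_FILE"
+    local def="${2:-}"
+
+    if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+        echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+        exit 1
+    fi
+
+    local val="$def"
+
+    if [ "${!var:-}" ]; then
+        val="${!var}"
+    elif [ "${!fileVar:-}" ]; then
+        val="$(< "${!fileVar}")"
+    fi
+
+    export "$var"="$val"
+    unset "$fileVar"
+}
+
+{{ if not (eq (env "OIDC_CLIENT_SECRET_VERSION") "") }}
+file_env "OIDC_CLIENT_SECRET_VERSION"
+{{ end }}
+
+# Must match https://github.com/mealie-recipes/mealie/blob/3ba2227bc79bc857d4b04f9d9878045b7a098af4/docker/Dockerfile#L164
+/app/run.sh "$@"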
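Review bot: The mounted secret is never read: `file_env "OIDC_CLIENT_SECRET_VERSION"` only re-exports the version variable (its `_FILE` counterpart is never set, so the branch that reads a file is unreachable), and nothing in the template sets `OIDC_CLIENT_SECRET` from `/run/secrets/oidc_client_secret`, so once the secret is removed from the env as release/next instructs the app starts with no client secret at all. Inside the `{{ if }}` block the call should target the secret itself: `export OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret` followed by `file_env "OIDC_CLIENT_SECRET"`. Separately, the last line should be `exec /app/run.sh "$@"` so the wrapper does not remain as PID 1 in front of the application and termination signals reach the app process directly.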
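--- /dev/null
+++ b/release/next
@@ -0,0 +1,12 @@
+BREAKING CHANGE: TOKEN_TIME now maxes out at 87600 (10 years) in v3.3.0 of mealie.
+
+BREAKING CHANGE (if you use SSO): We added the ability to store the oidc client secret in docker secrets.
+
+To migrate, add the following lines to your config:
+
+COMPOSE_FILE="$COMPOSE_FILE:compose.oidc.yml"
+OIDC_CLIENT_SECRET_VERSION=v1
+
+Then remove the client secret from your config and insert it as a secret using this command:
+
+abra app secret insert <app-name> oidc_client_secret v1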