[SRE-399] Retool Auth with OneLogin

Chart.yaml

@@ -2,7 +2,8 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 4.5.0
+version: 4.3.0
+appVersion: "2.70.21"
 maintainers:
   - name: Retool Engineering
     email: [email protected]

templates/deployment_backend.yaml

@@ -127,6 +127,16 @@ spec:
                 {{- end }}
           - name: RESTRICTED_DOMAIN
             value: {{ default "" .Values.config.auth.google.domain }}
+          - name: BASE_DOMAIN
+            value: {{ default "" .Values.config.baseDomain }}
+          - name: GITHUB_APP_ID
+            value: {{ .Values.config.githubAppId | default "" | quote }}
+          - name: GITHUB_APP_INSTALLATION_ID
+            value: {{ .Values.config.githubAppInstallationId | default "" | quote }}
+          - name: GITHUB_APP_PRIVATE_KEY
+            value: {{ .Values.config.githubAppPrivateKey | default "" | quote }}
+          - name: VERSION_CONTROL_LOCKED
+            value: {{ .Values.config.versionControlLocked | default "" | quote }}
           {{- end }}
           {{- range $key, $value := .Values.env }}
           - name: "{{ $key }}"

templates/deployment_jobs.yaml

@@ -64,70 +64,52 @@ spec:
             value: {{ template "retool.postgresql.port" . }}
           - name: POSTGRES_DB
             value: {{ template "retool.postgresql.db" . }}
-          - name: POSTGRES_SSL_ENABLED
-            value: {{ template "retool.postgresql.ssl_enabled" . }}
           {{- if not .Values.externalSecrets.enabled }}
           - name: LICENSE_KEY
             valueFrom:
               secretKeyRef:
-                {{- if .Values.config.licenseKeySecretName }}
-                name: {{ .Values.config.licenseKeySecretName }}
-                key: {{ .Values.config.licenseKeySecretKey | default "license-key" }}
-                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: license-key
-                {{- end }}
           - name: JWT_SECRET
             valueFrom:
               secretKeyRef:
-                {{- if .Values.config.jwtSecretSecretName }}
-                name: {{ .Values.config.jwtSecretSecretName }}
-                key: {{ .Values.config.jwtSecretSecretKey | default "jwt-secret" }}
-                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: jwt-secret
-                {{- end }}
           - name: ENCRYPTION_KEY
             valueFrom:
               secretKeyRef:
-                {{- if .Values.config.encryptionKeySecretName }}
-                name: {{ .Values.config.encryptionKeySecretName }}
-                key: {{ .Values.config.encryptionKeySecretKey | default "encryption-key" }}
-                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: encryption-key
-                {{- end }}
           - name: POSTGRES_USER
             value: {{ template "retool.postgresql.user" . }}
           - name: POSTGRES_PASSWORD
             valueFrom:
               secretKeyRef:
           {{- if  .Values.postgresql.enabled }}
                 name: {{ template "retool.postgresql.fullname" . }}
-                key: postgresql-password
-          {{- else }}
-                {{- if .Values.config.postgresql.passwordSecretName }}
-                name: {{ .Values.config.postgresql.passwordSecretName }}
-                key: {{ .Values.config.postgresql.passwordSecretKey | default "postgresql-password" }}
-                {{- else }}
+          {{- else  }}
                 name: {{ template "retool.fullname" . }}
-                key: postgresql-password
-                {{- end }}
           {{- end }}
+                key: postgresql-password
           - name: CLIENT_ID
             value: {{ default "" .Values.config.auth.google.clientId }}
           - name: CLIENT_SECRET
             valueFrom:
               secretKeyRef:
-                {{- if .Values.config.auth.google.clientSecretSecretName }}
-                name: {{ .Values.config.auth.google.clientSecretSecretName }}
-                key: {{ .Values.config.auth.google.clientSecretSecretKey | default "google-client-secret" }}
-                {{- else }}
                 name: {{ template "retool.fullname" . }}
                 key: google-client-secret
-                {{- end }}
           - name: RESTRICTED_DOMAIN
             value: {{ default "" .Values.config.auth.google.domain }}
+          - name: BASE_DOMAIN
+            value: {{ .Values.config.baseDomain | quote }}
+          - name: GITHUB_APP_ID
+            value: {{ .Values.config.githubAppId | default "" | quote }}
+          - name: GITHUB_APP_INSTALLATION_ID
+            value: {{ .Values.config.githubAppInstallationId | default "" | quote }}
+          - name: GITHUB_APP_PRIVATE_KEY
+            value: {{ .Values.config.githubAppPrivateKey | default "" | quote }}
+          - name: VERSION_CONTROL_LOCKED
+            value: {{ .Values.config.versionControlLocked | default "" | quote }}
           {{- end }}
           {{- range $key, $value := .Values.env }}
           - name: "{{ $key }}"
@@ -185,4 +167,4 @@ spec:
 {{- if .Values.extraVolumes }}
 {{ toYaml .Values.extraVolumes | indent 8 }}
 {{- end }}
-{{- end }}
+{{- end }}

templates/secret.yaml

@@ -11,31 +11,32 @@ metadata:
 {{- end }}
 type: Opaque
 data:
-  license-key: {{ .Values.config.licenseKey | default "" | b64enc | quote }}
+  license-key: {{ .Values.config.licenseKey | b64enc | quote }}
+  custom_oauth2_sso_client_id: {{ .Values.config.auth.onelogin.customOauth2SsoClientId | b64enc | quote }}
+  custom_oauth2_sso_client_secret: {{ .Values.config.auth.onelogin.customOauth2SsoClientSecret | b64enc | quote }}
+  custom_oauth2_sso_auth_url: {{ .Values.config.auth.onelogin.customOauth2SsoAuthUrl | b64enc | quote }}
+  trigger_oauth_2_sso_login_automatically: {{ .Values.config.auth.onelogin.triggerOauth2SsoLoginAutomatically | b64enc | quote }}
+  trigger_saml_login_automatically: {{ .Values.config.auth.onelogin.triggerSamlLoginAutomatically | b64enc | quote }}  
 
-  {{ if not .Values.config.jwtSecretSecretName }}
   {{ if .Values.config.jwtSecret }}
   jwt-secret: {{ .Values.config.jwtSecret | b64enc | quote }}
   {{ else  }}
   jwt-secret: {{ randAlphaNum 20 | b64enc | quote }}
   {{ end }}
-  {{ end }}
 
-  {{ if not .Values.config.encryptionKeySecretName }}
   {{ if .Values.config.encryptionKey }}
   encryption-key: {{ .Values.config.encryptionKey | b64enc | quote }}
   {{ else  }}
   encryption-key: {{ randAlphaNum 20 | b64enc | quote }}
   {{ end }}
-  {{ end }}
 
   {{ if .Values.config.auth.google.clientSecret }}
-  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc | quote }}
+  google-client-secret: {{ .Values.config.auth.google.clientSecret | b64enc |quote }}
   {{ else  }}
-  google-client-secret: ""
+  google-client-secret: "" 
   {{ end }}
 
   {{ if not .Values.postgresql.enabled }}
   postgresql-password: {{ .Values.config.postgresql.password | default "" | b64enc | quote }}
   {{ end }}
-{{- end }}
+{{- end }}

values.yaml

@@ -3,30 +3,24 @@
 
 config:
   licenseKey: "EXPIRED-LICENSE-KEY-TRIAL"
-  # licenseKeySecretName is the name of the secret where the Retool license key is stored (can be used instead of licenseKey)
-  # licenseKeySecretName:
-  # licenseKeySecretKey is the key in the k8s secret, default: license-key
-  # licenseKeySecretKey:
-  useInsecureCookies: false
+  useInsecureCookies: true
   auth:
     google:
       clientId:
       clientSecret:
-      # clientSecretSecretName is the name of the secret where the google client secret is stored (can be used instead of clientSecret)
-      # clientSecretSecretName:
-      # clientSecretSecretKey is the key in the k8s secret, default: google-client-secret
-      # clientSecretSecretKey:
       domain:
+    onelogin:
+      customOauth2SsoClientId:
+      customOauth2SsoClientSecret:
+      customOauth2SsoAuthUrl:
+      triggerOauth2SsoLoginAutomatically:
+      triggerSamlLoginAutomatically:      
   encryptionKey:
-  # encryptionKeySecretName is the name of the secret where the encryption key is stored (can be used instead of encryptionKey)
-  # encryptionKeySecretName:
-  # encryptionKeySecretKey is the key in the k8s secret, default: encryption-key
-  # encryptionKeySecretKey:
   jwtSecret:
-  # jwtSecretSecretName is the name of the secret where the jwt secret is stored (can be used instead of jwtSecret)
-  # jwtSecretSecretName:
-  # jwtSecretSecretKey is the key in the k8s secret, default: jwt-secret
-  # jwtSecretSecretKey:
+  baseDomain:
+  githubAppId:
+  githubAppInstallationId:
+  githubAppPrivateKey:
 
   postgresql: {}
     # Specify if postgresql subchart is disabled
@@ -35,15 +29,11 @@ config:
     # db:
     # user:
     # password:
-    # passwordSecretName is the name of the secret where the pg password is stored (can be used instead of password)
-    # passwordSecretName:
-    # passwordSecretKey is the key in the k8s secret, default: postgresql-password
-    # passwordSecretKey:
 
 image:
   repository: "tryretool/backend"
   # Will default to Chart AppVersion if left empty
-  tag: "X.Y.Z"
+  tag:
   pullPolicy: "IfNotPresent"
 
 commandline:
@@ -125,7 +115,6 @@ livenessProbe:
   path: /api/checkHealth
   initialDelaySeconds: 30
   timeoutSeconds: 10
-  failureThreshold: 3
 
 readinessProbe:
   enabled: true
@@ -169,15 +158,6 @@ podAnnotations: {}
 replicaCount: 1
 revisionHistoryLimit: 3
 
-# Optional pod disruption budget, for ensuring higher availability of the
-# Retool application.  Specify either minAvailable or maxUnavailable, as
-# either an integer pod count (1) or a string percentage ("50%").
-# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
-#
-# Example:
-# podDisruptionBudget:
-#   maxUnavailable: 1
-
 # Custom labels for pod assignment
 podLabels: {}
 
@@ -208,4 +188,4 @@ securityContext:
 
 extraConfigMapMounts: []
 
-initContainers: {}
+initContainers: {}