Allow setting the locked state of the admin user (#161)

opf · Dec 11, 2024 · 50a9eee · 50a9eee
1 parent 7978221
commit 50a9eee
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 1 deletion.
diff --git a/.changeset/pretty-cups-fail.md b/.changeset/pretty-cups-fail.md
@@ -0,0 +1,5 @@
+---
+"@openproject/helm-charts": minor
+---
+
+Allow setting admin user seeder as locked
diff --git a/charts/openproject/templates/secret_core.yaml b/charts/openproject/templates/secret_core.yaml
@@ -20,6 +20,9 @@ stringData:
   OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
   OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
   OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
+  {{- if .Values.openproject.admin_user.locked }}
+  OPENPROJECT_SEED_ADMIN_USER_LOCKED: "true"
+  {{- end }}
   OPENPROJECT_HTTPS: {{ (.Values.develop | ternary "false" .Values.openproject.https) | quote }}
   OPENPROJECT_SEED_LOCALE: {{ .Values.openproject.seed_locale | quote }}
   {{- if .Values.ingress.enabled }}

diff --git a/charts/openproject/values.yaml b/charts/openproject/values.yaml
@@ -318,12 +318,15 @@ openproject:
 
   ## Define admin user details
   # only applicable on first installation
-  # Note: Only applicable for versions >= 13.0
+  # c.f. https://www.openproject.org/docs/installation-and-operations/configuration/#initial-admin-user-creation
   admin_user:
     password: "admin"
     password_reset: "true"
     name: "OpenProject Admin"
     mail: "[email protected]"
+    # Uncomment if you want to lock the user after creation
+    # Relevant for automated deployments that seed LDAP or SSO
+    # locked: true
 
   ## Define OpenID Connect providers
   oidc:

diff --git a/spec/charts/openproject/admin_user_seeding_spec.rb b/spec/charts/openproject/admin_user_seeding_spec.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe 'admin user seeder configuration' do
+  let(:template) { HelmTemplate.new(default_values) }
+
+  subject { template.dig('Secret/optest-openproject-core', 'stringData') }
+
+  context 'when setting the seeder' do
+    let(:default_values) do
+      HelmTemplate.with_defaults(<<~YAML
+        openproject:
+          admin_user:
+            name: "Foo Bar"
+      YAML
+      )
+    end
+
+    it 'adds a respective ENV', :aggregate_failures do
+      expect(subject)
+        .to include("OPENPROJECT_SEED_ADMIN_USER_NAME" => "Foo Bar")
+
+      expect(subject)
+        .not_to include("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true")
+    end
+  end
+
+  context 'when setting the admin as locked' do
+    let(:default_values) do
+      HelmTemplate.with_defaults(<<~YAML
+        openproject:
+          admin_user:
+            locked: true
+      YAML
+      )
+    end
+
+    it 'adds a respective ENV', :aggregate_failures do
+      expect(subject)
+        .to include("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true")
+    end
+  end
+
+  context 'when leaving defaults' do
+    let(:default_values) do
+      HelmTemplate.with_defaults({})
+    end
+
+    it 'the name is the default', :aggregate_failures do
+      expect(subject)
+        .to include("OPENPROJECT_SEED_ADMIN_USER_NAME" => "OpenProject Admin")
+    end
+  end
+end