From 50a9eeee6fc705d121d98292a122e83f367ec4c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Oliver=20G=C3=BCnther?= <mail@oliverguenther.de> Date: Wed, 11 Dec 2024 14:56:32 +0100 Subject: [PATCH] Allow setting the locked state of the admin user (#161) --- .changeset/pretty-cups-fail.md | 5 ++ charts/openproject/templates/secret_core.yaml | 3 ++ charts/openproject/values.yaml | 5 +- .../openproject/admin_user_seeding_spec.rb | 54 +++++++++++++++++++ 4 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 .changeset/pretty-cups-fail.md create mode 100644 spec/charts/openproject/admin_user_seeding_spec.rb
diff --git a/.changeset/pretty-cups-fail.md b/.changeset/pretty-cups-fail.md
new file mode 100644
index 0000000..49d280e
--- /dev/null
+++ b/.changeset/pretty-cups-fail.md
@@ -0,0 +1,5 @@
+---
+"@openproject/helm-charts": minor
+---
+
+Allow setting admin user seeder as locked
diff --git a/charts/openproject/templates/secret_core.yaml b/charts/openproject/templates/secret_core.yaml
index 61cd7f0..5c37a63 100644
--- a/charts/openproject/templates/secret_core.yaml
+++ b/charts/openproject/templates/secret_core.yaml
@@ -20,6 +20,9 @@ stringData:
 OPENPROJECT_SEED_ADMIN_USER_PASSWORD_RESET: {{ .Values.openproject.admin_user.password_reset | quote }}
 OPENPROJECT_SEED_ADMIN_USER_NAME: {{ .Values.openproject.admin_user.name | quote }}
 OPENPROJECT_SEED_ADMIN_USER_MAIL: {{ .Values.openproject.admin_user.mail | quote }}
+ {{- if .Values.openproject.admin_user.locked }}
+ OPENPROJECT_SEED_ADMIN_USER_LOCKED: "true"
+ {{- end }}
 OPENPROJECT_HTTPS: {{ (.Values.develop | ternary "false" .Values.openproject.https) | quote }}
 OPENPROJECT_SEED_LOCALE: {{ .Values.openproject.seed_locale | quote }}
 {{- if .Values.ingress.enabled }}
diff --git a/charts/openproject/values.yaml b/charts/openproject/values.yaml
index ffec7be..7ecf3d4 100644
--- a/charts/openproject/values.yaml
+++ b/charts/openproject/values.yaml
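Review bot: The `{{- if .Values.openproject.admin_user.locked }}` guard added in `secret_core.yaml` relies on template truthiness, so a quoted value such as `locked: "false"` is a non-empty string and would still render `OPENPROJECT_SEED_ADMIN_USER_LOCKED: "true"`. The sibling `password_reset` value is written as a quoted string in `values.yaml`, so an operator following that convention could end up with the seeded admin locked unintentionally. An explicit comparison avoids the ambiguity: `{{- if eq (toString .Values.openproject.admin_user.locked) "true" }}`.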
@@ -318,12 +318,15 @@ openproject: ## Define admin user details # only applicable on first installation - # Note: Only applicable for versions >= 13.0 + # c.f. https://www.openproject.org/docs/installation-and-operations/configuration/#initial-admin-user-creation admin_user: password: "admin" password_reset: "true" name: "OpenProject Admin" mail: "admin@example.net" + # Uncomment if you want to lock the user after creation + # Relevant for automated deployments that seed LDAP or SSO + # locked: true ## Define OpenID Connect providers oidc: diff --git a/spec/charts/openproject/admin_user_seeding_spec.rb b/spec/charts/openproject/admin_user_seeding_spec.rb new file mode 100644 index 0000000..a6f2dbf --- /dev/null +++ b/spec/charts/openproject/admin_user_seeding_spec.rb 
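Review bot: The comment added above `# locked: true` in `values.yaml` does not say what state the account is in when the option stays commented out. In that case the seeded admin keeps `password: "admin"` with `password_reset: "true"`, which matters for exactly the LDAP/SSO deployments the comment addresses. I would extend it with something like `# If left unset, the seeded admin stays active with the password above; set a non-default password or lock the account when logins go through LDAP/SSO`. Whether `locked` is honoured only on first installation, like the rest of this block, is not visible from the hunk and would be worth stating as well.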
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe 'admin user seeder configuration' do
+ let(:template) { HelmTemplate.new(default_values) }
+
+ subject { template.dig('Secret/optest-openproject-core', 'stringData') }
+
+ context 'when setting the seeder' do
+ let(:default_values) do
+ HelmTemplate.with_defaults(<<~YAML
+ openproject:
+ admin_user:
+ name: "Foo Bar"
+ YAML
+ )
+ end
+
+ it 'adds a respective ENV', :aggregate_failures do
+ expect(subject)
+ .to include("OPENPROJECT_SEED_ADMIN_USER_NAME" => "Foo Bar")
+
+ expect(subject)
+ .not_to include("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true")
+ end
+ end
+
+ context 'when setting the admin as locked' do
+ let(:default_values) do
+ HelmTemplate.with_defaults(<<~YAML
+ openproject:
+ admin_user:
+ locked: true
+ YAML
+ )
+ end
+
+ it 'adds a respective ENV', :aggregate_failures do
+ expect(subject)
+ .to include("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true")
+ end
+ end
+
+ context 'when leaving defaults' do
+ let(:default_values) do
+ HelmTemplate.with_defaults({})
+ end
+
+ it 'the name is the default', :aggregate_failures do
+ expect(subject)
+ .to include("OPENPROJECT_SEED_ADMIN_USER_NAME" => "OpenProject Admin")
+ end
+ end
+end
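Review bot: In the 'when setting the seeder' example, `.not_to include("OPENPROJECT_SEED_ADMIN_USER_LOCKED" => "true")` only rules out that exact pair, so it would still pass if the key were rendered with any other value. Asserting that the key is absent pins the template's off path more tightly: `expect(subject).not_to have_key("OPENPROJECT_SEED_ADMIN_USER_LOCKED")`. The 'when leaving defaults' context could carry the same assertion. A case for an explicit `locked: false` would also document that the variable is omitted rather than set.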