From 8f2499b55e0ae12a836d2a34530f34a555776f7c Mon Sep 17 00:00:00 2001 From: Thumbscrew Date: Tue, 11 Mar 2025 13:09:24 +0000 Subject: [PATCH] feat: add OIDC config for Freshrss (#107)
--- charts/freshrss/Chart.yaml | 2 +- charts/freshrss/README.md | 15 ++++++- charts/freshrss/templates/deployment.yaml | 55 +++++++++++++++++++++++ charts/freshrss/values.yaml | 36 +++++++++++++++ 4 files changed, 106 insertions(+), 2 deletions(-)
diff --git a/charts/freshrss/Chart.yaml b/charts/freshrss/Chart.yaml
index a0974dc..087511e 100644
--- a/charts/freshrss/Chart.yaml
+++ b/charts/freshrss/Chart.yaml
@@ -23,7 +23,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.5.0
+version: 1.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to
diff --git a/charts/freshrss/README.md b/charts/freshrss/README.md
index 233b577..440df0f 100644
--- a/charts/freshrss/README.md
+++ b/charts/freshrss/README.md
@@ -1,6 +1,6 @@ # freshrss
-![Version: 1.5.0](https://img.shields.io/badge/Version-1.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.0](https://img.shields.io/badge/AppVersion-1.25.0-informational?style=flat-square)
+![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.0](https://img.shields.io/badge/AppVersion-1.25.0-informational?style=flat-square) A Helm chart for FreshRSS
@@ -30,6 +30,19 @@ A Helm chart for FreshRSS | freshrss.cron.cronMin | string | `"13,43"` | Minute(s) past the hour to run cron | | freshrss.cron.enabled | bool | `false` | Enable Cron to periodically refresh feeds | | freshrss.freshEnv | string | `"production"` | Enables additional development information if set to `development` (increases the level of logging and ensures that errors are displayed) | +| freshrss.oidc | object | `{"clientCryptoKey":"","clientId":"","clientSecret":"","enabled":false,"existingClientSecret":{"clientCryptoKeyKey":"clientCryptoKey","clientIdKey":"clientId","clientSecretKey":"clientSecret","name":""},"providerMetadataUrl":"","remoteUserClaim":"","scopes":[],"session":{"inactivityTimeout":300,"maxDuration":-1,"type":""},"xForwardedHeaders":[]}` | See Configuration Environment Variables at https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html | +| freshrss.oidc.clientCryptoKey | string | `""` | Sets OIDC_CLIENT_CRYPTO_KEY | +| freshrss.oidc.clientId | string | `""` | Sets OIDC_CLIENT_ID | +| freshrss.oidc.clientSecret | string | `""` | Sets OIDC_CLIENT_SECRET | +| freshrss.oidc.enabled | bool | `false` | Sets OIDC_ENABLED to true | +| freshrss.oidc.existingClientSecret | object | `{"clientCryptoKeyKey":"clientCryptoKey","clientIdKey":"clientId","clientSecretKey":"clientSecret","name":""}` | A Kubernetes secret that contains the clientId, clientSecret and clientCryptoKey | +| freshrss.oidc.providerMetadataUrl | string | `""` | Sets OIDC_PROVIDER_METADATA_URL | +| freshrss.oidc.remoteUserClaim | string | `""` | Sets OIDC_REMOTE_USER_CLAIM | +| freshrss.oidc.scopes | list | `[]` | Sets OIDC_SCOPES (list is concatenated) | +| freshrss.oidc.session.inactivityTimeout | int | `300` | Sets OIDC_SESSION_INACTIVITY_TIMEOUT | +| freshrss.oidc.session.maxDuration | int | `-1` | Sets OIDC_SESSION_MAX_DURATION | +| freshrss.oidc.session.type | string | `""` | Sets OIDC_SESSION_TYPE | +| freshrss.oidc.xForwardedHeaders | list | `[]` | Sets 
OIDC_X_FORWARDED_HEADERS (list is concatenated) | | freshrss.timezone | string | `"UTC"` | PHP Timezone - see https://www.php.net/timezones | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | |
diff --git a/charts/freshrss/templates/deployment.yaml b/charts/freshrss/templates/deployment.yaml
index d66db64..291c7cb 100644
--- a/charts/freshrss/templates/deployment.yaml
+++ b/charts/freshrss/templates/deployment.yaml
@@ -70,6 +70,61 @@ spec: {{- end }} --language {{ .Values.freshrss.autoInstall.language }} {{- end }}
+ {{- if .Values.freshrss.oidc.enabled }}
+ - name: OIDC_ENABLED
+ value: "true"
+ {{- with .Values.freshrss.oidc }}
+ - name: OIDC_PROVIDER_METADATA_URL
+ value: {{ .providerMetadataUrl }}
+ {{- if .existingClientSecret.name }}
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingClientSecret.name }}
+ key: {{ .existingClientSecret.clientIdKey }}
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingClientSecret.name }}
+ key: {{ .existingClientSecret.clientSecretKey }}
+ - name: OIDC_CLIENT_CRYPTO_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .existingClientSecret.name }}
+ key: {{ .existingClientSecret.clientCryptoKeyKey }}
+ {{- else }}
+ - name: OIDC_CLIENT_ID
+ value: {{ .clientId }}
+ - name: OIDC_CLIENT_SECRET
+ value: {{ .clientSecretKey }}
+ - name: OIDC_CLIENT_CRYPTO_KEY
+ value: {{ .clientCryptoKey }}
+ {{- end }}
+ {{- if .remoteUserClaim }}
+ - name: OIDC_REMOTE_USER_CLAIM
+ value: {{ .remoteUserClaim }}
+ {{- end }}
+ {{- if .scopes }}
+ - name: OIDC_SCOPES
+ value: {{ printf "%s" (join " " .scopes) }}
+ {{- end }}
+ {{- if .xForwardedHeaders }}
+ - name: OIDC_X_FORWARDED_HEADERS
+ value: {{ printf "%s" (join " " .xForwardedHeaders) }}
+ {{- end }}
+ - name: OIDC_SESSION_INACTIVITY_TIMEOUT
+ # value: {{ printf "%d" (add .session.inactivityTimeout) }}
+ value: "{{ .session.inactivityTimeout }}"
+ {{- if ge .session.maxDuration 0.0 }}
+ - name: OIDC_SESSION_MAX_DURATION
+ value: "{{ .session.maxDuration }}"
+ {{- end }}
+ {{- if .session.type }}
+ - name: OIDC_SESSION_TYPE
+ value: {{ .session.type }}
+ {{- end }}
+ {{- end }}
+ {{- end }} livenessProbe: httpGet: path: /i/
diff --git a/charts/freshrss/values.yaml b/charts/freshrss/values.yaml
index 5b97211..be90f0b 100644
--- a/charts/freshrss/values.yaml
+++ b/charts/freshrss/values.yaml
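Review bot: In the inline-credential branch the line `value: {{ .clientSecretKey }}` reads a key that does not exist at this scope (`.Values.freshrss.oidc` has `clientSecret`; `clientSecretKey` lives under `existingClientSecret`), so `OIDC_CLIENT_SECRET` renders empty whenever `existingClientSecret.name` is unset; it should be `value: {{ .clientSecret | quote }}`. The other interpolated scalars (`providerMetadataUrl`, `clientId`, `clientCryptoKey`, `remoteUserClaim`, `session.type`, the joined `scopes`/`xForwardedHeaders`) are emitted unquoted, so an all-digit client ID or a value containing `: ` or ` #` yields a non-string or malformed `value`, which the API server rejects for env entries; piping each through `quote` fixes that. `ge .session.maxDuration 0.0` presumably works because values.yaml numbers reach the template as float64, but a `--set freshrss.oidc.session.maxDuration=3600` arrives as an integer and Go's `ge` would then fail with an incompatible-types error, and large floats print in exponent form, so normalising with Sprig's `int` before comparing and quoting is safer than the commented-out `printf "%d"` attempt. The inline branch also places the client secret and crypto key as plain `value:` strings in the Deployment spec, readable by anyone who can get pods or deployments, so `existingClientSecret` is the path to recommend in the docs. The enclosing container `env:` list starts before this hunk.
```yaml
{{- with .Values.freshrss.oidc }}
- name: OIDC_PROVIDER_METADATA_URL
  value: {{ .providerMetadataUrl | quote }}
# … unchanged: existingClientSecret secretKeyRef branch …
{{- else }}
- name: OIDC_CLIENT_ID
  value: {{ .clientId | quote }}
- name: OIDC_CLIENT_SECRET
  value: {{ .clientSecret | quote }}
- name: OIDC_CLIENT_CRYPTO_KEY
  value: {{ .clientCryptoKey | quote }}
{{- end }}
# … unchanged: remoteUserClaim / scopes / xForwardedHeaders blocks (append `| quote` to each value) …
- name: OIDC_SESSION_INACTIVITY_TIMEOUT
  value: {{ .session.inactivityTimeout | int | quote }}
{{- if ge (.session.maxDuration | int) 0 }}
- name: OIDC_SESSION_MAX_DURATION
  value: {{ .session.maxDuration | int | quote }}
{{- end }}
# … unchanged: session.type block and closing end tags …
```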
@@ -78,6 +78,42 @@ freshrss: enabled: false # -- Minute(s) past the hour to run cron cronMin: "13,43"
+ # -- See Configuration Environment Variables at https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html
+ oidc:
+ # -- Sets OIDC_ENABLED to true
+ enabled: false
+ # -- Sets OIDC_PROVIDER_METADATA_URL
+ providerMetadataUrl: ""
+ # -- Sets OIDC_CLIENT_ID
+ clientId: ""
+ # -- Sets OIDC_CLIENT_SECRET
+ clientSecret: ""
+ # -- Sets OIDC_CLIENT_CRYPTO_KEY
+ clientCryptoKey: ""
+ # -- A Kubernetes secret that contains the clientId, clientSecret and clientCryptoKey
+ existingClientSecret:
+ name: ""
+ clientIdKey: clientId
+ clientSecretKey: clientSecret
+ clientCryptoKeyKey: clientCryptoKey
+ # -- Sets OIDC_REMOTE_USER_CLAIM
+ remoteUserClaim: ""
+ # -- Sets OIDC_SCOPES (list is concatenated)
+ scopes: []
+ # - openid
+ # -- Sets OIDC_X_FORWARDED_HEADERS (list is concatenated)
+ xForwardedHeaders: []
+ # - Forwarded
+ # - X-Forwarded-Host
+ # - X-Forwarded-Port
+ # - X-Forwarded-Proto
+ session:
+ # -- Sets OIDC_SESSION_INACTIVITY_TIMEOUT
+ inactivityTimeout: 300
+ # -- Sets OIDC_SESSION_MAX_DURATION
+ maxDuration: -1
+ # -- Sets OIDC_SESSION_TYPE
+ type: "" persistence: enabled: false
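Review bot: The `existingClientSecret` comment does not say that when `name` is set the inline `clientId`, `clientSecret` and `clientCryptoKey` are ignored (the deployment template takes one branch or the other), nor that the inline values are rendered as plain `value:` env strings in the Deployment; something like `# -- Existing Secret holding the OIDC client credentials; preferred over the inline clientId/clientSecret/clientCryptoKey, which are ignored when name is set` would make both the precedence and the trade-off visible. The three `*Key` fields under it carry no `# --` line, so helm-docs shows them only as one opaque object in the README table; `# -- Key within the secret that holds OIDC_CLIENT_ID` on `clientIdKey`, and the equivalent on the other two, would surface them. `maxDuration: -1` is skipped by the template when negative, which its comment should state: `# -- Sets OIDC_SESSION_MAX_DURATION; a negative value leaves it unset`. The enclosing `freshrss:` mapping begins before this hunk.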