feat(Config): Seed users via API

ref #OSS-1

Author: hypery2k

chart/README.md

@@ -20,11 +20,15 @@ A Helm chart for deploying Automatisch
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
 | app.config.APP_ENV | string | `"production"` | Automatisch Environment |
+| app.config.DISABLE_SEED_USER | bool | `true` | Don't use hardcoded initial admin user by default, see [here](https://automatisch.co/docs/advanced-configuration#disable-seed-user) for more information |
 | app.config.LOG_LEVEL | string | `"info"` | Can be used to configure log level such as error, warn, info, http, debug |
 | app.config.PROTOCOL | string | `"http"` | HTTP Protocol |
 | app.credentials.APP_SECRET_KEY | string | `nil` | Secret Key to authenticate the user |
 | app.credentials.ENCRYPTION_KEY | string | `nil` | Encryption Key to store credentials |
 | app.credentials.WEBHOOK_SECRET_KEY | string | `nil` | Webhook Secret Key to verify webhook requests |
+| app.seed | object | `{"admin":{"email":"admin@automatisch.io","fullName":"Admin User"}}` | Seed configuration, only done once! |
+| app.seed.admin | object | `{"email":"admin@automatisch.io","fullName":"Admin User"}` | admin user to configure during installation |
+| app.seed.admin.email | string | `"admin@automatisch.io"` | Admin User |
 | autoscaling.enabled | bool | `false` |  |
 | autoscaling.maxReplicas | int | `100` |  |
 | autoscaling.minReplicas | int | `1` |  |

chart/templates/NOTES.txt

@@ -7,3 +7,7 @@ Get the application URL by running these commands:
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
+{{- if .Values.app.config.DISABLE_SEED_USER }}
+To get the generated admin user credentials for user {{ .Values.app.seed.admin.fullName }} ({{ .Values.app.seed.admin.email }}), run the following command:
+  kubectl --namespace {{ .Release.Namespace }} get secret {{ include "ah.fullname" . }}-admin -o jsonpath="{.data.password}" | base64 --decode
+{{- end }}

chart/templates/config-job.yaml

@@ -0,0 +1,74 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "ah.fullname" . }}-config
+  labels:
+    {{- include "ah.labels" . | nindent 4 }}
+    app.kubernetes.io/component: automatisch-config
+  annotations:
+    helm.sh/hook: "post-install,post-upgrade,post-rollback"
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "5"
+spec:
+  backoffLimit: 3
+  {{- /* kubernetes secret to hold user details */}}
+  {{- $secretName :=  printf "%s-config" ( include "ah.fullname" . ) }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: automatisch-config
+        {{- include "ah.labels" . | nindent 8 }}
+      annotations:
+        {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace $secretName ) | default dict }}
+        {{- $secretData := (get $secretObj "data") | default dict }}
+        checksum/configuration: {{ ( printf "%s" $secretData | toJson ) | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      serviceAccountName: {{ include "ah.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      restartPolicy: Never
+      containers:
+        - name: init-config
+          image: alpine/k8s:1.30.0
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              function wait_for_it() {
+                host=${1}
+                prot=${2:-http}
+                port=${3:-3000}
+                code=${4:-200}
+                max_attempts=${5:-10}
+                opts=${6}
+                echo "Waiting for $host:$port"
+                no_proxy=$host,$no_proxy
+                attempt_counter=0
+                # shellcheck disable=SC2053
+                until [[ "$(curl --output /dev/null --silent --head -w '%{http_code}' --fail ${opts} ${prot}://${host}:${port})" == $code ]]; do
+                if [ ${attempt_counter} -eq ${max_attempts} ];then
+                    echo "Max attempts reached"
+                    curl -isv http://${host}:${port}
+                    exit 1
+                fi
+
+                echo -n '.'
+                attempt_counter=$((attempt_counter+1))
+                sleep 30
+                done
+               }
+              wait_for_it "{{ include "ah.fullname" . }}"
+
+              echo "Setting up users ..."
+              {{- $user := .Values.app.seed.admin }}
+              {{- $password :=  randAlphaNum 20 }}
+              curl -d '{"email":"{{ $user.email }}", "fullName":"{{ $user.fullName }}", "password": "{{ $password }}"}' -H "Content-Type: application/json" -X POST http://automatisch:3000/api/v1/installation/users
+
+              {{/* Save generated passwords in kubernetes secret */}}
+              echo "email={{ $user.email }}" > credentials.txt
+              echo "password={{ $password }}" >> credentials.txt
+              kubectl --namespace {{ .Release.Namespace }} create secret generic {{ .Release.Name }}-admin --from-env-file=credentials.txt

chart/templates/role-binding.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ah.serviceAccountName" . }}
+  labels:
+    {{- include "ah.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "ah.serviceAccountName" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ah.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}

chart/templates/role.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "ah.serviceAccountName" . }}
+  labels:
+    {{- include "ah.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "create", "list", "update"]
+{{- end }}

chart/values.yaml

@@ -139,13 +139,22 @@ ingress:
   tls: []
 
 app:
+  # -- Seed configuration, only done once!
+  seed:
+    # -- admin user to configure during installation
+    admin:
+      # -- Admin User
+      email: admin@automatisch.io
+      fullName: Admin User
   config:
     # -- Automatisch Environment
     APP_ENV: production
     # -- Can be used to configure log level such as error, warn, info, http, debug
     LOG_LEVEL: info
     # -- HTTP Protocol
     PROTOCOL: http
+    # -- Don't use hardcoded initial admin user by default, see [here](https://automatisch.co/docs/advanced-configuration#disable-seed-user) for more information
+    DISABLE_SEED_USER: true
   credentials:
     # -- Encryption Key to store credentials
     ENCRYPTION_KEY: