Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 425365d22a | |||
| 63806bde22 | |||
| 96299e1386 | |||
| bf015c9238 | |||
| 589d447f19 | |||
| ddc09cca50 | |||
| ae2d4a573b | |||
| 5be05fe43e | |||
| f90df5c2c6 | |||
| 6bbcd95069 | |||
| b839c32b50 | |||
| 9b062aa27d | |||
| 4a2ece217b |
@@ -65,29 +65,9 @@ jobs:
|
||||
needs:
|
||||
- build-and-push
|
||||
steps:
|
||||
-
|
||||
uses: actions/create-github-app-token@v1
|
||||
id: app-token
|
||||
- uses: numerique-gouv/action-argocd-webhook-notification@main
|
||||
id: notify
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
owner: ${{ github.repository_owner }}
|
||||
repositories: "oidc2fer,secrets"
|
||||
-
|
||||
name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
submodules: recursive
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
-
|
||||
name: Load sops secrets
|
||||
uses: rouja/actions-sops@main
|
||||
with:
|
||||
secret-file: secrets/numerique-gouv/oidc2fer/secrets.enc.env
|
||||
age-key: ${{ secrets.SOPS_PRIVATE }}
|
||||
-
|
||||
name: Call argocd github webhook
|
||||
run: |
|
||||
data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
|
||||
sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
|
||||
curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
|
||||
deployment_repo_path: "${{ github.repository }}"
|
||||
argocd_webhook_secret: "${{ secrets.ARGOCD_PREPROD_WEBHOOK_SECRET }}"
|
||||
argocd_url: "${{ vars.ARGOCD_PREPROD_WEBHOOK_URL }}"
|
||||
|
||||
@@ -10,7 +10,7 @@ jobs:
|
||||
helmfile-lint:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/helmfile/helmfile:latest
|
||||
image: ghcr.io/helmfile/helmfile:v0.171.0
|
||||
steps:
|
||||
-
|
||||
uses: numerique-gouv/action-helmfile-lint@main
|
||||
|
||||
@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0),
|
||||
and this project adheres to
|
||||
[Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
||||
|
||||
## [1.0.7] - 2025-05-07
|
||||
- remove unused APT dependencies
|
||||
- upgrade to gunicorn 23.0.0
|
||||
|
||||
## [1.0.6] - 2025-03-11
|
||||
- upgrade to SATOSA 8.5.1
|
||||
- allow faculty, staff, employee, researcher, teacher affiliations
|
||||
|
||||
## [1.0.5] - 2025-03-06
|
||||
- add allowlist for URL paths to nginx ingress
|
||||
- allow customizing log levels per logger
|
||||
|
||||
+5
-11
@@ -1,17 +1,11 @@
|
||||
# ---- base image to inherit from ----
|
||||
FROM python:3.11-slim-bookworm as common
|
||||
FROM python:3.11.12-slim-bookworm AS common
|
||||
|
||||
# Install xmlsec1 dependencies required for xmlsec (for SAML)
|
||||
# Needs to be kept before the `pip install`
|
||||
RUN apt-get update && \
|
||||
apt-get -y upgrade && \
|
||||
apt-get install -y \
|
||||
pkg-config \
|
||||
gcc \
|
||||
xmlsec1 \
|
||||
libxml2-dev \
|
||||
libxmlsec1-dev \
|
||||
libxmlsec1-openssl && \
|
||||
apt-get install -qy --no-install-recommends xmlsec1 && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# We want the most up-to-date stable pip release
|
||||
@@ -19,7 +13,7 @@ RUN pip install --upgrade pip
|
||||
|
||||
ENV PYTHONUNBUFFERED=1
|
||||
|
||||
# Give the "root" group the same permissions as the "root" user on /etc/passwd
|
||||
# Give the "root" group the same permissions AS the "root" user on /etc/passwd
|
||||
# to allow a user belonging to the root group to add new users; typically the
|
||||
# docker user (see entrypoint).
|
||||
RUN chmod g=u /etc/passwd
|
||||
@@ -41,7 +35,7 @@ COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satos
|
||||
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
|
||||
|
||||
# ---- Development image ----
|
||||
FROM common as development
|
||||
FROM common AS development
|
||||
|
||||
# Playwright browsers
|
||||
ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
|
||||
@@ -67,7 +61,7 @@ COPY ./src/satosa /app/
|
||||
USER ${DOCKER_USER}
|
||||
|
||||
# ---- Production image (keep last so it is the default target) ----
|
||||
FROM common as production
|
||||
FROM common AS production
|
||||
|
||||
# Copy oidc2fer application (see .dockerignore)
|
||||
COPY ./src/satosa /app/
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
image:
|
||||
repository: lasuite/oidc2fer
|
||||
pullPolicy: Always
|
||||
tag: "v1.0.4"
|
||||
tag: "v1.0.6"
|
||||
|
||||
satosa:
|
||||
replicas: 2
|
||||
|
||||
@@ -3,11 +3,11 @@ name: Saml2
|
||||
config:
|
||||
disco_srv: !ENV SAML2_DISCOVERY_URL
|
||||
entityid_endpoint: true
|
||||
mirror_force_authn: 'no'
|
||||
memorize_idp: 'no'
|
||||
use_memorized_idp_when_force_authn: 'no'
|
||||
send_requester_id: 'no'
|
||||
enable_metadata_reload: 'no'
|
||||
mirror_force_authn: false
|
||||
memorize_idp: false
|
||||
use_memorized_idp_when_force_authn: false
|
||||
send_requester_id: false
|
||||
enable_metadata_reload: false
|
||||
acs_selection_strategy: prefer_matching_host
|
||||
sp_config:
|
||||
name: Passerelle OIDC vers FER
|
||||
|
||||
@@ -13,4 +13,8 @@ config:
|
||||
# later in the PrimaryIdentifier processor.
|
||||
- ".+"
|
||||
eduPersonAffiliation:
|
||||
- "^faculty$"
|
||||
- "^staff$"
|
||||
- "^employee$"
|
||||
- "^researcher$"
|
||||
- "^teacher$"
|
||||
|
||||
@@ -23,8 +23,8 @@ license = { file = "LICENSE" }
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.11"
|
||||
dependencies = [
|
||||
"SATOSA==8.4.0",
|
||||
"gunicorn==22.0.0",
|
||||
"SATOSA==8.5.1",
|
||||
"gunicorn==23.0.0",
|
||||
"redis==5.0.4",
|
||||
"JSON-log-formatter==1.0",
|
||||
"WhiteNoise==6.7.0",
|
||||
|
||||
Reference in New Issue
Block a user