SAML support (#123)

PostHog · Sep 21, 2021 · 176f4fe · 176f4fe
1 parent c1fbffd
commit 176f4fe
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 5 deletions.
diff --git a/charts/posthog/templates/web-deployment.yaml b/charts/posthog/templates/web-deployment.yaml
@@ -146,6 +146,28 @@ spec:
           value: {{ default "false" .Values.email.use_ssl | quote }}
         - name: DEFAULT_FROM_EMAIL
           value: {{ .Values.email.from_email | quote }}
+        - name: SAML_ENTITY_ID
+          value: {{ default "" .Values.saml.entity_id | quote }}
+        - name: SAML_ACS_URL
+          value: {{ default "" .Values.saml.acs_url | quote }}
+        - name: SAML_X509_CERT
+          value: {{ default "" .Values.saml.x509_cert | quote }}
+        - name: SAML_ATTR_PERMANENT_ID
+          value: {{ default "" .Values.saml.attr_permanent_id | quote }}
+        - name: SAML_ATTR_FIRST_NAME
+          value: {{ default "" .Values.saml.attr_first_name | quote }}
+        - name: SAML_ATTR_LAST_NAME
+          value: {{ default "" .Values.saml.attr_last_name | quote }}
+        - name: SAML_ATTR_EMAIL
+          value: {{ default "" .Values.saml.attr_email | quote }}
+        {{- if eq .Values.saml.enforced true }}
+        - name: SAML_ENFORCED
+          value: '1'
+        {{- end }}
+        {{- if eq .Values.saml.disabled true }}
+        - name: SAML_DISABLED
+          value: '1'
+        {{- end }}
         {{- if .Values.clickhouse.enabled }}
         - name: PRIMARY_DB
           value: clickhouse

diff --git a/charts/posthog/values.yaml b/charts/posthog/values.yaml
@@ -30,7 +30,6 @@ clickhouseOperator:
   # -- Service Type: LoadBalancer (allows external access) or NodePort (more secure, no extra cost)
   serviceType: NodePort
 
-
 # -- Env vars to throw into every deployment (web, beat, worker, and plugin server)
 env:
   - name: ASYNC_EVENT_PROPERTY_USAGE
@@ -242,6 +241,55 @@ email:
   # existingSecret: secret-name
   # existingSecretKey: smtp-password
 
+# SAML
+saml:
+  # -- Whether password-based login is disabled and users automatically redirected to SAML login. Requires SAML to be properly configured.
+  enforced: false
+  # -- Whether SAML should be completely disabled. If set at build time, this will also prevent SAML dependencies from being installed.
+  disabled: false
+  # -- Entity ID from your SAML IdP.
+  # entity_id: "id-from-idp-5f9d4e-47ca-5080"
+  entity_id:
+  # -- Assertion Consumer Service URL from your SAML IdP.
+  # acs_url: "https://mysamlidp.com/saml2"
+  acs_url:
+  # -- Public X509 certificate from your SAML IdP to validate SAML assertions
+  # x509_cert: |
+    # MIID3DCCAsSgAwIBAgIUdriHo8qmAU1I0gxsI7cFZHmna38wDQYJKoZIhvcNAQEF
+    # BQAwRTEQMA4GA1UECgwHUG9zdEhvZzEVMBMGA1UECwwMT25lTG9naW4gSWRQMRow
+    # GAYDVQQDDBFPbmVMb2dpbiBBY2NvdW50IDAeFw0yMTA4MTYyMTUyMzNaFw0yNjA4
+    # MTYyMTUyMzNaMEUxEDAOBgNVBAoMB1Bvc3RIb2cxFTATBgNVBAsMDE9uZUxvZ2lu
+    # IElkUDEaMBgGA1UEAwwRT25lTG9naW4gQWNjb3VudCAwggEiMA0GCSqGSIb3DQEB
+    # AQUAA4IBDwAwggEKAoIBAQDEfUWFIU38ztF2EgijVsIbnlB8OIwkjZU8c34B9VwZ
+    # BQQUSxbrkuT9AX/5O27G04TBCHFZsXRId+ABSjVo8daCPu0d38Quo9KS3V3627Nw
+    # YcTYsje95lB02E/PgfiEQ6ZGCOV0P4xY9C99d26PoYTcoMT1S73jDDMOFtoD5WXG
+    # ZsKqwBks1jbLkv6RYoFBlZX00aGzOXDzUXI59/0c15KR4EzgTad0t6CU7X0HZ2Qf
+    # xGUiRb7hDLvgSby0SzpQpYUyYDnN9aSNYzpu1hiyIqrhQ7kZNy7LyGBz0UIuIImF
+    # pF6A3bzzrR4wdacFY9U0vmqFXXcepxuT5p2UyAxwbLeDAgMBAAGjgcMwgcAwDAYD
+    # VR0TAQH/BAIwADAdBgNVHQ4EFgQURLVVKanZPoXGEfYr1HmlaCEoD54wgYAGA1Ud
+    # IwR5MHeAFES1VSmp2T6FxhH2K9R5pWghKA+eoUmkRzBFMRAwDgYDVQQKDAdQb3N0
+    # SG9nMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxGjAYBgNVBAMMEU9uZUxvZ2luIEFj
+    # Y291bnQgghR2uIejyqYBTUjSDGwjtwVkeadrfzAOBgNVHQ8BAf8EBAMCB4AwDQYJ
+    # KoZIhvcNAQEFBQADggEBALP5lhlcV8avbnVnqO7PBtlS2mVOJ2B7obm50OaJCbRh
+    # t0I/dcNssWhT31/zmtNfKtrFicNImlKhdirApxpIp1WLEFY01a40GLmO6FG/WVvB
+    # EzwXonWP+cP8jYQnqZ15JkuHjP3DYJuOak2GqAJAfaGO67q6IkRZzRq6UwEUgNJD
+    # TlcsJAFaJDrcw07TY3mRFragdzGC7Xt/CM6r/0seY3+VBwMUMiJlvawcyQxap7om
+    # EdgmQkJA8Dk6f+geI+U7jV3orkPiofBJi9K6cp5Fd9usut8jwi3GYg2wExNGbhF4
+    # wlMD1LOhymQGBnTXPk+000nkBnYdqEnqXzVpDiCG1Pc=
+  x509_cert:
+  # -- Name of attribute that contains the permanent ID of the user in SAML assertions.
+  # attr_permanent_id: "nameID"
+  attr_permanent_id:
+  # -- Name of attribute that contains the first name of the user in SAML assertions.
+  # attr_first_name: "firstName"
+  attr_first_name:
+  # -- Name of attribute that contains the last name of the user in SAML assertions.
+  # attr_last_name: "lastName"
+  attr_last_name:
+  # -- Name of attribute that contains the email of the user in SAML assertions.
+  # attr_email: "email"
+  attr_email:
+
 # -- Name of the service and what port to expose on the pod. Don't change these unless you know what you're doing
 service:
   name: posthog
@@ -411,8 +459,7 @@ clickhouse:
     # -- URL for zookeeper.
     # servers:
       # - host: posthog-posthog-zookeeper
-        # port: 2181
-
+      #   port: 2181
 
 ## Prometheus Exporter / Metrics
 ##
@@ -510,8 +557,7 @@ hooks:
     # -- Env variables for migate hooks
     env: []
     # -- Hook job resource limits/requests
-    resources:
-      {}
+    resources: {}
 
 serviceAccount:
   # -- Configures if a ServiceAccount with this name should be created