Add SMTP credentials for Zitadel; Removing hookshot from matrix bridg…

…es (#288)

* remove hookshot as we never got it to work

* add zitadel SMTP credentials

* update zitadel docs to include env vars you can provide in the tui description

* adding examples of sensitive values for the zitadel smtp credentials to docs

* bump version to v5.13.0

* add from address, from name, and reply to address for zitadel smtp secret generation

* add note about mail server and port, make sure default config reflects new smtp values

* fix copypasta

docs/k8s_apps/zitadel.md

@@ -38,11 +38,40 @@ In addition to those one time init values, we also require a hostname to use for
 
 ## Sensitive values
 
-Sensitive values can be provided via environment variables using a `value_from` map on any value under `init.values` or `backups`. Example of providing s3 credentials and restic repo password via sensitive values:
+Sensitive values can be provided via environment variables using a `value_from` map on any value under `init.values` or `backups`. Example of both providing s3 credentials and restic repo password as well as smtp credentials via sensitive values:
 
 ```yaml
 apps:
   zitadel:
+    init:
+      # Switch to false if you don't want to create initial secrets or use the
+      # API via a service account to create the above described resources
+      enabled: true
+      values:
+        # mail server, must include port! e.g. mymailserver.com:587
+        smtp_host:
+          value_from:
+            env: ZITADEL_SMTP_HOST
+        # mail user
+        smtp_user:
+          value_from:
+            env: ZITADEL_SMTP_USER
+        # mail password
+        smtp_password:
+          value_from:
+            env: ZITADEL_SMTP_PASSWORD
+        # mail from address
+        smtp_from_address:
+          value_from:
+            env: ZITADEL_SMTP_FROM_ADDRESS
+        # mail from name
+        smtp_from_name:
+          value_from:
+            env: ZITADEL_SMTP_FROM_NAME
+        # mail reply to address
+        smtp_reply_to_address:
+          value_from:
+            env: ZITADEL_SMTP_REPLY_TO_ADDRESS
     backups:
       s3:
         secret_access_key:
@@ -152,24 +181,54 @@ apps:
         - ZITADEL_S3_BACKUP_ACCESS_ID
         - ZITADEL_S3_BACKUP_SECRET_KEY
         - ZITADEL_RESTIC_REPO_PASSWORD
+        - ZITADEL_SMTP_HOST
+        - ZITADEL_SMTP_USER
+        - ZITADEL_SMTP_PASSWORD
+        - ZITADEL_SMTP_FROM_ADDRESS
+        - ZITADEL_SMTP_FROM_NAME
+        - ZITADEL_SMTP_REPLY_TO_ADDRESS
     init:
       # Switch to false if you don't want to create initial secrets or use the
       # API via a service account to create the above described resources
       enabled: true
       values:
+        # login username of admin user
         username: 'certainlynotadog'
+        # email of admin user
         email: '[email protected]'
+        # first name of admin user
         first_name: 'Dogsy'
+        # last name of admin user
         last_name: 'Dogerton'
         # options: GENDER_UNSPECIFIED, GENDER_MALE, GENDER_FEMALE, GENDER_DIVERSE
         # more coming soon, see: https://github.com/zitadel/zitadel/issues/6355
         gender: GENDER_UNSPECIFIED
         # name of the default project to create OIDC applications in
         project: core
-        # coming soon after we refactor a bit
-        # smtp_password:
-        #   value_from:
-        #     env: ZITADEL_SMTP_PASSWORD
+        # mail server, must include port! e.g. mymailserver.com:587
+        smtp_host:
+          value_from:
+            env: ZITADEL_SMTP_HOST
+        # mail user
+        smtp_user:
+          value_from:
+            env: ZITADEL_SMTP_USER
+        # mail password
+        smtp_password:
+          value_from:
+            env: ZITADEL_SMTP_PASSWORD
+        # mail from address
+        smtp_from_address:
+          value_from:
+            env: ZITADEL_SMTP_FROM_ADDRESS
+        # mail from name
+        smtp_from_name:
+          value_from:
+            env: ZITADEL_SMTP_FROM_NAME
+        # mail reply to address
+        smtp_reply_to_address:
+          value_from:
+            env: ZITADEL_SMTP_REPLY_TO_ADDRESS
       restore:
         enabled: false
         cnpg_restore: true

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name          = "smol_k8s_lab"
-version       = "5.12.0"
+version       = "5.13.0"
 description   = "CLI and TUI to quickly install slimmer Kubernetes distros and then manage apps declaratively using Argo CD"
 authors       = ["Jesse Hitch <[email protected]>",
                  "Max Roby <[email protected]>"]

smol_k8s_lab/config/default_config.yaml

@@ -1748,6 +1748,30 @@ apps:
         gender: GENDER_UNSPECIFIED
         # name of the default project to create OIDC applications in
         project: core
+        # mail server, must include port! e.g. mymailserver.com:587
+        smtp_host:
+          value_from:
+            env: ZITADEL_SMTP_HOST
+        # mail user
+        smtp_user:
+          value_from:
+            env: ZITADEL_SMTP_USER
+        # mail password
+        smtp_password:
+          value_from:
+            env: ZITADEL_SMTP_PASSWORD
+        # mail from address
+        smtp_from_address:
+          value_from:
+            env: ZITADEL_SMTP_FROM_ADDRESS
+        # mail from name
+        smtp_from_name:
+          value_from:
+            env: ZITADEL_SMTP_FROM_NAME
+        # mail reply to address
+        smtp_reply_to_address:
+          value_from:
+            env: ZITADEL_SMTP_REPLY_TO_ADDRESS
     backups:
       # cronjob syntax schedule to run zitadel seaweedfs pvc backups
       pvc_schedule: 10 0 * * *

smol_k8s_lab/k8s_apps/identity_provider/zitadel.py

@@ -6,7 +6,7 @@
 from smol_k8s_lab.k8s_apps.operators.minio import create_minio_alias
 from smol_k8s_lab.k8s_tools.argocd_util import ArgoCD
 from smol_k8s_lab.k8s_tools.restores import restore_seaweedfs, restore_cnpg_cluster
-from smol_k8s_lab.utils.value_from import process_backup_vals
+from smol_k8s_lab.utils.value_from import process_backup_vals, extract_secret
 from smol_k8s_lab.utils.passwords import create_password
 from smol_k8s_lab.utils.rich_cli.console_logging import sub_header, header
 
@@ -80,6 +80,22 @@ def configure_zitadel(argocd: ArgoCD,
         # first we make sure the namespace exists
         argocd.k8s.create_namespace(zitadel_namespace)
 
+        # get the mail credentials
+        smtp_host = extract_secret(init_values.get("smtp_host",
+                                                   "not applicable"))
+        smtp_user = extract_secret(init_values.get("smtp_user",
+                                                   "not applicable"))
+        smtp_password = extract_secret(init_values.get("smtp_password",
+                                                       "not applicable"))
+        smtp_from_address = extract_secret(init_values.get("smtp_from_address",
+                                                           "not applicable"))
+        smtp_from_name = extract_secret(init_values.get("smtp_from_name",
+                                                        "not applicable"))
+        smtp_reply_to_address = extract_secret(
+                init_values.get("smtp_reply_to_address",
+                                "not applicable")
+                )
+
         if bitwarden and not restore_enabled:
             setup_bitwarden_items(argocd,
                                   zitadel_hostname,
@@ -88,6 +104,12 @@ def configure_zitadel(argocd: ArgoCD,
                                   backup_vals['s3_user'],
                                   backup_vals['s3_password'],
                                   backup_vals['restic_repo_pass'],
+                                  smtp_host,
+                                  smtp_user,
+                                  smtp_password,
+                                  smtp_from_address,
+                                  smtp_from_name,
+                                  smtp_reply_to_address,
                                   bitwarden)
 
         elif not bitwarden and not restore_enabled:
@@ -107,6 +129,15 @@ def configure_zitadel(argocd: ArgoCD,
                                      {"username": 'zitadel',
                                       "password": 'we-use-tls-instead-of-password'})
 
+            # smtp credentials creation
+            argocd.k8s.create_secret('zitadel-smtp-credentials', 'zitadel',
+                                     {"host": smtp_host,
+                                      "user": smtp_user,
+                                      "password": smtp_password,
+                                      "from_address": smtp_from_address,
+                                      "from_name": smtp_from_name,
+                                      "reply_to_address": smtp_reply_to_address})
+
     if not app_installed and restore_enabled:
         restore_zitadel(argocd,
                         zitadel_hostname,
@@ -328,6 +359,12 @@ def setup_bitwarden_items(argocd: ArgoCD,
                           backups_s3_user: str,
                           backups_s3_password: str,
                           restic_repo_pass: str,
+                          smtp_host: str,
+                          smtp_user: str,
+                          smtp_password: str,
+                          smtp_from_address: str,
+                          smtp_from_name: str,
+                          smtp_reply_to_address: str,
                           bitwarden: BwCLI) -> None:
     """
     setup all zitadel related bitwarden items and refresh the appset secret plugin
@@ -366,6 +403,22 @@ def setup_bitwarden_items(argocd: ArgoCD,
             password="using-tls-now-so-we-do-not-need-a-password"
             )
 
+    # zitadel smtp credentials creation
+    smtp_host_obj = create_custom_field('host', smtp_host)
+    smtp_from_address_obj = create_custom_field('from_address', smtp_from_address)
+    smtp_from_name_obj = create_custom_field('from_name', smtp_from_name)
+    smtp_reply_to_address_obj = create_custom_field('reply_to_address', smtp_reply_to_address)
+    smtp_id = bitwarden.create_login(
+            name='zitadel-smtp-credentials',
+            item_url=zitadel_hostname,
+            user=smtp_user,
+            password=smtp_password,
+            fields=[smtp_host_obj,
+                    smtp_from_address_obj,
+                    smtp_from_name_obj,
+                    smtp_reply_to_address_obj]
+            )
+
     # create zitadel core key
     new_key = bitwarden.generate()
     core_id = bitwarden.create_login(name="zitadel-core-key",
@@ -376,6 +429,7 @@ def setup_bitwarden_items(argocd: ArgoCD,
     # update the zitadel values for the argocd appset
     argocd.update_appset_secret(
             {'zitadel_core_bitwarden_id': core_id,
+             'zitadel_smtp_credentials_bitwarden_id': smtp_id,
              'zitadel_postgres_credentials_bitwarden_id': db_id,
              'zitadel_s3_postgres_credentials_bitwarden_id': s3_id,
              'zitadel_s3_admin_credentials_bitwarden_id': s3_admin_id,
@@ -415,6 +469,14 @@ def refresh_bitwarden(argocd: ArgoCD,
             f"zitadel-postgres-s3-credentials-{zitadel_hostname}", False
             )[0]['id']
 
+    try:
+        smtp_id = bitwarden.get_item(
+                f"zitadel-smtp-credentials-{zitadel_hostname}", False
+                )[0]['id']
+    except Exception as e:
+        log.warn(e)
+        smtp_id = "Not applicable"
+
     core_id = bitwarden.get_item(
             f"zitadel-core-key-{zitadel_hostname}", False
             )[0]['id']
@@ -430,6 +492,7 @@ def refresh_bitwarden(argocd: ArgoCD,
     argocd.update_appset_secret(
             {
             'zitadel_core_bitwarden_id': core_id,
+            'zitadel_smtp_credentials_bitwarden_id': smtp_id,
             'zitadel_postgres_credentials_bitwarden_id': db_id,
             'zitadel_s3_postgres_credentials_bitwarden_id': s3_id,
             'zitadel_s3_backups_credentials_bitwarden_id': s3_backup_id,

smol_k8s_lab/k8s_apps/social/matrix.py

@@ -269,22 +269,6 @@ def refresh_bweso(argocd: ArgoCD, matrix_hostname: str, bitwarden: BwCLI):
 
     ## BEGIN BRIDGES
 
-    try:
-        hookshot_id = bitwarden.get_item(
-                f"matrix-hookshot-bridge-{matrix_hostname}", False
-                )[0]['id']
-    except TypeError:
-        log.info("No matrix hookshot bridge id found")
-        hookshot_id = "Not Applicable"
-
-    try:
-        hookshot_github_id = bitwarden.get_item(
-                f"matrix-hookshot-bridge-github-{matrix_hostname}", False
-                )[0]['id']
-    except TypeError:
-        log.info("No matrix hookshot github bridge id found")
-        hookshot_github_id = "Not Applicable"
-
     try:
         alertmanager_id = bitwarden.get_item(
                 f"matrix-alertmanager-bridge-{matrix_hostname}", False
@@ -382,8 +366,6 @@ def refresh_bweso(argocd: ArgoCD, matrix_hostname: str, bitwarden: BwCLI):
              'matrix_oidc_credentials_bitwarden_id': oidc_id['id'],
              'matrix_discord_bitwarden_id': discord_id,
              'matrix_alertmanager_bitwarden_id': alertmanager_id,
-             'matrix_hookshot_bitwarden_id': hookshot_id,
-             'matrix_hookshot_github_bitwarden_id': hookshot_github_id,
              'matrix_idp_name': idp_name,
              'matrix_idp_id': idp_id})
 
@@ -534,32 +516,6 @@ def setup_bitwarden_items(argocd: ArgoCD,
             password=matrix_registration_key
             )
 
-    # hookshot bot passkey.pem and as_token + hs_token
-    hookshot_passkey_pem = bitwarden.generate()
-    hookshot_as_token = bitwarden.generate()
-    hookshot_as_token_obj = create_custom_field("as_token", hookshot_as_token)
-    hookshot_hs_token = bitwarden.generate()
-    hookshot_hs_token_obj = create_custom_field("hs_token", hookshot_hs_token)
-    hookshot_id = bitwarden.create_login(
-            name='matrix-hookshot-bridge',
-            item_url=matrix_hostname,
-            user="none",
-            note=hookshot_passkey_pem,
-            fields=[hookshot_as_token_obj, hookshot_hs_token_obj]
-            )
-
-    # hookshot bot github credentials
-    github_client_id_obj = create_custom_field("oauth_client_id", github_client_id)
-    github_client_secret_obj = create_custom_field("oauth_client_secret", github_client_secret)
-    hookshot_github_id = bitwarden.create_login(
-            name='matrix-hookshot-bridge',
-            item_url=matrix_hostname,
-            user=github_app_id,
-            password=github_webhook_secret,
-            note=github_private_key,
-            fields=[github_client_id_obj, github_client_secret_obj]
-            )
-
     # alert manager bot as_token + hs_token
     alertmanager_as_token = bitwarden.generate()
     alertmanager_as_token_obj = create_custom_field("as_token", alertmanager_as_token)
@@ -650,8 +606,6 @@ def setup_bitwarden_items(argocd: ArgoCD,
              'matrix_oidc_credentials_bitwarden_id': oidc_id,
              'matrix_authentication_service_bitwarden_id': mas_id,
              'matrix_alertmanager_bitwarden_id': alertmanager_id,
-             'matrix_hookshot_bitwarden_id': hookshot_id,
-             'matrix_hookshot_github_bitwarden_id': hookshot_github_id,
              'matrix_discord_bitwarden_id': discord_id,
              'matrix_idp_name': idp_name,
              'matrix_idp_id': idp_id}