[GH-ISSUE #2197] Blueprint overwriting non configured settings #32162

Open
opened 2026-06-15 09:28:50 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @Hutch79 on GitHub (Jan 1, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2197

Describe the Bug

I use these labels on my compose stacks:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1

Since it states in the wiki, that configured blueprint settings will not overwrite UI settings, I'd expect this to not overwrite my UI role and sso-user configuration.
Unfortunately, on every redeploy, my roles and users get cleared out.
It may off course be that I misinterpreted the Docs.

I understand that these settings belong to each other, but when I have never set these labels, I'd still expect blueprints to not overwrite UI settings.

Docs AI Answer regarding this (I know AI is nowhere perfect and loves to invent stuff ^^')

If you only set sso-enabled: true and auto-login-idp in your blueprint, it will NOT overwrite your existing sso-users list. Blueprints only overwrite the specific fields you define in the compose labels. Fields you don't specify in the blueprint will retain their existing values from the UI.


Some background unrelated to the issue itself

Personally, I don't want to version my access control. I also want to be able to change access quickly and without redeploying the service.
Therefore, I do not want to define users or groups in my compose.

Despite that, I want to enable/disable the SSO via GitOps, since this is a change not done often.

Environment

  • OS Type & Version: Debian 13 (Pangonlin, gerbil, traefik, postgres - Running on external VPS) - NixOS 25.11 (Newt - Running in VM)
  • Pangolin Version:1.14.1 (image: fosrl/pangolin:postgresql-1.14)
  • Gerbil Version: 1.3.0 (image: fosrl/gerbil:1.3.0)
  • Traefik Version: 3.5 (image: traefik:v3.5)
  • Newt Version: 1.8.1 (image: fosrl/newt)

To Reproduce

  1. Set up a compose and add blueprint labels to enable SSO.
  2. Verify blueprint got applied
  3. Set at least one sso-user
  4. Redeploy your compose
  5. Verify sso-users got removed

Expected Behavior

Only overwrite properties explicitly set in blueprints.
When the
sso-users array is left empty, don't overwrite it.

Advanced Solution

When removing all previously configured sso-users from the config, it should clear the list.
Basically do a diff from old and new blueprint and apply this.

Old config:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1
- pangolin.public-resources.linkwardenauth.sso-users[0]=user1.example.ch
- pangolin.public-resources.linkwardenauth.sso-users[0]=user2.example.ch

new config:

- pangolin.public-resources.linkwarden.auth.sso-enabled=true
- pangolin.public-resources.linkwarden.auth.auto-login-idp=1
Originally created by @Hutch79 on GitHub (Jan 1, 2026). Original GitHub issue: https://github.com/fosrl/pangolin/issues/2197 ### Describe the Bug I use these labels on my compose stacks: ```yaml - pangolin.public-resources.linkwarden.auth.sso-enabled=true - pangolin.public-resources.linkwarden.auth.auto-login-idp=1 ``` Since it states in the wiki, that configured blueprint settings will not overwrite UI settings, I'd expect this to not overwrite my UI role and sso-user configuration. Unfortunately, on every redeploy, my roles and users get cleared out. It may off course be that I misinterpreted the Docs. I understand that these settings belong to each other, but when I have never set these labels, I'd still expect blueprints to not overwrite UI settings. Docs AI Answer regarding this (I know AI is nowhere perfect and loves to invent stuff ^^') > If you only set sso-enabled: true and auto-login-idp in your blueprint, it will NOT overwrite your existing sso-users list. Blueprints only overwrite the specific fields you define in the compose labels. Fields you don't specify in the blueprint will retain their existing values from the UI. --- Some background unrelated to the issue itself Personally, I don't want to version my access control. I also want to be able to change access quickly and without redeploying the service. Therefore, I do not want to define users or groups in my compose. Despite that, I want to enable/disable the SSO via GitOps, since this is a change not done often. ### Environment - OS Type & Version: Debian 13 (Pangonlin, gerbil, traefik, postgres - Running on external VPS) - NixOS 25.11 (Newt - Running in VM) - Pangolin Version:1.14.1 (image: fosrl/pangolin:postgresql-1.14) - Gerbil Version: 1.3.0 (image: fosrl/gerbil:1.3.0) - Traefik Version: 3.5 (image: traefik:v3.5) - Newt Version: 1.8.1 (image: fosrl/newt) ### To Reproduce 1. Set up a compose and add blueprint labels to enable SSO. 2. Verify blueprint got applied 3. Set at least one sso-user 4. Redeploy your compose 5. Verify sso-users got removed ### Expected Behavior Only overwrite properties explicitly set in blueprints. When the sso-users array is left empty, don't overwrite it. ## Advanced Solution When removing all previously configured sso-users from the config, it should clear the list. Basically do a diff from old and new blueprint and apply this. Old config: ```yaml - pangolin.public-resources.linkwarden.auth.sso-enabled=true - pangolin.public-resources.linkwarden.auth.auto-login-idp=1 - pangolin.public-resources.linkwardenauth.sso-users[0]=user1.example.ch - pangolin.public-resources.linkwardenauth.sso-users[0]=user2.example.ch ``` new config: ```yaml - pangolin.public-resources.linkwarden.auth.sso-enabled=true - pangolin.public-resources.linkwarden.auth.auto-login-idp=1 ```
GiteaMirror added the enhancement label 2026-06-15 09:28:50 -05:00
Author
Owner

@github-actions[bot] commented on GitHub (Jan 16, 2026):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

<!-- gh-comment-id:3757513755 --> @github-actions[bot] commented on GitHub (Jan 16, 2026): This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.
Author
Owner

@Hutch79 commented on GitHub (Jan 16, 2026):

This is a feature request. As long as there is no implementation or the devs say „not doing that“, you shall not close this.

<!-- gh-comment-id:3758446209 --> @Hutch79 commented on GitHub (Jan 16, 2026): This is a feature request. As long as there is no implementation or the devs say „not doing that“, you shall not close this.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#32162