wip

Signed-off-by: Ahmed AbouZaid <[email protected]>
camunda · Aug 23, 2024 · b4b078e · b4b078e
1 parent cf50ee3
commit b4b078e
Show file tree

Hide file tree

Showing 14 changed files with 131 additions and 27 deletions.
diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
@@ -149,17 +149,19 @@ metadata:
   name: identity-secret-for-components
 type: Opaque
 data:
-  operate-secret: <base64-encoded-secret>
-  tasklist-secret: <base64-encoded-secret>
-  optimize-secret: <base64-encoded-secret>
+  # Ideneity apps auth.
   connectors-secret: <base64-encoded-secret>
   console-secret: <base64-encoded-secret>
-  keycloak-secret: <base64-encoded-secret>
+  operate-secret: <base64-encoded-secret>
+  optimize-secret: <base64-encoded-secret>
+  tasklist-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
-  admin-password: <base64-encoded-secret> # used for keycloak
-  management-password: <base64-encoded-secret> # used for keycloak
+  # Ideneity Keycloak.
+  admin-password: <base64-encoded-secret>.
+  # Ideneity Keycloak PostgreSQL.
   postgres-password: <base64-encoded-secret> # used for postgresql admin password
   password: <base64-encoded-secret> # used for postgresql user password
+  # Web Modeler.
   smtp-password: <base64-encoded-secret> # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:
@@ -186,17 +188,19 @@ metadata:
   name: identity-secret-for-components
 type: Opaque
 data:
-  operate-secret: <base64-encoded-secret>
-  tasklist-secret: <base64-encoded-secret>
-  optimize-secret: <base64-encoded-secret>
+  # Ideneity apps auth.
   connectors-secret: <base64-encoded-secret>
   console-secret: <base64-encoded-secret>
-  keycloak-secret: <base64-encoded-secret>
+  operate-secret: <base64-encoded-secret>
+  optimize-secret: <base64-encoded-secret>
+  tasklist-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
-  admin-password: <base64-encoded-secret> # used for keycloak
-  management-password: <base64-encoded-secret> # used for keycloak
+  # Ideneity Keycloak.
+  admin-password: <base64-encoded-secret>.
+  # Ideneity Keycloak PostgreSQL.
   postgres-password: <base64-encoded-secret> # used for postgresql admin password
   password: <base64-encoded-secret> # used for postgresql user password
+  # Web Modeler.
   smtp-password: <base64-encoded-secret> # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:

diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml
@@ -0,0 +1,72 @@
+{{- if .Values.global.secrets.autoGenerated }}
+# NOTE:
+# - This secret object is NOT managed with corresponding releases and NOT part of Helm deployment!
+#   It's generated once and if it's deleted you will lose the secrets.
+# - This file is only for auto-generate secrets within the chart, don't add secrets for external resources.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.global.secrets.name }}
+  labels:
+    {{- include "camundaPlatform.labels" . | nindent 4 }}
+  annotations:
+    {{- include "common.tplvalues.merge" (dict
+      "values" (list .Values.global.annotations .Values.global.secrets.annotations)
+      "context" $) | nindent 4 }}
+type: Opaque
+data:
+  {{- $identityAuth := dict
+    "connectors" .Values.global.identity.auth.connectors.existingSecret
+    "console" .Values.global.identity.auth.console.existingSecret
+    "operate" .Values.global.identity.auth.operate.existingSecret
+    "optimize" .Values.global.identity.auth.optimize.existingSecret
+    "tasklist" .Values.global.identity.auth.tasklist.existingSecret
+    "zeebe" .Values.global.identity.auth.zeebe.existingSecret
+  }}
+  {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+            ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
+  }}
+  # Ideneity apps auth.
+  {{- if $identityAuth.connectors }}
+  identity-connectors-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.console }}
+  identity-console-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.operate }}
+  identity-operate-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.optimize }}
+  identity-optimize-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.tasklist }}
+  identity-tasklist-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.zeebe }}
+  identity-zeebe-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.identity.firstUser.existingSecret }}
+  # Identity login.
+  identity-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if and .Values.identityPostgresql.enabled .Values.identityPostgresql.auth.existingSecret }}
+  # Ideneity PostgreSQL.
+  identity-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  identity-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identityKeycloak.auth.existingSecret }}
+  # Ideneity Keycloak.
+  identity-keycloak-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identityKeycloak.postgresql.auth.existingSecret }}
+  # Ideneity Keycloak PostgreSQL.
+  identity-keycloak-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  identity-keycloak-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+{{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.connectors.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.connectors.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.console.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.console.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
@@ -6,5 +6,5 @@ metadata:
   annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
-  password: {{ .Values.global.elasticsearch.auth.password | b64enc }}
+  {{ .Values.global.elasticsearch.auth.existingSecretKey }}: {{ .Values.global.elasticsearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
@@ -6,5 +6,5 @@ metadata:
   annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
-  password: {{ .Values.global.opensearch.auth.password | b64enc }}
+  {{ .Values.global.opensearch.auth.existingSecretKey }}: {{ .Values.global.opensearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
@@ -8,5 +8,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  operate-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "operate-secret" "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.operate.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.operate.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  optimize-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "optimize-secret" "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.optimize.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.optimize.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  tasklist-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tasklist-secret" "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.tasklist.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  zeebe-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zeebe-secret" "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.zeebe.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "connectors.labels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
+  {{ .Values.connectors.inbound.auth.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.connectors.inbound.auth.existingSecretKey "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -190,7 +190,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.identity.firstUser.existingSecret }}
-                  key: "identity-firstuser-password"
+                  key: {{ .Values.identity.firstUser.existingSecretKey }}
             {{- else }}
             - name: KEYCLOAK_USERS_0_PASSWORD
               value: {{ .Values.identity.firstUser.password | quote }}

diff --git a/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml
@@ -11,10 +11,10 @@ metadata:
 type: Opaque
 data:
   {{- if $useExternalDatabasePassword }}
-  database-password: {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }}
+  {{ .Values.webModeler.restapi.externalDatabase.existingSecretPasswordKey }} : {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }}
   {{- end }}
   {{- if $useSmtpPassword }}
-  smtp-password: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }}
+  {{ .Values.webModeler.restapi.mail.existingSecretPasswordKey }}: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }}
   {{- end }}
 
 {{- end }}