wip

Signed-off-by: Ahmed AbouZaid <[email protected]>
camunda · Aug 23, 2024 · f42b915 · f42b915
1 parent cf50ee3
commit f42b915
Show file tree

Hide file tree

Showing 19 changed files with 194 additions and 79 deletions.
diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
@@ -149,17 +149,19 @@ metadata:
   name: identity-secret-for-components
 type: Opaque
 data:
-  operate-secret: <base64-encoded-secret>
-  tasklist-secret: <base64-encoded-secret>
-  optimize-secret: <base64-encoded-secret>
+  # Ideneity apps auth.
   connectors-secret: <base64-encoded-secret>
   console-secret: <base64-encoded-secret>
-  keycloak-secret: <base64-encoded-secret>
+  operate-secret: <base64-encoded-secret>
+  optimize-secret: <base64-encoded-secret>
+  tasklist-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
-  admin-password: <base64-encoded-secret> # used for keycloak
-  management-password: <base64-encoded-secret> # used for keycloak
+  # Ideneity Keycloak.
+  admin-password: <base64-encoded-secret>.
+  # Ideneity Keycloak PostgreSQL.
   postgres-password: <base64-encoded-secret> # used for postgresql admin password
   password: <base64-encoded-secret> # used for postgresql user password
+  # Web Modeler.
   smtp-password: <base64-encoded-secret> # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:
@@ -186,17 +188,19 @@ metadata:
   name: identity-secret-for-components
 type: Opaque
 data:
-  operate-secret: <base64-encoded-secret>
-  tasklist-secret: <base64-encoded-secret>
-  optimize-secret: <base64-encoded-secret>
+  # Ideneity apps auth.
   connectors-secret: <base64-encoded-secret>
   console-secret: <base64-encoded-secret>
-  keycloak-secret: <base64-encoded-secret>
+  operate-secret: <base64-encoded-secret>
+  optimize-secret: <base64-encoded-secret>
+  tasklist-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
-  admin-password: <base64-encoded-secret> # used for keycloak
-  management-password: <base64-encoded-secret> # used for keycloak
+  # Ideneity Keycloak.
+  admin-password: <base64-encoded-secret>.
+  # Ideneity Keycloak PostgreSQL.
   postgres-password: <base64-encoded-secret> # used for postgresql admin password
   password: <base64-encoded-secret> # used for postgresql user password
+  # Web Modeler.
   smtp-password: <base64-encoded-secret> # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:

diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml
@@ -0,0 +1,80 @@
+{{- if .Values.global.secrets.autoGenerated }}
+# NOTE:
+# - This secret object is NOT managed with corresponding releases and NOR part of Helm deployment!
+#   It's generated once, and if it's deleted, you will lose the secrets.
+# - This file is only for auto-generating secrets within the chart; don't add secrets for external resources.
+# - The Camunda Helm chart "existingSecret" syntax will be changed in the Camunda 8.8 releases.
+#   More details: https://github.com/camunda/camunda-platform-helm/issues/1898
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.global.secrets.name }}
+  labels:
+    {{- include "camundaPlatform.labels" . | nindent 4 }}
+  annotations:
+    {{- include "common.tplvalues.merge" (dict
+      "values" (list .Values.global.annotations .Values.global.secrets.annotations)
+      "context" $) | nindent 4 }}
+type: Opaque
+data:
+  {{- $identityAuth := dict
+    "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
+    "console" (.Values.global.identity.auth.console.existingSecret).name
+    "operate" (.Values.global.identity.auth.operate.existingSecret).name
+    "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
+    "tasklist" (.Values.global.identity.auth.tasklist.existingSecret).name
+    "zeebe" (.Values.global.identity.auth.zeebe.existingSecret).name
+  }}
+  {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+            ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
+  }}
+  # Ideneity apps auth.
+  {{- if $identityAuth.connectors }}
+  identity-connectors-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.console }}
+  identity-console-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.operate }}
+  identity-operate-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.optimize }}
+  identity-optimize-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.tasklist }}
+  identity-tasklist-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.zeebe }}
+  identity-zeebe-client-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.identity.firstUser.existingSecret }}
+  # Identity login.
+  identity-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if and .Values.identityPostgresql.enabled .Values.identityPostgresql.auth.existingSecret }}
+  # Ideneity PostgreSQL.
+  identity-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  identity-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identityKeycloak.auth.existingSecret }}
+  # Ideneity Keycloak.
+  identity-keycloak-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identityKeycloak.postgresql.auth.existingSecret }}
+  # Ideneity Keycloak PostgreSQL.
+  identity-keycloak-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  identity-keycloak-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if and .Values.postgresql.enabled .Values.postgresql.auth.existingSecret }}
+  # WebModeler PostgreSQL.
+  webmodeler-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+  webmodeler-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+{{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.connectors.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.connectors.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.console.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.console.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
@@ -6,5 +6,5 @@ metadata:
   annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
-  password: {{ .Values.global.elasticsearch.auth.password | b64enc }}
+  {{ .Values.global.elasticsearch.auth.existingSecretKey }}: {{ .Values.global.elasticsearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
@@ -6,5 +6,5 @@ metadata:
   annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
-  password: {{ .Values.global.opensearch.auth.password | b64enc }}
+  {{ .Values.global.opensearch.auth.existingSecretKey }}: {{ .Values.global.opensearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
@@ -8,5 +8,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  operate-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "operate-secret" "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.operate.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.operate.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  optimize-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "optimize-secret" "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.optimize.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.optimize.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  tasklist-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tasklist-secret" "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.tasklist.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  zeebe-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zeebe-secret" "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.zeebe.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
@@ -49,7 +49,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "connectors.authCredentialsSecretName" . }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
           {{- end }}
           {{- if .Values.global.identity.auth.enabled }}
             {{- if eq .Values.connectors.inbound.mode "oauth" }}
@@ -58,12 +58,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- end }}
             {{- end }}
             - name: ZEEBE_CLIENT_ID
@@ -73,12 +73,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- end }}
             - name: ZEEBE_AUTHORIZATION_SERVER_URL
               value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}

diff --git a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "connectors.labels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
+  {{ .Values.connectors.inbound.auth.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.connectors.inbound.auth.existingSecretKey "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -53,12 +53,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_CONSOLE_SECRET
               {{- if and .Values.global.identity.auth.console.existingSecret (not (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }}
@@ -70,12 +70,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }}
-                  key: console-secret
+                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "console") }}
-                  key: console-secret
+                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_TASKLIST_SECRET
               {{- if and .Values.global.identity.auth.tasklist.existingSecret (not (typeIs "string" .Values.global.identity.auth.tasklist.existingSecret)) }}
@@ -87,12 +87,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: "{{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }}"
-                  key: tasklist-secret
+                  key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }}
-                  key: tasklist-secret
+                  key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_OPTIMIZE_SECRET
               {{- if and .Values.global.identity.auth.optimize.existingSecret (not (typeIs "string" .Values.global.identity.auth.optimize.existingSecret)) }}
@@ -104,12 +104,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_WEBMODELER_ROOT_URL
               value: {{ tpl .Values.global.identity.auth.webModeler.redirectUrl $ | quote }}
@@ -131,12 +131,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
-                  key: connectors-secret
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_CLIENTS_0_ROOT_URL
               value: http://placeholder
@@ -160,12 +160,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_CLIENTS_1_TYPE
               value: "M2M"
@@ -190,7 +190,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.identity.firstUser.existingSecret }}
-                  key: "identity-firstuser-password"
+                  key: {{ .Values.identity.firstUser.existingSecretKey }}
             {{- else }}
             - name: KEYCLOAK_USERS_0_PASSWORD
               value: {{ .Values.identity.firstUser.password | quote }}