diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
index 80e10db182..d8886de466 100644
--- a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
+++ b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl
@@ -149,17 +149,19 @@ metadata:
 name: identity-secret-for-components
 type: Opaque
 data:
- operate-secret:
- tasklist-secret:
- optimize-secret:
+ # Ideneity apps auth.
 connectors-secret:
 console-secret:
- keycloak-secret:
+ operate-secret:
+ optimize-secret:
+ tasklist-secret:
 zeebe-secret:
- admin-password: # used for keycloak
- management-password: # used for keycloak
+ # Ideneity Keycloak.
+ admin-password: .
+ # Ideneity Keycloak PostgreSQL.
 postgres-password: # used for postgresql admin password
 password: # used for postgresql user password
+ # Web Modeler.
 smtp-password: # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:
@@ -186,17 +188,19 @@ metadata:
 name: identity-secret-for-components
 type: Opaque
 data:
- operate-secret:
- tasklist-secret:
- optimize-secret:
+ # Ideneity apps auth.
 connectors-secret:
 console-secret:
- keycloak-secret:
+ operate-secret:
+ optimize-secret:
+ tasklist-secret:
 zeebe-secret:
- admin-password: # used for keycloak
- management-password: # used for keycloak
+ # Ideneity Keycloak.
+ admin-password: .
+ # Ideneity Keycloak PostgreSQL.
 postgres-password: # used for postgresql admin password
 password: # used for postgresql user password
+ # Web Modeler.
 smtp-password: # used for web modeler mail
 
 The following values inside your values.yaml need to be set but were not:
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml
new file mode 100644
index 0000000000..44d31c1ba6
--- /dev/null
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml
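Review bot: The operator-facing hint text gains the misspelling `Ideneity` three times per hunk (`# Ideneity apps auth.`, `# Ideneity Keycloak.`, `# Ideneity Keycloak PostgreSQL.`) and a stray period in `+ admin-password: .`, and since this listing is what a user copies into a hand-written Secret manifest, the period travels with it; spell it `Identity` and restore the comment form, i.e. `+  admin-password: # used for keycloak`. Both hunks in this file carry the same defects, and the same misspelling is in the comments of the new secret-camunda.yaml. The template that renders this text starts before the hunk.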
@@ -0,0 +1,80 @@
+{{- if .Values.global.secrets.autoGenerated }}
+# NOTE:
+# - This secret object is NOT managed with corresponding releases and NOR part of Helm deployment!
+# It's generated once, and if it's deleted, you will lose the secrets.
+# - This file is only for auto-generating secrets within the chart; don't add secrets for external resources.
+# - The Camunda Helm chart "existingSecret" syntax will be changed in the Camunda 8.8 releases.
+# More details: https://github.com/camunda/camunda-platform-helm/issues/1898
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.global.secrets.name }}
+ labels:
+ {{- include "camundaPlatform.labels" . | nindent 4 }}
+ annotations:
+ {{- include "common.tplvalues.merge" (dict
+ "values" (list .Values.global.annotations .Values.global.secrets.annotations)
+ "context" $) | nindent 4 }}
+type: Opaque
+data:
+ {{- $identityAuth := dict
+ "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
+ "console" (.Values.global.identity.auth.console.existingSecret).name
+ "operate" (.Values.global.identity.auth.operate.existingSecret).name
+ "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
+ "tasklist" (.Values.global.identity.auth.tasklist.existingSecret).name
+ "zeebe" (.Values.global.identity.auth.zeebe.existingSecret).name
+ }}
+ {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+ ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
+ }}
+ # Ideneity apps auth.
+ {{- if $identityAuth.connectors }}
+ identity-connectors-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.console }}
+ identity-console-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.operate }}
+ identity-operate-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.optimize }}
+ identity-optimize-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.tasklist }}
+ identity-tasklist-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.zeebe }}
+ identity-zeebe-client-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.identity.firstUser.existingSecret }}
+ # Identity login.
+ identity-user-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if and .Values.identityPostgresql.enabled .Values.identityPostgresql.auth.existingSecret }}
+ # Ideneity PostgreSQL.
+ identity-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+ identity-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.identityKeycloak.auth.existingSecret }}
+ # Ideneity Keycloak.
+ identity-keycloak-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.identityKeycloak.postgresql.auth.existingSecret }}
+ # Ideneity Keycloak PostgreSQL.
+ identity-keycloak-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+ identity-keycloak-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if and .Values.postgresql.enabled .Values.postgresql.auth.existingSecret }}
+ # WebModeler PostgreSQL.
+ webmodeler-postgresql-admin-password: "{{ randAlphaNum 16 | b64enc }}"
+ webmodeler-postgresql-user-password: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+{{- end }}
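Review bot: `(.Values.global.identity.auth.connectors.existingSecret).name` and the five sibling lookups in the `$identityAuth` dict dereference `.name` unconditionally, yet the rest of this commit treats `existingSecret` as either a map or a plain string (the `typeIs "string"` checks in identity/deployment.yaml) and values.yaml leaves it null; if I read the Go template semantics right, enabling `global.secrets.autoGenerated` with a string-form or default-null `existingSecret` fails at render time instead of skipping that entry. Guard each lookup with `kindIs "map"` before reading `.name`, mirroring the existing string checks, so a non-map value contributes an empty name. Separately, the generated data keys are fixed (`identity-connectors-client-password`, …) while every consumer in this commit reads `.existingSecretKey`, whose values.yaml default is `connectors-secret`; unless an operator overrides each `existingSecretKey` as the integration-test values do, pods reference keys this Secret never contains, so emitting the entry as `{{ .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"` keeps producer and consumers in sync. The comments also misspell `Identity` as `Ideneity` in four places.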
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
index 6ce2a97997..041fd06aa9 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.connectors.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.connectors.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
index be702baf6c..f9e438f1d0 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.console.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.console.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
 {{- end }}
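Review bot: The Secret data key is now the raw `{{ .Values.global.identity.auth.connectors.existingSecretKey }}`, so an operator who blanks that value (or an overlay that sets it to an empty string) renders a line with no key, which is not a usable Secret entry and fails far from the cause; wrapping it as `{{ required "global.identity.auth.connectors.existingSecretKey must be set" .Values.global.identity.auth.connectors.existingSecretKey }}:` fails with a clear message instead. The same pattern is in secret-console.yaml, secret-elasticsearch.yaml, secret-opensearch.yaml, secret-operate.yaml, secret-optimize.yaml, secret-tasklist.yaml, secret-zeebe.yaml and connectors/inbound-secret.yaml. Worth confirming whether `common.secrets.passwords.manage` tolerates an empty `key` argument, since the same value is passed there as well.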
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
index a2abbb0326..a1313561e4 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
@@ -6,5 +6,5 @@ metadata:
 annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
- password: {{ .Values.global.elasticsearch.auth.password | b64enc }}
+ {{ .Values.global.elasticsearch.auth.existingSecretKey }}: {{ .Values.global.elasticsearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
index eb8d7fdde7..4439faf8e6 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
@@ -6,5 +6,5 @@ metadata:
 annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
- password: {{ .Values.global.opensearch.auth.password | b64enc }}
+ {{ .Values.global.opensearch.auth.existingSecretKey }}: {{ .Values.global.opensearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
index 01f71da985..89ebf8c073 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
@@ -8,5 +8,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- operate-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "operate-secret" "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.operate.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.operate.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
index 39bf25c2a5..601ae3375e 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- optimize-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "optimize-secret" "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.optimize.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.optimize.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
index ce900a8b30..1b8ee38408 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- tasklist-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tasklist-secret" "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.tasklist.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
index f008a5895b..7ad61043e7 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- zeebe-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zeebe-secret" "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.zeebe.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
index aab2162023..265ff980e6 100644
--- a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
@@ -49,7 +49,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "connectors.authCredentialsSecretName" . }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- end }}
 {{- if .Values.global.identity.auth.enabled }}
 {{- if eq .Values.connectors.inbound.mode "oauth" }}
@@ -58,12 +58,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- end }}
 {{- end }}
 - name: ZEEBE_CLIENT_ID
@@ -73,12 +73,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_AUTHORIZATION_SERVER_URL
 value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}
diff --git a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
index 81215d2940..1f32bda6d3 100644
--- a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
+++ b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "connectors.labels" . | nindent 4 }}
 type: Opaque
 data:
- connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
+ {{ .Values.connectors.inbound.auth.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.connectors.inbound.auth.existingSecretKey "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
index 1eef2541e6..bd0d60ea32 100644
--- a/charts/camunda-platform-alpha/templates/identity/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -53,12 +53,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }}
- key: operate-secret
+ key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
- key: operate-secret
+ key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_INIT_CONSOLE_SECRET
 {{- if and .Values.global.identity.auth.console.existingSecret (not (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }}
@@ -70,12 +70,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }}
- key: console-secret
+ key: {{ .Values.global.identity.auth.console.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "console") }}
- key: console-secret
+ key: {{ .Values.global.identity.auth.console.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_INIT_TASKLIST_SECRET
 {{- if and .Values.global.identity.auth.tasklist.existingSecret (not (typeIs "string" .Values.global.identity.auth.tasklist.existingSecret)) }}
@@ -87,12 +87,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: "{{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }}"
- key: tasklist-secret
+ key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }}
- key: tasklist-secret
+ key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_INIT_OPTIMIZE_SECRET
 {{- if and .Values.global.identity.auth.optimize.existingSecret (not (typeIs "string" .Values.global.identity.auth.optimize.existingSecret)) }}
@@ -104,12 +104,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }}
- key: optimize-secret
+ key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }}
- key: optimize-secret
+ key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_INIT_WEBMODELER_ROOT_URL
 value: {{ tpl .Values.global.identity.auth.webModeler.redirectUrl $ | quote }}
@@ -131,12 +131,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
- key: connectors-secret
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_CLIENTS_0_ROOT_URL
 value: http://placeholder
@@ -160,12 +160,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- end }}
 - name: KEYCLOAK_CLIENTS_1_TYPE
 value: "M2M"
@@ -190,7 +190,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ .Values.identity.firstUser.existingSecret }}
- key: "identity-firstuser-password"
+ key: {{ .Values.identity.firstUser.existingSecretKey }}
 {{- else }}
 - name: KEYCLOAK_USERS_0_PASSWORD
 value: {{ .Values.identity.firstUser.password | quote }}
diff --git a/charts/camunda-platform-alpha/templates/operate/deployment.yaml b/charts/camunda-platform-alpha/templates/operate/deployment.yaml
index 03e3e2c495..f4bdbf3776 100644
--- a/charts/camunda-platform-alpha/templates/operate/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/operate/deployment.yaml
@@ -158,7 +158,7 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }}
- key: operate-secret
+ key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
@@ -168,7 +168,7 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
- key: operate-secret
+ key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_CLIENT_ID
 value: {{ tpl .Values.global.identity.auth.zeebe.clientId $ | quote }}
@@ -177,12 +177,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_AUTHORIZATION_SERVER_URL
 value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}
diff --git a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml
index 5c28ea86d6..a7073eef5c 100644
--- a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml
@@ -184,12 +184,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }}
- key: optimize-secret
+ key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }}
- key: optimize-secret
+ key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
 {{- end }}
 {{- end }}
 {{- if .Values.global.multitenancy.enabled }}
diff --git a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml
index 41bb96a5eb..654e2c8e44 100644
--- a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml
@@ -97,12 +97,12 @@ spec:
 and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
 */}}
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }}
- key: tasklist-secret
+ key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }}
- key: tasklist-secret
+ key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_CLIENT_ID
 value: {{ tpl .Values.global.identity.auth.zeebe.clientId $ | quote }}
@@ -111,12 +111,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_AUTHORIZATION_SERVER_URL
 value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}
diff --git a/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml
index fec822a068..3838f64ef9 100644
--- a/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml
+++ b/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml
@@ -11,10 +11,10 @@ metadata:
 type: Opaque
 data:
 {{- if $useExternalDatabasePassword }}
- database-password: {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }}
+ {{ .Values.webModeler.restapi.externalDatabase.existingSecretPasswordKey }} : {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }}
 {{- end }}
 {{- if $useSmtpPassword }}
- smtp-password: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }}
+ {{ .Values.webModeler.restapi.mail.existingSecretPasswordKey }}: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }}
 {{- end }}
 {{- end }}
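Review bot: The rewritten database line puts a space before the colon, `{{ .Values.webModeler.restapi.externalDatabase.existingSecretPasswordKey }} : {{ ... }}`, while the smtp line two lines below does not; YAML tolerates it but it reads as a typo and yamllint's `colons` rule flags it, so drop the space. The key names `existingSecretPasswordKey` also differ from the `existingSecretKey` used for every other component in this commit, and the values.yaml hunks in this diff do not add them under `webModeler.restapi.externalDatabase` or `webModeler.restapi.mail`; if they are not defined elsewhere, both keys render empty. Pre-existing but kept on the new lines: when `existingSecret` is set, its value is what `| default ... | b64enc` encodes as the password, which is only correct if `$useExternalDatabasePassword` and `$useSmtpPassword` (defined above the hunk) already exclude that case. The enclosing template starts before the hunk.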
diff --git a/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml b/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
index cc34e50b24..3955adefea 100644
--- a/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
+++ b/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
@@ -1,4 +1,6 @@
 global:
+ secrets:
+ autoGenerated: true
 ingress:
 enabled: true
 className: nginx
@@ -16,44 +18,51 @@ global:
 publicIssuerUrl: "https://{{ .Values.global.ingress.host }}/auth/realms/camunda-platform"
 connectors:
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-connectors-client-password"
 console:
 redirectUrl: "https://{{ .Values.global.ingress.host }}"
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-console-client-password"
 operate:
 redirectUrl: "https://{{ .Values.global.ingress.host }}/operate"
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-operate-client-password"
 tasklist:
 redirectUrl: "https://{{ .Values.global.ingress.host }}/tasklist"
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-tasklist-client-password"
 optimize:
 redirectUrl: "https://{{ .Values.global.ingress.host }}/optimize"
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-optimize-client-password"
 webModeler:
 redirectUrl: "https://{{ .Values.global.ingress.host }}/modeler"
 zeebe:
 existingSecret:
- name: "integration-test"
+ name: "camunda-credentials-autogen"
+ existingSecretKey: "identity-zeebe-client-password"
 
 identity:
 contextPath: "/identity"
 firstUser:
- existingSecret: "integration-test"
+ existingSecret: "camunda-credentials-autogen"
+ existingSecretKey: "identity-user-password"
 
 identityKeycloak:
 postgresql:
 auth:
- existingSecret: "integration-test"
+ existingSecret: "camunda-credentials-autogen"
+ secretKeys:
+ adminPasswordKey: "identity-keycloak-postgresql-admin-password"
+ userPasswordKey: "identity-keycloak-postgresql-user-password"
 auth:
- existingSecret: "integration-test"
-
-identityPostgresql:
- auth:
- existingSecret: "integration-test"
+ existingSecret: "camunda-credentials-autogen"
+ passwordSecretKey: "identity-keycloak-admin-password"
 
 operate:
 contextPath: "/operate"
@@ -78,14 +87,15 @@ webModeler:
 mail:
 # This value is required, otherwise the restapi pod wouldn't start.
 fromAddress: noreply@example.com
- existingSecret:
- name: "integration-test"
 
 # WebModeler Database.
 postgresql:
 enabled: true
 auth:
- existingSecret: "integration-test"
+ existingSecret: "camunda-credentials-autogen"
+ secretKeys:
+ adminPasswordKey: "webmodeler-postgresql-admin-password"
+ userPasswordKey: "webmodeler-postgresql-user-password"
 
 zeebeGateway:
 contextPath: "/zeebe"
diff --git a/charts/camunda-platform-alpha/values.yaml b/charts/camunda-platform-alpha/values.yaml
index d6374b1942..522d7879b8 100644
--- a/charts/camunda-platform-alpha/values.yaml
+++ b/charts/camunda-platform-alpha/values.yaml
@@ -37,6 +37,14 @@
 ## @section Global parameters
 ## @extra global
 global:
+ secrets:
+ ## @param global.secrets.autoGenerated TBA
+ autoGenerated: false
+ name: "camunda-credentials-autogen"
+ annotations:
+ helm.sh/hook: 'pre-install'
+ helm.sh/resource-policy: 'keep'
+
 ## License configuration.
 ## @extra global.license
 license:
@@ -123,7 +131,7 @@ global:
 username:
 password:
 existingSecret:
- existingSecretKey:
+ existingSecretKey: "password"
 ## @param global.elasticsearch.disableExporter DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled
 disableExporter: false
 ## @extra global.elasticsearch.url Configuration to configure elasticsearch url
@@ -161,7 +169,7 @@ global:
 username:
 password:
 existingSecret:
- existingSecretKey:
+ existingSecretKey: "password"
 ## @extra global.opensearch.url Configuration to configure opensearch url
 ## @param global.opensearch.url.protocol defines the external opensearch access protocol
 ## @param global.opensearch.url.host defines the external opensearch host, ideally the service name inside the namespace
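Review bot: `## @param global.secrets.autoGenerated TBA` ships a placeholder into the generated README, and `global.secrets.name` and `global.secrets.annotations` get no `@param`/`@extra` line at all. Suggested wording: `## @param global.secrets.autoGenerated Generate random credentials once, in a pre-install hook, into the Secret named by global.secrets.name for the components whose existingSecret points at it; the Secret is kept on uninstall and is not re-rendered on upgrade`, `## @param global.secrets.name Name of the auto-generated Secret`, and `## @extra global.secrets.annotations Annotations of the auto-generated Secret; the hook annotations are what keep it outside the release`. One caveat to confirm: Helm's default `helm.sh/hook-delete-policy` is `before-hook-creation`, so on a reinstall into a namespace that still holds the kept Secret the pre-install hook may delete and regenerate every credential despite `helm.sh/resource-policy: 'keep'`; if that holds, document it or set the delete policy explicitly.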
@@ -231,8 +239,8 @@ global:
 ## @param global.identity.auth.connectors.clientId defines the client id, which is used by Connectors in authentication flows.
 clientId: connectors
 ## @param global.identity.auth.connectors.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `connectors-secret` field, which will be used as secret for the identity-Connectors communication.
 existingSecret:
+ existingSecretKey: connectors-secret
 
 ## @extra global.identity.auth.identity configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts
 identity:
@@ -241,8 +249,8 @@ global:
 ## @param global.identity.auth.identity.audience defines the audience, which is used by Identity.
 audience: camunda-identity-resource-server
 ## @param global.identity.auth.identity.existingSecret can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated.
- # The existing secret should contain an `identity-secret` field, which will be used as secret for the identity-identity communication.
 existingSecret:
+ existingSecretKey: identity-secret
 ## @param global.identity.auth.identity.redirectUrl defines the redirect URL, which is used by the auth platform to access Identity.
 # Should be publicly accessible, the default value works if a port-forward to Identity is created to 8085.
 # Can be overwritten if ingress is in use and an external IP is available.
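Review bot: The removed comment was the only place telling operators which key the existing Secret must contain, and the new `existingSecretKey: connectors-secret` line gets no `## @param` entry, so the generated README loses that information; add `## @param global.identity.auth.connectors.existingSecretKey defines the key in the existing secret that holds the Connectors client secret.` directly above it. The same gap applies to the identity entry in the second hunk here and to the operate, tasklist, optimize, console and zeebe hunks that follow, as well as to `identity.firstUser.existingSecretKey`, `identityPostgresql.auth.secretKeys` and `identityKeycloak.postgresql.auth.secretKeys` later in this file. The value is written unquoted here while `identity.firstUser.existingSecretKey` is quoted; both are valid, but quoting the key names consistently protects a future value from being retyped by the parser.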
@@ -260,8 +268,8 @@ global:
 ## @param global.identity.auth.operate.audience defines the audience, which is used by Operate.
 audience: operate-api
 ## @param global.identity.auth.operate.existingSecret can be used to reference an existing secret. If not set, a random secret is generated.
- # The existing secret should contain an `operate-secret` field, which will be used as secret for the identity-Operate communication.
 existingSecret:
+ existingSecretKey: operate-secret
 ## @param global.identity.auth.operate.redirectUrl defines the redirect URL, which is used by Keycloak to access Operate.
 # Should be publicly accessible, the default value works if a port-forward to Operate is created to 8081.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -274,8 +282,8 @@ global:
 ## @param global.identity.auth.tasklist.audience defines the audience, which is used by Tasklist.
 audience: tasklist-api
 ## @param global.identity.auth.tasklist.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `tasklist-secret` field, which will be used as secret for the identity-Tasklist communication.
 existingSecret:
+ existingSecretKey: tasklist-secret
 ## @param global.identity.auth.tasklist.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.
 # Should be publicly accessible, the default value works if a port-forward to Tasklist is created to 8082.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -288,8 +296,8 @@ global:
 ## @param global.identity.auth.optimize.audience defines the audience, which is used by Optimize.
 audience: optimize-api
 ## @param global.identity.auth.optimize.existingSecret can be used to use an own existing secret. If not set a random secret is generated. 
- # The existing secret should contain an `optimize-secret` field, which will be used as secret for the identity-Optimize communication.
 existingSecret: 
+ existingSecretKey: optimize-secret
 ## @param global.identity.auth.optimize.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Optimize.
 # Should be publicly accessible, the default value works if a port-forward to Optimize is created to 8083.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -317,8 +325,8 @@ global:
 ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
 wellKnown: https://well-known-uri
 ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated. 
- # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
 existingSecret: 
+ existingSecretKey: console-secret
 ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access WebModeler.
 # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8080.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -329,8 +337,8 @@ global:
 ## @param global.identity.auth.zeebe.clientId defines the client id, which is used by Zeebe in authentication flows.
 clientId: zeebe
 ## @param global.identity.auth.zeebe.existingSecret can be used to use an own existing secret. If not set a random secret is generated. 
- # The existing secret should contain an `zeebe-secret` field, which will be used as secret for the Identity-Zeebe communication.
 existingSecret: 
+ existingSecretKey: zeebe-secret
 ## @param global.identity.auth.zeebe.audience defines the audience, which is used by Zeebe.
 audience: zeebe-api
 ## @param global.identity.auth.zeebe.tokenScope defines the token scope, which is used by Zeebe.
@@ -1991,8 +1999,8 @@ identity:
 ## @param identity.firstUser.lastName defines the last name of the first user; a name is required to use WebModeler
 lastName: User
 ## @param identity.firstUser.existingSecret can be used to use an own existing secret for Identity first user. 
- # Currently, only password field is supported via "identity-firstuser-password" key in the secret resource.
 existingSecret: "" 
+ existingSecretKey: "identity-firstuser-password"
 ## @extra identity.image configuration to configure the identity image specifics
 image:
@@ -2263,6 +2271,9 @@ identityPostgresql:
 ## @param identityPostgresql.auth.existingSecret Name of an existing secret resource containing the database credentials
 ##
 existingSecret: 
+ secretKeys: 
+ adminPasswordKey: "postgres-password" 
+ userPasswordKey: "password"
 # Identity. # # ###### # # #### # #### ## # #
@@ -2295,6 +2306,11 @@ identityKeycloak:
 repository: bitnami/postgresql
 ## @param identityKeycloak.postgresql.image.tag image tag
 tag: 15.8.0 
+ auth: 
+ existingSecret: 
+ secretKeys: 
+ adminPasswordKey: "postgres-password" 
+ userPasswordKey: "password"
 primary:
 ## @param identityKeycloak.postgresql.primary.containerSecurityContext.enabled
 ## @param identityKeycloak.postgresql.primary.containerSecurityContext.privileged
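Review bot: In the `identity.firstUser` hunk the new value is written as `existingSecretKey: "identity-firstuser-password"`, while the six `global.identity.auth.*.existingSecretKey` values added in this same commit are plain scalars; none of these names needs quoting, so the file should settle on one form. The removed `# Currently, only password field is supported via "identity-firstuser-password" key ...` comment also carried a scope restriction (only the password is taken from the secret) that is now lost; keep it as `## @param identity.firstUser.existingSecretKey defines the key in the existing secret that holds the first user's password; only the password is read from the secret.` if that restriction still holds.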
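Review bot: In the `identityKeycloak.postgresql` hunk the new `auth.existingSecret:` is a bare key, which YAML parses as null rather than an empty string, and none of the five added keys has a `## @param` line even though the neighbouring `identityKeycloak.postgresql.image.tag` does. If the Bitnami PostgreSQL subchart treats null and `""` alike this is harmless, but writing `existingSecret: ""` matches the `postgresql.auth.existingSecret: ""` form used later in this file and avoids the ambiguity. Document the new keys along the lines of `## @param identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey key in the existing secret that holds the PostgreSQL admin password` and `## @param identityKeycloak.postgresql.auth.secretKeys.userPasswordKey key in the existing secret that holds the PostgreSQL user password`; the same applies to the `identityPostgresql.auth.secretKeys` hunk on this line and the `postgresql.auth.secretKeys` hunk on the next.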
@@ -2454,6 +2470,7 @@ identityKeycloak:
 ## @param identityKeycloak.auth.existingSecret can be used to reuse an existing secret containing authentication information.
 # See https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ for more details.
 existingSecret: "" 
+ passwordSecretKey: ""
 #######################################################################
@@ -2524,7 +2541,7 @@ webModeler:
 ## @param webModeler.restapi.externalDatabase.existingSecret can be used to provide the name of an existing secret resource containing the database password
 existingSecret:
 ## @param webModeler.restapi.externalDatabase.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the database password 
- existingSecretPasswordKey: "" 
+ existingSecretPasswordKey: "database-password"
 ## @extra webModeler.restapi.mail configuration for emails sent by WebModeler
 mail:
@@ -2541,7 +2558,7 @@ webModeler:
 ## @param webModeler.restapi.mail.existingSecret can be used to provide the name of an existing secret resource containing the SMTP password
 existingSecret:
 ## @param webModeler.restapi.mail.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the SMTP password 
- existingSecretPasswordKey: "" 
+ existingSecretPasswordKey: "smtp-password"
 ## @param webModeler.restapi.mail.fromAddress defines the email address that will be displayed as the sender of emails sent by WebModeler
 # NOTE: This value is mandatory.
 fromAddress: ""
@@ -3095,6 +3112,9 @@ postgresql:
 database: web-modeler
 ## @param postgresql.auth.existingSecret can be used to provide the name of an existing secret resource containing the database password
 existingSecret: "" 
+ secretKeys: 
+ adminPasswordKey: "postgres-password" 
+ userPasswordKey: "password"
 primary:
 containerSecurityContext:
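Review bot: `passwordSecretKey: ""` in the `identityKeycloak.auth` hunk is the one new `*Key` value in this commit that gets neither a `## @param` line nor a concrete default, so a reader cannot tell which key the Keycloak admin password is read from when it stays empty. Add `## @param identityKeycloak.auth.passwordSecretKey key in the existing secret that holds the Keycloak admin password; when empty, the subchart's default key is used.` (adjusting the fallback wording to what the Bitnami Keycloak chart actually does, which this diff does not show). If the intended default is the `admin-password` key the chart generates, set it here explicitly like the other new keys.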
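Review bot: The two `webModeler.restapi` hunks change `existingSecretPasswordKey` from `""` to `"database-password"` and `"smtp-password"`, which alters the key read for any user who set `existingSecret` and relied on the previous empty value, unless the deployment template already fell back to exactly these names (the template is not in this diff, so that cannot be confirmed here). If the fallback differed, this is a silent credential lookup change on upgrade and deserves an entry in the upgrade notes; if it was the same, a short remark such as `# Matches the key name previously used as the template default.` next to each line would make that clear to the next reader.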
@@ -3139,6 +3159,7 @@ connectors:
 auth:
 ## @param connectors.inbound.auth.existingSecret can be used to configure Secret name that contains Operate password (if inbound mode is credentials)
 existingSecret: "" 
+ existingSecretKey: "connectors-secret"
 ## @extra connectors.image configuration to configure the Connectors image specifics
 # https://hub.docker.com/r/camunda/connectors-bundle/tags
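Review bot: The `## @param` line above describes a secret that holds the Operate password for inbound credentials mode, yet the new default `existingSecretKey: "connectors-secret"` is the same key name this commit assigns to the Identity Connectors client secret via `global.identity.auth.connectors.existingSecretKey`, so the default appears to point credentials mode at a client secret rather than a user password. If the two are intentionally read from the same generated key, say so; otherwise the default should be a key that actually names the Operate password. Either way the new line needs its own annotation, e.g. `## @param connectors.inbound.auth.existingSecretKey defines the key in the existing secret that holds the Operate password used in inbound credentials mode.`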