[TASK] Simplify deployment upgrade with Identity enabled #403

Closed
aabouzaid opened this issue Sep 8, 2022 · 4 comments
aabouzaid commented Sep 8, 2022

Describe the use case:

Currently, as in Camunda Platform v8.0 and Helm chart v8.0.13, when Camunda Identity is enabled, the deployment upgrade is not smooth and needs many manual steps to be done.

In action:

# Read the current (auto-generated) secret values from the cluster.
export TASKLIST_SECRET="$(kubectl get secret "<RELEASE_NAME>-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)"
export OPTIMIZE_SECRET="$(kubectl get secret "<RELEASE_NAME>-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)"
export OPERATE_SECRET="$(kubectl get secret "<RELEASE_NAME>-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)"
export CONNECTORS_SECRET="$(kubectl get secret "<RELEASE_NAME>-connectors-identity-secret" -o jsonpath="{.data.connectors-secret}" | base64 --decode)"
export KEYCLOAK_ADMIN_SECRET="$(kubectl get secret "<RELEASE_NAME>-keycloak" -o jsonpath="{.data.admin-password}" | base64 --decode)"
export ZEEBE_SECRET="$(kubectl get secret "<RELEASE_NAME>-zeebe-identity-secret" -o jsonpath="{.data.zeebe-secret}" | base64 --decode)"
export KEYCLOAK_MANAGEMENT_SECRET="$(kubectl get secret "<RELEASE_NAME>-keycloak" -o jsonpath="{.data.management-password}" | base64 --decode)"
export POSTGRESQL_SECRET="$(kubectl get secret "<RELEASE_NAME>-postgresql" -o jsonpath="{.data.postgres-password}" | base64 --decode)"

# Pass the same values back so the upgrade does not regenerate them.
# The variables are quoted so values with spaces or shell metacharacters survive.
helm upgrade <RELEASE_NAME> camunda/camunda-platform \
  --set global.identity.auth.tasklist.existingSecret="$TASKLIST_SECRET" \
  --set global.identity.auth.optimize.existingSecret="$OPTIMIZE_SECRET" \
  --set global.identity.auth.operate.existingSecret="$OPERATE_SECRET" \
  --set global.identity.auth.connectors.existingSecret="$CONNECTORS_SECRET" \
  --set global.identity.auth.zeebe.existingSecret="$ZEEBE_SECRET" \
  --set identity.keycloak.auth.adminPassword="$KEYCLOAK_ADMIN_SECRET" \
  --set identity.keycloak.auth.managementPassword="$KEYCLOAK_MANAGEMENT_SECRET" \
  --set identity.keycloak.postgresql.auth.password="$POSTGRESQL_SECRET"

Describe the enhancement/feature:
We need to enhance that probably by preserving the secrets during the upgrade.

Desired outcome and acceptance tests:

  • Deployment upgrades should be done without (or with minimal) manual interactions.

Related tickets

  • SUPPORT-18598 [not as a direct issue, but underlined the importance of it]

Other related issues

@aabouzaid aabouzaid added the kind/enhancement New feature or request label Sep 8, 2022
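
The manual steps in the issue above, wrapped as an added example (not part of the issue or of the Camunda chart): it reads the same Secrets and data keys, but writes them to an owner-only values file instead of exporting them and passing them with `--set`, where they end up in shell history and the process list, and it stops if any Secret is missing or empty. The function names and the output file name are assumptions.

```shell
# Added example; Secret names, data keys and value paths are the ones used in
# the issue's commands. Function names are hypothetical.

# Print one decoded key of a Secret; fail if it is missing or empty.
read_secret() {  # usage: read_secret <secret-name> <data-key>
  secret_value=$(kubectl get secret "$1" -o "jsonpath={.data.$2}" | base64 --decode)
  [ -n "$secret_value" ] || { echo "missing or empty: $1/$2" >&2; return 1; }
  printf '%s' "$secret_value"
}

# Emit a YAML single-quoted scalar (a literal ' is written as '').
yaml_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"; }

# Write the values file; the subshell body keeps umask and trap local.
write_upgrade_values() (  # usage: write_upgrade_values <release> <output-file>
  rel=$1; out=$2
  umask 077                         # file is readable by its owner only
  tmp=$(mktemp) || exit 1
  trap 'rm -f "$tmp"' EXIT          # no partial file is left behind on failure
  {
    printf 'global:\n  identity:\n    auth:\n'
    for app in tasklist optimize operate connectors zeebe; do
      v=$(read_secret "$rel-$app-identity-secret" "$app-secret") || exit 1
      printf '      %s:\n        existingSecret: %s\n' "$app" "$(yaml_quote "$v")"
    done
    admin=$(read_secret "$rel-keycloak" admin-password) || exit 1
    mgmt=$(read_secret "$rel-keycloak" management-password) || exit 1
    pg=$(read_secret "$rel-postgresql" postgres-password) || exit 1
    printf 'identity:\n  keycloak:\n    auth:\n'
    printf '      adminPassword: %s\n' "$(yaml_quote "$admin")"
    printf '      managementPassword: %s\n' "$(yaml_quote "$mgmt")"
    printf '    postgresql:\n      auth:\n        password: %s\n' "$(yaml_quote "$pg")"
  } > "$tmp" || exit 1
  mv "$tmp" "$out"
)

# Usage (run against the cluster that holds the release):
#   write_upgrade_values <RELEASE_NAME> upgrade-secrets.yaml &&
#     helm upgrade <RELEASE_NAME> camunda/camunda-platform -f upgrade-secrets.yaml
#   rm -f upgrade-secrets.yaml
```
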
@aabouzaid
Member Author

I've found that the best way to deal with that issue is to use Helm hooks. Namely, using "helm.sh/hook": pre-install with the auto-generated secrets so they will only be executed in the installation but not in the upgrade.

@aabouzaid aabouzaid self-assigned this Oct 4, 2023
@hisImminence hisImminence added the support/enterprise Marks an issue as related to a customer support request label Oct 4, 2023
@hisImminence
Contributor

Added the related support ticket ;)

@hisImminence hisImminence added epic kind/roadmap Ideas and plans for future enhancements and removed epic labels Oct 22, 2023
@aabouzaid
Member Author

I've found that the best we can do here is to remove the password auto-generation and leave that to the user, as there are many tools to do that and each user can use different things.

@aabouzaid aabouzaid changed the title [ENHANCEMENT] Streamline deployment upgrade with Identity enabled [TASK] Streamline deployment upgrade with Identity enabled Nov 30, 2023
@aabouzaid aabouzaid added kind/task and removed kind/roadmap Ideas and plans for future enhancements labels Nov 30, 2023
@aabouzaid aabouzaid changed the title [TASK] Streamline deployment upgrade with Identity enabled [TASK] Simplify deployment upgrade with Identity enabled Nov 30, 2023
@aabouzaid aabouzaid removed the support/enterprise Marks an issue as related to a customer support request label Dec 1, 2023
@aabouzaid aabouzaid added this to the 8.5 release milestone Dec 6, 2023
@aabouzaid aabouzaid removed their assignment Apr 18, 2024
@jessesimpson36 jessesimpson36 self-assigned this Jun 6, 2024
@jessesimpson36
Contributor

Closed because of related PR #1868 being closed.
