[ISSUE] Unable to reference existingSecret for camunda components #760

Closed
proxyvert opened this issue Jul 7, 2023 · 3 comments
Labels
kind/issue Unidentified issue, it could be a bug, misconfig, or anything in between

Comments

@proxyvert

proxyvert commented Jul 7, 2023

Describe the issue:

When I try to use existingSecret for Camunda components, the chart still generates the default secret and puts the value of global.identity.auth.camunda-component.existingSecret, base64 encoded, into the camunda-component secretKey, instead of referencing the existingSecret that I created.

snippet from values.yaml:

global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://mykeycloak.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName

Actual behavior:

camunda-platform/charts/identity/templates/deployment.yaml env uses the default secret that is created by the chart:

          - name: KEYCLOAK_CLIENTS_0_SECRET
            valueFrom:
              secretKeyRef:
                key: connectors-secret
                name: "dev-connectors-identity-secret"

camunda-platform/charts/identity/templates/connectors-secret.yaml is rendered to:

apiVersion: v1
kind: Secret
metadata:
  name: "dev-connectors-identity-secret"
  labels:
    app: camunda-platform
    app.kubernetes.io/name: identity
    app.kubernetes.io/instance: dev
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: camunda-platform
    helm.sh/chart: identity-8.2.6
    app.kubernetes.io/version: "8.3.0-alpha2"
    app.kubernetes.io/component: identity
type: Opaque
data:
  connectors-secret: "base64encoded myExistingSecretName"

Expected behavior:

camunda-platform/charts/identity/templates/deployment.yaml env uses myExistingSecret, which I created and which has the right secretKey in place:

          - name: KEYCLOAK_CLIENTS_0_SECRET
            valueFrom:
              secretKeyRef:
                key: connectors-secret
                name: "myExistingSecretName"

How to reproduce:

Create myExistingSecret with a connectors-secret secretKey and an arbitrary value.

Use this values.yaml and run helm template:

global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://mykeycloak.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName


Logs:

Environment:


  • Platform: OKD
  • Helm CLI version: 3.11.1
  • Chart version: 8.2.6
  • Values file:
user: &user 2000
global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://external-keycloak-route.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName
      operate:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-operate-ns.example.com
      tasklist:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-tasklist-ns.example.com
      optimize:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-optimize-ns.example.com
      zeebe:
        existingSecret: myExistingSecretName
    keycloak:
      legacy: false
      contextPath: "/auth"
      url:
        protocol: "http"
        host: "external-keycloak"
        port: "8080"
      realm: "/realms/myrealm"
      # auth:
      #   adminUser: "admin"
      #   existingSecret: "camunda-identity-keycloak-admin-secret"
      #   existingSecretKey: "admin-password"

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

camunda-platform:
  enabled: true
  zeebe:
    configMap:
      defaultMode: 0555
  zeebe-gateway:
    configMap:
      defaultMode: 0444
  operate:
    configMap:
      defaultMode: 0444
    service:
      port: 8080
  optimize:
    service:
      port: 8080
  tasklist:
    configMap:
      defaultMode: 0444
    service:
      port: 8080
  connectors:
    env:
      - name: CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL
        value: http://external-keycloak:8080
  identity:
    image:
      tag: 8.3.0-alpha2
    fullURL: https://dev-camunda-identity-ns.example.com
    service:
      port: 8080
    env:
      - name: IDENTITY_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            name: camunda-components-client-secrets-secret
            key: identity-secret
      - name: KEYCLOAK_REALM
        value: myrealm
      - name: KEYCLOAK_SETUP_REALM
        value: myrealm
    firstUser:
      username: admin
      email: [email protected]
      firstName: Admin
      lastName: User
      existingSecret: camunda-identity-first-user-secret
    keycloak:
      enabled: false
      service:
        ports:
          http: 8080
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
      auth:
        adminUser: admin
        existingSecret: camunda-identity-keycloak-admin-secret
      postgresql:
        primary:
          containerSecurityContext:
            runAsUser: *user
          podSecurityContext:
            fsGroup: *user
            runAsUser: *user
        readReplicas:
          containerSecurityContext:
            runAsUser: *user
          podSecurityContext:
            fsGroup: *user
            runAsUser: *user
  elasticsearch:
    securityContext:
      runAsUser: *user
    sysctlInitContainer:
      enabled: false
    podSecurityContext:
      fsGroup: *user
      runAsUser: *user
  postgresql:
    primary:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
    readReplicas:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
    metrics:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
@proxyvert proxyvert added the kind/issue Unidentified issue, it could be a bug, misconfig, or anything in between label Jul 7, 2023
@floric

floric commented Jul 10, 2023

We have the same issue and are currently trying to reverse-engineer the Helm chart. Do you know any workaround?

@floric

floric commented Jul 10, 2023

@PaleIntrovert We found the solution in other issues :)

You need to use:

global:
  identity:
    auth:
      connectors:
        existingSecret:
          name: myExistingSecretName

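The failure mode in this thread is worth checking for mechanically, because a deployment rendered from the flat existingSecret value still comes up: the chart emits its own Secret whose connectors-secret entry is the base64 of the literal string myExistingSecretName, so that predictable string silently becomes the Keycloak client secret. The script below is an added example, not part of the issue or of the Camunda chart: it scans the output of helm template for (a) any secretKeyRef with the given key that does not name the user-supplied Secret and (b) any rendered Secret whose data or stringData entry equals the Secret's name. The two embedded manifests are constructed stand-ins for the rendered output shown in the issue; the function name and its arguments are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the Camunda chart). Verifies that a
# rendered chart references a user-supplied Secret instead of generating a
# substitute whose value is the base64 of the Secret's *name*.
#
# Real usage:
#   helm template dev camunda/camunda-platform -f values.yaml > rendered.yaml
#   check_existing_secret rendered.yaml myExistingSecretName connectors-secret
set -u

# Return 0 when every secretKeyRef for KEY points at SECRET_NAME and no rendered
# Secret carries SECRET_NAME (plain or base64) as a value; return 1 otherwise.
check_existing_secret() {
  local manifest="$1" secret_name="$2" key="$3"
  local encoded bad_refs leaks
  encoded=$(printf '%s' "$secret_name" | base64 | tr -d '\n')

  # (a) Pair the key:/name: lines that follow each "secretKeyRef:" and report
  #     references to KEY that resolve to some other Secret.
  bad_refs=$(awk -v want_key="$key" -v want_name="$secret_name" '
    /secretKeyRef:/ { in_ref=1; k=""; n=""; next }
    in_ref && /^[[:space:]]*key:/  { k=$2; gsub(/"/,"",k) }
    in_ref && /^[[:space:]]*name:/ { n=$2; gsub(/"/,"",n) }
    in_ref && k!="" && n!="" {
      if (k==want_key && n!=want_name) print "secretKeyRef key=" k " resolves to " n ", expected " want_name
      in_ref=0
    }' "$manifest")

  # (b) Walk every rendered Secret and flag data/stringData values equal to the
  #     Secret name (base64 or plain), which is exactly the misrendering in the issue.
  leaks=$(awk -v enc="$encoded" -v plain="$secret_name" '
    /^kind:/                      { kind=$2 }
    /^metadata:/                  { in_meta=1 }
    in_meta && /^[[:space:]]+name:/ { sname=$2; gsub(/"/,"",sname); in_meta=0 }
    /^data:/                      { mode=(kind=="Secret") ? "b64" : ""; next }
    /^stringData:/                { mode=(kind=="Secret") ? "plain" : ""; next }
    /^[^[:space:]#]/              { mode="" }
    mode!="" && /^[[:space:]]+[^[:space:]]+:[[:space:]]*/ {
      k=$1; sub(/:$/,"",k); v=$2; gsub(/"/,"",v)
      if ((mode=="b64" && v==enc) || (mode=="plain" && v==plain))
        print "Secret " sname " key " k " holds the secret NAME as its value"
    }' "$manifest")

  if [ -n "$bad_refs" ] || [ -n "$leaks" ]; then
    [ -n "$bad_refs" ] && printf '%s\n' "$bad_refs" | sed 's/^/FAIL: /'
    [ -n "$leaks" ]    && printf '%s\n' "$leaks"    | sed 's/^/FAIL: /'
    return 1
  fi
  echo "OK: every '$key' reference resolves to Secret '$secret_name' and no substitute Secret was rendered"
  return 0
}

# Constructed sample 1: what the flat existingSecret value renders to (the issue).
BAD_MANIFEST=$(mktemp)
cat > "$BAD_MANIFEST" <<'EOF'
---
apiVersion: v1
kind: Secret
metadata:
  name: "dev-connectors-identity-secret"
type: Opaque
data:
  connectors-secret: "bXlFeGlzdGluZ1NlY3JldE5hbWU="
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "dev-identity"
spec:
  template:
    spec:
      containers:
        - name: identity
          env:
            - name: KEYCLOAK_CLIENTS_0_SECRET
              valueFrom:
                secretKeyRef:
                  key: connectors-secret
                  name: "dev-connectors-identity-secret"
EOF

# Constructed sample 2: what existingSecret.name renders to (the fix above).
GOOD_MANIFEST=$(mktemp)
cat > "$GOOD_MANIFEST" <<'EOF'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: "dev-identity"
spec:
  template:
    spec:
      containers:
        - name: identity
          env:
            - name: KEYCLOAK_CLIENTS_0_SECRET
              valueFrom:
                secretKeyRef:
                  key: connectors-secret
                  name: "myExistingSecretName"
EOF

echo "== rendered from the flat existingSecret value =="
check_existing_secret "$BAD_MANIFEST" myExistingSecretName connectors-secret || true
echo "== rendered from existingSecret.name =="
check_existing_secret "$GOOD_MANIFEST" myExistingSecretName connectors-secret || true
```

Run it against the real helm template output before and after changing the values file; a non-zero exit from the function is the signal that the chart has substituted its own Secret. The base64 comparison is done by encoding the expected name rather than decoding every data entry, so binary secret values never reach the shell as text.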
@proxyvert

@floric, I'm very grateful for your help. I checked this structure of values, and the rendered templates indeed reference existingSecret.
