diff --git a/.github/config/external-secret/external-secret-certificates.yaml b/.github/config/external-secret/external-secret-certificates.yaml
new file mode 100644
index 0000000000..2a5103a452
--- /dev/null
+++ b/.github/config/external-secret/external-secret-certificates.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-secret-camunda-platform
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: distribution-team
+ target:
+ name: camunda-platform # name of the k8s Secret to be created
+ data:
+ - secretKey: tls.crt
+ remoteRef:
+ key: ci-distro-ultrawombat-com
+ property: tls.crt
+ - secretKey: tls.key
+ remoteRef:
+ key: ci-distro-ultrawombat-com
+ property: tls.key
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-secret-zeebe-gateway
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: distribution-team
+ target:
+ name: camunda-platform-zeebe-gateway # name of the k8s Secret to be created
+ data:
+ - secretKey: tls.crt
+ remoteRef:
+ key: ci-distro-ultrawombat-com
+ property: tls.crt
+ - secretKey: tls.key
+ remoteRef:
+ key: ci-distro-ultrawombat-com
+ property: tls.key
diff --git a/.github/config/external-secret.yaml b/.github/config/external-secret/external-secret-credentials.yaml
similarity index 63%
rename from .github/config/external-secret.yaml
rename to .github/config/external-secret/external-secret-credentials.yaml
index 87acb4ed3f..64cff5baa6 100644
--- a/.github/config/external-secret.yaml
+++ b/.github/config/external-secret/external-secret-credentials.yaml
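Review bot: Both target Secrets (`camunda-platform` and `camunda-platform-zeebe-gateway`) are created without a Secret type, so external-secrets will produce `Opaque` objects rather than `kubernetes.io/tls`; consumers that check the type may ignore them, and the `kubernetes.io/tls` type additionally has the API server validate that `tls.crt` and `tls.key` are both present. Under each `target:` add `template:` / `  type: kubernetes.io/tls` next to the existing `name:`. The two documents fetch identical data from the same remote key `ci-distro-ultrawombat-com`, so a one-line comment at the top of the file should say why two copies exist (presumably the chart expects different Secret names for the ingress and the Zeebe gateway) and that they must stay identical. Since this mirrors a wildcard private key into every ephemeral test namespace, the same comment should note that anyone with `get secrets` in those namespaces can read it, which is what the namespace labelling and TTL are implicitly relying on.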
@@ -1,49 +1,5 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: external-secret-camunda-platform
-spec:
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: distribution-team
- target:
- name: camunda-platform # name of the k8s Secret to be created
- data:
- - secretKey: tls.crt
- remoteRef:
- key: ci-distro-ultrawombat-com
- property: tls.crt
- - secretKey: tls.key
- remoteRef:
- key: ci-distro-ultrawombat-com
- property: tls.key
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: external-secret-zeebe-gateway
-spec:
- refreshInterval: 1h
- secretStoreRef:
- kind: ClusterSecretStore
- name: distribution-team
- target:
- name: camunda-platform-zeebe-gateway # name of the k8s Secret to be created
- data:
- - secretKey: tls.crt
- remoteRef:
- key: ci-distro-ultrawombat-com
- property: tls.crt
- - secretKey: tls.key
- remoteRef:
- key: ci-distro-ultrawombat-com
- property: tls.key
-
+# This file should be removed when Camunda 8.5 reaches EOL since Camunda 8.6 chart has a built-in auto-gen.
 ---
-
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
diff --git a/.github/workflows/test-integration-template.yaml b/.github/workflows/test-integration-template.yaml
index eec4cb7871..3afe9a90da 100644
--- a/.github/workflows/test-integration-template.yaml
+++ b/.github/workflows/test-integration-template.yaml
@@ -26,6 +26,14 @@ on:
 required: false
 default: ""
 type: string
+ camunda-helm-credentials-source:
+ description: |
+ Auto-generate credentials or copy them from external secret.
+ Valid options: auto-generated or external-secret.
+ New optional auto-generated secrets are only supported in Camunda 8.6 chart and above.
+ required: false
+ default: "auto-generated"
+ type: string
 caller-git-ref:
 required: false
 default: main
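Review bot: The new `camunda-helm-credentials-source` input in the `test-integration-template.yaml` hunk defaults to `auto-generated`, which its own description says only the 8.6 chart and above supports, so any caller of this reusable workflow that is not updated alongside this change silently switches mode and ends up with neither the external-secret credentials nor the `autoGenerated` flag. The backward-compatible choice is `default: "external-secret"`, with the alpha caller opting in to `auto-generated` explicitly; if the new chart is meant to be the norm, the description should at least state that callers on 8.5 charts must set `external-secret`. `workflow_call` inputs cannot be constrained to a `choice`, so the description is the only guard on the value; adding `Any other value is rejected by the deployment step.` to it (and enforcing that where the input is consumed) would make the contract explicit.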
@@ -235,9 +243,23 @@ jobs:
 kubectl label ns $TEST_NAMESPACE github-repo=$(basename $GITHUB_REPOSITORY)
 kubectl annotate ns $TEST_NAMESPACE cleaner/ttl=1d
 kubectl annotate ns $TEST_NAMESPACE github-workflow-run-url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
- - name: Copy PRs wildcard certificate
+ - name: Set Deployment Secrets
 run: |
- kubectl apply -n $TEST_NAMESPACE -f .github/config/external-secret.yaml
+ kubectl apply -n $TEST_NAMESPACE \
+ -f .github/config/external-secret/external-secret-certificates.yaml
+
+ # External-secrets that are predefined and copied from another namespace.
+ if [[ ${{ inputs.camunda-helm-credentials-source }} == 'external-secret' ]]; then
+ kubectl apply -n $TEST_NAMESPACE \
+ -f .github/config/external-secret/external-secret-credentials.yaml
+ fi
+
+ # Auto-generated secrets that are generated by the chart at the installation.
+ if [[ ${{ matrix.scenario.flow }} == 'upgrade' ]] &&
+ [[ ${{ inputs.camunda-helm-credentials-source }} == 'auto-generated' ]]; then
+ _TEST_HELM_EXTRA_ARGS="${TEST_HELM_EXTRA_ARGS} --set global.secrets.autoGenerated=true"
+ echo "TEST_HELM_EXTRA_ARGS=${_TEST_HELM_EXTRA_ARGS}" | tee -a $GITHUB_ENV
+ fi
 - name: Start GitHub deployment
 uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1
 id: deployment
@@ -262,6 +284,7 @@ jobs:
 TEST_CHART_FLOW: ${{ matrix.scenario.flow }}
 TEST_OPENSHIFT_POST_RENDER: ${{ inputs.camunda-helm-post-render }}
 TEST_HELM_EXTRA_ARGS: >-
+ ${{ env.TEST_HELM_EXTRA_ARGS }}
 --set global.ingress.host=${{ steps.vars.outputs.ingress-host }}
 --values ${{ steps.test-type-vars.outputs.valuesBaseDir }}/infra/values-infra-${{ inputs.infra-type }}.yaml
 --values /tmp/extra-values-file.yaml
diff --git a/.github/workflows/test-version-alpha.yaml b/.github/workflows/test-version-alpha.yaml
index a6726a557c..1615deb41e 100644
--- a/.github/workflows/test-version-alpha.yaml
+++ b/.github/workflows/test-version-alpha.yaml
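Review bot: In the new `Set Deployment Secrets` step, `${{ inputs.camunda-helm-credentials-source }}` and `${{ matrix.scenario.flow }}` are substituted into the `run:` script before bash sees it and sit unquoted inside `[[ ... ]]`, so an empty value is a bash syntax error and a value containing spaces or shell metacharacters is executed as script rather than compared as data. The callers here are same-repo workflows, which limits the exposure, but this is exactly the pattern GitHub's workflow-hardening guidance says to route through `env:`; the rewrite below does that and quotes the expansions. A value that is neither `external-secret` nor `auto-generated` currently matches no branch and the run continues with no credential Secret and no `autoGenerated` flag, failing later in a less obvious place, so the `case` turns that into an immediate error. The step comment says the secrets are generated at installation, yet the flag is only appended for the `upgrade` flow; presumably the install flow gets it from its values file, and if so the comment should say that.

```yaml
      - name: Set Deployment Secrets
        env:
          CREDENTIALS_SOURCE: ${{ inputs.camunda-helm-credentials-source }}
          SCENARIO_FLOW: ${{ matrix.scenario.flow }}
        run: |
          # … unchanged: kubectl apply of external-secret-certificates.yaml …
          case "${CREDENTIALS_SOURCE}" in
            external-secret)
              # External-secrets that are predefined and copied from another namespace.
              kubectl apply -n "$TEST_NAMESPACE" \
                -f .github/config/external-secret/external-secret-credentials.yaml
              ;;
            auto-generated)
              # Chart-generated secrets; only the upgrade flow needs the flag passed explicitly.
              if [[ "${SCENARIO_FLOW}" == 'upgrade' ]]; then
                _TEST_HELM_EXTRA_ARGS="${TEST_HELM_EXTRA_ARGS} --set global.secrets.autoGenerated=true"
                echo "TEST_HELM_EXTRA_ARGS=${_TEST_HELM_EXTRA_ARGS}" | tee -a "$GITHUB_ENV"
              fi
              ;;
            *)
              echo "::error::camunda-helm-credentials-source must be 'auto-generated' or 'external-secret', got '${CREDENTIALS_SOURCE}'"
              exit 1
              ;;
          esac
```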
@@ -59,3 +59,4 @@ jobs:
 # We need to set the var here as the Alpha is stored on the OCI Helm registry and uses different versioning.
 camunda-helm-upgrade-version: "0.0.0-snapshot-alpha"
 camunda-helm-post-render: false
+ caller-git-ref: "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/test-version-latest.yaml b/.github/workflows/test-version-latest.yaml
index 5426d3e4ec..e0473e52d3 100644
--- a/.github/workflows/test-version-latest.yaml
+++ b/.github/workflows/test-version-latest.yaml
@@ -55,4 +55,5 @@ jobs:
 flows: "install,upgrade"
 camunda-helm-dir: "camunda-platform-latest"
 camunda-helm-git-ref: "${{ github.event.pull_request.head.sha }}"
+ camunda-helm-credentials-source: "external-secret"
 caller-git-ref: "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/test-version-maintenance.yaml b/.github/workflows/test-version-maintenance.yaml
index c1308c7f46..ce4f00c783 100644
--- a/.github/workflows/test-version-maintenance.yaml
+++ b/.github/workflows/test-version-maintenance.yaml
@@ -85,4 +85,5 @@ jobs:
 flows: "install,upgrade"
 camunda-helm-dir: "camunda-platform-${{ matrix.version }}"
 camunda-helm-git-ref: "${{ github.event.pull_request.head.sha }}"
+ camunda-helm-credentials-source: "external-secret"
 caller-git-ref: "${{ github.event.pull_request.head.sha }}"
diff --git a/charts/camunda-platform-alpha/README.md b/charts/camunda-platform-alpha/README.md
index cc619ee2b0..5add800e34 100644
--- a/charts/camunda-platform-alpha/README.md
+++ b/charts/camunda-platform-alpha/README.md
@@ -401,11 +401,15 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | Name | Description | Value | | ----------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------- | | `global` | | | +| `global.secrets` | configuration for auto-generated secrets which is only used during the installation. | | +| `global.secrets.autoGenerated` | if true, a secret object will be generated with auto-generated passwords. This secret object is NOT managed with corresponding releases and NOR part of Helm deployment/upgrade! It's generated once, and if it's deleted, you will lose the secrets. | `false` | +| `global.secrets.name` | defines the name of the secret object that has the auto-generated passwords. | `camunda-credentials-autogen` | +| `global.secrets.annotations` | defines the secret object annotations that utilize Helm hooks to keep that object out of the Helm deployment. | `{}` | | `global.license` | | | | `global.license.key` | if set, it will be exposed as "CAMUNDA_LICENSE_KEY" in the apps. | `nil` | | `global.license.existingSecret` | you can provide an existing secret name for Camunda license secret. | `nil` | | `global.license.existingSecretKey` | you can provide the key within the existing secret object for Camunda license key. 
| `nil` | -| `global.compatibility.openshift.adaptSecurityContext` | | `disabled` | +| `global.compatibility` | Compatibility adaptations for Kubernetes platforms | | | `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` | | `global.multitenancy` | | | | `global.multitenancy.enabled` | if true, then enable multitenancy in all applicable components. | `false` | @@ -435,7 +439,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `global.elasticsearch.auth.username` | the username for external elasticsearch | `nil` | | `global.elasticsearch.auth.password` | the password for external elasticsearch | `nil` | | `global.elasticsearch.auth.existingSecret` | you can provide an existing secret for the external elasticsearch password | `nil` | -| `global.elasticsearch.auth.existingSecretKey` | you can provide an existing secret key for the external elasticsearch password | `nil` | +| `global.elasticsearch.auth.existingSecretKey` | you can provide an existing secret key for the external elasticsearch password | `password` | | `global.elasticsearch.disableExporter` | DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled | `false` | | `global.elasticsearch.url` | Configuration to configure elasticsearch url | | | `global.elasticsearch.url.protocol` | defines the elasticsearch access protocol. | `http` | 
@@ -453,7 +457,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `global.opensearch.auth.username` | the username for external opensearch | `nil` | | `global.opensearch.auth.password` | the password for external opensearch | `nil` | | `global.opensearch.auth.existingSecret` | you can provide an existing secret for the external opensearch password | `nil` | -| `global.opensearch.auth.existingSecretKey` | you can provide an existing secret key for the external opensearch password | `nil` | +| `global.opensearch.auth.existingSecretKey` | you can provide an existing secret key for the external opensearch password | `password` | | `global.opensearch.url` | Configuration to configure opensearch url | | | `global.opensearch.url.protocol` | defines the external opensearch access protocol | `https` | | `global.opensearch.url.host` | defines the external opensearch host, ideally the service name inside the namespace | `nil` | 
@@ -476,10 +480,12 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `global.identity.auth.connectors` | configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.connectors.clientId` | defines the client id, which is used by Connectors in authentication flows. | `connectors` | | `global.identity.auth.connectors.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.connectors.existingSecretKey` | defines the key within the existing secret object. | `connectors-secret` | | `global.identity.auth.identity` | configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.identity.clientId` | defines the client id, which is used by Identity in authentication flows. | `identity` | | `global.identity.auth.identity.audience` | defines the audience, which is used by Identity. | `camunda-identity-resource-server` | | `global.identity.auth.identity.existingSecret` | can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated. | `nil` | +| `global.identity.auth.identity.existingSecretKey` | defines the key within the existing secret object. | `identity-secret` | | `global.identity.auth.identity.redirectUrl` | defines the redirect URL, which is used by the auth platform to access Identity. | `http://localhost:8085` | | `global.identity.auth.identity.initialClaimName` | defines the initial claim name, which is used by Identity to configure initial mapping rules, | `oid` | | `global.identity.auth.identity.initialClaimValue` | defines the initial claim value, which is used by Identity to configure initial mapping rules. | `nil` | 
@@ -487,16 +493,19 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `global.identity.auth.operate.clientId` | defines the client id, which is used by Operate in authentication flows. | `operate` | | `global.identity.auth.operate.audience` | defines the audience, which is used by Operate. | `operate-api` | | `global.identity.auth.operate.existingSecret` | can be used to reference an existing secret. If not set, a random secret is generated. | `nil` | +| `global.identity.auth.operate.existingSecretKey` | defines the key within the existing secret object. | `operate-secret` | | `global.identity.auth.operate.redirectUrl` | defines the redirect URL, which is used by Keycloak to access Operate. | `http://localhost:8081` | | `global.identity.auth.tasklist` | configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.tasklist.clientId` | defines the client id, which is used by Tasklist in authentication flows. | `tasklist` | | `global.identity.auth.tasklist.audience` | defines the audience, which is used by Tasklist. | `tasklist-api` | | `global.identity.auth.tasklist.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.tasklist.existingSecretKey` | defines the key within the existing secret object. | `tasklist-secret` | | `global.identity.auth.tasklist.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Tasklist. | `http://localhost:8082` | | `global.identity.auth.optimize` | configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.optimize.clientId` | defines the client id, which is used by Optimize in authentication flows. | `optimize` | | `global.identity.auth.optimize.audience` | defines the audience, which is used by Optimize. 
| `optimize-api` | | `global.identity.auth.optimize.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.optimize.existingSecretKey` | defines the key within the existing secret object. | `optimize-secret` | | `global.identity.auth.optimize.redirectUrl` | defines the root (or redirect) URL, which is used by Keycloak to access Optimize. | `http://localhost:8083` | | `global.identity.auth.webModeler` | configuration to configure WebModeler authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.webModeler.clientId` | defines the client id, which is used by WebModeler in authentication flows. | `web-modeler` | 
@@ -508,10 +517,12 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `global.identity.auth.console.audience` | defines the audience which is used by Console's client API. | `console-api` | | `global.identity.auth.console.wellKnown` | defines the uri for the well known config which is used by Console (optional). | `https://well-known-uri` | | `global.identity.auth.console.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.console.existingSecretKey` | defines the key within the existing secret object. | `console-secret` | | `global.identity.auth.console.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8080` | | `global.identity.auth.zeebe` | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts | | | `global.identity.auth.zeebe.clientId` | defines the client id, which is used by Zeebe in authentication flows. | `zeebe` | | `global.identity.auth.zeebe.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` | +| `global.identity.auth.zeebe.existingSecretKey` | defines the key within the existing secret object. | `zeebe-secret` | | `global.identity.auth.zeebe.audience` | defines the audience, which is used by Zeebe. | `zeebe-api` | | `global.identity.auth.zeebe.tokenScope` | defines the token scope, which is used by Zeebe. | `nil` | 
@@ -1165,116 +1176,117 @@ Please see the corresponding [release guide](../../docs/release.md) to find out ### Identity Parameters -| Name | Description | Value | -| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- | -| `identity.enabled` | if true, the identity deployment and its related resources are deployed via a helm release | `true` | -| `identity.fullnameOverride` | can be used to override the full name of the Identity resources | `""` | -| `identity.nameOverride` | can be used to partly override the name of the Identity resources (names will still be prefixed with the release name) | `""` | -| `identity.firstUser` | configuration to configure properties of the first Identity user, which can be used to access all | | -| `identity.firstUser.enabled` | if true, Identity will seed the first user in Keycloak. | `true` | -| `identity.firstUser.username` | defines the username of the first user, needed to log in into the web applications | `demo` | -| `identity.firstUser.password` | defines the password of the first user, needed to log in into the web applications | `demo` | -| `identity.firstUser.email` | defines the email address of the first user; a valid email address is required to use WebModeler | `demo@example.org` | -| `identity.firstUser.firstName` | defines the first name of the first user; a name is required to use WebModeler | `Demo` | -| `identity.firstUser.lastName` | defines the last name of the first user; a name is required to use WebModeler | `User` | -| `identity.firstUser.existingSecret` | can be used to use an own existing secret for Identity first user. 
| `""` | -| `identity.image` | configuration to configure the identity image specifics | | -| `identity.image.registry` | can be used to set container image registry. | `""` | -| `identity.image.repository` | defines which image repository to use | `camunda/identity` | -| `identity.image.tag` | can be set to overwrite the global tag, which should be used in that chart | `8.6.0-alpha4` | -| `identity.image.pullSecrets` | can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | `[]` | -| `identity.sidecars` | can be used to attach extra containers to the identity deployment | `[]` | -| `identity.initContainers` | can be used to set up extra init containers for the application Pod | `[]` | -| `identity.fullURL` | can be used when Ingress is configured (for both multi and single domain setup). | `""` | -| `identity.contextPath` | can be used to make Identity web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain. | `""` | -| `identity.podAnnotations` | can be used to define extra Identity pod annotations | `{}` | -| `identity.podLabels` | can be used to define extra Identity pod labels | `{}` | -| `identity.service` | configuration to configure the identity service. 
| | -| `identity.service.annotations` | can be used to define annotations, which will be applied to the identity service | `{}` | -| `identity.service.type` | defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | `ClusterIP` | -| `identity.service.port` | defines the port of the service on which the identity application will be available | `80` | -| `identity.service.metricsPort` | defines the port of the service on which the identity metrics will be available | `82` | -| `identity.service.metricsName` | defines the name of the service on which the identity metrics will be available | `metrics` | -| `identity.podSecurityContext` | defines the security options the Identity pod should be run with | | -| `identity.podSecurityContext.runAsNonRoot` | | `true` | -| `identity.podSecurityContext.fsGroup` | | `1001` | -| `identity.podSecurityContext.seccompProfile` | | | -| `identity.podSecurityContext.seccompProfile.type` | | `RuntimeDefault` | -| `identity.containerSecurityContext` | defines the security options the Identity container should be run with | | -| `identity.containerSecurityContext.allowPrivilegeEscalation` | | `false` | -| `identity.containerSecurityContext.privileged` | | `false` | -| `identity.containerSecurityContext.readOnlyRootFilesystem` | | `true` | -| `identity.containerSecurityContext.runAsNonRoot` | | `true` | -| `identity.containerSecurityContext.runAsUser` | | `1001` | -| `identity.containerSecurityContext.seccompProfile` | | | -| `identity.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | -| `identity.startupProbe` | configuration | | -| `identity.startupProbe.enabled` | if true, the startup probe is enabled in app container | `false` | -| `identity.startupProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | -| `identity.startupProbe.probePath` | defines the startup probe route used on the app | 
`/actuator/health` | -| `identity.startupProbe.initialDelaySeconds` | defines the number of seconds after the container has started before the probe is initiated. | `30` | -| `identity.startupProbe.periodSeconds` | defines how often the probe is executed | `30` | -| `identity.startupProbe.successThreshold` | defines how often it needs to be true to be marked as ready, after failure | `1` | -| `identity.startupProbe.failureThreshold` | defines when the probe is considered as failed so the Pod will be marked Unready | `5` | -| `identity.startupProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | -| `identity.readinessProbe` | configuration | | -| `identity.readinessProbe.enabled` | if true, the readiness probe is enabled in app container | `true` | -| `identity.readinessProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | -| `identity.readinessProbe.probePath` | defines the readiness probe route used on the app | `/actuator/health` | -| `identity.readinessProbe.initialDelaySeconds` | defines the number of seconds after the container has started before the probe is initiated. 
| `30` | -| `identity.readinessProbe.periodSeconds` | defines how often the probe is executed | `30` | -| `identity.readinessProbe.successThreshold` | defines how often it needs to be true to be marked as ready, after failure | `1` | -| `identity.readinessProbe.failureThreshold` | defines when the probe is considered as failed so the Pod will be marked Unready | `5` | -| `identity.readinessProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | -| `identity.livenessProbe` | configuration | | -| `identity.livenessProbe.enabled` | if true, the liveness probe is enabled in app container | `false` | -| `identity.livenessProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | -| `identity.livenessProbe.probePath` | defines the liveness probe route used on the app | `/actuator/health` | -| `identity.livenessProbe.initialDelaySeconds` | defines the number of seconds after the container has started before | `30` | -| `identity.livenessProbe.periodSeconds` | defines how often the probe is executed | `30` | -| `identity.livenessProbe.successThreshold` | defines how often it needs to be true to be considered successful after having failed | `1` | -| `identity.livenessProbe.failureThreshold` | defines when the probe is considered as failed so the container will be restarted | `5` | -| `identity.livenessProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | -| `identity.metrics.prometheus` | Prometheus metrics endpoint | `/actuator/prometheus` | -| `identity.nodeSelector` | can be used to define on which nodes the Identity pods should run | `{}` | -| `identity.tolerations` | can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | `[]` | -| `identity.affinity` | can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | `{}` | -| 
`identity.resources` | configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits | | -| `identity.resources.requests.memory` | | `400Mi` | -| `identity.resources.limits.cpu` | | `2000m` | -| `identity.resources.requests.cpu` | | `600m` | -| `identity.resources.limits.memory` | | `2Gi` | -| `identity.env` | can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details. | `[]` | -| `identity.envFrom` | list of environment variables to import from configMapRef and secretRef | `[]` | -| `identity.command` | can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | `[]` | -| `identity.extraVolumes` | can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates | `[]` | -| `identity.extraVolumeMounts` | can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates | `[]` | -| `identity.serviceAccount` | configuration for the service account where the identity pods are assigned to | | -| `identity.serviceAccount.enabled` | if true, enables the identity service account | `true` | -| `identity.serviceAccount.name` | can be used to set the name of the identity service account | `""` | -| `identity.serviceAccount.annotations` | can be used to set the annotations of the identity service account | `{}` | -| `identity.serviceAccount.automountServiceAccountToken` | can be used to control whether the service account token should be automatically mounted | `true` | -| `identity.ingress.enabled` | if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx. 
Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead. | `false` | -| `identity.ingress.className` | defines the class or configuration of ingress which should be used by the controller | `nginx` | -| `identity.ingress.annotations` | defines the ingress related annotations, consumed mostly by the ingress controller | `{}` | -| `identity.ingress.path` | defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules | `/` | -| `identity.ingress.pathType` | can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types | `Prefix` | -| `identity.ingress.host` | can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules | `""` | -| `identity.ingress.tls` | configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | | -| `identity.ingress.tls.enabled` | if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined. 
| `false` | -| `identity.ingress.tls.secretName` | defines the secret name which contains the TLS private key and certificate | `camunda-platform-identity` | -| `identity.externalDatabase.enabled` | | `false` | -| `identity.externalDatabase.host` | Database host | `nil` | -| `identity.externalDatabase.port` | Database port number | `nil` | -| `identity.externalDatabase.username` | Non-root username | `nil` | -| `identity.externalDatabase.password` | Password for the non-root username | `nil` | -| `identity.externalDatabase.database` | The database name | `nil` | -| `identity.externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `nil` | -| `identity.externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `nil` | -| `identity.configuration` | if specified, contents will be used as the application.yaml | `""` | -| `identity.extraConfiguration` | if specified, contents will be used for any extra configuration files such as the log4j2.xml | `{}` | -| `identity.dnsPolicy` | https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | `""` | -| `identity.dnsConfig` | https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config | `{}` | +| Name | Description | Value | +| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------- | +| `identity.enabled` | if true, the identity deployment and its related resources are deployed via a helm release | `true` | +| `identity.fullnameOverride` | can be used to override the full name of the Identity resources | `""` | +| `identity.nameOverride` | can be used to partly override the 
name of the Identity resources (names will still be prefixed with the release name) | `""` | +| `identity.firstUser` | configuration to configure properties of the first Identity user, which can be used to access all | | +| `identity.firstUser.enabled` | if true, Identity will seed the first user in Keycloak. | `true` | +| `identity.firstUser.username` | defines the username of the first user, needed to log in into the web applications | `demo` | +| `identity.firstUser.password` | defines the password of the first user, needed to log in into the web applications | `demo` | +| `identity.firstUser.email` | defines the email address of the first user; a valid email address is required to use WebModeler | `demo@example.org` | +| `identity.firstUser.firstName` | defines the first name of the first user; a name is required to use WebModeler | `Demo` | +| `identity.firstUser.lastName` | defines the last name of the first user; a name is required to use WebModeler | `User` | +| `identity.firstUser.existingSecret` | can be used to use an own existing secret for Identity first user. | `""` | +| `identity.firstUser.existingSecretKey` | defines the key within the existing secret object. | `identity-firstuser-password` | +| `identity.image` | configuration to configure the identity image specifics | | +| `identity.image.registry` | can be used to set container image registry. 
| `""` | +| `identity.image.repository` | defines which image repository to use | `camunda/identity` | +| `identity.image.tag` | can be set to overwrite the global tag, which should be used in that chart | `8.6.0-alpha4` | +| `identity.image.pullSecrets` | can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod | `[]` | +| `identity.sidecars` | can be used to attach extra containers to the identity deployment | `[]` | +| `identity.initContainers` | can be used to set up extra init containers for the application Pod | `[]` | +| `identity.fullURL` | can be used when Ingress is configured (for both multi and single domain setup). | `""` | +| `identity.contextPath` | can be used to make Identity web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain. | `""` | +| `identity.podAnnotations` | can be used to define extra Identity pod annotations | `{}` | +| `identity.podLabels` | can be used to define extra Identity pod labels | `{}` | +| `identity.service` | configuration to configure the identity service. 
| | +| `identity.service.annotations` | can be used to define annotations, which will be applied to the identity service | `{}` | +| `identity.service.type` | defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | `ClusterIP` | +| `identity.service.port` | defines the port of the service on which the identity application will be available | `80` | +| `identity.service.metricsPort` | defines the port of the service on which the identity metrics will be available | `82` | +| `identity.service.metricsName` | defines the name of the service on which the identity metrics will be available | `metrics` | +| `identity.podSecurityContext` | defines the security options the Identity pod should be run with | | +| `identity.podSecurityContext.runAsNonRoot` | | `true` | +| `identity.podSecurityContext.fsGroup` | | `1001` | +| `identity.podSecurityContext.seccompProfile` | | | +| `identity.podSecurityContext.seccompProfile.type` | | `RuntimeDefault` | +| `identity.containerSecurityContext` | defines the security options the Identity container should be run with | | +| `identity.containerSecurityContext.allowPrivilegeEscalation` | | `false` | +| `identity.containerSecurityContext.privileged` | | `false` | +| `identity.containerSecurityContext.readOnlyRootFilesystem` | | `true` | +| `identity.containerSecurityContext.runAsNonRoot` | | `true` | +| `identity.containerSecurityContext.runAsUser` | | `1001` | +| `identity.containerSecurityContext.seccompProfile` | | | +| `identity.containerSecurityContext.seccompProfile.type` | | `RuntimeDefault` | +| `identity.startupProbe` | configuration | | +| `identity.startupProbe.enabled` | if true, the startup probe is enabled in app container | `false` | +| `identity.startupProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | +| `identity.startupProbe.probePath` | defines the startup probe route used on the app | 
`/actuator/health` | +| `identity.startupProbe.initialDelaySeconds` | defines the number of seconds after the container has started before the probe is initiated. | `30` | +| `identity.startupProbe.periodSeconds` | defines how often the probe is executed | `30` | +| `identity.startupProbe.successThreshold` | defines how often it needs to be true to be marked as ready, after failure | `1` | +| `identity.startupProbe.failureThreshold` | defines when the probe is considered as failed so the Pod will be marked Unready | `5` | +| `identity.startupProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | +| `identity.readinessProbe` | configuration | | +| `identity.readinessProbe.enabled` | if true, the readiness probe is enabled in app container | `true` | +| `identity.readinessProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | +| `identity.readinessProbe.probePath` | defines the readiness probe route used on the app | `/actuator/health` | +| `identity.readinessProbe.initialDelaySeconds` | defines the number of seconds after the container has started before the probe is initiated. 
| `30` | +| `identity.readinessProbe.periodSeconds` | defines how often the probe is executed | `30` | +| `identity.readinessProbe.successThreshold` | defines how often it needs to be true to be marked as ready, after failure | `1` | +| `identity.readinessProbe.failureThreshold` | defines when the probe is considered as failed so the Pod will be marked Unready | `5` | +| `identity.readinessProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | +| `identity.livenessProbe` | configuration | | +| `identity.livenessProbe.enabled` | if true, the liveness probe is enabled in app container | `false` | +| `identity.livenessProbe.scheme` | defines the startup probe schema used on calling the probePath | `HTTP` | +| `identity.livenessProbe.probePath` | defines the liveness probe route used on the app | `/actuator/health` | +| `identity.livenessProbe.initialDelaySeconds` | defines the number of seconds after the container has started before | `30` | +| `identity.livenessProbe.periodSeconds` | defines how often the probe is executed | `30` | +| `identity.livenessProbe.successThreshold` | defines how often it needs to be true to be considered successful after having failed | `1` | +| `identity.livenessProbe.failureThreshold` | defines when the probe is considered as failed so the container will be restarted | `5` | +| `identity.livenessProbe.timeoutSeconds` | defines the seconds after the probe times out | `1` | +| `identity.metrics.prometheus` | Prometheus metrics endpoint | `/actuator/prometheus` | +| `identity.nodeSelector` | can be used to define on which nodes the Identity pods should run | `{}` | +| `identity.tolerations` | can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | `[]` | +| `identity.affinity` | can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | `{}` | +| 
`identity.resources` | configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits | | +| `identity.resources.requests.memory` | | `400Mi` | +| `identity.resources.limits.cpu` | | `2000m` | +| `identity.resources.requests.cpu` | | `600m` | +| `identity.resources.limits.memory` | | `2Gi` | +| `identity.env` | can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details. | `[]` | +| `identity.envFrom` | list of environment variables to import from configMapRef and secretRef | `[]` | +| `identity.command` | can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/ | `[]` | +| `identity.extraVolumes` | can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates | `[]` | +| `identity.extraVolumeMounts` | can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates | `[]` | +| `identity.serviceAccount` | configuration for the service account where the identity pods are assigned to | | +| `identity.serviceAccount.enabled` | if true, enables the identity service account | `true` | +| `identity.serviceAccount.name` | can be used to set the name of the identity service account | `""` | +| `identity.serviceAccount.annotations` | can be used to set the annotations of the identity service account | `{}` | +| `identity.serviceAccount.automountServiceAccountToken` | can be used to control whether the service account token should be automatically mounted | `true` | +| `identity.ingress.enabled` | if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx. 
Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead. | `false` | +| `identity.ingress.className` | defines the class or configuration of ingress which should be used by the controller | `nginx` | +| `identity.ingress.annotations` | defines the ingress related annotations, consumed mostly by the ingress controller | `{}` | +| `identity.ingress.path` | defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules | `/` | +| `identity.ingress.pathType` | can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types | `Prefix` | +| `identity.ingress.host` | can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules | `""` | +| `identity.ingress.tls` | configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls | | +| `identity.ingress.tls.enabled` | if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined. 
| `false` | +| `identity.ingress.tls.secretName` | defines the secret name which contains the TLS private key and certificate | `camunda-platform-identity` | +| `identity.externalDatabase.enabled` | | `false` | +| `identity.externalDatabase.host` | Database host | `nil` | +| `identity.externalDatabase.port` | Database port number | `nil` | +| `identity.externalDatabase.username` | Non-root username | `nil` | +| `identity.externalDatabase.password` | Password for the non-root username | `nil` | +| `identity.externalDatabase.database` | The database name | `nil` | +| `identity.externalDatabase.existingSecret` | Name of an existing secret resource containing the database credentials | `nil` | +| `identity.externalDatabase.existingSecretPasswordKey` | Name of an existing secret key containing the database credentials | `nil` | +| `identity.configuration` | if specified, contents will be used as the application.yaml | `""` | +| `identity.extraConfiguration` | if specified, contents will be used for any extra configuration files such as the log4j2.xml | `{}` | +| `identity.dnsPolicy` | https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy | `""` | +| `identity.dnsConfig` | https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config | `{}` | ### Identity - PostgreSQL Parameters 
@@ -1282,6 +1294,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | ------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | | `identityPostgresql` | configuration for the PostgreSQL dependency chart used by Identity. For more details, check [Bitnami package for PostgreSQL](https://artifacthub.io/packages/helm/bitnami/postgresql#parameters) documentation. | | | `identityPostgresql.enabled` | Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy. | `false` | +| `identityPostgresql.global.compatibility` | Compatibility adaptations for Kubernetes platforms | | | `identityPostgresql.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | | `identityPostgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | | `identityPostgresql.image.tag` | PostgreSQL image tag | `15.8.0` | 
@@ -1290,6 +1303,8 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `identityPostgresql.auth.database` | The database name | `identity` | | `identityPostgresql.auth.password` | Password for the non-root username | `nil` | | `identityPostgresql.auth.existingSecret` | Name of an existing secret resource containing the database credentials | `nil` | +| `identityPostgresql.auth.secretKeys.adminPasswordKey` | defines the key within the existing secret object for PostgreSQL admin. | `postgres-password` | +| `identityPostgresql.auth.secretKeys.userPasswordKey` | defines the key within the existing secret object for PostgreSQL user. | `password` | ### Identity - Keycloak Parameters 
@@ -1297,6 +1312,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | --------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | | `identityKeycloak` | configuration, for the Keycloak dependency chart which is used by Identity. For more details, check [Bitnami package for Keycloak](https://artifacthub.io/packages/helm/bitnami/keycloak#parameters) documentation. | | | `identityKeycloak.enabled` | Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart | `true` | +| `identityKeycloak.global.compatibility` | Compatibility adaptations for Kubernetes platforms | | | `identityKeycloak.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | | `identityKeycloak.nameOverride` | the name used for Keycloak. | `keycloak` | | `identityKeycloak.image` | configuration. | | 
@@ -1305,6 +1321,9 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `identityKeycloak.postgresql` | configuration. | | | `identityKeycloak.postgresql.image.repository` | image repo | `bitnami/postgresql` | | `identityKeycloak.postgresql.image.tag` | image tag | `15.8.0` | +| `identityKeycloak.postgresql.auth.existingSecret` | defines the existing secret resource containing the database credentials | `nil` | +| `identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey` | defines the key within the existing secret object for PostgreSQL admin. | `postgres-password` | +| `identityKeycloak.postgresql.auth.secretKeys.userPasswordKey` | defines the key within the existing secret object for PostgreSQL user. | `password` | | `identityKeycloak.postgresql.primary.containerSecurityContext.enabled` | | `true` | | `identityKeycloak.postgresql.primary.containerSecurityContext.privileged` | | `false` | | `identityKeycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem` | | `true` | @@ -1343,6 +1362,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `identityKeycloak.auth` | uses the secrets generated by keycloak, to access keycloak. | | | `identityKeycloak.auth.adminUser` | defines the keycloak administrator user | `admin` | | `identityKeycloak.auth.existingSecret` | can be used to reuse an existing secret containing authentication information. | `""` | +| `identityKeycloak.auth.passwordSecretKey` | defines the key within the existing secret object. | `admin-password` | ### WebModeler Parameters 
@@ -1371,7 +1391,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `webModeler.restapi.externalDatabase.user` | defines the database user | `""` | | `webModeler.restapi.externalDatabase.password` | can be used to provide the database user's password; ignored if `webModeler.restapi.externalDatabase.existingSecret` is set | `""` | | `webModeler.restapi.externalDatabase.existingSecret` | can be used to provide the name of an existing secret resource containing the database password | `nil` | -| `webModeler.restapi.externalDatabase.existingSecretPasswordKey` | can be used to provide the name of an existing secret key containing the database password | `""` | +| `webModeler.restapi.externalDatabase.existingSecretPasswordKey` | can be used to provide the name of an existing secret key containing the database password | `database-password` | | `webModeler.restapi.mail` | configuration for emails sent by WebModeler | | | `webModeler.restapi.mail.smtpHost` | defines the host name of the SMTP server to be used by WebModeler | `""` | | `webModeler.restapi.mail.smtpPort` | defines the port number of the SMTP server | `587` | 
@@ -1379,7 +1399,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `webModeler.restapi.mail.smtpPassword` | can be used to provide a password for the SMTP server; ignored if `webModeler.restapi.mail.existingSecret` is set | `""` | | `webModeler.restapi.mail.smtpTlsEnabled` | if true, enforces TLS encryption for SMTP connections (using STARTTLS) | `true` | | `webModeler.restapi.mail.existingSecret` | can be used to provide the name of an existing secret resource containing the SMTP password | `nil` | -| `webModeler.restapi.mail.existingSecretPasswordKey` | can be used to provide the name of an existing secret key containing the SMTP password | `""` | +| `webModeler.restapi.mail.existingSecretPasswordKey` | can be used to provide the name of an existing secret key containing the SMTP password | `smtp-password` | | `webModeler.restapi.mail.fromAddress` | defines the email address that will be displayed as the sender of emails sent by WebModeler | `""` | | `webModeler.restapi.mail.fromName` | defines the name that will be displayed as the sender of emails sent by WebModeler | `Camunda 8` | | `webModeler.restapi.podAnnotations` | can be used to define extra restapi pod annotations | `{}` | 
@@ -1618,6 +1638,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | | `postgresql` | configuration for the postgresql dependency chart used by WebModeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details. | | | `postgresql.enabled` | if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart | `false` | +| `postgresql.global.compatibility` | Compatibility adaptations for Kubernetes platforms | | | `postgresql.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | | `postgresql.nameOverride` | defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters | `postgresql-web-modeler` | | `postgresql.image.repository` | PostgreSQL repo | `bitnami/postgresql` | 
@@ -1627,6 +1648,8 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `postgresql.auth.password` | can be used to provide the database user's password; a random password will be generated if left empty / ignored if `postgresql.auth.existingSecret` is set | `""` | | `postgresql.auth.database` | defines the name of the database to be created for WebModeler | `web-modeler` | | `postgresql.auth.existingSecret` | can be used to provide the name of an existing secret resource containing the database password | `""` | +| `postgresql.auth.secretKeys.adminPasswordKey` | defines the key within the existing secret object for PostgreSQL admin. | `postgres-password` | +| `postgresql.auth.secretKeys.userPasswordKey` | defines the key within the existing secret object for PostgreSQL user. | `password` | | `postgresql.primary.containerSecurityContext.enabled` | | `true` | | `postgresql.primary.containerSecurityContext.allowPrivilegeEscalation` | | `false` | | `postgresql.primary.containerSecurityContext.privileged` | | `false` | @@ -1649,6 +1672,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | `connectors.inbound.mode` | acceptable values: disabled, credentials, or oauth | `oauth` | | `connectors.inbound.auth` | configuration of the credentials authentication. | | | `connectors.inbound.auth.existingSecret` | can be used to configure Secret name that contains Operate password (if inbound mode is credentials) | `""` | +| `connectors.inbound.auth.existingSecretKey` | defines the key within the existing secret object. | `connectors-secret` | | `connectors.image` | configuration to configure the Connectors image specifics | | | `connectors.image.registry` | can be used to set container image registry. | `""` | | `connectors.image.repository` | defines which image repository to use | `camunda/connectors-bundle` | 
@@ -1747,6 +1771,7 @@ Please see the corresponding [release guide](../../docs/release.md) to find out | ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | | `elasticsearch` | | | | `elasticsearch.enabled` | | `true` | +| `elasticsearch.global.compatibility` | Compatibility adaptations for Kubernetes platforms | | | `elasticsearch.global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `{{ .Values.global.compatibility.openshift.adaptSecurityContext | default "disabled" }}` | | `elasticsearch.image.repository` | | `bitnami/elasticsearch` | | `elasticsearch.image.tag` | | `8.15.0` | diff --git a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl index a04aa34486..b7400f9654 100644 --- a/charts/camunda-platform-alpha/templates/camunda/constraints.tpl +++ b/charts/camunda-platform-alpha/templates/camunda/constraints.tpl 
@@ -157,17 +157,19 @@ metadata: name: identity-secret-for-components type: Opaque data: - operate-secret: - tasklist-secret: - optimize-secret: + # Ideneity apps auth. connectors-secret: console-secret: - keycloak-secret: + operate-secret: + optimize-secret: + tasklist-secret: zeebe-secret: - admin-password: # used for keycloak - management-password: # used for keycloak + # Ideneity Keycloak. + admin-password: . + # Ideneity Keycloak PostgreSQL. postgres-password: # used for postgresql admin password password: # used for postgresql user password + # Web Modeler. smtp-password: # used for web modeler mail The following values inside your values.yaml need to be set but were not: @@ -194,17 +196,19 @@ metadata: name: identity-secret-for-components type: Opaque data: - operate-secret: - tasklist-secret: - optimize-secret: + # Ideneity apps auth. connectors-secret: console-secret: - keycloak-secret: + operate-secret: + optimize-secret: + tasklist-secret: zeebe-secret: - admin-password: # used for keycloak - management-password: # used for keycloak + # Ideneity Keycloak. + admin-password: . + # Ideneity Keycloak PostgreSQL. postgres-password: # used for postgresql admin password password: # used for postgresql user password + # Web Modeler. smtp-password: # used for web modeler mail The following values inside your values.yaml need to be set but were not: diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml new file mode 100644 index 0000000000..78492d5e43 --- /dev/null +++ b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml 
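Review bot: The three comment lines added to the required-keys listing misspell the component name — `# Ideneity apps auth.`, `# Ideneity Keycloak.` and `# Ideneity Keycloak PostgreSQL.` should read `# Identity apps auth.`, `# Identity Keycloak.` and `# Identity Keycloak PostgreSQL.`; this text is part of the chart's user-facing failure message, so the typo is shown to every operator who hits it. The added `admin-password: .` line also appears to carry a stray trailing `.` that none of the neighbouring keys have; if it is not intentional, drop it so the example stays a valid YAML snippet a user can paste. The same fix applies to the second hunk at `-194,17` in this file, which repeats the same lines. Both hunks sit inside a larger template block whose start and end lie outside the view.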
@@ -0,0 +1,84 @@
+{{- if .Values.global.secrets.autoGenerated }}
+# NOTE:
+# - This secret object is NOT managed with corresponding releases and NOR part of Helm deployment/upgrade!
+# It's generated once, and if it's deleted, you will lose the secrets.
+# - This file is only for auto-generated secrets within the chart; don't add secrets for external resources.
+# - The Camunda Helm chart "existingSecret" syntax will be changed in the Camunda 8.8 releases.
+# More details: https://github.com/camunda/camunda-platform-helm/issues/1898
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.global.secrets.name }}
+ labels:
+ {{- include "camundaPlatform.labels" . | nindent 4 }}
+ annotations:
+ {{- include "common.tplvalues.merge" (dict
+ "values" (list .Values.global.annotations .Values.global.secrets.annotations)
+ "context" $) | nindent 4 }}
+type: Opaque
+data:
+ {{- $identityAuth := dict
+ "admin" (((.Values.global.identity.auth).admin).existingSecret).name
+ "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
+ "console" (.Values.global.identity.auth.console.existingSecret).name
+ "operate" (.Values.global.identity.auth.operate.existingSecret).name
+ "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
+ "tasklist" (.Values.global.identity.auth.tasklist.existingSecret).name
+ "zeebe" (.Values.global.identity.auth.zeebe.existingSecret).name
+ }}
+ {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+ ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
+ }}
+ # Identity apps auth.
+ {{- if $identityAuth.admin }}
+ {{ .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.connectors }}
+ {{ .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.console }}
+ {{ .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.operate }}
+ {{ .Values.global.identity.auth.operate.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.optimize }}
+ {{ .Values.global.identity.auth.optimize.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.tasklist }}
+ {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- if $identityAuth.zeebe }}
+ {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+ {{- end }}
+
+ {{- if .Values.identity.firstUser.existingSecret }}
+ # Identity login.
+ {{ .Values.identity.firstUser.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if and .Values.identityPostgresql.enabled .Values.identityPostgresql.auth.existingSecret }}
+ # Identity PostgreSQL.
+ {{ .Values.identityPostgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{ .Values.identityPostgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.identityKeycloak.auth.existingSecret }}
+ # Identity Keycloak login.
+ {{ .Values.identityKeycloak.auth.passwordSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if .Values.identityKeycloak.postgresql.auth.existingSecret }}
+ # Identity Keycloak PostgreSQL.
+ {{ .Values.identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{ .Values.identityKeycloak.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+ {{- if and .Values.postgresql.enabled .Values.postgresql.auth.existingSecret }}
+ # WebModeler PostgreSQL.
+ {{ .Values.postgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+ {{- end }}
+
+{{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
index 6ce2a97997..041fd06aa9 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-connectors.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.connectors.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.connectors.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
index be702baf6c..f9e438f1d0 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-console.yaml
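Review bot: The `{{- if or (...) }}` guard around the Identity apps block omits `$identityAuth.admin`, even though `admin` is built into the dict just above and has its own `{{- if $identityAuth.admin }}` entry inside the block; when only `global.identity.auth.admin.existingSecret` is set, the admin key is never generated. Extend the condition: `{{- if or ($identityAuth.admin) ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)`. Separately, every value is produced by `randAlphaNum 16` at render time while the header comment promises the object is generated once; nothing in this template pins it (no `lookup` of an existing Secret, no `helm.sh/hook` or `helm.sh/resource-policy` annotation), so unless `global.secrets.annotations`, which is set in values and not visible here, supplies that, each `helm upgrade` would rotate every password, and the PostgreSQL ones are typically only applied at first database initialisation. A comment at the `annotations:` merge stating which annotation values are expected to provide, or carrying it in the template itself, would make that contract explicit.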
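Review bot: The rewritten key line still generates its fallback value with `"length" 10`, while the consolidated secret in `secret-camunda.yaml` uses `randAlphaNum 16` for the same credential, so the two auto-generation paths now produce secrets of different strength for the same key; align on 16 here, `... "key" .Values.global.identity.auth.connectors.existingSecretKey "length" 16 ...`. The rendered key is also emitted unquoted and unguarded, so an empty `existingSecretKey` yields an invalid `: <value>` line rather than a clear error; the README hunks above suggest a default is shipped, but `{{ required "global.identity.auth.connectors.existingSecretKey must be set" .Values.global.identity.auth.connectors.existingSecretKey }}` would make an explicit override to empty fail loudly. The length point applies equally to the console, operate and optimize hunks, and the unguarded-key point to the elasticsearch and opensearch hunks as well.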
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.console.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.console.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
index a2abbb0326..a1313561e4 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-elasticsearch.yaml
@@ -6,5 +6,5 @@ metadata:
 annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
- password: {{ .Values.global.elasticsearch.auth.password | b64enc }}
+ {{ .Values.global.elasticsearch.auth.existingSecretKey }}: {{ .Values.global.elasticsearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
index eb8d7fdde7..4439faf8e6 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-opensearch.yaml
@@ -6,5 +6,5 @@ metadata:
 annotations: {{- toYaml .Values.global.annotations | nindent 4 }}
 type: Opaque
 data:
- password: {{ .Values.global.opensearch.auth.password | b64enc }}
+ {{ .Values.global.opensearch.auth.existingSecretKey }}: {{ .Values.global.opensearch.auth.password | b64enc }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
index 01f71da985..89ebf8c073 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-operate.yaml
@@ -8,5 +8,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- operate-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "operate-secret" "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.operate.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.operate.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
index 39bf25c2a5..601ae3375e 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-optimize.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- optimize-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "optimize-secret" "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.optimize.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.optimize.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
index ce900a8b30..1b8ee38408 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-tasklist.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- tasklist-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tasklist-secret" "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.tasklist.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
index f008a5895b..7ad61043e7 100644
--- a/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
+++ b/charts/camunda-platform-alpha/templates/camunda/secret-zeebe.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
- zeebe-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zeebe-secret" "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
+ {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.global.identity.auth.zeebe.existingSecretKey "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
index e3503fedb9..5acf4029a3 100644
--- a/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/connectors/deployment.yaml
@@ -49,7 +49,7 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "connectors.authCredentialsSecretName" . }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- end }}
 {{- if .Values.global.identity.auth.enabled }}
 {{- if eq .Values.connectors.inbound.mode "oauth" }}
@@ -58,12 +58,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
- key: connectors-secret
+ key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
 {{- end }}
 {{- end }}
 - name: ZEEBE_CLIENT_ID
@@ -73,12 +73,12 @@ spec:
 valueFrom:
 secretKeyRef:
 name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- else }}
 valueFrom:
 secretKeyRef:
 name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
- key: zeebe-secret
+ key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
 {{- end }}
 - name: ZEEBE_AUTHORIZATION_SERVER_URL
 value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}
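Review bot: The `key:` values introduced on the `+` lines of all three hunks in connectors/deployment.yaml are emitted unquoted, whereas the literals they replace were fixed strings, so a key that YAML retypes (`on`, `1234`) or an unset `existingSecretKey` that renders as a bare `key:` would only surface when the manifest is applied or the pod starts, since `secretKeyRef.key` is required. Writing `key: {{ .Values.global.identity.auth.connectors.existingSecretKey | quote }}` (and `| quote` on the two zeebe lines) keeps the rendered field a string and matches the `| quote` already used for `ZEEBE_AUTHORIZATION_SERVER_URL` in the last hunk. The same applies to the `key:` lines in identity/deployment.yaml, where the old `"identity-firstuser-password"` was explicitly quoted and the replacement is not, and to operate/deployment.yaml, optimize/deployment.yaml and tasklist/deployment.yaml further down. The surrounding `env` list and its `{{- if }}` branches start before the first hunk.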
diff --git a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
index 81215d2940..1f32bda6d3 100644
--- a/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
+++ b/charts/camunda-platform-alpha/templates/connectors/inbound-secret.yaml
@@ -7,5 +7,5 @@ metadata:
 labels: {{- include "connectors.labels" . | nindent 4 }}
 type: Opaque
 data:
- connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
+ {{ .Values.connectors.inbound.auth.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.connectors.inbound.auth.existingSecretKey "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
index 22fa5cd94a..a90ef1fe1a 100644
--- a/charts/camunda-platform-alpha/templates/identity/deployment.yaml
+++ b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -53,12 +53,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }} - key: operate-secret + key: {{ .Values.global.identity.auth.operate.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }} - key: operate-secret + key: {{ .Values.global.identity.auth.operate.existingSecretKey }} {{- end }} - name: KEYCLOAK_INIT_CONSOLE_SECRET {{- if and .Values.global.identity.auth.console.existingSecret (not (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }} @@ -70,12 +70,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }} - key: console-secret + key: {{ .Values.global.identity.auth.console.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "console") }} - key: console-secret + key: {{ .Values.global.identity.auth.console.existingSecretKey }} {{- end }} - name: KEYCLOAK_INIT_TASKLIST_SECRET {{- if and .Values.global.identity.auth.tasklist.existingSecret (not (typeIs "string" .Values.global.identity.auth.tasklist.existingSecret)) }} 
@@ -87,12 +87,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: "{{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }}" - key: tasklist-secret + key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }} - key: tasklist-secret + key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }} {{- end }} - name: KEYCLOAK_INIT_OPTIMIZE_SECRET {{- if and .Values.global.identity.auth.optimize.existingSecret (not (typeIs "string" .Values.global.identity.auth.optimize.existingSecret)) }} @@ -104,12 +104,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }} - key: optimize-secret + key: {{ .Values.global.identity.auth.optimize.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }} - key: optimize-secret + key: {{ .Values.global.identity.auth.optimize.existingSecretKey }} {{- end }} - name: KEYCLOAK_INIT_WEBMODELER_ROOT_URL value: {{ tpl .Values.global.identity.auth.webModeler.redirectUrl $ | quote }} 
@@ -131,12 +131,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }} - key: connectors-secret + key: {{ .Values.global.identity.auth.connectors.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: - key: connectors-secret name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }} + key: {{ .Values.global.identity.auth.connectors.existingSecretKey }} {{- end }} - name: KEYCLOAK_CLIENTS_0_ROOT_URL value: http://placeholder @@ -160,12 +160,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- end }} - name: KEYCLOAK_CLIENTS_1_TYPE value: "M2M" @@ -190,7 +190,7 @@ spec: valueFrom: secretKeyRef: name: {{ .Values.identity.firstUser.existingSecret }} - key: "identity-firstuser-password" + key: {{ .Values.identity.firstUser.existingSecretKey }} {{- else }} - name: KEYCLOAK_USERS_0_PASSWORD value: {{ .Values.identity.firstUser.password | quote }} diff --git a/charts/camunda-platform-alpha/templates/operate/deployment.yaml b/charts/camunda-platform-alpha/templates/operate/deployment.yaml index c7b7206ddc..e9b77c7ad9 100644 --- a/charts/camunda-platform-alpha/templates/operate/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/operate/deployment.yaml 
@@ -158,7 +158,7 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }} - key: operate-secret + key: {{ .Values.global.identity.auth.operate.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: @@ -168,7 +168,7 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }} - key: operate-secret + key: {{ .Values.global.identity.auth.operate.existingSecretKey }} {{- end }} - name: ZEEBE_CLIENT_ID value: {{ tpl .Values.global.identity.auth.zeebe.clientId $ | quote }} @@ -177,12 +177,12 @@ spec: valueFrom: secretKeyRef: name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- end }} - name: ZEEBE_AUTHORIZATION_SERVER_URL value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }} diff --git a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml index 701678f100..00e405b16c 100644 --- a/charts/camunda-platform-alpha/templates/optimize/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/optimize/deployment.yaml 
@@ -184,12 +184,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }} - key: optimize-secret + key: {{ .Values.global.identity.auth.optimize.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }} - key: optimize-secret + key: {{ .Values.global.identity.auth.optimize.existingSecretKey }} {{- end }} {{- end }} {{- if .Values.global.multitenancy.enabled }} diff --git a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml index a5ffb6f040..d74e02adfb 100644 --- a/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml +++ b/charts/camunda-platform-alpha/templates/tasklist/deployment.yaml @@ -97,12 +97,12 @@ spec: and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml */}} name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }} - key: tasklist-secret + key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }} - key: tasklist-secret + key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }} {{- end }} - name: ZEEBE_CLIENT_ID value: {{ tpl .Values.global.identity.auth.zeebe.clientId $ | quote }} 
@@ -111,12 +111,12 @@ spec: valueFrom: secretKeyRef: name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- else }} valueFrom: secretKeyRef: name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }} - key: zeebe-secret + key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }} {{- end }} - name: ZEEBE_AUTHORIZATION_SERVER_URL value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }} diff --git a/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml index fec822a068..3838f64ef9 100644 --- a/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml +++ b/charts/camunda-platform-alpha/templates/web-modeler/secret-restapi.yaml @@ -11,10 +11,10 @@ metadata: type: Opaque data: {{- if $useExternalDatabasePassword }} - database-password: {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }} + {{ .Values.webModeler.restapi.externalDatabase.existingSecretPasswordKey }} : {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }} {{- end }} {{- if $useSmtpPassword }} - smtp-password: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }} + {{ .Values.webModeler.restapi.mail.existingSecretPasswordKey }}: {{ .Values.webModeler.restapi.mail.existingSecret | default .Values.webModeler.restapi.mail.smtpPassword | b64enc }} {{- end }} {{- end }} 
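Review bot: The rewritten database-password line in web-modeler/secret-restapi.yaml has a space before the colon, `{{ ...existingSecretPasswordKey }} : {{ ... }}`, while the smtp-password line right below it uses `}}: {{`; most parsers accept the extra space, but yamllint's `colons` rule flags it and the two lines should read the same. Drop the space: `{{ .Values.webModeler.restapi.externalDatabase.existingSecretPasswordKey }}: {{ .Values.webModeler.restapi.externalDatabase.existingSecret | default .Values.webModeler.restapi.externalDatabase.password | b64enc }}`. The `$useExternalDatabasePassword` and `$useSmtpPassword` variables this hunk branches on are defined before it.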
diff --git a/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml b/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
index cc34e50b24..4cd8cdeac9 100644
--- a/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
+++ b/charts/camunda-platform-alpha/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml
@@ -1,4 +1,7 @@
 global:
+ secrets:
+ autoGenerated: true
+ name: "integration-credentials-autogen"
 ingress:
 enabled: true
 className: nginx
@@ -14,46 +17,57 @@ global: identity: auth: publicIssuerUrl: "https://{{ .Values.global.ingress.host }}/auth/realms/camunda-platform" + admin: + existingSecret: + name: "integration-credentials-autogen" + existingSecretKey: "identity-admin-client-password" connectors: existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-connectors-client-password" console: redirectUrl: "https://{{ .Values.global.ingress.host }}" existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-console-client-password" operate: redirectUrl: "https://{{ .Values.global.ingress.host }}/operate" existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-operate-client-password" tasklist: redirectUrl: "https://{{ .Values.global.ingress.host }}/tasklist" existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-tasklist-client-password" optimize: redirectUrl: "https://{{ .Values.global.ingress.host }}/optimize" existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-optimize-client-password" webModeler: redirectUrl: "https://{{ .Values.global.ingress.host }}/modeler" zeebe: existingSecret: - name: "integration-test" + name: "integration-credentials-autogen" + existingSecretKey: "identity-zeebe-client-password" identity: contextPath: "/identity" firstUser: - existingSecret: "integration-test" + existingSecret: "integration-credentials-autogen" + existingSecretKey: "identity-user-password" identityKeycloak: postgresql: auth: - existingSecret: "integration-test" - auth: - existingSecret: "integration-test" - -identityPostgresql: + existingSecret: "integration-credentials-autogen" + secretKeys: + adminPasswordKey: "identity-keycloak-postgresql-admin-password" + userPasswordKey: 
"identity-keycloak-postgresql-user-password" auth: - existingSecret: "integration-test" + existingSecret: "integration-credentials-autogen" + passwordSecretKey: "identity-keycloak-admin-password" operate: contextPath: "/operate" @@ -78,14 +92,15 @@ webModeler: mail: # This value is required, otherwise the restapi pod wouldn't start. fromAddress: noreply@example.com - existingSecret: - name: "integration-test" # WebModeler Database. postgresql: enabled: true auth: - existingSecret: "integration-test" + existingSecret: "integration-credentials-autogen" + secretKeys: + adminPasswordKey: "webmodeler-postgresql-admin-password" + userPasswordKey: "webmodeler-postgresql-user-password" zeebeGateway: contextPath: "/zeebe" diff --git a/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml b/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml index 3c3f061b46..f92f838b0f 100644 --- a/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml +++ b/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml @@ -8,8 +8,8 @@ identity: - name: KEYCLOAK_CLIENTS_2_SECRET valueFrom: secretKeyRef: - name: integration-test - key: client-secret + name: integration-credentials-autogen + key: identity-admin-client-password - name: KEYCLOAK_CLIENTS_2_REDIRECT_URIS_0 value: /dummy - name: KEYCLOAK_CLIENTS_2_ROOT_URL diff --git a/charts/camunda-platform-alpha/test/integration/testsuites/core/patches/job.yaml b/charts/camunda-platform-alpha/test/integration/testsuites/core/patches/job.yaml new file mode 100644 index 0000000000..988a88ccda --- /dev/null +++ b/charts/camunda-platform-alpha/test/integration/testsuites/core/patches/job.yaml 
@@ -0,0 +1,41 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: integration-venom
+spec:
+ template:
+ spec:
+ containers:
+ - name: venom
+ env:
+ # Console uses client type "Public" so it's not tested in the machine-to-machine tests.
+ - name: VENOM_VAR_TEST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-admin-client-password
+ - name: VENOM_VAR_CONNECTORS_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-connectors-client-password
+ - name: VENOM_VAR_OPERATE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-operate-client-password
+ - name: VENOM_VAR_OPTIMIZE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-optimize-client-password
+ - name: VENOM_VAR_TASKLIST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-tasklist-client-password
+ - name: VENOM_VAR_ZEEBE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-credentials-autogen
+ key: identity-zeebe-client-password
diff --git a/charts/camunda-platform-alpha/test/integration/testsuites/vars/files/testsuite-core.yaml b/charts/camunda-platform-alpha/test/integration/testsuites/vars/files/testsuite-core.yaml
index 62d344fbb7..e64a6392c4 100644
--- a/charts/camunda-platform-alpha/test/integration/testsuites/vars/files/testsuite-core.yaml
+++ b/charts/camunda-platform-alpha/test/integration/testsuites/vars/files/testsuite-core.yaml
@@ -22,6 +22,9 @@ testcases:
 - name: "{{ .value.component }}"
 type: http
 range:
+ - component: Connectors
+ clientID: connectors
+ clientSecret: "{{ .CONNECTORS_CLIENT_SECRET }}"
 - component: Tasklist
 clientID: tasklist
 clientSecret: "{{ .TASKLIST_CLIENT_SECRET }}"
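Review bot: `VENOM_VAR_TEST_CLIENT_SECRET` in the new job patch is fed from `identity-admin-client-password`, but nothing on that entry says which client it stands for, while every other variable names its component in the variable itself. A comment directly above it, such as `# The generic test client reuses the Identity admin client's secret (global.identity.auth.admin.existingSecretKey in the ingress scenario values).`, would make the mapping explicit, or the variable could be renamed to say admin. The existing remark that Console is a Public client would also read better as a note above the whole list, since it explains an omission rather than the admin entry it currently sits on.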
@@ -31,9 +34,9 @@ testcases:
 - component: Optimize
 clientID: optimize
 clientSecret: "{{ .OPTIMIZE_CLIENT_SECRET }}"
- - component: Connectors
- clientID: connectors
- clientSecret: "{{ .CONNECTORS_CLIENT_SECRET }}"
+ - component: Zeebe
+ clientID: zeebe
+ clientSecret: "{{ .ZEEBE_CLIENT_SECRET }}"
 method: POST
 url: "{{ .coreVars.authURL }}"
 headers:
diff --git a/charts/camunda-platform-alpha/test/unit/identity/golden/deployment.golden.yaml b/charts/camunda-platform-alpha/test/unit/identity/golden/deployment.golden.yaml
index af1379029e..486c46e820 100644
--- a/charts/camunda-platform-alpha/test/unit/identity/golden/deployment.golden.yaml
+++ b/charts/camunda-platform-alpha/test/unit/identity/golden/deployment.golden.yaml
@@ -91,8 +91,8 @@ spec:
 - name: KEYCLOAK_CLIENTS_0_SECRET
 valueFrom:
 secretKeyRef:
- key: connectors-secret
 name: camunda-platform-test-connectors-identity-secret
+ key: connectors-secret
 - name: KEYCLOAK_CLIENTS_0_ROOT_URL
 value: http://placeholder
 - name: KEYCLOAK_CLIENTS_0_REDIRECT_URIS_0
diff --git a/charts/camunda-platform-alpha/values.yaml b/charts/camunda-platform-alpha/values.yaml
index d4f5ecf53b..261df38843 100644
--- a/charts/camunda-platform-alpha/values.yaml
+++ b/charts/camunda-platform-alpha/values.yaml
@@ -37,6 +37,18 @@
 ## @section Global parameters
 ## @extra global
 global:
+ ## Secrets configuration.
+ ## @extra global.secrets configuration for auto-generated secrets which is only used during the installation.
+ secrets:
+ ## @param global.secrets.autoGenerated if true, a secret object will be generated with auto-generated passwords. This secret object is NOT managed with corresponding releases and NOR part of Helm deployment/upgrade! It's generated once, and if it's deleted, you will lose the secrets.
+ autoGenerated: false
+ ## @param global.secrets.name defines the name of the secret object that has the auto-generated passwords.
+ name: "camunda-credentials-autogen"
+ ## @param global.secrets.annotations [object] defines the secret object annotations that utilize Helm hooks to keep that object out of the Helm deployment.
+ annotations:
+ helm.sh/hook: 'pre-install'
+ helm.sh/resource-policy: 'keep'
+
 ## License configuration.
 ## @extra global.license
 license:
@@ -46,9 +58,8 @@ global:
 existingSecret:
 ## @param global.license.existingSecretKey you can provide the key within the existing secret object for Camunda license key.
 existingSecretKey:
- ## @param global.compatibility.openshift.adaptSecurityContext
- ## Compatibility adaptations for Kubernetes platforms
- ##
+
+ ## @extra global.compatibility Compatibility adaptations for Kubernetes platforms
 compatibility:
 ## Compatibility adaptations for Openshift
 ##
@@ -56,6 +67,7 @@ global:
 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)
 ##
 adaptSecurityContext: disabled
+
 ## Multitenancy configuration.
 ## @extra global.multitenancy
 multitenancy:
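Review bot: The `@param global.secrets.autoGenerated` description says the secret is generated once, but it does not say that the `helm.sh/hook: 'pre-install'` annotation defined a few lines below means the object is only ever created by `helm install`; if I read the hook semantics right, flipping `autoGenerated: true` on an already-installed release via `helm upgrade` creates nothing, and any component whose `existingSecret` points at `global.secrets.name` then fails on a missing secret. That is worth stating on the same line, e.g. append `The secret is created by a pre-install hook, so enabling this on an existing release through helm upgrade does not create it.` The phrase `and NOR part of Helm deployment/upgrade` should read `nor part of the Helm deployment/upgrade`. The `@param global.secrets.name` line could also note that components only use this secret when their own `existingSecret` is set to the same name, which is how the integration scenario values in this change wire it up.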
@@ -132,7 +144,7 @@ global: username: password: existingSecret: - existingSecretKey: + existingSecretKey: "password" ## @param global.elasticsearch.disableExporter DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled disableExporter: false ## @extra global.elasticsearch.url Configuration to configure elasticsearch url @@ -170,7 +182,7 @@ global: username: password: existingSecret: - existingSecretKey: + existingSecretKey: "password" ## @extra global.opensearch.url Configuration to configure opensearch url ## @param global.opensearch.url.protocol defines the external opensearch access protocol ## @param global.opensearch.url.host defines the external opensearch host, ideally the service name inside the namespace @@ -240,8 +252,9 @@ global: ## @param global.identity.auth.connectors.clientId defines the client id, which is used by Connectors in authentication flows. clientId: connectors ## @param global.identity.auth.connectors.existingSecret can be used to use an own existing secret. If not set a random secret is generated. - # The existing secret should contain an `connectors-secret` field, which will be used as secret for the identity-Connectors communication. existingSecret: + ## @param global.identity.auth.connectors.existingSecretKey defines the key within the existing secret object. + existingSecretKey: connectors-secret ## @extra global.identity.auth.identity configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts identity: 
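Review bot: The removed comment under `global.identity.auth.connectors.existingSecret` told users the external secret must carry a `connectors-secret` field; the new `@param ...existingSecretKey` text only says it "defines the key within the existing secret object", dropping the fact that the same key is also the data key of the secret the chart generates itself when `existingSecret` is unset (secret-connectors.yaml earlier in this change) and, from what the template at the top of this chunk shows, of the auto-generated hook secret as well. Suggest `## @param global.identity.auth.connectors.existingSecretKey defines the key within the existing secret object; the chart-generated secret and the auto-generated hook secret use the same key.`. The identity, operate, tasklist, optimize, console and zeebe `existingSecretKey` params in the following hunks carry the identical one-line description and would benefit from the same wording.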
@@ -250,8 +263,9 @@ global:
 ## @param global.identity.auth.identity.audience defines the audience, which is used by Identity.
 audience: camunda-identity-resource-server
 ## @param global.identity.auth.identity.existingSecret can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated.
- # The existing secret should contain an `identity-secret` field, which will be used as secret for the identity-identity communication.
 existingSecret:
+ ## @param global.identity.auth.identity.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: identity-secret
 ## @param global.identity.auth.identity.redirectUrl defines the redirect URL, which is used by the auth platform to access Identity.
 # Should be publicly accessible, the default value works if a port-forward to Identity is created to 8085.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -269,8 +283,9 @@ global:
 ## @param global.identity.auth.operate.audience defines the audience, which is used by Operate.
 audience: operate-api
 ## @param global.identity.auth.operate.existingSecret can be used to reference an existing secret. If not set, a random secret is generated.
- # The existing secret should contain an `operate-secret` field, which will be used as secret for the identity-Operate communication.
 existingSecret:
+ ## @param global.identity.auth.operate.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: operate-secret
 ## @param global.identity.auth.operate.redirectUrl defines the redirect URL, which is used by Keycloak to access Operate.
 # Should be publicly accessible, the default value works if a port-forward to Operate is created to 8081.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -283,8 +298,9 @@ global:
 ## @param global.identity.auth.tasklist.audience defines the audience, which is used by Tasklist.
 audience: tasklist-api
 ## @param global.identity.auth.tasklist.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `tasklist-secret` field, which will be used as secret for the identity-Tasklist communication.
 existingSecret:
+ ## @param global.identity.auth.tasklist.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: tasklist-secret
 ## @param global.identity.auth.tasklist.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.
 # Should be publicly accessible, the default value works if a port-forward to Tasklist is created to 8082.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -297,8 +313,9 @@ global:
 ## @param global.identity.auth.optimize.audience defines the audience, which is used by Optimize.
 audience: optimize-api
 ## @param global.identity.auth.optimize.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `optimize-secret` field, which will be used as secret for the identity-Optimize communication.
 existingSecret:
+ ## @param global.identity.auth.optimize.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: optimize-secret
 ## @param global.identity.auth.optimize.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Optimize.
 # Should be publicly accessible, the default value works if a port-forward to Optimize is created to 8083.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -326,8 +343,9 @@ global:
 ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
 wellKnown: https://well-known-uri
 ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
 existingSecret:
+ ## @param global.identity.auth.console.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: console-secret
 ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access WebModeler.
 # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8080.
 # Can be overwritten if ingress is in use and an external IP is available.
@@ -338,8 +356,9 @@ global:
 ## @param global.identity.auth.zeebe.clientId defines the client id, which is used by Zeebe in authentication flows.
 clientId: zeebe
 ## @param global.identity.auth.zeebe.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
- # The existing secret should contain an `zeebe-secret` field, which will be used as secret for the Identity-Zeebe communication.
 existingSecret:
+ ## @param global.identity.auth.zeebe.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: zeebe-secret
 ## @param global.identity.auth.zeebe.audience defines the audience, which is used by Zeebe.
 audience: zeebe-api
 ## @param global.identity.auth.zeebe.tokenScope defines the token scope, which is used by Zeebe.
@@ -2000,8 +2019,9 @@ identity:
 ## @param identity.firstUser.lastName defines the last name of the first user; a name is required to use WebModeler
 lastName: User
 ## @param identity.firstUser.existingSecret can be used to use an own existing secret for Identity first user.
- # Currently, only password field is supported via "identity-firstuser-password" key in the secret resource.
 existingSecret: ""
+ ## @param identity.firstUser.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: "identity-firstuser-password"
 ## @extra identity.image configuration to configure the identity image specifics
 image:
@@ -2249,6 +2269,7 @@ identityPostgresql:
 ## @param identityPostgresql.enabled Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy.
 ##
 enabled: false
+ ## @extra identityPostgresql.global.compatibility Compatibility adaptations for Kubernetes platforms
 global:
 ## Compatibility adaptations for Kubernetes platforms
 ##
@@ -2282,6 +2303,11 @@ identityPostgresql:
 ## @param identityPostgresql.auth.existingSecret Name of an existing secret resource containing the database credentials
 ##
 existingSecret:
+ secretKeys:
+ ## @param identityPostgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
+ adminPasswordKey: "postgres-password"
+ ## @param identityPostgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
+ userPasswordKey: "password"
 # Identity. # # ###### # # #### # #### ## # #
@@ -2295,6 +2321,7 @@ identityPostgresql:
 identityKeycloak:
 ## @param identityKeycloak.enabled Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart
 enabled: true
+ ## @extra identityKeycloak.global.compatibility Compatibility adaptations for Kubernetes platforms
 global:
 ## Compatibility adaptations for Kubernetes platforms
 ##
@@ -2324,6 +2351,14 @@ identityKeycloak:
 repository: bitnami/postgresql
 ## @param identityKeycloak.postgresql.image.tag image tag
 tag: 15.8.0
+ auth:
+ ## @param identityKeycloak.postgresql.auth.existingSecret defines the existing secret resource containing the database credentials
+ existingSecret:
+ secretKeys:
+ ## @param identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
+ adminPasswordKey: "postgres-password"
+ ## @param identityKeycloak.postgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
+ userPasswordKey: "password"
 primary:
 ## @param identityKeycloak.postgresql.primary.containerSecurityContext.enabled
 ## @param identityKeycloak.postgresql.primary.containerSecurityContext.privileged
@@ -2366,10 +2401,11 @@ identityKeycloak:
 ## @skip identityKeycloak.extraVolumes [object] Extra volumes for keycloak
 ## @skip identityKeycloak.extraVolumes[0].name
 ## @skip identityKeycloak.extraVolumes[0].emptyDir
+ ## @skip identityKeycloak.extraVolumes[1].name
+ ## @skip identityKeycloak.extraVolumes[1].emptyDir
 extraVolumes:
 - name: data-tmp
 emptyDir: {}
-
 ## @param identityKeycloak.extraVolumeMounts[0].name
 ## @param identityKeycloak.extraVolumeMounts[0].mountPath
 extraVolumeMounts:
@@ -2443,6 +2479,8 @@ identityKeycloak:
 ## @param identityKeycloak.auth.existingSecret can be used to reuse an existing secret containing authentication information.
 # See https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ for more details.
 existingSecret: ""
+ ## @param identityKeycloak.auth.passwordSecretKey defines the key within the existing secret object.
+ passwordSecretKey: "admin-password"
 #######################################################################
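Review bot: The two added `## @skip identityKeycloak.extraVolumes[1].name` / `[1].emptyDir` annotations in the second hunk describe a second volume, but the only entry visible under `extraVolumes:` is `- name: data-tmp`; unless a second `emptyDir` volume is appended further down outside this hunk, the annotations refer to nothing and readme-generator will treat them as documentation for a value that does not exist. Either add the volume they are meant to cover in the same change or drop the two lines, so that the parameter table stays in sync with the actual list. The hunk ends inside the `extraVolumeMounts` stanza, so I cannot tell from here whether a matching mount for a second volume was added.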
@@ -2513,7 +2551,7 @@ webModeler:
 ## @param webModeler.restapi.externalDatabase.existingSecret can be used to provide the name of an existing secret resource containing the database password
 existingSecret:
 ## @param webModeler.restapi.externalDatabase.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the database password
- existingSecretPasswordKey: ""
+ existingSecretPasswordKey: "database-password"
 ## @extra webModeler.restapi.mail configuration for emails sent by WebModeler
 mail:
@@ -2530,7 +2568,7 @@ webModeler:
 ## @param webModeler.restapi.mail.existingSecret can be used to provide the name of an existing secret resource containing the SMTP password
 existingSecret:
 ## @param webModeler.restapi.mail.existingSecretPasswordKey can be used to provide the name of an existing secret key containing the SMTP password
- existingSecretPasswordKey: ""
+ existingSecretPasswordKey: "smtp-password"
 ## @param webModeler.restapi.mail.fromAddress defines the email address that will be displayed as the sender of emails sent by WebModeler
 # NOTE: This value is mandatory.
 fromAddress: ""
@@ -3065,6 +3103,7 @@ postgresql:
 ## @param postgresql.enabled if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart
 # Note: If WebModeler is enabled, and WebModeler Postgresql is disabled, the external database configuration must be set under "webModeler.restapi.externalDatabase".
 enabled: false
+ ## @extra postgresql.global.compatibility Compatibility adaptations for Kubernetes platforms
 global:
 ## Compatibility adaptations for Kubernetes platforms
 ##
@@ -3094,6 +3133,11 @@ postgresql:
 database: web-modeler
 ## @param postgresql.auth.existingSecret can be used to provide the name of an existing secret resource containing the database password
 existingSecret: ""
+ secretKeys:
+ ## @param postgresql.auth.secretKeys.adminPasswordKey defines the key within the existing secret object for PostgreSQL admin.
+ adminPasswordKey: "postgres-password"
+ ## @param postgresql.auth.secretKeys.userPasswordKey defines the key within the existing secret object for PostgreSQL user.
+ userPasswordKey: "password"
 ## @param postgresql.primary.containerSecurityContext.enabled
 ## @param postgresql.primary.containerSecurityContext.allowPrivilegeEscalation
@@ -3146,6 +3190,8 @@ connectors:
 auth:
 ## @param connectors.inbound.auth.existingSecret can be used to configure Secret name that contains Operate password (if inbound mode is credentials)
 existingSecret: ""
+ ## @param connectors.inbound.auth.existingSecretKey defines the key within the existing secret object.
+ existingSecretKey: "connectors-secret"
 ## @extra connectors.image configuration to configure the Connectors image specifics
 # https://hub.docker.com/r/camunda/connectors-bundle/tags
@@ -3378,6 +3424,7 @@ connectors:
 elasticsearch:
 ## @param elasticsearch.enabled
 enabled: true
+ ## @extra elasticsearch.global.compatibility Compatibility adaptations for Kubernetes platforms
 global:
 ## Compatibility adaptations for Kubernetes platforms
 ##
diff --git a/charts/camunda-platform-latest/test/integration/testsuites/core/patches/job.yaml b/charts/camunda-platform-latest/test/integration/testsuites/core/patches/job.yaml
new file mode 100644
index 0000000000..d5362c4628
--- /dev/null
+++ b/charts/camunda-platform-latest/test/integration/testsuites/core/patches/job.yaml
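Review bot: In the `connectors.inbound.auth` hunk the new default `existingSecretKey: "connectors-secret"` names the key that, per the comment on the line above, holds the Operate password for credentials mode, while `global.identity.auth.connectors.existingSecretKey` elsewhere in this same change defaults to the identical key name `connectors-secret` for the Connectors OIDC client secret. An operator who points both `existingSecret` fields at one Secret therefore ends up with a single value serving as both the Operate password and the client secret without any warning, and the `## @param` text ("defines the key within the existing secret object") does not say which credential this key is for. At minimum document it: `## @param connectors.inbound.auth.existingSecretKey defines the key within existingSecret that holds the Operate password used in credentials mode (this is not the Identity client secret).` If the consuming template and docs can be updated together, a distinct default such as `"connectors-operate-password"` would remove the collision, though that is a compatibility decision I cannot judge from this hunk.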
@@ -0,0 +1,42 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: integration-venom
+spec:
+ template:
+ spec:
+ containers:
+ - name: venom
+ # All env vars here assume that the Helm deployment is called "integration".
+ env:
+ # Used to access get token from Keycloak to access Camunda APIs.
+ - name: VENOM_VAR_TEST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: client-secret
+ - name: VENOM_VAR_CONSOLE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: console-secret
+ - name: VENOM_VAR_TASKLIST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: tasklist-secret
+ - name: VENOM_VAR_OPERATE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: operate-secret
+ - name: VENOM_VAR_OPTIMIZE_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: optimize-secret
+ - name: VENOM_VAR_CONNECTORS_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: connectors-secret
diff --git a/docs/gha-workflows.md b/docs/gha-workflows.md
index 55a555a99d..2fa156b439 100644
--- a/docs/gha-workflows.md
+++ b/docs/gha-workflows.md
@@ -63,6 +63,13 @@ jobs:
 # Required: false
 camunda-helm-git-ref: 'main'
+
+ # Auto-generate credentials or copy them from external secret. Valid options: auto-generated or external-secret
+ # New optional auto-generated secrets are only supported in Camunda 8.6 chart and above.
+ # Default: 'auto-generated'
+ # Required: false
+ camunda-helm-credentials-source: 'auto-generated'
+
 # Git reference of the caller's repository (branch, tag, or commit SHA) that initiated the workflow
 # Default: 'main'
 # Required: false
diff --git a/test/integration/scenarios/lib/testsuite-deploy-taskfile.yaml b/test/integration/scenarios/lib/testsuite-deploy-taskfile.yaml
index 76df45913d..0408decf4d 100644
--- a/test/integration/scenarios/lib/testsuite-deploy-taskfile.yaml
+++ b/test/integration/scenarios/lib/testsuite-deploy-taskfile.yaml
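Review bot: None of the six `secretKeyRef`s in this new chart-local patch set `optional: true`, so the venom pod cannot be created (CreateContainerConfigError) whenever the `integration-test` Secret lacks any one of `client-secret`, `console-secret`, `tasklist-secret`, `operate-secret`, `optimize-secret` or `connectors-secret`; if a scenario without Console is a supported test case, `console-secret` alone will block the whole Job. The shared `test/integration/testsuites/core/patches/job.yaml` touched in the same change keeps `optional: true` on `VENOM_VAR_TEST_CLIENT_SECRET` expressly so Venom can be debugged without a Camunda deployment, and the new taskfile step appears to copy this file over that one, which would silently drop that behaviour. Either mirror it by adding `optional: true` under the `secretKeyRef` entries that may legitimately be absent, or add a comment stating that the chart-local patch intentionally requires every key. The comment `# Used to access get token from Keycloak to access Camunda APIs.` would also read better as `# Used to obtain a token from Keycloak for calling the Camunda APIs.`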
@@ -25,6 +25,10 @@ tasks:
 kustomize edit add configmap venom-tests --disableNameSuffixHash \
 --from-file=files/testsuite-{{ .testID }}.yaml
 )
+ # Add testsuites secrets patch.
+ - |
+ cp -a {{ .chartDir }}/test/integration/testsuites/core/patches/* \
+ ../../testsuites/core/patches/
 - |
 kubectl kustomize {{ .chartDir }}/test/integration/testsuites/vars | kubectl apply -n $TEST_NAMESPACE -f -
 # Add imagePullSecrets if needed.
diff --git a/test/integration/testsuites/base/job.yaml b/test/integration/testsuites/base/job.yaml
index bd686c808a..ae50f86ac5 100644
--- a/test/integration/testsuites/base/job.yaml
+++ b/test/integration/testsuites/base/job.yaml
@@ -60,14 +60,6 @@ spec:
 env:
 - name: IS_TTY
 value: "true"
- # Used to access get token from Keycloak to access Camunda APIs.
- - name: VENOM_VAR_TEST_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: integration-test
- key: client-secret
- # Making it optional for debugging Venom where is no Camunda is deployed.
- optional: true
 - name: VENOM_VAR_K8S_NAMESPACE
 valueFrom:
 fieldRef:
diff --git a/test/integration/testsuites/core/patches/job.yaml b/test/integration/testsuites/core/patches/job.yaml
index 4fc82df0d7..023b23fd5c 100644
--- a/test/integration/testsuites/core/patches/job.yaml
+++ b/test/integration/testsuites/core/patches/job.yaml
@@ -9,12 +9,19 @@ spec:
 - name: venom
 # All env vars here assume that the Helm deployment is called "integration".
 env:
+ # Used to access get token from Keycloak to access Camunda APIs.
+ - name: VENOM_VAR_TEST_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: integration-test
+ key: client-secret
+ # Making it optional for debugging Venom where is no Camunda is deployed.
+ optional: true
 - name: VENOM_VAR_CONSOLE_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
 name: integration-test
 key: console-secret
- optional: true
 - name: VENOM_VAR_TASKLIST_CLIENT_SECRET
 valueFrom:
 secretKeyRef:
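Review bot: The new `cp -a {{ .chartDir }}/test/integration/testsuites/core/patches/* ../../testsuites/core/patches/` step has no guard, so for any chart directory that has no `patches` folder (the `external-secret` credentials source this change introduces exists precisely for charts older than the one that ships the new patch) the unexpanded glob makes `cp` exit non-zero and the deploy task stops before kustomize runs. It also overwrites the shared `test/integration/testsuites/core/patches/job.yaml` in the working tree, so a later run against a different `chartDir` on the same checkout inherits the previous chart's patch unless something resets it, which is not visible in this hunk. Consider `src="{{ .chartDir }}/test/integration/testsuites/core/patches"` followed by `if [ -d "$src" ]; then cp -a "$src"/. ../../testsuites/core/patches/; fi`, and note in the comment that the relative destination depends on the working directory set by the earlier steps of this task, which start outside the hunk.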
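Review bot: In the last hunk, removing `optional: true` from the `VENOM_VAR_CONSOLE_CLIENT_SECRET` secretKeyRef makes `console-secret` a hard requirement of the `integration-test` Secret, so the venom container fails to be created whenever that key is missing, while the `VENOM_VAR_TEST_CLIENT_SECRET` entry moved in from the base job keeps `optional: true` for exactly the debugging case described in its comment. If failing fast on a missing Console credential is the intent, say so in a comment next to the entry; otherwise restore `optional: true` under that `secretKeyRef`. The moved comment `# Making it optional for debugging Venom where is no Camunda is deployed.` would also read better as `# Optional so Venom can be debugged where no Camunda is deployed.` The env list continues past the end of the hunk, so I cannot see whether the remaining entries kept or lost their `optional` flags.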