camunda · aabouzaid · Sep 2, 2024 · Sep 2, 2024
diff --git a/.github/config/external-secret/external-secret-certificates.yaml b/.github/config/external-secret/external-secret-certificates.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-secret-camunda-platform
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: distribution-team
+  target:
+    name: camunda-platform  # name of the k8s Secret to be created
+  data:
+  - secretKey: tls.crt
+    remoteRef:
+      key: ci-distro-ultrawombat-com
+      property: tls.crt
+  - secretKey: tls.key
+    remoteRef:
+      key: ci-distro-ultrawombat-com
+      property: tls.key
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-secret-zeebe-gateway
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: distribution-team
+  target:
+    name: camunda-platform-zeebe-gateway  # name of the k8s Secret to be created
+  data:
+  - secretKey: tls.crt
+    remoteRef:
+      key: ci-distro-ultrawombat-com
+      property: tls.crt
+  - secretKey: tls.key
+    remoteRef:
+      key: ci-distro-ultrawombat-com
+      property: tls.key
diff --git a/.github/config/external-secret.yaml → ...l-secret/external-secret-credentials.yaml b/.github/config/external-secret.yaml → ...l-secret/external-secret-credentials.yaml
@@ -1,49 +1,5 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: external-secret-camunda-platform
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: distribution-team
-  target:
-    name: camunda-platform  # name of the k8s Secret to be created
-  data:
-  - secretKey: tls.crt
-    remoteRef:
-      key: ci-distro-ultrawombat-com
-      property: tls.crt
-  - secretKey: tls.key
-    remoteRef:
-      key: ci-distro-ultrawombat-com
-      property: tls.key
-
----
-
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: external-secret-zeebe-gateway
-spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: distribution-team
-  target:
-    name: camunda-platform-zeebe-gateway  # name of the k8s Secret to be created
-  data:
-  - secretKey: tls.crt
-    remoteRef:
-      key: ci-distro-ultrawombat-com
-      property: tls.crt
-  - secretKey: tls.key
-    remoteRef:
-      key: ci-distro-ultrawombat-com
-      property: tls.key
-
+# This file should be removed when Camunda 8.5 reaches EOL since Camunda 8.6 chart has a built-in auto-gen.
 ---
-
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:

diff --git a/.github/workflows/test-integration-template.yaml b/.github/workflows/test-integration-template.yaml
@@ -26,6 +26,14 @@ on:
         required: false
         default: ""
         type: string
+      camunda-helm-credentials-source:
+        description: |
+          Auto-generate credentials or copy them from external secret.
+          Valid options: auto-generated or external-secret.
+          New optional auto-generated secrets are only supported in Camunda 8.6 chart and above.
+        required: false
+        default: "auto-generated"
+        type: string
       caller-git-ref:
         required: false
         default: main
@@ -235,9 +243,23 @@ jobs:
           kubectl label ns $TEST_NAMESPACE github-repo=$(basename $GITHUB_REPOSITORY)
           kubectl annotate ns $TEST_NAMESPACE cleaner/ttl=1d
           kubectl annotate ns $TEST_NAMESPACE github-workflow-run-url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
-      - name: Copy PRs wildcard certificate
+      - name: Set Deployment Secrets
         run: |
-          kubectl apply -n $TEST_NAMESPACE -f .github/config/external-secret.yaml
+          kubectl apply -n $TEST_NAMESPACE \
+            -f .github/config/external-secret/external-secret-certificates.yaml
+
+          # External-secrets that are predefined and copied from another namespace.
+          if [[ ${{ inputs.camunda-helm-credentials-source }} == 'external-secret' ]]; then
+            kubectl apply -n $TEST_NAMESPACE \
+              -f .github/config/external-secret/external-secret-credentials.yaml
+          fi
+
+          # Auto-generated secrets that are generated by the chart at the installation.
+          if [[ ${{ matrix.scenario.flow }} == 'upgrade' ]] &&
+          [[ ${{ inputs.camunda-helm-credentials-source }} == 'auto-generated' ]]; then
+            _TEST_HELM_EXTRA_ARGS="${TEST_HELM_EXTRA_ARGS} --set global.secrets.autoGenerated=true"
+            echo "TEST_HELM_EXTRA_ARGS=${_TEST_HELM_EXTRA_ARGS}" | tee -a $GITHUB_ENV
+          fi
       - name: Start GitHub deployment
         uses: bobheadxi/deployments@648679e8e4915b27893bd7dbc35cb504dc915bc8 # v1
         id: deployment
@@ -262,6 +284,7 @@ jobs:
           TEST_CHART_FLOW: ${{ matrix.scenario.flow }}
           TEST_OPENSHIFT_POST_RENDER: ${{ inputs.camunda-helm-post-render }}
           TEST_HELM_EXTRA_ARGS: >-
+            ${{ env.TEST_HELM_EXTRA_ARGS }}
             --set global.ingress.host=${{ steps.vars.outputs.ingress-host }}
             --values ${{ steps.test-type-vars.outputs.valuesBaseDir }}/infra/values-infra-${{ inputs.infra-type }}.yaml
             --values /tmp/extra-values-file.yaml

diff --git a/.github/workflows/test-version-alpha.yaml b/.github/workflows/test-version-alpha.yaml
@@ -59,3 +59,4 @@ jobs:
       # We need to set the var here as the Alpha is stored on the OCI Helm registry and uses different versioning.
       camunda-helm-upgrade-version: "0.0.0-snapshot-alpha"
       camunda-helm-post-render: false
+      caller-git-ref: "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/test-version-latest.yaml b/.github/workflows/test-version-latest.yaml
@@ -55,4 +55,5 @@ jobs:
       flows: "install,upgrade"
       camunda-helm-dir: "camunda-platform-latest"
       camunda-helm-git-ref: "${{ github.event.pull_request.head.sha }}"
+      camunda-helm-credentials-source: "external-secret"
       caller-git-ref: "${{ github.event.pull_request.head.sha }}"
diff --git a/.github/workflows/test-version-maintenance.yaml b/.github/workflows/test-version-maintenance.yaml
@@ -85,4 +85,5 @@ jobs:
       flows: "install,upgrade"
       camunda-helm-dir: "camunda-platform-${{ matrix.version }}"
       camunda-helm-git-ref: "${{ github.event.pull_request.head.sha }}"
+      camunda-helm-credentials-source: "external-secret"
       caller-git-ref: "${{ github.event.pull_request.head.sha }}"