fix: support optional chart secrets auto-generation - camunda 8.3 (#2742

) Co-authored-by: distro-ci[bot] <122795778+distro-ci[bot]@users.noreply.github.com>
camunda · Jan 8, 2025 · 653b31d · 653b31d
1 parent 910cd66
commit 653b31d
Show file tree

Hide file tree

Showing 19 changed files with 354 additions and 196 deletions.
diff --git a/Makefile b/Makefile
@@ -100,7 +100,6 @@ tools.zbctl-topology:
 .PHONY: helm.repos-add
 helm.repos-add:
 	helm repo add camunda https://helm.camunda.io
-	helm repo add bitnami https://charts.bitnami.com/bitnami
 	helm repo add elastic https://helm.elastic.co
 	helm repo update
 

diff --git a/charts/camunda-platform-8.3/README.md b/charts/camunda-platform-8.3/README.md
diff --git a/charts/camunda-platform-8.3/charts/identity/templates/deployment.yaml b/charts/camunda-platform-8.3/charts/identity/templates/deployment.yaml
@@ -52,12 +52,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_OPERATE_ROOT_URL
               value: {{ tpl .Values.global.identity.auth.operate.redirectUrl $ | quote }}
@@ -71,12 +71,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }}
-                  key: console-secret
+                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "console") }}
-                  key: console-secret
+                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_CONSOLE_ROOT_URL
               value: {{ tpl .Values.global.identity.auth.console.redirectUrl $ | quote }}
@@ -90,12 +90,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: "{{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.tasklist.existingSecret "context" $) }}"
-                  key: tasklist-secret
+                  key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "tasklist") }}
-                  key: tasklist-secret
+                  key: {{ .Values.global.identity.auth.tasklist.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_TASKLIST_ROOT_URL
               value: {{ tpl .Values.global.identity.auth.tasklist.redirectUrl $ | quote }}
@@ -109,12 +109,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_INIT_OPTIMIZE_ROOT_URL
               value: {{ tpl .Values.global.identity.auth.optimize.redirectUrl $ | quote }}
@@ -138,11 +138,11 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
               {{- end }}
             - name: KEYCLOAK_CLIENTS_0_ROOT_URL
@@ -167,12 +167,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- end }}
             - name: KEYCLOAK_CLIENTS_1_TYPE
               value: "M2M"

diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-camunda.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.global.secrets.autoGenerated }}
+# NOTE:
+# - This secret object is NOT managed with corresponding releases and NOR part of Helm deployment/upgrade!
+#   It's generated once, and if it's deleted, you will lose the secrets.
+# - This file is only for auto-generated secrets within the chart; don't add secrets for external resources.
+# - The Camunda Helm chart "existingSecret" syntax will be changed in the Camunda 8.8 releases.
+#   More details: https://github.com/camunda/camunda-platform-helm/issues/1898
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.global.secrets.name }}
+  labels:
+    {{- include "camundaPlatform.labels" . | nindent 4 }}
+  annotations:
+    {{- include "common.tplvalues.merge" (dict
+      "values" (list .Values.global.annotations .Values.global.secrets.annotations)
+      "context" $) | nindent 4 }}
+type: Opaque
+data:
+  {{- $identityAuth := dict
+    "admin" (((.Values.global.identity.auth).admin).existingSecret).name
+    "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
+    "console" (.Values.global.identity.auth.console.existingSecret).name
+    "operate" (.Values.global.identity.auth.operate.existingSecret).name
+    "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
+    "tasklist" (.Values.global.identity.auth.tasklist.existingSecret).name
+    "zeebe" (.Values.global.identity.auth.zeebe.existingSecret).name
+  }}
+  {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+            ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
+  }}
+  # Identity apps auth.
+  {{- if $identityAuth.admin }}
+  {{ .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.connectors }}
+  {{ .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.console }}
+  {{ .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.operate }}
+  {{ .Values.global.identity.auth.operate.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.optimize }}
+  {{ .Values.global.identity.auth.optimize.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.tasklist }}
+  {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- if $identityAuth.zeebe }}
+  {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+  {{- end }}
+
+  {{- if .Values.identity.firstUser.existingSecret }}
+  # Identity login.
+  {{ .Values.identity.firstUser.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if and .Values.identity.postgresql.enabled .Values.identity.postgresql.auth.existingSecret }}
+  # Identity PostgreSQL.
+  {{ .Values.identity.postgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{ .Values.identity.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identity.keycloak.auth.existingSecret }}
+  # Identity Keycloak login.
+  {{ .Values.identity.keycloak.auth.passwordSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if .Values.identity.keycloak.postgresql.auth.existingSecret }}
+  # Identity Keycloak PostgreSQL.
+  {{ .Values.identity.keycloak.postgresql.auth.secretKeys.adminPasswordKey  }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{ .Values.identity.keycloak.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+  {{- if and .Values.postgresql.enabled .Values.postgresql.auth.existingSecret }}
+  # WebModeler PostgreSQL.
+  {{ .Values.postgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{ .Values.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{- end }}
+
+{{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-connectors.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-connectors.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.connectors.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.connectors.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.connectors.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-console.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-console.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.console.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.console.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-operate.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-operate.yaml
@@ -8,5 +8,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  operate-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "operate-secret" "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.operate.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.operate.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.operate.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-optimize.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-optimize.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  optimize-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "optimize-secret" "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.optimize.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.optimize.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.optimize.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-tasklist.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-tasklist.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  tasklist-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "tasklist-secret" "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.tasklist.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.tasklist.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.tasklist.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/camunda/secret-zeebe.yaml b/charts/camunda-platform-8.3/templates/camunda/secret-zeebe.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
 type: Opaque
 data:
-  zeebe-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "zeebe-secret" "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
+  {{ .Values.global.identity.auth.zeebe.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.global.identity.auth.zeebe.existingSecretKey) "length" 10 "providedValues" (list "global.identity.auth.zeebe.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/connectors/deployment.yaml b/charts/camunda-platform-8.3/templates/connectors/deployment.yaml
@@ -58,7 +58,7 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "connectors.authCredentialsSecretName" . }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
           {{- end }}
           {{- if and .Values.global.identity.auth.enabled (eq .Values.connectors.inbound.mode "oauth") }}
             - name: CAMUNDA_OPERATE_CLIENT_KEYCLOAK-TOKEN-URL
@@ -70,12 +70,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.connectors.existingSecret "context" $) }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "connectors") }}
-                  key: connectors-secret
+                  key: {{ .Values.global.identity.auth.connectors.existingSecretKey }}
               {{- end }}
             - name: CAMUNDA_OPERATE_CLIENT_URL
               value: {{ include "camundaPlatform.operateURL" . | quote }}
@@ -92,12 +92,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- end }}
             - name: ZEEBE_AUTHORIZATION_SERVER_URL
               value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}

diff --git a/charts/camunda-platform-8.3/templates/connectors/inbound-secret.yaml b/charts/camunda-platform-8.3/templates/connectors/inbound-secret.yaml
@@ -7,5 +7,5 @@ metadata:
   labels: {{- include "connectors.labels" . | nindent 4 }}
 type: Opaque
 data:
-  connectors-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "connectors-secret" "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
+  {{ .Values.connectors.inbound.auth.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" (print .Values.connectors.inbound.auth.existingSecretKey) "length" 10 "providedValues" (list "connectors.inbound.auth.existingSecret") "context" $) }}
 {{- end }}
diff --git a/charts/camunda-platform-8.3/templates/operate/deployment.yaml b/charts/camunda-platform-8.3/templates/operate/deployment.yaml
@@ -68,7 +68,7 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.operate.existingSecret "context" $) }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
@@ -78,7 +78,7 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
-                  key: operate-secret
+                  key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- end }}
             - name: CAMUNDA_OPERATE_IDENTITY_AUDIENCE
               value: "operate-api"
@@ -95,12 +95,12 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.zeebe.existingSecret "context" $) }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "zeebe") }}
-                  key: zeebe-secret
+                  key: {{ .Values.global.identity.auth.zeebe.existingSecretKey }}
               {{- end }}
             - name: ZEEBE_AUTHORIZATION_SERVER_URL
               value: {{ include "camundaPlatform.authIssuerBackendUrlTokenEndpoint" . | quote }}

diff --git a/charts/camunda-platform-8.3/templates/optimize/deployment.yaml b/charts/camunda-platform-8.3/templates/optimize/deployment.yaml
@@ -105,12 +105,12 @@ spec:
                       and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
                   */}}
                   name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.optimize.existingSecret "context" $) }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- else }}
               valueFrom:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "optimize") }}
-                  key: optimize-secret
+                  key: {{ .Values.global.identity.auth.optimize.existingSecretKey }}
               {{- end }}
             - name: CAMUNDA_OPTIMIZE_IDENTITY_AUDIENCE
               value: "optimize-api"