wip

camunda · Nov 22, 2024 · 83ce32a · 83ce32a
1 parent 6b4bcff
commit 83ce32a
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 60 deletions.
diff --git a/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml b/charts/camunda-platform-alpha/templates/camunda/secret-camunda.yaml
@@ -17,18 +17,22 @@ metadata:
       "context" $) | nindent 4 }}
 type: Opaque
 data:
+  {{- $identityAuthAdmin := (
+    (typeIs "string" .Values.global.identity.auth.admin.existingSecret) |
+    ternary false true
+  ) }}
   {{- $identityAuth := dict
-    "admin" (((.Values.global.identity.auth).admin).existingSecret).name
     "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
     "console" (.Values.global.identity.auth.console.existingSecret).name
     "core" (.Values.global.identity.auth.core.existingSecret).name
     "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
   }}
-  {{- if or ($identityAuth.connectors) ($identityAuth.console)
+  {{- if or ($identityAuthAdmin)
+            ($identityAuth.connectors) ($identityAuth.console)
             ($identityAuth.core) ($identityAuth.optimize)
   }}
   # Identity apps auth.
-  {{- if $identityAuth.admin }}
+  {{- if $identityAuthAdmin }}
   {{ .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}
   {{- if $identityAuth.connectors }}

diff --git a/charts/camunda-platform-alpha/templates/identity/configmap.yaml b/charts/camunda-platform-alpha/templates/identity/configmap.yaml
@@ -217,6 +217,9 @@ data:
             - Web Modeler Admin
           {{- end }}
         {{- end }}
+        {{- if .Values.identity.users }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.identity.users "context" $) | nindent 8 }}
+        {{- end }}
       environment:
         clients:
           - name: Identity
@@ -226,6 +229,28 @@ data:
             root-url: {{ include "identity.externalUrl" . | quote }}
             redirect-uris:
               - "/auth/login-callback"
+          {{- if .Values.global.identity.auth.admin.enabled }}
+          - name: {{ .Values.global.identity.auth.admin.clientId | title | default "Admin" | quote }}
+            id: {{ .Values.global.identity.auth.admin.clientId | default "admin" | quote }}
+            type: CONFIDENTIAL
+            secret: ${VALUES_CAMUNDA_ADMIN_CLIENT_SECRET:}
+            root-url: "http://placeholder"
+            redirect-uris:
+              - "/placeholder"
+            permissions:
+              - resourceServerId: {{ include "identity.authAudience" . | quote }}
+                definition: read
+              - resourceServerId: {{ include "identity.authAudience" . | quote }}
+                definition: write
+              - resourceServerId: {{ include "console.authAudience" . | quote }}
+                definition: "write:*"
+              - resourceServerId: {{ include "webModeler.authClientApiAudience" . | quote }}
+                definition: "write:*"
+              - resourceServerId: {{ include "core.authAudience" . | quote }}
+                definition: "write:*"
+              - resourceServerId: {{ include "optimize.authAudience" . | quote }}
+                definition: "write:*"
+          {{- end }}
       # The presets key should be removed when 8.6.0 of the applications are released
       presets:
         core:

diff --git a/charts/camunda-platform-alpha/templates/identity/deployment.yaml b/charts/camunda-platform-alpha/templates/identity/deployment.yaml
@@ -123,6 +123,17 @@ spec:
                   key: {{ .Values.global.identity.auth.identity.existingSecretKey }}
               {{- end }}
             {{- end }}
+            {{- if .Values.global.identity.auth.admin.enabled }}
+            - name: VALUES_CAMUNDA_ADMIN_CLIENT_SECRET
+              {{- if (typeIs "string" .Values.global.identity.auth.admin.existingSecret) }}
+              value: {{ .Values.global.identity.auth.admin.existingSecret | quote }}
+              {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.global.identity.auth.admin.existingSecret.name }}
+                  key: {{ .Values.global.identity.auth.admin.existingSecretKey }}
+              {{- end }}
+            {{- end }}
             {{- end }}
             {{- end }}
             {{- if or .Values.identityPostgresql.enabled .Values.identity.externalDatabase.enabled }}

diff --git a/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml b/charts/camunda-platform-alpha/test/integration/scenarios/common/values-integration-test.yaml
@@ -1,70 +1,19 @@
-identity:
-  # Keycloak client seed which is used to query Camunda APIs.
-  env:
-  - name: KEYCLOAK_CLIENTS_2_ID
-    value: test
-  - name: KEYCLOAK_CLIENTS_2_NAME
-    value: Test
-  - name: KEYCLOAK_CLIENTS_2_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: integration-test-credentials
-        key: identity-admin-client-password
-  - name: KEYCLOAK_CLIENTS_2_REDIRECT_URIS_0
-    value: /dummy
-  - name: KEYCLOAK_CLIENTS_2_ROOT_URL
-    value: http://dummy
-  - name: KEYCLOAK_CLIENTS_2_TYPE
-    value: CONFIDENTIAL
-  #######################
-  # Management Group
-  #######################
-  # Identity access.
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_RESOURCE_SERVER_ID
-    value: camunda-identity-resource-server
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_DEFINITION
-    value: read
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_RESOURCE_SERVER_ID
-    value: camunda-identity-resource-server
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_1_DEFINITION
-    value: write
-  # Console access.
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_RESOURCE_SERVER_ID
-    value: console-api
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_2_DEFINITION
-    value: "write:*"
-  # WebModeler access.
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_RESOURCE_SERVER_ID
-    value: web-modeler-api
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_3_DEFINITION
-    value: "write:*"
-  #######################
-  # Orchestration Group
-  #######################
-  # Core access.
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_RESOURCE_SERVER_ID
-    value: core-api
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_4_DEFINITION
-    value: "write:*"
-  # Optimize access.
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_RESOURCE_SERVER_ID
-    value: optimize-api
-  - name: KEYCLOAK_CLIENTS_2_PERMISSIONS_5_DEFINITION
-    value: "write:*"
 
-# Auth to avoid Docker download rate limit.
-# https://docs.docker.com/docker-hub/download-rate-limit/
-identityKeycloak:
+global:
+  # Auth to avoid Docker download rate limit.
+  # https://docs.docker.com/docker-hub/download-rate-limit/
   image:
     pullSecrets:
     - name: index-docker-io
 
-global:
+identityKeycloak:
+  # Auth to avoid Docker download rate limit.
   image:
     pullSecrets:
     - name: index-docker-io
 
 elasticsearch:
+  # Auth to avoid Docker download rate limit.
   global:
     imagePullSecrets:
     - name: index-docker-io
diff --git a/charts/camunda-platform-alpha/values.yaml b/charts/camunda-platform-alpha/values.yaml
@@ -255,6 +255,17 @@ global:
       ## @param global.identity.auth.publicIssuerUrl Can be overwritten if ingress is in use and an external IP is available.
       publicIssuerUrl: "http://localhost:18080/auth/realms/camunda-platform"
 
+      ## @extra global.identity.auth.admin configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts
+      admin:
+        ## @param global.identity.auth.admin.enabled if true, creates the admin client which is used in administration operations if needed.
+        enabled: false
+        ## @param global.identity.auth.admin.clientId defines the client id.
+        clientId: admin
+        ## @param global.identity.auth.admin.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
+        existingSecret:
+        ## @param global.identity.auth.admin.existingSecretKey defines the key within the existing secret object.
+        existingSecretKey: admin-secret
+
       #######################
       # Management Group
       #######################
@@ -427,6 +438,9 @@ identity:
     ## @param identity.firstUser.existingSecretKey defines the key within the existing secret object.
     existingSecretKey: "identity-firstuser-password"
 
+  ## @extra identity.users configuration to configure properties of the Identity users, which can be used to access web applications.
+  users: []
+
   ## @extra identity.image configuration to configure the identity image specifics
   image:
     ## @param identity.image.registry can be used to set container image registry.