Support mTLS in C8 deployment and start process

camunda / camunda-modeler

An integrated modeling solution for BPMN, DMN and Forms based on bpmn.io.

https://camunda.com/products/modeler

MIT License

1.51k stars 484 forks source link

Support mTLS in C8 deployment and start process #4692

Open barmac opened 1 week ago

barmac commented 1 week ago

What should we do?

[ ] Migrate to camunda-8-js-sdk (draft https://github.com/camunda/camunda-modeler/pull/4233)
[ ] Support mTLS configuration in C8 self-managed (oAuth)

Why should we do it?

Product hub epic: https://github.com/camunda/product-hub/issues/2451

barmac commented 1 week ago

It is unclear to me right now whether we want to support it via UI (file selector instead of secret input), or via configuration. The first one sounds more reasonable though, as the certificate is a way to authenticate to a certain endpoint.

nikku commented 1 week ago

I see two options as viable:

You specify a set of client certificates via flags (command line) and these will be used
We have an improved deploy mechanism in place, where connections can be properly maintained. On that dialog you're able to specify the client certificate to use for a particular connection.

barmac commented 1 week ago

For better clarity, below is how it could work in the UI (unstyled):

This is missing an option to decide whether to use a secret or a certificate.

nikku commented 1 week ago

Yep, there you go. This blows up in our users faces. I propose we take this as an action item to make connections configurable outside of the deploy dialog.

barmac commented 1 week ago

The configurable connections are an ages-old issue: https://github.com/camunda/camunda-modeler/issues/804

barmac commented 1 week ago

@lmbateman Please have a look at this as a potential topic you could help with.

barmac commented 1 week ago

With configurable endpoints, this could look similar to:

The configuration could be then performed in a full-screen component.