camunda / camunda-platform-helm

Camunda Platform 8 Self-Managed Helm charts
https://docs.camunda.io/docs/self-managed/overview/
Apache License 2.0

[ISSUE] Can't reference an existing secret for `global.identity.auth.identity.existingSecret` #1857

Open hamza-m-masood opened 1 month ago

hamza-m-masood commented 1 month ago

Describe the issue:

Currently, it is not possible to reference an existing secret for identity like so:

global:
  identity:
    auth:
      identity:
        existingSecret:
          name: "testSecret"

Only the value of the secret can be provided in the values.yaml.

Actual behavior:

When you attempt to add a name key under existingSecret you get the following output in the identity configmap:

data:
  application.yaml: |
    identity:
      client-secret: "map[name:testSecret]"

For this reason, if it is not intended to create functionality to reference an existing secret using the name value, then at least there should be a check to ensure that the existingSecret value is a string.

This secret is only needed when you configure external OIDC. A clear comment should be added in the values.yaml to make it clear to customers that this secret is only needed for external OIDC.

Expected behavior:

I expect to reference an existing secret using the name value under existingSecret for identity and have it rendered correctly.

How to reproduce:

Use the values.yaml I provided at the top.

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

Boboltus commented 1 month ago

I have the exact same issue/request. Only I would like to see it solved for all the secrets in the Helm chart and not just the one mentioned here (Identity). In addition to that it would be nice if you could reference the name of the existing secret's key. For example, when using the identityPostgresql there is an option called secretKeys/userPasswordKey where you can specify the name of the key. That would allow us to integrate more easily with existing Kubernetes Secrets.

j-lindner commented 1 month ago

Addition: When you set the identity secret with a string value, like global.identity.auth.identity.existingSecret: EasySecretInPlainText, this gets injected in clear text into Identity's configmap/application.yaml.

Snippet from ConfigMap camunda-identity-configuration:

application.yaml:
  identity:
    url: "https://mydomain.de/identity"
    client-id: "identity"
    client-secret: "EasySecretInPlainText"

Edit: Expectation: It should work as it does for other secrets, via an env var. Example for the Connectors secret (in the same configmap):

applications:
  - name: Connectors
    id: ${CAMUNDA_CONNECTORS_CLIENT_ID:${KEYCLOAK_INIT_CONNECTORS_CLIENT_ID:connectors}}
    type: m2m
    secret: ${CAMUNDA_CONNECTORS_SECRET:${KEYCLOAK_INIT_CONNECTORS_SECRET:}}
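The three requests in this thread (accept an existing Secret by name and key, reject malformed `existingSecret` values instead of stringifying them as `map[name:testSecret]`, and inject the value through an env var the way the Connectors entry does) can be modelled as one small normaliser plus a renderer. The following is an added example written for this page, not code from the camunda-platform-helm chart: the env var name `IDENTITY_CLIENT_SECRET`, the default key `identity-secret`, the generated Secret name `camunda-identity-secret` and the `ValuesError` type are all assumptions chosen for illustration, and the sample values are constructed from the ones posted above.

```python
"""Normalise an existingSecret value and render it as a secretKeyRef.

Added illustration, not code from camunda-platform-helm. It models the
behaviour requested in this issue: accept either a literal secret string
or an object with ``name`` (and optional ``key``), fail loudly on any
other shape, and emit a container env var that points at the Secret so
the value never lands in the ConfigMap.
"""

DEFAULT_KEY = "identity-secret"          # assumed key name inside the Secret
ENV_NAME = "IDENTITY_CLIENT_SECRET"      # assumed env var consumed by Identity
GENERATED_SECRET = "camunda-identity-secret"  # assumed name of a chart-generated Secret


class ValuesError(ValueError):
    """Raised when existingSecret has an unsupported shape."""


def normalise_existing_secret(value, default_key=DEFAULT_KEY):
    """Return None, ("literal", value) or ("ref", secret_name, key).

    This is the type check the issue asks for: a dict without a string
    ``name``, or a value that is neither str nor dict, is rejected instead
    of being rendered as "map[name:testSecret]".
    """
    if value is None or value == "":
        return None
    if isinstance(value, str):
        return ("literal", value)
    if isinstance(value, dict):
        name = value.get("name")
        if not isinstance(name, str) or not name:
            raise ValuesError(
                "existingSecret must be a string or an object with a non-empty 'name'")
        key = value.get("key", default_key)
        if not isinstance(key, str) or not key:
            raise ValuesError("existingSecret.key must be a non-empty string")
        return ("ref", name, key)
    raise ValuesError(f"existingSecret has unsupported type {type(value).__name__}")


def render_env(value, env_name=ENV_NAME, generated_secret=GENERATED_SECRET,
               default_key=DEFAULT_KEY):
    """Build the container env entry for the Identity client secret.

    A literal value is assumed to be copied by the chart into a generated
    Secret (``generated_secret``); a reference points at the user's own
    Secret. Either way the ConfigMap only ever sees the env placeholder.
    """
    spec = normalise_existing_secret(value, default_key)
    if spec is None:
        return None
    if spec[0] == "literal":
        ref = {"name": generated_secret, "key": default_key}
    else:
        ref = {"name": spec[1], "key": spec[2]}
    return {"name": env_name, "valueFrom": {"secretKeyRef": ref}}


def render_application_yaml_line(env_name=ENV_NAME):
    """ConfigMap line that defers to the env var, like the Connectors entry."""
    return f"client-secret: ${{{env_name}:}}"


def identity_env_from_values(values):
    """Walk global.identity.auth.identity.existingSecret in a parsed values.yaml."""
    node = values
    for key in ("global", "identity", "auth", "identity"):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return render_env(node.get("existingSecret") if isinstance(node, dict) else None)


if __name__ == "__main__":
    # Constructed sample values, mirroring the shapes posted in this issue.
    by_name = {"global": {"identity": {"auth": {"identity": {
        "existingSecret": {"name": "testSecret", "key": "clientSecret"}}}}}}
    literal = {"global": {"identity": {"auth": {"identity": {
        "existingSecret": "EasySecretInPlainText"}}}}}
    broken = {"global": {"identity": {"auth": {"identity": {
        "existingSecret": {"key": "clientSecret"}}}}}}   # no name: rejected

    print(identity_env_from_values(by_name))
    print(identity_env_from_values(literal))
    print(render_application_yaml_line())
    try:
        identity_env_from_values(broken)
    except ValuesError as exc:
        print("rejected:", exc)
```

With this shape the rendered application.yaml carries only `client-secret: ${IDENTITY_CLIENT_SECRET:}`, and the plaintext from a literal value is confined to a Secret object rather than a ConfigMap; a `{name: ..., key: ...}` value maps straight onto `secretKeyRef`, which is the `secretKeys`-style integration Boboltus asks for.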