camunda / camunda-platform-helm

Camunda Platform 8 Self-Managed Helm charts
https://docs.camunda.io/docs/self-managed/overview/
Apache License 2.0

[ENHANCEMENT] Inconsistent inputs for existingSecret #1898

Open jessesimpson36 opened 5 months ago

jessesimpson36 commented 5 months ago

Describe the use case:

SUPPORT-23070

Hey all, I'm using this ticket as a way of documenting all of the different usages of existingSecret and which format they accept as input. This GitHub issue is for tracking the inconsistency between the different usages.

Existing references

| Path in values.yaml | Expected input | Is subchart |
|---|---|---|
| global.elasticsearch.tls.existingSecret | Name of k8s secret (string) | No |
| global.elasticsearch.auth.existingSecret | Name of k8s secret (string) | No |
| global.opensearch.tls.existingSecret | Name of k8s secret (string) | No |
| global.opensearch.auth.existingSecret | Name of k8s secret (string) | No |
| global.identity.auth.connectors.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.identity.existingSecret | explicit password (string) ONLY | No |
| global.identity.auth.operate.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.tasklist.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.optimize.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.console.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.zeebe.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| global.identity.auth.connectors.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| identity.firstUser.existingSecret | Name of k8s secret (string) | No |
| identity.externalDatabase.existingSecret | Name of k8s secret (string) | No |
| connectors.inbound.auth.existingSecret | explicit password (string) ONLY | No |
| webModeler.restapi.externalDatabase.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |
| webModeler.restapi.mail.existingSecret | explicit password (string) or K8s Secret under name subkey (map) | No |

Existing references in subcharts

| Path in values.yaml | Expected input | Is subchart |
|---|---|---|
| identityPostgresql.auth.existingSecret | Name of k8s secret (string) | Yes |
| identityKeycloak.auth.existingSecret | Name of k8s secret (string) | Yes |
| postgresql.auth.existingSecret | Name of k8s secret (string) | Yes |
| global.identity.keycloak.auth.existingSecret | Name of k8s secret (string) | Yes |

Describe the enhancement/feature:

Ideally, we should be using the same sort of input formats everywhere; however, we have some limitations:

  1. It's difficult to configure support for existingSecret AND existingSecret.name
  2. We do not get to modify how subcharts specify their own values.yaml files
  3. Changes we do would be considered a breaking change.

Desired outcome and acceptance tests:
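
One way to cover limitation 1 for the paths that take "explicit password (string) or K8s Secret under name subkey (map)" is a named template that dispatches on the value's kind. This is an added example, not a helper from the camunda-platform-helm chart; the template name `example.secretEnv`, the `envName`/`value`/`defaultKey` parameters and the usage snippet are assumptions for illustration.

```yaml
{{/*
Added example (not part of the camunda-platform-helm chart).
Renders one container env entry from an existingSecret value that is either
  - a string: the explicit password (legacy form, inlined as "value"), or
  - a map with a "name" (and optional "key") subkey: a reference to an existing
    Kubernetes Secret, rendered as secretKeyRef so the password never lands in
    the rendered manifest.
Any other type fails the render instead of silently producing an empty value.
*/}}
{{- define "example.secretEnv" -}}
{{- $v := .value -}}
- name: {{ .envName }}
{{- if kindIs "map" $v }}
  {{- /* map form: "name" is mandatory, "key" falls back to the caller's default */}}
  valueFrom:
    secretKeyRef:
      name: {{ required (printf "%s: existingSecret.name is required when a map is given" .envName) $v.name }}
      key: {{ $v.key | default .defaultKey }}
{{- else if kindIs "string" $v }}
  {{- /* string form: the explicit password itself, kept for backwards compatibility */}}
  value: {{ $v | quote }}
{{- else }}
  {{- fail (printf "%s: existingSecret must be a string or a map with a name subkey" .envName) }}
{{- end }}
{{- end -}}

{{/*
Usage inside a container spec (assumed env var name and default key):
    env:
      {{- include "example.secretEnv" (dict
            "envName"    "KEYCLOAK_CLIENTS_CONNECTORS_SECRET"
            "value"      .Values.global.identity.auth.connectors.existingSecret
            "defaultKey" "connectors-secret") | nindent 8 }}

With `existingSecret: s3cr3t` this renders a literal `value: "s3cr3t"`;
with `existingSecret: {name: my-identity-secret, key: connectors-secret}`
it renders a secretKeyRef to that Secret instead.
*/}}
```

Because the string form means "explicit password" here but "name of k8s secret" for the elasticsearch/opensearch/postgresql paths in the tables above, the helper only fits the paths that already use the string-or-map convention.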

hamza-m-masood commented 3 months ago

Currently some of the comments are vague for existingSecret values. It is not clear whether an existingSecret can be provided from k8s or an explicit string including the password is needed. Example: https://github.com/camunda/camunda-platform-helm/blob/337e4c877149f817d3d10d83ea2de425da4ed524/charts/camunda-platform-latest/README.md?plain=1#L491

ingorichtsmeier commented 3 months ago

Hi @jessesimpson36, there is another issue/inconsistency.

The password for global.postgresql.auth.password is not mentioned in your list.

Upgrading without it shows this error:

```
Error: UPGRADE FAILED: execution error at (camunda-platform/charts/identityKeycloak/charts/postgresql/templates/secrets.yaml:23:16):
PASSWORDS ERROR: You must provide your current passwords when upgrading the release.
                 Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims.
                 Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases

    'global.postgresql.auth.password' must not be empty, please add '--set global.postgresql.auth.password=$PASSWORD' to the command. To get the current value:

        export PASSWORD=$(kubectl get secret --namespace "camunda-platform" camunda-platform-postgresql -o jsonpath="{.data.password}" | base64 -d)
```

The error message disappears after adding:

```yaml
global:
  postgresql:
    auth:
      password: 65IkdkT9eE
      postgresPassword: brIgMHUJ7X
```

But it requires the admin password for the Keycloak PostgreSQL database as well.

I've tried existingSecret as mentioned here: https://github.com/bitnami/charts/tree/main/bitnami/postgresql#parameters as well, without success.