camunda / camunda-platform-helm

Camunda Platform 8 Self-Managed Helm charts
https://docs.camunda.io/docs/self-managed/overview/
Apache License 2.0

[ISSUE] Unable to reference existingSecret for camunda components #760

Closed proxyvert closed 1 year ago

proxyvert commented 1 year ago

Describe the issue:

When I try to utilize existingSecret for camunda components, it still generates the default secret and puts the value of global.identity.auth.camunda-component.existingSecret, base64 encoded, into the camunda-component secretKey, instead of referencing the existingSecret that I created.

snippet from values.yaml:

global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://mykeycloak.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName

Actual behavior:

camunda-platform/charts/identity/templates/deployment.yaml env is using the default secret that is created by the chart:

          - name: KEYCLOAK_CLIENTS_0_SECRET
            valueFrom:
              secretKeyRef:
                key: connectors-secret
                name: "dev-connectors-identity-secret"

camunda-platform/charts/identity/templates/connectors-secret.yaml is rendered to:

apiVersion: v1
kind: Secret
metadata:
  name: "dev-connectors-identity-secret"
  labels:
    app: camunda-platform
    app.kubernetes.io/name: identity
    app.kubernetes.io/instance: dev
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/part-of: camunda-platform
    helm.sh/chart: identity-8.2.6
    app.kubernetes.io/version: "8.3.0-alpha2"
    app.kubernetes.io/component: identity
type: Opaque
data:
  connectors-secret: "base64encoded myExistingSecretName"

Expected behavior:

camunda-platform/charts/identity/templates/deployment.yaml env is using the myExistingSecret that I created, which has the right secretKey in place:

          - name: KEYCLOAK_CLIENTS_0_SECRET
            valueFrom:
              secretKeyRef:
                key: connectors-secret
                name: "myExistingSecretName"

How to reproduce:

Create myExistingSecret with a connectors-secret secretKey and an arbitrary value.

Use this values.yaml and run helm template:

global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://mykeycloak.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName


Logs:

Environment:


user: &user 2000
global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://external-keycloak-route.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName
      operate:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-operate-ns.example.com
      tasklist:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-tasklist-ns.example.com
      optimize:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-optimize-ns.example.com
      zeebe:
        existingSecret: myExistingSecretName
    keycloak:
      legacy: false
      contextPath: "/auth"
      url:
        protocol: "http"
        host: "external-keycloak"
        port: "8080"
      realm: "/realms/myrealm"
      # auth:
      #   adminUser: "admin"
      #   existingSecret: "camunda-identity-keycloak-admin-secret"
      #   existingSecretKey: "admin-password"

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

camunda-platform:
  enabled: true
  zeebe:
    configMap:
      defaultMode: 0555
  zeebe-gateway:
    configMap:
      defaultMode: 0444
  operate:
    configMap:
      defaultMode: 0444
    service:
      port: 8080
  optimize:
    service:
      port: 8080
  tasklist:
    configMap:
      defaultMode: 0444
    service:
      port: 8080
  connectors:
    env:
      - name: CAMUNDA_OPERATE_CLIENT_KEYCLOAK-URL
        value: http://external-keycloak:8080
  identity:
    image:
      tag: 8.3.0-alpha2
    fullURL: https://dev-camunda-identity-ns.example.com
    service:
      port: 8080
    env:
      - name: IDENTITY_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            name: camunda-components-client-secrets-secret
            key: identity-secret
      - name: KEYCLOAK_REALM
        value: myrealm
      - name: KEYCLOAK_SETUP_REALM
        value: myrealm
    firstUser:
      username: admin
      email: admin@example.com
      firstName: Admin
      lastName: User
      existingSecret: camunda-identity-first-user-secret
    keycloak:
      enabled: false
      service:
        ports:
          http: 8080
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
      auth:
        adminUser: admin
        existingSecret: camunda-identity-keycloak-admin-secret
      postgresql:
        primary:
          containerSecurityContext:
            runAsUser: *user
          podSecurityContext:
            fsGroup: *user
            runAsUser: *user
        readReplicas:
          containerSecurityContext:
            runAsUser: *user
          podSecurityContext:
            fsGroup: *user
            runAsUser: *user
  elasticsearch:
    securityContext:
      runAsUser: *user
    sysctlInitContainer:
      enabled: false
    podSecurityContext:
      fsGroup: *user
      runAsUser: *user
  postgresql:
    primary:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
    readReplicas:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user
    metrics:
      containerSecurityContext:
        runAsUser: *user
      podSecurityContext:
        fsGroup: *user
        runAsUser: *user

floric commented 1 year ago

We have the same issue and currently try to reverse engineer the Helm chart. Do you know any workaround?

floric commented 1 year ago

@PaleIntrovert We found the solution in other issues :)

You need to use:

global:
  identity:
    auth:
      connectors:
        existingSecret:
          name: myExistingSecretName
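The difference between the two values layouts in this thread is easy to miss in review, and the failure mode is a security one: with the string form, the chart base64-encodes the secret *name* and ships it as the client secret value, so the component ends up with a predictable credential instead of the one you provisioned. The following is an added pre-deploy check, not part of the chart or of any comment above. It parses the simple key/value subset of YAML that Helm values files use (a minimal parser written here as an assumption; a real project would use PyYAML), flags any `global.identity.auth.<component>.existingSecret` given as a bare string, and rewrites it to the `existingSecret: {name: ...}` mapping form that the thread confirms works. The component names checked are only those that appear in the reporter's values.

```python
import copy
import re

# Constructed inputs, taken from the values snippets quoted in this thread:
# the reporter's string form, and the mapping form from the fix.
BROKEN_VALUES = """\
global:
  identity:
    auth:
      enabled: true
      publicIssuerUrl: https://mykeycloak.example.com/auth/realms/myrealm
      connectors:
        existingSecret: myExistingSecretName
      operate:
        existingSecret: myExistingSecretName
        redirectUrl: https://dev-camunda-operate-ns.example.com
"""

FIXED_VALUES = """\
global:
  identity:
    auth:
      connectors:
        existingSecret:
          name: myExistingSecretName
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'key:' / 'key: value' subset of YAML used
    in these values files into nested dicts. Assumption: mappings of scalars
    only, consistent indentation, no lists, anchors or multi-line scalars."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")  # split at first colon only
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("\"'")
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def check_existing_secrets(values):
    """Return (path, kind, value) findings for existingSecret entries that are
    not a proper reference: a bare string (the misconfiguration in this issue,
    which becomes the literal client secret) or a mapping without a name."""
    findings = []
    auth = values.get("global", {}).get("identity", {}).get("auth", {})
    for component, cfg in auth.items():
        if not isinstance(cfg, dict) or "existingSecret" not in cfg:
            continue
        path = f"global.identity.auth.{component}.existingSecret"
        es = cfg["existingSecret"]
        if isinstance(es, str):
            findings.append((path, "string", es))
        elif not es.get("name"):
            findings.append((path, "missing-name", None))
    return findings


def to_secret_reference(values):
    """Return a copy of values with string existingSecret entries rewritten to
    the mapping form that the chart treats as a reference."""
    fixed = copy.deepcopy(values)
    auth = fixed.get("global", {}).get("identity", {}).get("auth", {})
    for cfg in auth.values():
        if isinstance(cfg, dict) and isinstance(cfg.get("existingSecret"), str):
            cfg["existingSecret"] = {"name": cfg["existingSecret"]}
    return fixed


if __name__ == "__main__":
    for path, kind, value in check_existing_secrets(parse_simple_yaml(BROKEN_VALUES)):
        print(f"{path}: {kind} ({value!r}); use a mapping with a 'name' key instead")
    print(check_existing_secrets(to_secret_reference(parse_simple_yaml(BROKEN_VALUES))))
```

Running the check against the reporter's values reports both `connectors` and `operate`; against the mapping form it reports nothing. The rewrite helper is the mechanical version of the fix floric describes: wrap each string in `{"name": ...}`.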

proxyvert commented 1 year ago

@floric, I'm very grateful for your help. I checked this structure of values, and the rendered templates are indeed referencing existingSecret.