feat(generic): migration from bitnami scripts

.github/actionlint.yaml

@@ -3,3 +3,4 @@ self-hosted-runner:
     # Labels of self-hosted runner in array of string
     labels:
         - aws-core-8-default
+        - aws-core-16-default

.github/workflows-config/generic-kubernetes-migration-from-bitnami/test_matrix.yml

@@ -0,0 +1,34 @@
+---
+# Test matrix configuration for Migration from Bitnami tests
+# This matrix defines the test scenarios for migrating from Bitnami sub-charts
+# to Kubernetes operators (ECK, CNPG, Keycloak Operator)
+
+matrix:
+    distro:
+        # Kind is used for migration tests — no cloud infra needed
+        - name: Kind
+          schedule_only: false
+          type: kind
+
+    scenario:
+        # Test the full migration workflow
+        - name: migration-from-bitnami
+          shortName: mfb
+
+    declination:
+        - name: no-domain
+          use_tls: false
+          desc: Test migration from Bitnami to operators without domain configuration.
+        - name: domain
+          use_tls: true
+          desc: Test migration from Bitnami to operators with Ingress and TLS (camunda.example.com).
+
+    # Components to test migration for
+    # Each component can be tested independently
+    component:
+        - name: full
+          desc: Run full migration (all components)
+          orchestration: true
+          identity: true
+          keycloak: true
+          webmodeler: true

.gitignore

@@ -123,3 +123,5 @@ terraform.tfstate.backup
 trivyreport.txt
 
 camunda-docs/
+debug/
+camunda-platform-helm/

.pre-commit-config.yaml

@@ -79,4 +79,6 @@ repos:
       rev: 0.2.3
       hooks:
           - id: yamlfmt
-            exclude: (generic/kubernetes/operator-based/elasticsearch/elasticsearch-cluster.yml|local/kubernetes/kind-single-region/configs/elasticsearch-cluster.yml)
+            # yamlfmt removes quotes around YAML values like "OFF" which breaks ES config
+            # yamllint disable-line rule:line-length
+            exclude: (generic/kubernetes/operator-based/elasticsearch/elasticsearch-cluster.yml|generic/kubernetes/migration/manifests/eck-cluster.yml|local/kubernetes/kind-single-region/configs/elasticsearch-cluster.yml)

generic/kubernetes/migration/.gitignore

@@ -0,0 +1 @@
+.state

generic/kubernetes/migration/1-deploy-targets.sh

@@ -0,0 +1,147 @@
+#!/bin/bash
+# =============================================================================
+# Phase 1: Deploy target operators and clusters (NO DOWNTIME)
+# =============================================================================
+# This phase installs the target infrastructure alongside the existing Bitnami
+# components. It runs while the application is fully operational.
+#
+# Delegates to the operator-based reference architecture scripts:
+#   ../operator-based/postgresql/deploy.sh  — CNPG operator + PG clusters
+#   ../operator-based/elasticsearch/deploy.sh — ECK operator + ES cluster
+#   ../operator-based/keycloak/deploy.sh    — Keycloak operator + CR
+#
+# The Elasticsearch cluster uses a migration-specific manifest that adds
+# reindex.remote.whitelist support for data migration via the _reindex API.
+#
+# Prerequisites:
+#   - source env.sh
+#   - kubectl configured and pointing to the right cluster
+#   - helm repo add camunda https://helm.camunda.io
+#   - yq installed (for CNPG CLUSTER_FILTER support)
+# =============================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck disable=SC2034 # Used by lib.sh after sourcing
+CURRENT_SCRIPT="1-deploy-targets.sh"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/lib.sh"
+parse_common_args "$@"
+
+check_env
+
+timer_start
+
+section "Phase 1: Deploy Target Infrastructure (no downtime)"
+
+show_plan 1
+run_hooks "pre-phase-1"
+
+if is_external_pg || is_external_es; then
+    echo "External target mode is active:"
+    is_external_pg && echo "  • PostgreSQL → external managed service (CNPG will NOT be deployed)"
+    is_external_es && echo "  • Elasticsearch → external managed service (ECK will NOT be deployed)"
+    echo ""
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Customization warning
+# ─────────────────────────────────────────────────────────────────────────────
+warn_customization
+
+confirm "Have you reviewed and customized the operator-based manifests?"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Resource validation
+# ─────────────────────────────────────────────────────────────────────────────
+validate_target_resources
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 1. PostgreSQL (CNPG) — one cluster per component that needs PG
+# ─────────────────────────────────────────────────────────────────────────────
+
+needs_pg_migration() {
+    local component="$1"
+    detect_pg_sts "$component" >/dev/null 2>&1
+}
+
+if [[ "${MIGRATE_IDENTITY}" == "true" ]] || [[ "${MIGRATE_KEYCLOAK}" == "true" ]] || [[ "${MIGRATE_WEBMODELER}" == "true" ]]; then
+    section "1/3 — CloudNativePG (operator + clusters)"
+
+    if is_external_pg; then
+        log_info "PG_TARGET_MODE=external — CNPG deployment skipped"
+        save_state "PG_TARGET_IS_EXTERNAL" "true"
+    else
+        # Determine which clusters to deploy
+        PG_CLUSTERS_TO_DEPLOY=()
+
+        if [[ "${MIGRATE_IDENTITY}" == "true" ]] && needs_pg_migration identity; then
+            PG_CLUSTERS_TO_DEPLOY+=("${CNPG_IDENTITY_CLUSTER}")
+        fi
+        if [[ "${MIGRATE_KEYCLOAK}" == "true" ]] && needs_pg_migration keycloak; then
+            PG_CLUSTERS_TO_DEPLOY+=("${CNPG_KEYCLOAK_CLUSTER}")
+        fi
+        if [[ "${MIGRATE_WEBMODELER}" == "true" ]] && needs_pg_migration webmodeler; then
+            PG_CLUSTERS_TO_DEPLOY+=("${CNPG_WEBMODELER_CLUSTER}")
+        fi
+
+        if [[ ${#PG_CLUSTERS_TO_DEPLOY[@]} -eq 3 ]]; then
+            # All 3 clusters needed — deploy without filter (more efficient)
+            deploy_postgresql ""
+        elif [[ ${#PG_CLUSTERS_TO_DEPLOY[@]} -gt 0 ]]; then
+            # Deploy individual clusters
+            for cluster in "${PG_CLUSTERS_TO_DEPLOY[@]}"; do
+                deploy_postgresql "$cluster"
+            done
+        else
+            log_info "No PostgreSQL components need migration — skipping CNPG"
+        fi
+    fi
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 2. Elasticsearch (ECK)
+# ─────────────────────────────────────────────────────────────────────────────
+
+if [[ "${MIGRATE_ELASTICSEARCH}" == "true" ]]; then
+    section "2/3 — ECK Elasticsearch"
+
+    if is_external_es; then
+        log_info "ES_TARGET_MODE=external — ECK deployment skipped"
+        save_state "ES_TARGET_IS_EXTERNAL" "true"
+    elif kubectl get elasticsearch "${ECK_CLUSTER_NAME}" -n "${NAMESPACE}" &>/dev/null; then
+        log_success "ECK cluster ${ECK_CLUSTER_NAME} already exists — skipping"
+    else
+        deploy_elasticsearch
+        save_state "ECK_DEPLOYED" "true"
+    fi
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# 3. Keycloak Operator
+# ─────────────────────────────────────────────────────────────────────────────
+
+if [[ "${MIGRATE_KEYCLOAK}" == "true" ]]; then
+    section "3/3 — Keycloak Operator"
+
+    if kubectl get keycloak keycloak -n "${NAMESPACE}" &>/dev/null; then
+        log_success "Keycloak CR already exists — skipping"
+    else
+        deploy_keycloak
+        save_state "KEYCLOAK_OPERATOR_DEPLOYED" "true"
+    fi
+fi
+
+section "Phase 1 Complete ($(timer_elapsed))"
+if is_external_pg || is_external_es; then
+    echo "Target infrastructure configured (external targets will be used for data restore)."
+else
+    echo "All target infrastructure is deployed and running alongside existing Bitnami."
+fi
+echo "The application is still fully operational — no downtime has occurred."
+echo ""
+echo "Next: ./2-backup.sh"
+
+run_hooks "post-phase-1"
+complete_phase 1

generic/kubernetes/migration/2-backup.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+# =============================================================================
+# Phase 2: Initial Backup (NO DOWNTIME)
+# =============================================================================
+# Takes a backup of all data sources while the application is still running.
+# This is a "warm" backup — final consistency is ensured in Phase 3 after
+# freezing the application.
+#
+# What it does:
+#   1. Introspect source Bitnami StatefulSets (PG + ES)
+#   2. Create backup PVC
+#   3. Run PG backup jobs for identity, keycloak, webmodeler
+#   4. Run ES backup verification for orchestration data
+# =============================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# shellcheck disable=SC2034 # Used by lib.sh after sourcing
+CURRENT_SCRIPT="2-backup.sh"
+# shellcheck disable=SC1091
+source "${SCRIPT_DIR}/lib.sh"
+parse_common_args "$@"
+load_state
+
+check_env
+require_phase 1 "Phase 1 (deploy targets)"
+
+timer_start
+
+section "Phase 2: Initial Backup (no downtime)"
+
+show_plan 2
+run_hooks "pre-phase-2"
+
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+export TIMESTAMP
+
+ensure_backup_pvc
+
+# ─────────────────────────────────────────────────────────────────────────────
+# PostgreSQL backups (one per component)
+# ─────────────────────────────────────────────────────────────────────────────
+
+do_pg_backup() {
+    local component="$1"
+    local db_name="$2"
+    local db_user="$3"
+
+    local sts_name
+    sts_name=$(detect_pg_sts "$component") || {
+        log_warn "${component}: Bitnami PG not found — skipping"
+        return 0
+    }
+
+    section "  Backup: ${component} PostgreSQL (${sts_name})"
+    introspect_pg "$sts_name"
+
+    export COMPONENT="$component"
+    export PG_HOST="${sts_name}.${NAMESPACE}.svc.cluster.local"
+    export PG_PORT="5432"
+    export PG_DATABASE="$db_name"
+    export PG_USERNAME="$db_user"
+    # PG_SECRET_NAME and PG_SECRET_KEY are auto-detected by introspect_pg
+
+    backup_pg
+
+    # Save state for Phase 3
+    save_state "${component^^}_PG_STS" "$sts_name"
+    save_state "${component^^}_PG_IMAGE" "$PG_IMAGE"
+    save_state "${component^^}_BACKUP_FILE" "${component}-db-${TIMESTAMP}.dump"
+    save_state "${component^^}_BACKUP_TIMESTAMP" "$TIMESTAMP"
+}
+
+if [[ "${MIGRATE_IDENTITY}" == "true" ]]; then
+    do_pg_backup identity "${IDENTITY_DB_NAME}" "${IDENTITY_DB_USER}"
+fi
+
+if [[ "${MIGRATE_KEYCLOAK}" == "true" ]]; then
+    do_pg_backup keycloak "${KEYCLOAK_DB_NAME}" "${KEYCLOAK_DB_USER}"
+fi
+
+if [[ "${MIGRATE_WEBMODELER}" == "true" ]]; then
+    do_pg_backup webmodeler "${WEBMODELER_DB_NAME}" "${WEBMODELER_DB_USER}"
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Elasticsearch backup verification
+# ─────────────────────────────────────────────────────────────────────────────
+
+if [[ "${MIGRATE_ELASTICSEARCH}" == "true" ]]; then
+    section "  Backup: Elasticsearch"
+
+    introspect_es
+
+    # Use the ClusterIP service name for ES API access (not the StatefulSet name).
+    export ES_HOST="${ES_SERVICE}.${NAMESPACE}.svc.cluster.local"
+    export ES_PORT="9200"
+    export ES_SECRET_NAME="${CAMUNDA_RELEASE_NAME}-elasticsearch"
+
+    backup_es
+
+    save_state "ES_STS" "$ES_STS_NAME"
+    save_state "ES_SERVICE" "$ES_SERVICE"
+    save_state "ES_IMAGE" "$ES_IMAGE"
+fi
+
+section "Phase 2 Complete ($(timer_elapsed))"
+echo "All initial backups are done. The application is still fully operational."
+echo ""
+echo "IMPORTANT: The next phase (3-cutover.sh) will cause a brief downtime"
+echo "while it freezes the application, takes a final consistent backup,"
+echo "restores data to the new targets, and switches over."
+echo ""
+echo "Next: ./3-cutover.sh"
+
+run_hooks "post-phase-2"
+complete_phase 2