feat(console-sm): integrate with identity (#931)

Author: urbanisierung

.vscode/settings.json

@@ -1,3 +1,4 @@
 {
   "markdown.extension.toc.levels": "2..3",
-}
+  "editor.formatOnSaveMode": "modifications"
+}

charts/camunda-platform/README.md

@@ -527,6 +527,8 @@ Please see the corresponding [release guide](../../RELEASE.md) to find out how t
 | `global.identity.auth.optimize.redirectUrl`      | defines the root (or redirect) URL, which is used by Keycloak to access Optimize.                                                                        | `http://localhost:8083`                               |
 | `global.identity.auth.webModeler`                | configuration to configure Web Modeler authentication specifics on global level, which can be accessed by other sub-charts                               |                                                       |
 | `global.identity.auth.webModeler.redirectUrl`    | defines the root URL which is used by Keycloak to access Web Modeler.                                                                                    | `http://localhost:8084`                               |
+| `global.identity.auth.console`                   | configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts                                   |                                                       |
+| `global.identity.auth.console.redirectUrl`       | defines the root URL which is used by Keycloak to access Web Modeler.                                                                                    | `http://localhost:8080`                               |
 | `global.identity.auth.zeebe`                     | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts                                     |                                                       |
 | `global.identity.auth.zeebe.existingSecret`      | can be used to use an own existing secret. If not set a random secret is generated.                                                                      | `""`                                                  |
 

charts/camunda-platform/charts/identity/templates/_helpers.tpl

@@ -61,6 +61,14 @@ Defines match labels for identity, which are extended by sub-charts and should b
 {{- printf "%s-operate-identity-secret" $name | trunc 63 | trimSuffix "-" | quote -}}
 {{- end }}
 
+{{/*
+[identity] Create the name of the console-identity secret
+*/}}
+{{- define "identity.secretNameConsoleIdentity" -}}
+{{- $name := .Release.Name -}}
+{{- printf "%s-console-identity-secret" $name | trunc 63 | trimSuffix "-" | quote -}}
+{{- end }}
+
 {{/*
 [identity] Create the name of the tasklist-identity secret
 */}}

charts/camunda-platform/charts/identity/templates/console-secret.yaml

@@ -0,0 +1,11 @@
+{{- if and (.Values.global.identity.auth.enabled) (or (not .Values.global.identity.auth.console.existingSecret) (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }}
+{{- $secretName := include "identity.secretNameConsoleIdentity" . }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels: {{- include "identity.labels" . | nindent 4 }}
+type: Opaque
+data:
+  console-secret: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" "console-secret" "length" 10 "providedValues" (list "global.identity.auth.console.existingSecret") "context" $) }}
+{{- end }}

charts/camunda-platform/charts/identity/templates/deployment.yaml

@@ -61,6 +61,25 @@ spec:
             {{- end }}
           - name: KEYCLOAK_INIT_OPERATE_ROOT_URL
             value: {{ tpl .Values.global.identity.auth.operate.redirectUrl $ | quote }}
+          - name: KEYCLOAK_INIT_CONSOLE_SECRET
+            {{- if and .Values.global.identity.auth.console.existingSecret (not (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }}
+            valueFrom:
+              secretKeyRef:
+                {{- /*
+                    Helper: https://github.com/bitnami/charts/blob/master/bitnami/common/templates/_secrets.tpl
+                    Usage in keycloak secrets https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/secrets.yaml
+                    and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
+                */}}
+                name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }}
+                key: console-secret
+            {{- else }}
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "identity.secretNameConsoleIdentity" . }}
+                key: console-secret
+            {{- end }}
+          - name: KEYCLOAK_INIT_CONSOLE_ROOT_URL
+            value: {{ tpl .Values.global.identity.auth.console.redirectUrl $ | quote }}
           - name: KEYCLOAK_INIT_TASKLIST_SECRET
             {{- if and .Values.global.identity.auth.tasklist.existingSecret (not (typeIs "string" .Values.global.identity.auth.tasklist.existingSecret)) }}
             valueFrom:

charts/camunda-platform/templates/console/deployment.yaml

@@ -35,6 +35,16 @@ spec:
           env:
             - name: NODE_ENV
               value: production
+            - name: IDENTITY_BASE
+              value: {{ tpl .Values.global.identity.auth.publicIssuerUrl $ | quote }}
+            - name: IDENTITY_ISSUER_URL
+              value: {{ tpl .Values.global.identity.auth.publicIssuerUrl $ | quote }}
+            - name: IDENTITY_REALM
+              value: camunda-platform
+            - name: IDENTITY_AUDIENCE
+              value: console
+            - name: IDENTITY_CLIENT_ID
+              value: console
           {{- if .Values.console.env}}
             {{ .Values.console.env | toYaml | nindent 12 }}
           {{- end }}

charts/camunda-platform/test/integration/scenarios/chart-full-setup/values-integration-test-ingress.yaml

@@ -15,6 +15,8 @@ global:
   identity:
     auth:
       publicIssuerUrl: "https://{{ .Values.global.ingress.host }}/auth/realms/camunda-platform"
+      console:
+        redirectUrl: "https://{{ .Values.global.ingress.host }}"
       operate:
         redirectUrl: "https://{{ .Values.global.ingress.host }}/operate"
       tasklist:

charts/camunda-platform/test/integration/scenarios/lib/chart-upgrade-taskfile.yaml

@@ -26,6 +26,8 @@ tasks:
         -n $TEST_NAMESPACE -o jsonpath="{.data.operate-secret}" | base64 --decode)
       export CONNECTORS_SECRET=$(kubectl get secret "integration-connectors-identity-secret" \
         -n $TEST_NAMESPACE -o jsonpath="{.data.connectors-secret}" | base64 --decode)
+      export CONSOLE_SECRET=$(kubectl get secret "integration-console-identity-secret" \
+        -n $TEST_NAMESPACE -o jsonpath="{.data.console-secret}" | base64 --decode)
       export KEYCLOAK_ADMIN_SECRET=$(kubectl get secret "integration-keycloak" \
         -n $TEST_NAMESPACE -o jsonpath="{.data.admin-password}" | base64 --decode)
       export KEYCLOAK_POSTGRESQL_SECRET=$(kubectl get secret "integration-postgresql" \
@@ -42,6 +44,7 @@ tasks:
         --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
         --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \
         --set global.identity.auth.connectors.existingSecret=$CONNECTORS_SECRET \
+        --set --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
         --set identity.keycloak.auth.adminPassword=$KEYCLOAK_ADMIN_SECRET \
         --set identity.keycloak.postgresql.auth.password=$KEYCLOAK_POSTGRESQL_SECRET \
         --set global.postgresql.auth.password=${IDENTITY_POSTGRESQL_SECRET} \

charts/camunda-platform/test/unit/identity/golden/deployment.golden.yaml

@@ -59,6 +59,13 @@ spec:
                 key: operate-secret
           - name: KEYCLOAK_INIT_OPERATE_ROOT_URL
             value: "http://localhost:8081"
+          - name: KEYCLOAK_INIT_CONSOLE_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: "camunda-platform-test-console-identity-secret"
+                key: console-secret
+          - name: KEYCLOAK_INIT_CONSOLE_ROOT_URL
+            value: "http://localhost:8080"
           - name: KEYCLOAK_INIT_TASKLIST_SECRET
             valueFrom:
               secretKeyRef:

charts/camunda-platform/values.yaml

@@ -185,6 +185,16 @@ global:
         # Can be overwritten if ingress is in use and an external IP is available.
         redirectUrl: "http://localhost:8084"
 
+      ## @extra global.identity.auth.console configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
+      console:
+        ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
+        # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
+        existingSecret:
+        ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access Web Modeler.
+        # Should be publicly accessible, the default value works if a port-forward to Web Modeler is created to 8080.
+        # Can be overwritten if ingress is in use and an external IP is available.
+        redirectUrl: "http://localhost:8080"
+
       ## @extra global.identity.auth.zeebe configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts
       zeebe:
         ## @param global.identity.auth.zeebe.existingSecret can be used to use an own existing secret. If not set a random secret is generated.