refactor: move orchestration oidc from global to component (#4233)

Author: aabouzaid

charts/camunda-platform-8.8/README.md

@@ -167,11 +167,11 @@ Fail with a message if Web Modeler is enabled but management Identity is not ena
     {{- end }}
 
     {{ if and (.Values.orchestration.enabled)
-              (not .Values.global.identity.auth.orchestration.existingSecret)
-              (not .Values.global.identity.auth.orchestration.secret.existingSecret)
+              (not .Values.orchestration.security.authentication.oidc.existingSecret)
+              (not .Values.orchestration.security.authentication.oidc.secret.existingSecret)
               (not .Values.global.secrets.autoGenerated) }}
       {{- $existingSecretsNotConfigured = append
-          $existingSecretsNotConfigured "global.identity.auth.orchestration.secret.existingSecret" }}
+          $existingSecretsNotConfigured "orchestration.security.authentication.oidc.secret.existingSecret" }}
     {{- end }}
     {{- end }}
 

charts/camunda-platform-8.8/templates/common/constraints.tpl

@@ -38,10 +38,10 @@ data:
   {{ ((.Values.global.identity.auth.console.secret).existingSecretKey) | default .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
     {{- end }}
     {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
-      "config" .Values.global.identity.auth.orchestration
+      "config" .Values.orchestration.security.authentication.oidc
       "autogeneratedSecretName" .Values.global.secrets.name
     )) "true" }}
-  {{ ((.Values.global.identity.auth.orchestration.secret).existingSecretKey) | default .Values.global.identity.auth.orchestration.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  {{ ((.Values.orchestration.security.authentication.oidc.secret).existingSecretKey) | default .Values.orchestration.security.authentication.oidc.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
     {{- end }}
     {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
       "config" .Values.global.identity.auth.optimize

charts/camunda-platform-8.8/templates/common/secret-camunda.yaml

@@ -0,0 +1,11 @@
+{{- if and (.Values.global.identity.auth.enabled) (or (not .Values.orchestration.security.authentication.oidc.existingSecret) (typeIs "string" .Values.orchestration.security.authentication.oidc.existingSecret)) }}
+{{- $secretName := include "camundaPlatform.identitySecretName" (dict "context" . "component" "orchestration") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels: {{- include "camundaPlatform.identityLabels" . | nindent 4 }}
+type: Opaque
+data:
+  {{ .Values.orchestration.security.authentication.oidc.existingSecretKey }}: {{ include "common.secrets.passwords.manage" (dict "secret" $secretName "key" .Values.orchestration.security.authentication.oidc.existingSecretKey "length" 10 "providedValues" (list "orchestration.security.authentication.oidc.existingSecret") "context" $) }}
+{{- end }} 

charts/camunda-platform-8.8/templates/common/secret-core.yaml

@@ -110,7 +110,7 @@ data:
               id: ${CAMUNDA_ORCHESTRATION_CLIENT_ID:${VALUES_KEYCLOAK_INIT_ORCHESTRATION_CLIENT_ID:orchestration}}
               type: confidential
               secret: ${CAMUNDA_ORCHESTRATION_SECRET:${VALUES_KEYCLOAK_INIT_ORCHESTRATION_SECRET:}}
-              root-url: {{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ | quote }}
+              root-url: {{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ | quote }}
               redirect-uris:
                 - "/login/oauth2/code/orchestration"
           apis:
@@ -276,7 +276,7 @@ data:
               id: orchestration
               type: confidential
               secret: ${VALUES_KEYCLOAK_INIT_ORCHESTRATION_SECRET:}
-              root-url: {{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ | quote }}
+              root-url: {{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ | quote }}
               redirect-uris:
                 - "/identity-callback"
         optimize:

charts/camunda-platform-8.8/templates/common/secret-orchestration.yaml

@@ -49,7 +49,7 @@ spec:
             ) | nindent 12 }}
             {{- include "camundaPlatform.emitEnvVarFromSecretConfig" (dict
                 "envName"       "VALUES_KEYCLOAK_INIT_ORCHESTRATION_SECRET"
-                "config"        .Values.global.identity.auth.orchestration
+                "config"        .Values.orchestration.security.authentication.oidc
             ) | nindent 12 }}
             {{- include "camundaPlatform.emitEnvVarFromSecretConfig" (dict
                 "envName"       "VALUES_KEYCLOAK_INIT_CONSOLE_SECRET"
@@ -83,10 +83,10 @@ spec:
               value: "orchestration"
             {{- include "camundaPlatform.emitEnvVarFromSecretConfig" (dict
                 "envName" "KEYCLOAK_CLIENTS_1_SECRET"
-                "config" .Values.global.identity.auth.orchestration
+                "config" .Values.orchestration.security.authentication.oidc
             ) | nindent 12 }}
             - name: KEYCLOAK_CLIENTS_1_ROOT_URL
-              value: {{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ | quote }}
+              value: {{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ | quote }}
             - name: KEYCLOAK_CLIENTS_1_REDIRECT_URIS_0
               value: /login/oauth2/code/orchestration
             - name: KEYCLOAK_CLIENTS_1_REDIRECT_URIS_1
@@ -110,7 +110,7 @@ spec:
               value: Migration
             {{- include "camundaPlatform.emitEnvVarFromSecretConfig" (dict
                 "envName" "KEYCLOAK_CLIENTS_2_SECRET"
-                "config" .Values.global.identity.auth.orchestration
+                "config" .Values.orchestration.security.authentication.oidc
             ) | nindent 12 }}
             - name: KEYCLOAK_CLIENTS_2_REDIRECT_URIS_0
               value: /dummy

charts/camunda-platform-8.8/templates/identity/configmap.yaml

@@ -157,15 +157,15 @@ app.kubernetes.io/version: {{ include "camundaPlatform.versionLabel" (dict
 [orchestration] Define variables related to authentication.
 */}}
 {{- define "orchestration.authClientId" -}}
-    {{- .Values.global.identity.auth.orchestration.clientId | default "orchestration" -}}
+    {{- .Values.orchestration.security.authentication.oidc.clientId | default "orchestration" -}}
 {{- end -}}
 
 {{- define "orchestration.authAudience" -}}
-    {{- .Values.global.identity.auth.orchestration.audience | default "orchestration-api" -}}
+    {{- .Values.orchestration.security.authentication.oidc.audience | default "orchestration-api" -}}
 {{- end -}}
 
 {{- define "orchestration.authTokenScope" -}}
-    {{- .Values.global.identity.auth.orchestration.tokenScope -}}
+    {{- .Values.orchestration.security.authentication.oidc.tokenScope -}}
 {{- end -}}
 
 {{- define "orchestration.enabledProfiles" -}}

charts/camunda-platform-8.8/templates/identity/deployment.yaml

@@ -92,7 +92,7 @@ camunda:
         client-secret: ${VALUES_ORCHESTRATION_CLIENT_SECRET:}
         audiences:
           - {{ include "orchestration.authClientId" . | quote }}
-          - {{ .Values.global.identity.auth.orchestration.audience | quote }}
+          - {{ .Values.orchestration.security.authentication.oidc.audience | quote }}
           - {{ .Values.global.identity.auth.webModeler.clientApiAudience | quote }}
           - {{ .Values.global.identity.auth.webModeler.publicApiAudience | quote }}
         {{- $redirectURIDefault := printf "http://%s:8080" (include "orchestration.fullname" .) }}
@@ -101,7 +101,7 @@ camunda:
           For more details: https://github.com/camunda/camunda-platform-helm/issues/3952
         */}}
         issuer-uri: {{ (include "camundaPlatform.authIssuerUrl" .) | quote }}
-        redirect-uri: "{{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ | default $redirectURIDefault }}/sso-callback"
+        redirect-uri: "{{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ | default $redirectURIDefault }}/sso-callback"
         authenticationRefreshInterval: {{ .Values.orchestration.security.authentication.authenticationRefreshInterval | quote }}
     {{- end }}
       method: {{ .Values.orchestration.security.authentication.method | quote }}
@@ -152,7 +152,7 @@ camunda:
       enabled: {{ include "orchestration.multitenancyChecksEnabled" . }}
     {{- if .Values.global.identity.auth.enabled }}
     identity:
-      redirectRootUrl: "{{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ }}/operate"
+      redirectRootUrl: "{{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ }}/operate"
     {{- end }}
     {{- if .Values.global.opensearch.enabled }}
     # OpenSearch
@@ -185,7 +185,7 @@ camunda:
 
     {{- if .Values.global.identity.auth.enabled }}
     identity:
-      redirectRootUrl: "{{ tpl .Values.global.identity.auth.orchestration.redirectUrl $ }}/tasklist"
+      redirectRootUrl: "{{ tpl .Values.orchestration.security.authentication.oidc.redirectUrl $ }}/tasklist"
     {{- end }}
     {{- if .Values.global.opensearch.enabled }}
     # OpenSearch

charts/camunda-platform-8.8/templates/orchestration/_helpers.tpl

@@ -60,7 +60,7 @@ spec:
             {{- if .Values.global.identity.auth.enabled }}
             {{- include "camundaPlatform.emitEnvVarFromSecretConfig" (dict
                 "envName" "VALUES_ORCHESTRATION_CLIENT_SECRET"
-                "config" .Values.global.identity.auth.orchestration
+                "config" .Values.orchestration.security.authentication.oidc
             ) | nindent 12 }}
             {{- end }}
             {{- if or .Values.global.elasticsearch.tls.existingSecret .Values.global.opensearch.tls.existingSecret }}