fix: refactor autogenerated secrets (#3988)

bkenez · web-flow · commit 5684195be510 · 2025-09-03T20:21:17.000+02:00
diff --git a/charts/camunda-platform-8.8/templates/common/_helpers.tpl b/charts/camunda-platform-8.8/templates/common/_helpers.tpl
@@ -832,6 +832,65 @@ false
 {{- end -}}
 {{- end -}}
 
+{{/*
+shouldAutogenerateSecret
+Determines whether a secret should be autogenerated for a given component configuration.
+Returns "true" if autogeneration should occur, "false" otherwise.
+
+This function handles both legacy (< 8.8) and new (>= 8.8) secret configuration patterns:
+1. If the component has no secret configuration at all -> autogenerate
+2. If the component explicitly references the autogenerated secret name -> autogenerate
+3. Otherwise -> do not autogenerate (user has their own secret config)
+
+Note: This helper assumes it's called within the context where global autogeneration is enabled,
+since the secret template only renders when .Values.global.secrets.autoGenerated is true.
+
+Usage:
+  {{ if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.identity.firstUser
+      "autogeneratedSecretName" .Values.global.secrets.name
+      "plaintextKey" "password"
+      "legacyKeyField" "existingSecretKey"
+  )) "true" }}
+
+Parameters:
+- config: The component's configuration object
+- autogeneratedSecretName: The name of the autogenerated secret
+- plaintextKey: The key to check for plaintext values (optional)
+- legacyKeyField: The legacy key field name (optional, defaults to "existingSecretKey")
+*/}}
+{{- define "camundaPlatform.shouldAutogenerateSecret" -}}
+{{- $config := .config | default dict -}}
+{{- $autogenSecretName := .autogeneratedSecretName | default "" -}}
+{{- $plaintextKey := .plaintextKey | default "password" -}}
+{{- $legacyKeyField := .legacyKeyField | default "existingSecretKey" -}}
+
+{{- $result := "false" -}}
+
+{{/* Check if component has no secret configuration */}}
+{{- $hasSecretConfig := include "camundaPlatform.hasSecretConfig" (dict
+    "config" $config
+    "plaintextKey" $plaintextKey
+    "legacyKeyField" $legacyKeyField
+) -}}
+
+{{- if eq $hasSecretConfig "false" -}}
+  {{/* No secret config found -> autogenerate */}}
+  {{- $result = "true" -}}
+{{- else -}}
+  {{/* Check if component explicitly references the autogenerated secret */}}
+  {{- if and $config.existingSecret (eq (toString $config.existingSecret) (toString $autogenSecretName)) -}}
+    {{/* Legacy format points to autogen secret -> autogenerate */}}
+    {{- $result = "true" -}}
+  {{- else if and $config.secret $config.secret.existingSecret (eq (toString $config.secret.existingSecret) (toString $autogenSecretName)) -}}
+    {{/* New format points to autogen secret -> autogenerate */}}
+    {{- $result = "true" -}}
+  {{- end -}}
+{{- end -}}
+
+{{- $result -}}
+{{- end -}}
+
 {{/*
 ********************************************************************************
 Release highlights.
diff --git a/charts/camunda-platform-8.8/templates/common/secret-camunda.yaml b/charts/camunda-platform-8.8/templates/common/secret-camunda.yaml
@@ -17,64 +17,86 @@ metadata:
       "context" $) | nindent 4 }}
 type: Opaque
 data:
-  {{- $identityAuthAdmin := (
-    and (typeIs "string" .Values.global.identity.auth.admin.existingSecret) 
-        (eq .Values.global.identity.auth.admin.existingSecret "")
-  ) }}
-  {{- $identityAuth := dict
-    "connectors" (and (typeIs "string" .Values.global.identity.auth.connectors.existingSecret) (eq .Values.global.identity.auth.connectors.existingSecret ""))
-    "console" (and (typeIs "string" .Values.global.identity.auth.console.existingSecret) (eq .Values.global.identity.auth.console.existingSecret ""))
-    "orchestration" (and (typeIs "string" .Values.global.identity.auth.orchestration.existingSecret) (eq .Values.global.identity.auth.orchestration.existingSecret ""))
-    "optimize" (and (typeIs "string" .Values.global.identity.auth.optimize.existingSecret) (eq .Values.global.identity.auth.optimize.existingSecret ""))
-  }}
-  {{- if or ($identityAuthAdmin)
-            ($identityAuth.connectors) ($identityAuth.console)
-            ($identityAuth.orchestration) ($identityAuth.optimize)
-  }}
-  # Identity apps auth.
-  {{- if $identityAuthAdmin }}
-  {{ .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-  {{- if $identityAuth.connectors }}
-  {{ .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-  {{- if $identityAuth.console }}
-  {{ .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-  {{- if $identityAuth.orchestration }}
-  {{ .Values.global.identity.auth.orchestration.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-  {{- if $identityAuth.optimize }}
-  {{ .Values.global.identity.auth.optimize.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-  {{- end }}
+  {{- if .Values.global.identity.auth.enabled }}
+  # Identity authentication client tokens.
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.global.identity.auth.admin
+      "autogeneratedSecretName" .Values.global.secrets.name
+    )) "true" }}
+  {{ ((.Values.global.identity.auth.admin.secret).existingSecretKey) | default .Values.global.identity.auth.admin.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.global.identity.auth.connectors
+      "autogeneratedSecretName" .Values.global.secrets.name
+    )) "true" }}
+  {{ ((.Values.global.identity.auth.connectors.secret).existingSecretKey) | default .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.global.identity.auth.console
+      "autogeneratedSecretName" .Values.global.secrets.name
+    )) "true" }}
+  {{ ((.Values.global.identity.auth.console.secret).existingSecretKey) | default .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.global.identity.auth.orchestration
+      "autogeneratedSecretName" .Values.global.secrets.name
+    )) "true" }}
+  {{ ((.Values.global.identity.auth.orchestration.secret).existingSecretKey) | default .Values.global.identity.auth.orchestration.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.global.identity.auth.optimize
+      "autogeneratedSecretName" .Values.global.secrets.name
+    )) "true" }}
+  {{ ((.Values.global.identity.auth.optimize.secret).existingSecretKey) | default .Values.global.identity.auth.optimize.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
+
+  # Identity first user password.
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.identity.firstUser
+      "autogeneratedSecretName" .Values.global.secrets.name
+      "plaintextKey" "password"
+    )) "true" }}
+  {{ ((.Values.identity.firstUser.secret).existingSecretKey) | default .Values.identity.firstUser.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
 
-  {{- if and .Values.identity.firstUser.existingSecret (eq .Values.identity.firstUser.existingSecret .Values.global.secrets.name) }}
-  # Identity login.
-  {{ .Values.identity.firstUser.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+  # Identity Keycloak admin password.
+    {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+      "config" .Values.identityKeycloak.auth
+      "autogeneratedSecretName" .Values.global.secrets.name
+      "plaintextKey" "adminPassword"
+    )) "true" }}
+  {{ ((.Values.identityKeycloak.auth.secret).passwordSecretKey) | default .Values.identityKeycloak.auth.passwordSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
+    {{- end }}
   {{- end }}
 
-  {{- if and .Values.identityPostgresql.enabled (or (eq .Values.identityPostgresql.auth.existingSecret "") (eq .Values.identityPostgresql.auth.existingSecret .Values.global.secrets.name)) }}
   # Identity PostgreSQL.
+  {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+    "config" .Values.identityPostgresql.auth
+    "autogeneratedSecretName" .Values.global.secrets.name
+    "plaintextKey" "postgresPassword"
+  )) "true" }}
   {{ .Values.identityPostgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{ .Values.identityPostgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}
 
-  {{- if and .Values.identityKeycloak.auth.existingSecret (eq .Values.identityKeycloak.auth.existingSecret .Values.global.secrets.name) }}
-  # Identity Keycloak login.
-  {{ .Values.identityKeycloak.auth.passwordSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
-
-  {{- if and .Values.identityKeycloak.postgresql.auth.existingSecret (eq .Values.identityKeycloak.postgresql.auth.existingSecret .Values.global.secrets.name) }}
+  {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+    "config" .Values.identityKeycloak.postgresql.auth
+    "autogeneratedSecretName" .Values.global.secrets.name
+    "plaintextKey" "postgresPassword"
+  )) "true" }}
   # Identity Keycloak PostgreSQL.
   {{ .Values.identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey  }}: "{{ randAlphaNum 16 | b64enc }}"
   {{ .Values.identityKeycloak.postgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}
 
-  {{- if and .Values.webModelerPostgresql.enabled (or (eq .Values.webModelerPostgresql.auth.existingSecret "") (eq .Values.webModelerPostgresql.auth.existingSecret .Values.global.secrets.name)) }}
-  # WebModeler PostgreSQL.
+  # Web Modeler PostgreSQL.
+  {{- if eq (include "camundaPlatform.shouldAutogenerateSecret" (dict
+    "config" .Values.webModelerPostgresql.auth
+    "autogeneratedSecretName" .Values.global.secrets.name
+    "plaintextKey" "postgresPassword"
+  )) "true" }}
   {{ .Values.webModelerPostgresql.auth.secretKeys.adminPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{ .Values.webModelerPostgresql.auth.secretKeys.userPasswordKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}
 
-{{- end }}
+{{- end }}
diff --git a/charts/camunda-platform-8.8/test/unit/common/golden/secret-camunda.golden.yaml b/charts/camunda-platform-8.8/test/unit/common/golden/secret-camunda.golden.yaml
@@ -21,7 +21,8 @@ metadata:
     helm.sh/resource-policy: keep
 type: Opaque
 data:
-  # Identity apps auth.
-  # Identity login.
-  # Identity Keycloak login.
-  # Identity Keycloak PostgreSQL.
+
+  # Identity PostgreSQL.
+  # Identity Keycloak PostgreSQL.
+
+  # Web Modeler PostgreSQL.
diff --git a/charts/camunda-platform-8.8/test/unit/common/secret_test.go b/charts/camunda-platform-8.8/test/unit/common/secret_test.go
