fix: remove console secret since console is a public OIDC client (#4482)

Author: hamza-m-masood

charts/camunda-platform-8.5/README.md

@@ -530,8 +530,6 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
 | `global.identity.auth.console.clientId`             | defines the client id, which is used by Console in authentication flows.                                                                                                                                                                                 | `console`                                             |
 | `global.identity.auth.console.audience`             | defines the audience which is used by Console's client API.                                                                                                                                                                                              | `console-api`                                         |
 | `global.identity.auth.console.wellKnown`            | defines the uri for the well known config which is used by Console (optional).                                                                                                                                                                           | `https://well-known-uri`                              |
-| `global.identity.auth.console.existingSecret`       | A string literal secret can be provided. If not set, a random secret is generated. Recommended: reference an existing Kubernetes Secret using global.identity.auth.console.existingSecret.name.                                                          | `{}`                                                  |
-| `global.identity.auth.console.existingSecretKey`    | defines the key within the existing secret object.                                                                                                                                                                                                       | `console-secret`                                      |
 | `global.identity.auth.console.redirectUrl`          | defines the root URL which is used by Keycloak to access WebModeler.                                                                                                                                                                                     | `http://localhost:8080`                               |
 | `global.identity.auth.zeebe`                        | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts                                                                                                                                     |                                                       |
 | `global.identity.auth.zeebe.clientId`               | defines the client id, which is used by Zeebe in authentication flows.                                                                                                                                                                                   | `zeebe`                                               |

charts/camunda-platform-8.5/templates/camunda/constraints.tpl

@@ -103,10 +103,6 @@ Fail with a message if zeebeGateway.contextPath and zeebeGateway.ingress.rest.pa
       {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.optimize.existingSecret.name" }}
     {{- end }}
 
-    {{ if and (.Values.global.identity.auth.enabled) (.Values.console.enabled) (not .Values.global.identity.auth.console.existingSecret) }}
-      {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.console.existingSecret.name" }}
-    {{- end }}
-
     {{ if and (.Values.global.identity.auth.enabled) (.Values.zeebe.enabled) (not .Values.global.identity.auth.zeebe.existingSecret) }}
       {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.zeebe.existingSecret.name" }}
     {{- end }}
@@ -152,7 +148,6 @@ data:
   tasklist-secret: <base64-encoded-secret>
   optimize-secret: <base64-encoded-secret>
   connectors-secret: <base64-encoded-secret>
-  console-secret: <base64-encoded-secret>
   keycloak-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
   admin-password: <base64-encoded-secret> # used for keycloak
@@ -188,7 +183,6 @@ data:
   tasklist-secret: <base64-encoded-secret>
   optimize-secret: <base64-encoded-secret>
   connectors-secret: <base64-encoded-secret>
-  console-secret: <base64-encoded-secret>
   keycloak-secret: <base64-encoded-secret>
   zeebe-secret: <base64-encoded-secret>
   admin-password: <base64-encoded-secret> # used for keycloak

charts/camunda-platform-8.5/templates/camunda/secret-camunda.yaml

@@ -20,13 +20,12 @@ data:
   {{- $identityAuth := dict
     "admin" (((.Values.global.identity.auth).admin).existingSecret).name
     "connectors" (.Values.global.identity.auth.connectors.existingSecret).name
-    "console" (.Values.global.identity.auth.console.existingSecret).name
     "operate" (.Values.global.identity.auth.operate.existingSecret).name
     "optimize" (.Values.global.identity.auth.optimize.existingSecret).name
     "tasklist" (.Values.global.identity.auth.tasklist.existingSecret).name
     "zeebe" (.Values.global.identity.auth.zeebe.existingSecret).name
   }}
-  {{- if or ($identityAuth.connectors) ($identityAuth.console) ($identityAuth.operate)
+  {{- if or ($identityAuth.connectors) ($identityAuth.operate)
             ($identityAuth.optimize) ($identityAuth.tasklist) ($identityAuth.zeebe)
   }}
   # Identity apps auth.
@@ -36,9 +35,6 @@ data:
   {{- if $identityAuth.connectors }}
   {{ .Values.global.identity.auth.connectors.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}
-  {{- if $identityAuth.console }}
-  {{ .Values.global.identity.auth.console.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
-  {{- end }}
   {{- if $identityAuth.operate }}
   {{ .Values.global.identity.auth.operate.existingSecretKey }}: "{{ randAlphaNum 16 | b64enc }}"
   {{- end }}

charts/camunda-platform-8.5/templates/camunda/secret-console.yaml

@@ -55,23 +55,6 @@ spec:
                   name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "operate") }}
                   key: {{ .Values.global.identity.auth.operate.existingSecretKey }}
               {{- end }}
-            - name: KEYCLOAK_INIT_CONSOLE_SECRET
-              {{- if and .Values.global.identity.auth.console.existingSecret (not (typeIs "string" .Values.global.identity.auth.console.existingSecret)) }}
-              valueFrom:
-                secretKeyRef:
-                  {{- /*
-                      Helper: https://github.com/bitnami/charts/blob/master/bitnami/common/templates/_secrets.tpl
-                      Usage in keycloak secrets https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/secrets.yaml
-                      and in statefulset https://github.com/bitnami/charts/blob/master/bitnami/keycloak/templates/statefulset.yaml
-                  */}}
-                  name: {{ include "common.secrets.name" (dict "existingSecret" .Values.global.identity.auth.console.existingSecret "context" $) }}
-                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
-              {{- else }}
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "camundaPlatform.identitySecretName" (dict "context" . "component" "console") }}
-                  key: {{ .Values.global.identity.auth.console.existingSecretKey }}
-              {{- end }}
             - name: KEYCLOAK_INIT_TASKLIST_SECRET
               {{- if and .Values.global.identity.auth.tasklist.existingSecret (not (typeIs "string" .Values.global.identity.auth.tasklist.existingSecret)) }}
               valueFrom:

charts/camunda-platform-8.5/templates/identity/deployment.yaml

@@ -32,7 +32,6 @@ func TestGoldenDefaultsTemplateSecrets(t *testing.T) {
 	require.NoError(t, err)
 	templateNames := []string{
 		"secret-connectors",
-		"secret-console",
 		"secret-operate",
 		"secret-optimize",
 		"secret-tasklist",

charts/camunda-platform-8.5/test/unit/camunda/goldenfiles_test.go

@@ -55,14 +55,13 @@ func (s *SecretTest) TestDifferentValuesInputs() {
 	// Define components that need secret tests
 	components := []string{
 		"Connectors",
-		"Console",
 		"Operate",
 		"Optimize",
 		"TaskList",
 		"Zeebe",
 	}
 
-	require.Equal(s.T(), len(components), 6, "Expected 6 components to be tested")
+	require.Equal(s.T(), len(components), 5, "Expected 5 components to be tested")
 
 	// Create test cases for each component
 	testCases := make([]testhelpers.TestCase, 0, len(components)+1)

charts/camunda-platform-8.5/test/unit/camunda/secret_test.go

@@ -60,11 +60,6 @@ spec:
                 secretKeyRef:
                   name: camunda-platform-test-operate-identity-secret
                   key: operate-secret
-            - name: KEYCLOAK_INIT_CONSOLE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: camunda-platform-test-console-identity-secret
-                  key: console-secret
             - name: KEYCLOAK_INIT_TASKLIST_SECRET
               valueFrom:
                 secretKeyRef:

charts/camunda-platform-8.5/test/unit/identity/golden/deployment.golden.yaml

@@ -352,11 +352,6 @@ global:
         audience: console-api
         ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
         wellKnown: https://well-known-uri
-        ## @param global.identity.auth.console.existingSecret [string,object] A string literal secret can be provided. If not set, a random secret is generated. Recommended: reference an existing Kubernetes Secret using global.identity.auth.console.existingSecret.name.
-        # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
-        existingSecret:
-        ## @param global.identity.auth.console.existingSecretKey defines the key within the existing secret object.
-        existingSecretKey: console-secret
         ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access WebModeler.
         # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8080.
         # Can be overwritten if ingress is in use and an external IP is available.

charts/camunda-platform-8.5/values.yaml

@@ -112,10 +112,6 @@ Fail with a message if zeebeGateway.contextPath and zeebeGateway.ingress.rest.pa
       {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.optimize.existingSecret.name" }}
     {{- end }}
 
-    {{ if and (.Values.global.identity.auth.enabled) (.Values.console.enabled) (not .Values.global.identity.auth.console.existingSecret) }}
-      {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.console.existingSecret.name" }}
-    {{- end }}
-
     {{ if and (.Values.global.identity.auth.enabled) (.Values.zeebe.enabled) (not .Values.global.identity.auth.zeebe.existingSecret) }}
       {{- $existingSecretsNotConfigured = append $existingSecretsNotConfigured "global.identity.auth.zeebe.existingSecret.name" }}
     {{- end }}
@@ -159,7 +155,6 @@ type: Opaque
 data:
   # Identity apps auth.
   connectors-secret: <base64-encoded-secret>
-  console-secret: <base64-encoded-secret>
   operate-secret: <base64-encoded-secret>
   optimize-secret: <base64-encoded-secret>
   tasklist-secret: <base64-encoded-secret>
@@ -198,7 +193,6 @@ type: Opaque
 data:
   # Identity apps auth.
   connectors-secret: <base64-encoded-secret>
-  console-secret: <base64-encoded-secret>
   operate-secret: <base64-encoded-secret>
   optimize-secret: <base64-encoded-secret>
   tasklist-secret: <base64-encoded-secret>