
Commit dfef7ac

fix: simplify oidc mappings in 8.8 (#4229)
1 parent 9dceda4 commit dfef7ac


10 files changed

+319
-344
lines changed


charts/camunda-platform-8.8/README.md

Lines changed: 243 additions & 241 deletions

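--- a/charts/camunda-platform-8.8/templates/orchestration/files/_application-unified.yaml
+++ b/charts/camunda-platform-8.8/templates/orchestration/files/_application-unified.yaml
@@ -87,6 +87,7 @@ camunda:
 {{- if eq .Values.orchestration.security.authentication.method "oidc" }}
 oidc:
 username-claim: {{ .Values.orchestration.security.authentication.oidc.usernameClaim | quote }}
+client-id-claim: {{ .Values.orchestration.security.authentication.oidc.clientIdClaim | quote }}
 groups-claim: {{ .Values.orchestration.security.authentication.oidc.groupsClaim | quote }}
 client-id: {{ include "orchestration.authClientId" . | quote }}
 client-secret: ${VALUES_ORCHESTRATION_CLIENT_SECRET:}
@@ -109,27 +110,11 @@ camunda:
 authorizations:
 enabled: {{ .Values.orchestration.security.authorizations.enabled }}
 initialization:
+default-roles:
+{{- .Values.orchestration.security.initialization.defaultRoles | toYaml | nindent 8 }}
 {{- if eq .Values.orchestration.security.authentication.method "basic" }}
 users:
 {{- .Values.orchestration.security.initialization.users | toYaml | nindent 8 }}
-default-roles:
-{{- .Values.orchestration.security.initialization.defaultRoles | toYaml | nindent 8 }}
-{{- else if eq .Values.orchestration.security.authentication.method "oidc" }}
-mapping-rules:
-- mapping-rule-id: "connectors-client-mapping-rule"
-claim-name: "client_id"
-claim-value: "connectors"
-{{- range $mappingRule := .Values.orchestration.security.initialization.mappingRules }}
-- mapping-rule-id: {{ index $mappingRule "mappingRuleID" | quote }}
-claim-name: {{ index $mappingRule "claimName" | quote }}
-claim-value: {{ index $mappingRule "claimValue" | quote }}
-{{- end }}
-default-roles.connectors.mappingRules:
-- "connectors-client-mapping-rule"
-default-roles.admin.mappingRules:
-{{- range $mappingRule := .Values.orchestration.security.initialization.mappingRules }}
-- {{ index $mappingRule "mappingRuleID" | quote }}
-{{- end }}
 {{- end }}
 multiTenancy:
 checksEnabled: {{ include "orchestration.multitenancyChecksEnabled" . }}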
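Review bot: After the second hunk the template no longer reads `.Values.orchestration.security.initialization.mappingRules` anywhere, while the values.yaml and values.schema.json sections of this commit keep the key (`mappingRules: []`, `"items": {}`), so a user-supplied list passes schema validation and is then silently absent from the rendered `initialization` block. Either render it again under `initialization` or remove the key from values.yaml and the schema and record the removal in the chart's upgrade notes. Separately, `default-roles` is now emitted for both authentication methods, which appears to be what lets the connectors client receive its role through `defaultRoles.connectors.clients` instead of the removed hard-coded mapping rule; a comment above the added lines, `{{/* default-roles apply to basic and oidc alike; the users list only exists for basic */}}`, would keep that intent visible. The enclosing `camunda:` mapping starts before the hunk.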

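--- a/charts/camunda-platform-8.8/test/integration/scenarios/chart-full-setup/values-integration-test-ingress-keycloak.yaml
+++ b/charts/camunda-platform-8.8/test/integration/scenarios/chart-full-setup/values-integration-test-ingress-keycloak.yaml
@@ -31,6 +31,10 @@ global:
 redirectUrl: "https://{{ .Values.global.ingress.host }}/optimize"
 existingSecret:
 name: "integration-test-credentials"
+orchestration:
+redirectUrl: "https://{{ .Values.global.ingress.host }}/orchestration"
+existingSecret:
+name: "integration-test-credentials"
 
 identity:
 enabled: true
@@ -98,40 +102,16 @@ orchestration:
 external-dns.alpha.kubernetes.io/hostname: "orchestration-{{ .Values.global.ingress.host }}"
 external-dns.alpha.kubernetes.io/ttl: "60"
 security:
+initialization:
+defaultRoles:
+admin:
+users:
+- demo
+clients:
+- venom
 authentication:
 method: oidc
 authenticationRefreshInterval: "PT30S"
-oidc:
-redirectUrl: "https://{{ .Values.global.ingress.host }}/orchestration"
-existingSecret:
-name: "integration-test-credentials"
-# giving access to venom to deploy a model. Given access to connectors
-# TODO: Find a way to only give connectors read access
-env:
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_MAPPINGRULEID
-value: "demo-user-mapping-rule"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMNAME
-value: "preferred_username"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_0_CLAIMVALUE
-value: "demo"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_1_MAPPINGRULEID
-value: "venom-client-mapping-rule"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_1_CLAIMNAME
-value: "client_id"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_1_CLAIMVALUE
-value: "venom"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_2_MAPPINGRULEID
-value: "connectors-client-mapping-rule"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_2_CLAIMNAME
-value: "client_id"
-- name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGRULES_2_CLAIMVALUE
-value: "connectors"
-- name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGRULES_0
-value: "demo-user-mapping-rule"
-- name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGRULES_1
-value: "venom-client-mapping-rule"
-- name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGRULES_2
-value: "connectors-client-mapping-rule"
 
 console:
 enabled: true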
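Review bot: The added `clients: - venom` under `defaultRoles.admin` grants the integration-test client the admin role, but the explanation that the removed `# giving access to venom to deploy a model` comment carried is dropped together with the env block; add `# venom is the integration-test client; admin is needed so the test can deploy a model` above `clients:`. The removed `# TODO: Find a way to only give connectors read access` also disappears without being marked resolved — connectors no longer appear in the admin list here, and seem to fall back to the chart-default connectors role, which is narrower, so a short comment saying that is the intended resolution would keep the history readable. The `orchestration:` mapping that contains this hunk starts before it.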

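--- a/charts/camunda-platform-8.8/test/unit/connectors/golden/configmap.golden.yaml
+++ b/charts/camunda-platform-8.8/test/unit/connectors/golden/configmap.golden.yaml
@@ -44,7 +44,7 @@ data:
 mode: selfManaged
 auth:
 method: basic
-username: "connector"
+username: "connectors"
 password: "connector"
 connector:
 headless: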

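--- a/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-authorizations.golden.yaml
+++ b/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-authorizations.golden.yaml
@@ -91,22 +91,24 @@ data:
 authorizations:
 enabled: true
 initialization:
+default-roles:
+admin:
+users:
+- demo
+connectors:
+clients:
+- connectors
+users:
+- connectors
 users:
 
 name: Connector User
 password: connector
-username: connector
+username: connectors
 
 name: Demo User
 password: demo
 username: demo
-default-roles:
-admin:
-users:
-- demo
-connectors:
-users:
-- connector
 multiTenancy:
 checksEnabled: false
 apiEnabled: true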

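--- a/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-log4j2.golden.yaml
+++ b/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-log4j2.golden.yaml
@@ -91,22 +91,24 @@ data:
 authorizations:
 enabled: true
 initialization:
+default-roles:
+admin:
+users:
+- demo
+connectors:
+clients:
+- connectors
+users:
+- connectors
 users:
 
 name: Connector User
 password: connector
-username: connector
+username: connectors
 
 name: Demo User
 password: demo
 username: demo
-default-roles:
-admin:
-users:
-- demo
-connectors:
-users:
-- connector
 multiTenancy:
 checksEnabled: false
 apiEnabled: true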

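--- a/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-unified.golden.yaml
+++ b/charts/camunda-platform-8.8/test/unit/orchestration/golden/configmap-unified.golden.yaml
@@ -91,22 +91,24 @@ data:
 authorizations:
 enabled: true
 initialization:
+default-roles:
+admin:
+users:
+- demo
+connectors:
+clients:
+- connectors
+users:
+- connectors
 users:
 
 name: Connector User
 password: connector
-username: connector
+username: connectors
 
 name: Demo User
 password: demo
 username: demo
-default-roles:
-admin:
-users:
-- demo
-connectors:
-users:
-- connector
 multiTenancy:
 checksEnabled: false
 apiEnabled: true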

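--- a/charts/camunda-platform-8.8/values-digest.yaml
+++ b/charts/camunda-platform-8.8/values-digest.yaml
@@ -58,7 +58,7 @@ orchestration:
 image:
 repository: camunda/camunda
 tag: 8.8-SNAPSHOT
-digest: "sha256:01b0086057b52dfd24b26e448381cfd72d941f6f30946c7cfd898bc9747ba41a"
+digest: "sha256:95e0ad04e4d5827e59dc342e68eccf4b6cb9dc121aee006e2e297b16f766a2eb"
 
 #
 # Identity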

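--- a/charts/camunda-platform-8.8/values.schema.json
+++ b/charts/camunda-platform-8.8/values.schema.json
@@ -5062,6 +5062,11 @@
 "description": "username claim.",
 "default": "preferred_username"
 },
+"clientIdClaim": {
+"type": "string",
+"description": "client ID claim.",
+"default": "client_id"
+},
 "groupsClaim": {
 "type": "string",
 "description": "group claim.",
@@ -5179,7 +5184,17 @@
 "type": "array",
 "description": "defines the initial users that will get the connectors permission",
 "default": [
-"connector"
+"connectors"
+],
+"items": {
+"type": "string"
+}
+},
+"clients": {
+"type": "array",
+"description": "define clients for the orchestration cluster.",
+"default": [
+"connectors"
 ],
 "items": {
 "type": "string"
@@ -5191,24 +5206,9 @@
 },
 "mappingRules": {
 "type": "array",
-"description": "the mapping-rule-id of an initial mapping rule.",
-"items": {
-"type": "object",
-"properties": {
-"mappingRuleID": {
-"type": "string",
-"description": "the mapping-rule-id of an initial mapping rule."
-},
-"claimName": {
-"type": "string",
-"description": "the claim-name of an initial mapping rule."
-},
-"claimValue": {
-"type": "string",
-"description": "the claim-value of an initial mapping rule."
-}
-}
-}
+"description": "define mapping rules.",
+"default": [],
+"items": {}
 }
 }
 }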
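Review bot: Replacing the `mappingRules` item schema with `"items": {}` in the third hunk removes all structural validation of the list; if the key stays in values.yaml, keep the previous object schema (`mappingRuleID`, `claimName`, `claimValue` as strings, ideally under `"required"`) so a mistyped entry is rejected at schema validation instead of being accepted. The new `clients` description in the second hunk, `define clients for the orchestration cluster.`, does not say what membership in the list does; `"description": "defines the initial clients that will get the connectors permission"` mirrors the sibling `users` description, and the matching `## @param` line in values.yaml would need the same wording.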

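--- a/charts/camunda-platform-8.8/values.yaml
+++ b/charts/camunda-platform-8.8/values.yaml
@@ -2394,6 +2394,8 @@ orchestration:
 oidc:
 ## @param orchestration.security.authentication.oidc.usernameClaim username claim.
 usernameClaim: preferred_username
+## @param orchestration.security.authentication.oidc.clientIdClaim client ID claim.
+clientIdClaim: client_id
 ## @param orchestration.security.authentication.oidc.groupsClaim group claim.
 groupsClaim: "groups"
 ## @param orchestration.security.authentication.oidc.audience defines the audience, which is used by Orchestration Cluster.
@@ -2438,7 +2440,7 @@ orchestration:
 ## @param orchestration.security.initialization.users[1].email
 users:
 ## @extra orchestration.security.initialization.users.username, the username of an initial user, used for the connectors component.
-- username: connector
+- username: connectors
 ## @extra orchestration.security.initialization.users.password, the password of an initial user, used for the connectors component.
 password: connector
 ## @extra orchestration.security.initialization.users.name, the name of an initial user, used for the connectors component.
@@ -2456,20 +2458,20 @@ orchestration:
 ## @extra orchestration.security.initialization.defaultRoles assigning initial users to default roles. More roles can be added to the dictionary: https://docs.camunda.io/docs/next/components/concepts/access-control/authorizations/#default-roles
 ## @param orchestration.security.initialization.defaultRoles.admin.users defines the initial users that will get the admin permission
 ## @param orchestration.security.initialization.defaultRoles.connectors.users defines the initial users that will get the connectors permission
+## @param orchestration.security.initialization.defaultRoles.connectors.clients define clients for the orchestration cluster.
 defaultRoles:
 admin:
 users:
 - demo
 connectors:
 users:
-- connector
-mappingRules:
-## @param orchestration.security.initialization.mappingRules[0].mappingRuleID the mapping-rule-id of an initial mapping rule.
-- mappingRuleID: demo-user-mapping-rule
-## @param orchestration.security.initialization.mappingRules[0].claimName the claim-name of an initial mapping rule.
-claimName: preferred_username
-## @param orchestration.security.initialization.mappingRules[0].claimValue the claim-value of an initial mapping rule.
-claimValue: demo
+## @extra orchestration.security.initialization.defaultRoles.connectors.users[0].connectors Needed for basic auth setup. Can be removed for OIDC. Define the connectors user with the connectors role.
+- connectors
+clients:
+## @extra orchestration.security.initialization.defaultRoles.connectors.clients[0].connectors Needed for OIDC setup. Can be removed for basic auth. Define the connectors client with the connrectors role.
+- connectors
+## @param orchestration.security.initialization.mappingRules define mapping rules.
+mappingRules: []
 ## @extra orchestration.image configuration to configure the image specifics
 image:
 ## @param orchestration.image.registry can be used to set container image registry.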
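Review bot: The new `## @extra` comment above `clients:` in the third hunk has a typo, `connrectors role` → `connectors role`, and both new `## @extra` lines use a path of the form `defaultRoles.connectors.users[0].connectors`, which reads as a key named `connectors` under the entry rather than the value `connectors` at index 0 — the file's existing `users[1].email` style suggests `defaultRoles.connectors.users[0]` and `defaultRoles.connectors.clients[0]`. `mappingRules: []` keeps only `define mapping rules.` as its documentation; say what an entry looks like, or note that the 8.8 template in this commit no longer consumes the key. The enclosing `orchestration:` mapping starts before the hunk.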
