Skip to content

fix: refactor tls secrets to use new pattern #4599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

fix: refactor tls secrets to use new pattern #4599

wants to merge 6 commits into from
+930 −140

Conversation

@bkenez
Copy link
Member

@bkenez bkenez commented Oct 30, 2025
edited
Loading

Which problem does the PR fix?

Closes: #4240
Closes: #4048

Refactors global.elasticsearch.tls, global.opensearch.tls, and console.tls to use the new grouped secret object pattern for consistency with other components like global.license.secret and identity.firstUser.secret.

What's in this PR?

This PR migrates TLS secret configurations from the legacy flat structure (existingSecret) to the new grouped pattern with secret.existingSecret and secret.existingSecretKey, bringing consistency across the Helm chart's secret management. The implementation adds helper functions in _helpers.tpl to handle both patterns for backwards compatibility, updates Orchestration and Optimize templates to use these helpers instead of hardcoded "externaldb.jks" references, and refactors Console to use the new secret.existingSecret pattern. The inlineSecret field is intentionally omitted from TLS configurations because certificates must be properly signed and managed externally rather than defined inline in values files. Console retains certKeyFilename instead of using existingSecretKey because it mounts the entire certificate directory rather than individual files with subPath. All changes are validated by unit tests.

Docs PR: camunda/camunda-docs#7216

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation are updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?

This was referenced Oct 30, 2025
Open
Open
@bkenez bkenez marked this pull request as ready for review October 31, 2025 10:17
@bkenez bkenez requested a review from a team as a code owner October 31, 2025 10:17
@bkenez bkenez requested a review from hamza-m-masood October 31, 2025 10:17
@bkenez bkenez mentioned this pull request Oct 31, 2025
Draft
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hamza-m-masood hamza-m-masood Awaiting requested review from hamza-m-masood hamza-m-masood is a code owner automatically assigned from camunda/distribution

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

component/console component/optimize component/orchestration version/8.9 Camunda applications/cycle version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ENHANCEMENT] Refactor global.elasticsearch.tls and global.opensearch.tls secrets [ENHANCEMENT] console.tls secret refactor

2 participants

@bkenez