test(8.8): cover Zeebe TLS migration upgrade

charts/camunda-platform-8.7/test/integration/scenarios/chart-full-setup/values/features/zeebe-tls.yaml

@@ -0,0 +1,34 @@
+# Enables Zeebe internal TLS for 8.7 source installs in 8.7 -> 8.8 migration tests.
+zeebe:
+  extraVolumes:
+    - name: zeebe-tls
+      secret:
+        secretName: camunda-zeebe-tls
+  extraVolumeMounts:
+    - name: zeebe-tls
+      readOnly: true
+      mountPath: /etc/tls/
+  env:
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED
+      value: "true"
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_CERTIFICATECHAINPATH
+      value: "/etc/tls/chainZeebeCluster.pem"
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_PRIVATEKEYPATH
+      value: "/etc/tls/zeebeCluster.key"
+
+zeebeGateway:
+  extraVolumes:
+    - name: zeebe-tls
+      secret:
+        secretName: camunda-zeebe-tls
+  extraVolumeMounts:
+    - name: zeebe-tls
+      readOnly: true
+      mountPath: /etc/tls/
+  env:
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_ENABLED
+      value: "true"
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
+      value: "/etc/tls/chainZeebeCluster.pem"
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
+      value: "/etc/tls/zeebeCluster.key"

charts/camunda-platform-8.7/test/integration/scenarios/pre-setup-scripts/create-zeebe-tls-secret.sh

@@ -0,0 +1,90 @@
+#!/bin/bash
+# Copyright 2024 Camunda Services GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Generates a self-signed certificate and creates the Kubernetes secret used by
+# Zeebe internal TLS migration tests.
+
+set -euo pipefail
+
+NAMESPACE="${TEST_NAMESPACE:?TEST_NAMESPACE must be set}"
+RELEASE="${RELEASE_NAME:-integration}"
+CONTEXT_FLAG=""
+if [[ -n "${KUBE_CONTEXT:-}" ]]; then
+  CONTEXT_FLAG="--context ${KUBE_CONTEXT}"
+fi
+
+CERT_VALIDITY_DAYS=365
+
+WORK_DIR=$(mktemp -d)
+trap '[[ -n "${WORK_DIR:-}" ]] && rm -rf "$WORK_DIR"' EXIT
+
+echo "[zeebe-tls] Working directory: $WORK_DIR"
+echo "[zeebe-tls] Generating self-signed certificate..."
+
+cat > "$WORK_DIR/san.cnf" <<EOF
+[req]
+distinguished_name = req_dn
+req_extensions     = v3_req
+prompt             = no
+
+[req_dn]
+CN = ${RELEASE}-zeebe
+O  = camunda-ci
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1  = ${RELEASE}-zeebe
+DNS.2  = ${RELEASE}-zeebe.${NAMESPACE}.svc.cluster.local
+DNS.3  = ${RELEASE}-zeebe-gateway
+DNS.4  = ${RELEASE}-zeebe-gateway.${NAMESPACE}.svc.cluster.local
+DNS.5  = ${RELEASE}-zeebe-0.${RELEASE}-zeebe
+DNS.6  = ${RELEASE}-zeebe-1.${RELEASE}-zeebe
+DNS.7  = ${RELEASE}-zeebe-2.${RELEASE}-zeebe
+DNS.8  = ${RELEASE}-zeebe-0.${RELEASE}-zeebe.${NAMESPACE}.svc.cluster.local
+DNS.9  = ${RELEASE}-zeebe-1.${RELEASE}-zeebe.${NAMESPACE}.svc.cluster.local
+DNS.10 = ${RELEASE}-zeebe-2.${RELEASE}-zeebe.${NAMESPACE}.svc.cluster.local
+DNS.11 = localhost
+IP.1   = 127.0.0.1
+EOF
+
+openssl req -nodes -newkey rsa:4096 \
+  -keyout "$WORK_DIR/zeebeCluster.key" \
+  -out "$WORK_DIR/zeebeCluster.csr" \
+  -config "$WORK_DIR/san.cnf" \
+  2>/dev/null
+
+openssl x509 -req \
+  -in "$WORK_DIR/zeebeCluster.csr" \
+  -signkey "$WORK_DIR/zeebeCluster.key" \
+  -out "$WORK_DIR/chainZeebeCluster.pem" \
+  -days "$CERT_VALIDITY_DAYS" \
+  -extensions v3_req \
+  -extfile "$WORK_DIR/san.cnf" \
+  2>/dev/null
+
+echo "[zeebe-tls] Creating Kubernetes secret in namespace $NAMESPACE..."
+
+if kubectl ${CONTEXT_FLAG} -n "$NAMESPACE" get secret camunda-zeebe-tls >/dev/null 2>&1; then
+  echo "  Secret camunda-zeebe-tls already exists - replacing"
+  kubectl ${CONTEXT_FLAG} -n "$NAMESPACE" delete secret camunda-zeebe-tls --ignore-not-found
+fi
+
+kubectl ${CONTEXT_FLAG} -n "$NAMESPACE" create secret generic camunda-zeebe-tls \
+  --from-file="chainZeebeCluster.pem=$WORK_DIR/chainZeebeCluster.pem" \
+  --from-file="zeebeCluster.key=$WORK_DIR/zeebeCluster.key"
+
+echo "[zeebe-tls] Done. Created secret camunda-zeebe-tls."

charts/camunda-platform-8.7/test/integration/scenarios/pre-setup-scripts/pre-install-elasticsearch-self-signed-upgrade.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Copyright 2024 Camunda Services GmbH
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Pre-install script for the "elasticsearch-self-signed" persistence layer.
+# Called by deploy-camunda's PreInstallHook mechanism before helm install.
+#
+# Delegates to TLS secret helper scripts in the same directory.
+#
+# Required env vars (set by the matrix runner):
+#   TEST_NAMESPACE  - target Kubernetes namespace
+#   KUBE_CONTEXT    - kubectl context (optional)
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+bash "${SCRIPT_DIR}/create-elasticsearch-tls-secrets.sh"
+bash "${SCRIPT_DIR}/create-zeebe-tls-secret.sh"

charts/camunda-platform-8.8/test/ci-test-config.yaml

@@ -151,7 +151,7 @@ integration:
           shortname: esss
           auth: keycloak
           flow: upgrade-minor
-          features: [migrator]
+          features: [migrator, zeebe-tls]
           infra-type:
             gke: distroci
           identity: keycloak

charts/camunda-platform-8.8/test/integration/scenarios/chart-full-setup/values/features/zeebe-tls.yaml

@@ -0,0 +1,48 @@
+# Enables Zeebe internal TLS for 8.7 -> 8.8 migration tests.
+orchestration:
+  extraVolumes:
+    - name: zeebe-tls
+      secret:
+        secretName: camunda-zeebe-tls
+  extraVolumeMounts:
+    - name: zeebe-tls
+      readOnly: true
+      mountPath: /etc/tls/
+  importer:
+    extraVolumes:
+      - name: zeebe-tls
+        secret:
+          secretName: camunda-zeebe-tls
+    extraVolumeMounts:
+      - name: zeebe-tls
+        readOnly: true
+        mountPath: /etc/tls/
+  migration:
+    data:
+      extraVolumes:
+        - name: zeebe-tls
+          secret:
+            secretName: camunda-zeebe-tls
+      extraVolumeMounts:
+        - name: zeebe-tls
+          readOnly: true
+          mountPath: /etc/tls/
+  env:
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED
+      value: "true"
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_CERTIFICATECHAINPATH
+      value: "/etc/tls/chainZeebeCluster.pem"
+    - name: ZEEBE_BROKER_NETWORK_SECURITY_PRIVATEKEYPATH
+      value: "/etc/tls/zeebeCluster.key"
+    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED
+      value: "true"
+    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
+      value: "/etc/tls/chainZeebeCluster.pem"
+    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
+      value: "/etc/tls/zeebeCluster.key"
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_ENABLED
+      value: "true"
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
+      value: "/etc/tls/chainZeebeCluster.pem"
+    - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
+      value: "/etc/tls/zeebeCluster.key"

scripts/deploy-camunda/matrix/lifecycle_hook_test.go

@@ -38,10 +38,17 @@ import (
 //	create-elasticsearch-tls-secrets.sh — helper sourced by
 //	                                 pre-install-elasticsearch-self-signed*.sh
 //	                                 (8.7-8.9 only; removed from 8.10.)
+//	pre-install-elasticsearch-self-signed-upgrade.sh — 8.7 Step 1 hook referenced
+//	                                 by the 8.8 upgrade scenario config.
+//	create-zeebe-tls-secret.sh — helper sourced by the 8.7
+//	                                 pre-install-elasticsearch-self-signed-upgrade.sh
+//	                                 wrapper.
 var preSetupScriptAllowlist = map[string]bool{
-	"pre-install-upgrade.sh":              true,
-	"create-elasticsearch-tls-secrets.sh": true,
-	"create-opensearch-tls-secrets.sh":    true,
+	"pre-install-upgrade.sh":                           true,
+	"create-elasticsearch-tls-secrets.sh":              true,
+	"create-opensearch-tls-secrets.sh":                 true,
+	"pre-install-elasticsearch-self-signed-upgrade.sh": true,
+	"create-zeebe-tls-secret.sh":                       true,
 }
 
 // commonResourcesAllowlist names files inside common/resources/ that are
@@ -56,9 +63,9 @@ var preSetupScriptAllowlist = map[string]bool{
 //	                                (8.10) via envsubst+kubectl, not via the
 //	                                runner's declarative fixtures pipeline.
 var commonResourcesAllowlist = map[string]bool{
-	"postgres-createdb-job.yaml":    true,
-	"postgresql-cluster-tls.yaml":   true,
-	"gateway-proxy-settings.yaml":   true,
+	"postgres-createdb-job.yaml":  true,
+	"postgresql-cluster-tls.yaml": true,
+	"gateway-proxy-settings.yaml": true,
 }
 
 // TestLifecycleFixtures asserts the integrity of the declarative lifecycle