Skip to content

test(8.8): cover Zeebe TLS migration upgrade#6281

Open
eamonnmoloney wants to merge 2 commits into
mainfrom
inc-33081-intercluster-tls-test
Open

test(8.8): cover Zeebe TLS migration upgrade#6281
eamonnmoloney wants to merge 2 commits into
mainfrom
inc-33081-intercluster-tls-test

Conversation

@eamonnmoloney

@eamonnmoloney eamonnmoloney commented Jun 1, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • Adds a Zeebe internal TLS feature to the 8.7 -> 8.8 elasticsearch-self-signed-upgrade scenario.
  • Creates the camunda-zeebe-tls Secret before the 8.7 source install so the Secret is reused through the upgrade instead of rotating mid-migration.
  • Extends lifecycle hook coverage for the cross-version 8.7 pre-install wrapper used by the 8.8 upgrade scenario.

Validation

  • go test ./matrix
  • make helm.dependency-update chartPath=charts/camunda-platform-8.7
  • make helm.dependency-update chartPath=charts/camunda-platform-8.8
  • Helm render checks for 8.7 StatefulSet and 8.8 importer/data migration TLS env and mounts
  • bash -n charts/camunda-platform-8.7/test/integration/scenarios/pre-setup-scripts/create-zeebe-tls-secret.sh plus local fake-kubectl run confirmed the generated Zeebe cert includes DNS/IP SANs
  • deploy-camunda matrix list confirmed features=migrator,zeebe-tls
  • GKE repo-backed validation passed for esss upgrade in 11m31s
  • Seeded-data GKE validation passed in namespace inc33081-h7-data-gke:
    • deployed 8.7 with Elasticsearch self-signed TLS plus Zeebe TLS
    • seeded real process data with tests/SM-8.7/smoke-tests.spec.ts / Most Common Flow User Flow With All Apps
    • upgraded the same namespace to 8.8 with features migrator,zeebe-tls
    • migration job completed with operate-import-position-8.3.0_ total=36 pending=0 and tasklist-import-position-8.2.0_ total=19 pending=0
    • importer logs showed gateway cluster messaging started using TLS

Links

@github-actions github-actions Bot added version/8.7 Camunda applications/cycle version version/8.8 Camunda applications/cycle version tool/script labels Jun 1, 2026
@eamonnmoloney eamonnmoloney mentioned this pull request Jun 1, 2026
Draft
@eamonnmoloney eamonnmoloney marked this pull request as ready for review June 2, 2026 05:48
@eamonnmoloney eamonnmoloney requested a review from a team as a code owner June 2, 2026 05:48
@eamonnmoloney eamonnmoloney requested review from Copilot and hamza-m-masood and removed request for a team and Copilot June 2, 2026 05:48
This was referenced Jun 3, 2026
Open
Open
Copilot AI review requested due to automatic review settings June 10, 2026 13:22
@eamonnmoloney eamonnmoloney force-pushed the inc-33081-intercluster-tls-test branch from b5e6f65 to dd95fbb Compare June 10, 2026 13:22
Copilot AI reviewed Jun 10, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request extends the integration-test upgrade coverage for the 8.7 → 8.8 elasticsearch-self-signed-upgrade scenario by enabling Zeebe internal TLS during the migration flow, and ensures the required TLS Secret exists prior to the 8.7 install step so it persists through the upgrade.

Changes:

  • Adds a new zeebe-tls feature to the 8.8 upgrade scenario registry (and snapshot) so the scenario runs with Zeebe internal TLS enabled.
  • Introduces 8.7 pre-setup scripts to create/reuse the camunda-zeebe-tls Secret ahead of the Step-1 (8.7) install.
  • Adds 8.7/8.8 feature values overlays to mount the TLS Secret and set the relevant Zeebe TLS environment variables for the components involved in the upgrade.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
scripts/deploy-camunda/matrix/lifecycle_allowlist.go Allowlists new pre-setup scripts used for the cross-version upgrade hook path.
charts/camunda-platform-8.8/test/integration/scenarios/chart-full-setup/values/features/zeebe-tls.yaml Adds the 8.8-side feature overlay to mount Zeebe TLS Secret and set TLS env vars for orchestration/importer/migration.
charts/camunda-platform-8.8/test/ci/registry/scenarios/elasticsearch-self-signed-upgrade.yaml Enables the zeebe-tls feature for the elasticsearch-self-signed-upgrade scenario.
charts/camunda-platform-8.8/test/ci/registry/hooks/elasticsearch-self-signed-upgrade.yaml Updates hook description to reflect creation of the Zeebe TLS Secret as part of pre-install preparation.
charts/camunda-platform-8.8/test/ci/registry-snapshot.yaml Regenerates the registry snapshot to include the zeebe-tls feature and updated hook description.
charts/camunda-platform-8.7/test/integration/scenarios/pre-setup-scripts/pre-install-elasticsearch-self-signed-upgrade.sh Adds a dedicated pre-install wrapper for the upgrade scenario that provisions TLS secrets (ES + Zeebe).
charts/camunda-platform-8.7/test/integration/scenarios/pre-setup-scripts/create-zeebe-tls-secret.sh Adds helper to generate a self-signed Zeebe TLS cert/key and create the camunda-zeebe-tls Secret.
charts/camunda-platform-8.7/test/integration/scenarios/chart-full-setup/values/features/zeebe-tls.yaml Adds the 8.7-side feature overlay to mount the TLS Secret and set Zeebe broker/gateway TLS env vars for the source install.

@eamonnmoloney eamonnmoloney force-pushed the inc-33081-intercluster-tls-test branch from dd95fbb to 9321f5b Compare June 17, 2026 12:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@hamza-m-masood hamza-m-masood hamza-m-masood approved these changes

Assignees

No one assigned

Labels

tool/script version/8.7 Camunda applications/cycle version version/8.8 Camunda applications/cycle version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@eamonnmoloney @hamza-m-masood