
test: replace weak literal connectors password with secretKeyRef in multitenancy scenario #6467

Open: eamonnmoloney wants to merge 1 commit into main from fix/nightly-6463-connectors-weak-password

@eamonnmoloney

Which problem does the PR fix?

Fixes the failing kemt (keycloak-mt) scenario in the merge queue for #6463.

The GKE CI cluster enforces a ValidatingAdmissionPolicy (deny-weak-password-defaults) that rejects any Deployment where a password-named env var is set to a known default or a value shorter than 12 characters. The multitenancy scenario values set connectors.env[].name: password, value: password, which triggers the policy and causes Helm install to fail immediately with:

deployments.apps "integration-connectors" is forbidden: ValidatingAdmissionPolicy
'deny-weak-password-defaults' with binding 'deny-weak-password-defaults' denied request:
container(s) connectors set a password env var to a weak literal value

What's in this PR?

Replace the literal value: password with a secretKeyRef pointing to the integration-test-credentials secret (already provisioned in every integration test namespace via External Secrets). The password key in that secret holds a strong, Vault-managed password.

Applied to all five affected chart versions: 8.6, 8.7, 8.8, 8.9, 8.10.

Checklist

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation is updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?
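
A pre-flight check in the spirit of the rule described above, as an added example that is not code from this PR or from the cluster's policy. It approximates the stated behaviour (a password-named env var set to a known default or to a literal shorter than 12 characters); the `KNOWN_DEFAULTS` list, the substring match on the env var name, and the constructed manifests are assumptions.

```python
# Added example: approximates the rule the PR describes, not the cluster's actual policy.
KNOWN_DEFAULTS = {"password", "changeme", "admin", "secret"}  # assumed list of defaults
MIN_LENGTH = 12  # threshold stated in the PR description


def weak_password_containers(deployment):
    """Return names of containers that set a password-named env var to a weak literal."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    flagged = []
    for container in pod_spec.get("containers", []):
        for env in container.get("env") or []:
            # Assumption: "password-named" means the name contains "password".
            if "password" not in env.get("name", "").lower():
                continue
            if "value" not in env:
                continue  # valueFrom (e.g. secretKeyRef) carries no literal to inspect
            value = str(env["value"])
            if value.lower() in KNOWN_DEFAULTS or len(value) < MIN_LENGTH:
                flagged.append(container.get("name", "<unnamed>"))
                break  # one finding per container is enough
    return flagged


def deployment_with_env(env):
    """Build a constructed Deployment manifest with a single connectors container."""
    return {
        "kind": "Deployment",
        "metadata": {"name": "integration-connectors"},
        "spec": {"template": {"spec": {
            "containers": [{"name": "connectors", "env": env}],
        }}},
    }


# Constructed inputs mirroring the scenario values before and after this PR.
BEFORE = deployment_with_env([{"name": "password", "value": "password"}])
AFTER = deployment_with_env([{
    "name": "password",
    "valueFrom": {"secretKeyRef": {"name": "integration-test-credentials",
                                   "key": "password"}},
}])

if __name__ == "__main__":
    print("before:", weak_password_containers(BEFORE))
    print("after: ", weak_password_containers(AFTER))
```
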

@github-actions github-actions bot added the version/8.6, version/8.7, version/8.8, version/8.9 and version/8.10 labels (Camunda applications/cycle version) on Jun 26, 2026
@eamonnmoloney eamonnmoloney marked this pull request as ready for review June 26, 2026 14:23
@eamonnmoloney eamonnmoloney requested a review from a team as a code owner June 26, 2026 14:23
Copilot AI review requested due to automatic review settings June 26, 2026 14:23

Copilot AI left a comment

Pull request overview

Updates the multitenancy integration-test scenario values to avoid GKE admission rejection (deny-weak-password-defaults) by replacing a weak literal password env var value with a valueFrom.secretKeyRef pointing to the existing integration-test-credentials Secret. This is applied consistently across chart versions 8.6–8.10.

Changes:

  • Replace connectors.env literal value: password with valueFrom.secretKeyRef (integration-test-credentials / password).
  • Apply the same change across all affected chart versions (8.6, 8.7, 8.8, 8.9, 8.10).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| charts/camunda-platform-8.6/test/integration/scenarios/chart-full-setup/values/features/multitenancy.yaml | Switch connectors password env var to Secret-backed valueFrom for the 8.6 scenario. |
| charts/camunda-platform-8.7/test/integration/scenarios/chart-full-setup/values/features/multitenancy.yaml | Switch connectors password env var to Secret-backed valueFrom for the 8.7 scenario. |
| charts/camunda-platform-8.8/test/integration/scenarios/chart-full-setup/values/features/multitenancy.yaml | Switch connectors password env var to Secret-backed valueFrom for the 8.8 scenario. |
| charts/camunda-platform-8.9/test/integration/scenarios/chart-full-setup/values/features/multitenancy.yaml | Switch connectors password env var to Secret-backed valueFrom for the 8.9 scenario. |
| charts/camunda-platform-8.10/test/integration/scenarios/chart-full-setup/values/features/multitenancy.yaml | Switch connectors password env var to Secret-backed valueFrom for the 8.10 scenario. |

@eamonnmoloney eamonnmoloney enabled auto-merge June 26, 2026 14:41
…ultitenancy scenario

The GKE CI cluster has a ValidatingAdmissionPolicy (deny-weak-password-defaults)
that rejects Deployments where a password-named env var is set to a known default
or a value shorter than 12 characters. The connectors env var `password: password`
was triggering this policy, causing the kemt (keycloak-mt) scenario to fail on
Helm install across all chart versions.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@eamonnmoloney eamonnmoloney force-pushed the fix/nightly-6463-connectors-weak-password branch from a150a31 to bb2172c Compare June 26, 2026 15:04