diff --git a/charts/camunda-platform-latest/README.md b/charts/camunda-platform-latest/README.md
index 51ef979407..9f79288676 100644
--- a/charts/camunda-platform-latest/README.md
+++ b/charts/camunda-platform-latest/README.md
@@ -517,9 +517,11 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
 | `global.identity.auth.webModeler.publicApiAudience` | defines the audience which is used by WebModeler's public API. | `web-modeler-public-api` |
 | `global.identity.auth.webModeler.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8084` |
 | `global.identity.auth.console` | configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts | |
+| `global.identity.auth.console.clientId` | defines the client id, which is used by Console in authentication flows. | `console` |
+| `global.identity.auth.console.audience` | defines the audience which is used by Console's client API. | `console-api` |
+| `global.identity.auth.console.wellKnown` | defines the uri for the well known config which is used by Console (optional). | `https://well-known-uri` |
 | `global.identity.auth.console.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` |
 | `global.identity.auth.console.redirectUrl` | defines the root URL which is used by Keycloak to access WebModeler. | `http://localhost:8080` |
-| `global.identity.auth.console.audience` | can be used to Console audience in Identity. | `console-api` |
 | `global.identity.auth.zeebe` | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts | |
 | `global.identity.auth.zeebe.clientId` | defines the client id, which is used by Zeebe in authentication flows. | `zeebe` |
 | `global.identity.auth.zeebe.existingSecret` | can be used to use an own existing secret. If not set a random secret is generated. | `nil` |
diff --git a/charts/camunda-platform-latest/templates/console/configmap.yaml b/charts/camunda-platform-latest/templates/console/configmap.yaml
index f469618c0b..32f896f8ee 100644
--- a/charts/camunda-platform-latest/templates/console/configmap.yaml
+++ b/charts/camunda-platform-latest/templates/console/configmap.yaml
@@ -13,6 +13,13 @@ data:
 # https://docs.camunda.io/docs/self-managed/console-deployment/configuration/
 camunda:
 console:
+ oAuth:
+ audience: {{ .Values.global.identity.auth.console.audience | quote }}
+ clientId: {{ .Values.global.identity.auth.console.clientId | quote }}
+ issuer: {{ include "camundaPlatform.authIssuerUrl" . | quote }}
+ jwksUri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }}
+ type: {{ include "camundaPlatform.authType" . | quote }}
+ wellKnown: {{ .Values.global.identity.auth.console.wellKnown | quote }}
 managed:
 method: plain
 releases:
diff --git a/charts/camunda-platform-latest/test/unit/console/configmap_test.go b/charts/camunda-platform-latest/test/unit/console/configmap_test.go
index 63922641f9..a5315be703 100644
--- a/charts/camunda-platform-latest/test/unit/console/configmap_test.go
+++ b/charts/camunda-platform-latest/test/unit/console/configmap_test.go
@@ -19,9 +19,13 @@ import (
 "strings"
 "testing"
+ "github.com/gruntwork-io/terratest/modules/helm"
+ "github.com/gruntwork-io/terratest/modules/k8s"
 "github.com/gruntwork-io/terratest/modules/random"
 "github.com/stretchr/testify/require"
 "github.com/stretchr/testify/suite"
+ "gopkg.in/yaml.v3"
+ corev1 "k8s.io/api/core/v1"
 )
 type configMapTemplateTest struct {
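Review bot: The new `wellKnown:` line is rendered unconditionally, and the value it reads is given the placeholder default `https://well-known-uri` in the values.yaml hunk (`@@ -303,6 +303,12 @@`), so every install that does not override it ships a ConfigMap pointing Console at a discovery URL that does not exist — the golden file in this commit shows exactly that output. The README row for the same key calls it optional, which the template does not honour. If Console treats `wellKnown` as the OIDC discovery endpoint (not verifiable from this diff), a bogus default is worse than an absent key: it either breaks login or silently takes precedence over the `issuer`/`jwksUri` values derived from the global identity helpers. I would default the value to empty and guard the line, `{{- if .Values.global.identity.auth.console.wellKnown }}` / `wellKnown: {{ .Values.global.identity.auth.console.wellKnown | quote }}` / `{{- end }}`, and regenerate the golden file accordingly.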
@@ -45,3 +49,30 @@ func TestConfigMapTemplate(t *testing.T) {
 templates: []string{"templates/console/configmap.yaml"},
 })
 }
+
+func (s *configMapTemplateTest) TestContainerShouldSetCorrectIdentityType() {
+ // given
+ options := &helm.Options{
+ SetValues: map[string]string{
+ "console.enabled": "true",
+ "global.identity.auth.type": "MICROSOFT",
+ "global.identity.auth.issuer": "https://example.com",
+ "global.identity.auth.issuerBackendUrl": "https://example.com",
+ },
+ KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+ }
+
+ // when
+ output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+ var configmap corev1.ConfigMap
+ var configmapApplication ConsoleYAML
+ helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+ err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+ if err != nil {
+ s.Fail("Failed to unmarshal yaml. error=", err)
+ }
+
+ // then
+ s.Require().Equal("MICROSOFT", configmapApplication.Camunda.Console.OAuth.Type)
+}
diff --git a/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml b/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml
index a67efe6cf3..6f32543903 100644
--- a/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml
+++ b/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml
@@ -17,6 +17,13 @@ data:
 # https://docs.camunda.io/docs/self-managed/console-deployment/configuration/
 camunda:
 console:
+ oAuth:
+ audience: "console-api"
+ clientId: "console"
+ issuer: "http://localhost:18080/auth/realms/camunda-platform"
+ jwksUri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs"
+ type: "KEYCLOAK"
+ wellKnown: "https://well-known-uri"
 managed:
 method: plain
 releases:
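Review bot: In `TestContainerShouldSetCorrectIdentityType`, `s.Fail(...)` marks the test failed but does not stop it, so when `yaml.Unmarshal` errors the `s.Require().Equal` on the next lines still runs against a zero-valued `ConsoleYAML` and reports a misleading `"MICROSOFT" != ""` mismatch on top of the real cause; replace the `if err != nil { s.Fail(...) }` block with `s.Require().NoError(err, "unmarshal application.yaml")`. The test also feeds `global.identity.auth.issuer` and `issuerBackendUrl` but only asserts `Type`; since the template derives `issuer` and `jwksUri` from exactly those values, asserting them here (e.g. `s.Require().Equal("https://example.com", configmapApplication.Camunda.Console.OAuth.Issuer)` once the struct carries an `Issuer` field) is what would catch a wrong helper being wired in. The map key `"application.yaml"` is assumed from the ConfigMap template, which is not fully visible in this diff.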
diff --git a/charts/camunda-platform-latest/test/unit/console/types.go b/charts/camunda-platform-latest/test/unit/console/types.go
new file mode 100644
index 0000000000..2c686e9773
--- /dev/null
+++ b/charts/camunda-platform-latest/test/unit/console/types.go
@@ -0,0 +1,20 @@
+package console
+
+type ConsoleYAML struct {
+ Camunda CamundaConfig `yaml:"camunda"`
+}
+
+type CamundaConfig struct {
+ Console ConsoleConfig `yaml:"console"`
+}
+
+type ConsoleConfig struct {
+ OAuth OAuth2Config `yaml:"oAuth"`
+}
+
+type OAuth2Config struct {
+ ClientId string `yaml:"clientId"`
+ Type string `yaml:"type"`
+ Audience string `yaml:"audience"`
+ JwksUri string `yaml:"jwksUri"`
+}
diff --git a/charts/camunda-platform-latest/values.yaml b/charts/camunda-platform-latest/values.yaml
index 555a9045bd..779d853c2a 100644
--- a/charts/camunda-platform-latest/values.yaml
+++ b/charts/camunda-platform-latest/values.yaml
@@ -303,6 +303,12 @@ global:
 ## @extra global.identity.auth.console configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
 console:
+ ## @param global.identity.auth.console.clientId defines the client id, which is used by Console in authentication flows.
+ clientId: console
+ ## @param global.identity.auth.console.audience defines the audience which is used by Console's client API.
+ audience: console-api
+ ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
+ wellKnown: https://well-known-uri
 ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
 # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
 existingSecret:
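Review bot: `OAuth2Config` in types.go omits two of the six keys the template now emits under `oAuth:` — `issuer` and `wellKnown` — so the unit tests cannot assert the issuer URL or the discovery URL at all, and those are the two values an operator is most likely to get wrong. Add `Issuer string \`yaml:"issuer"\`` and `WellKnown string \`yaml:"wellKnown"\`` to the struct so the configmap test can cover them. As a point of style, Go initialisms stay uniformly cased, so `ClientId`/`JwksUri` would conventionally be `ClientID`/`JwksURI`; the yaml tags are unaffected and nothing else in this diff reads those fields, so the rename is free. The exported types also lack doc comments; a one-liner on `ConsoleYAML` such as `// ConsoleYAML mirrors the application.yaml rendered into the Console ConfigMap.` would tell a reader why these mirror the template rather than the real Console config schema.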
@@ -310,8 +316,6 @@ global:
 # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8080.
 # Can be overwritten if ingress is in use and an external IP is available.
 redirectUrl: "http://localhost:8080"
- ## @param global.identity.auth.console.audience can be used to Console audience in Identity.
- audience: console-api
 ## @extra global.identity.auth.zeebe configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts
 zeebe: