feat(web-modeler): configure jwk-set-uri for restapi component

camunda · Jan 2, 2025 · 3d41864 · 3d41864
1 parent 88d40e4
commit 3d41864
Show file tree

Hide file tree

Showing 15 changed files with 542 additions and 57 deletions.
diff --git a/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml b/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml
@@ -59,6 +59,7 @@ data:
           resourceserver:
             jwt:
               issuer-uri: {{ include "camundaPlatform.authIssuerUrl" . | quote }}
+              jwk-set-uri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }}
 
   {{- end }}
   {{- range $key, $val := .Values.webModeler.restapi.extraConfiguration }}

diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go b/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go
@@ -194,6 +194,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ
 	// then
 	s.Require().Equal("http://keycloak:80/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServiceUrlWithCustomPort() {
 	// given
 	options := &helm.Options{
@@ -221,6 +222,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ
 	// then
 	s.Require().Equal("http://keycloak:8888/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() {
 	// given
 	options := &helm.Options{
@@ -247,6 +249,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() {
 	// then
 	s.Require().Equal("modeler-user", configmapApplication.Spring.Mail.Username)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseConfiguration() {
 	// given
 	options := &helm.Options{
@@ -276,3 +279,85 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseCon
 	s.Require().Equal("jdbc:postgresql://postgres.example.com:65432/modeler-database", configmapApplication.Spring.Datasource.Url)
 	s.Require().Equal("modeler-user", configmapApplication.Spring.Datasource.Username)
 }
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromJwksUrlProperty() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                  "true",
+			"webModeler.restapi.mail.fromAddress": "example@example.com",
+			"global.identity.auth.jwksUrl":        "https://example.com/auth/realms/test/protocol/openid-connect/certs",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("https://example.com/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromIssuerBackendUrlProperty() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                    "true",
+			"webModeler.restapi.mail.fromAddress":   "example@example.com",
+			"global.identity.auth.issuerBackendUrl": "http://test-keycloak/auth/realms/test",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("http://test-keycloak/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromKeycloakUrlProperties() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                    "true",
+			"webModeler.restapi.mail.fromAddress":   "example@example.com",
+			"global.identity.keycloak.url.protocol": "https",
+			"global.identity.keycloak.url.host":     "example.com",
+			"global.identity.keycloak.url.port":     "443",
+			"global.identity.keycloak.contextPath":  "/",
+			"global.identity.keycloak.realm":        "test",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("https://example.com:443/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}
diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/golden/configmap-restapi.golden.yaml b/charts/camunda-platform-8.5/test/unit/web-modeler/golden/configmap-restapi.golden.yaml
@@ -0,0 +1,62 @@
+---
+# Source: camunda-platform/templates/web-modeler/configmap-restapi.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: camunda-platform-test-web-modeler-restapi-configuration
+  labels:
+    app: camunda-platform
+    app.kubernetes.io/name: web-modeler
+    app.kubernetes.io/instance: camunda-platform-test
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/part-of: camunda-platform
+    app.kubernetes.io/component: web-modeler
+    app.kubernetes.io/version: "8.5.13"
+  annotations:
+    {}
+data:
+  application.yaml: |
+    camunda:
+      identity:
+        base-url: "http://camunda-platform-test-identity:80"
+        issuer: "http://localhost:18080/auth/realms/camunda-platform"
+        issuerBackendUrl: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform"
+        type: "KEYCLOAK"
+
+      modeler:
+        pusher:
+          host: "camunda-platform-test-web-modeler-websockets"
+          port: 80
+
+        security:
+          jwt:
+            issuer:
+              backend-url: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform"
+            audience:
+              internal-api: "web-modeler-api"
+              public-api: "web-modeler-public-api"
+        mail:
+          from-address: "example@example.com"
+          from-name: "Camunda 8"
+
+        server:
+          url: "http://localhost:8084"
+    spring:
+      datasource:
+        url: "jdbc:postgresql://camunda-platform-test-postgresql-web-modeler:5432/web-modeler"
+        username: "web-modeler"
+
+      mail:
+        host: ""
+        port: 587
+        properties:
+          mail.smtp.auth: false
+          mail.smtp.starttls.enable: true
+          mail.smtp.starttls.required: true
+
+      security:
+        oauth2:
+          resourceserver:
+            jwt:
+              issuer-uri: "http://localhost:18080/auth/realms/camunda-platform"
+              jwk-set-uri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs"
diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go b/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go
@@ -31,6 +31,7 @@ func TestGoldenDefaultsTemplate(t *testing.T) {
 	chartPath, err := filepath.Abs("../../../")
 	require.NoError(t, err)
 	templateNames := []string{
+		"configmap-restapi",
 		"configmap-shared",
 		"deployment-restapi",
 		"deployment-webapp",

diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/types.go b/charts/camunda-platform-8.5/test/unit/web-modeler/types.go
@@ -7,8 +7,9 @@ type WebModelerRestAPIApplicationYAML struct {
 }
 
 type SpringYAML struct {
-	Mail       MailYAML       `yaml:"mail"`
-	Datasource DatasourceYAML `yaml:"datasource"`
+	Mail       MailYAML           `yaml:"mail"`
+	Datasource DatasourceYAML     `yaml:"datasource"`
+	Security   SpringSecurityYAML `yaml:"security"`
 }
 type DatasourceYAML struct {
 	Url      string `yaml:"url"`
@@ -19,6 +20,22 @@ type MailYAML struct {
 	Username string `yaml:"username"`
 }
 
+type SpringSecurityYAML struct {
+	OAuth2 OAuth2YAML `yaml:"oauth2"`
+}
+
+type OAuth2YAML struct {
+	ResourceServer ResourceServerYAML `yaml:"resourceserver"`
+}
+
+type ResourceServerYAML struct {
+	JWT SpringJwtYAML `yaml:"jwt"`
+}
+
+type SpringJwtYAML struct {
+	JwkSetURI string `yaml:"jwk-set-uri"`
+}
+
 type CamundaYAML struct {
 	Modeler  ModelerYAML  `yaml:"modeler"`
 	Identity IdentityYAML `yaml:"identity"`
@@ -29,14 +46,14 @@ type IdentityYAML struct {
 	Type    string `yaml:"type"`
 }
 type ModelerYAML struct {
-	Security SecurityYAML `yaml:"security"`
+	Security ModelerSecurityYAML `yaml:"security"`
 }
 
-type SecurityYAML struct {
-	JWT JwtYAML `yaml:"jwt"`
+type ModelerSecurityYAML struct {
+	JWT ModelerJwtYAML `yaml:"jwt"`
 }
 
-type JwtYAML struct {
+type ModelerJwtYAML struct {
 	Audience AudienceYAML `yaml:"audience"`
 	Issuer   IssuerYAML   `yaml:"issuer"`
 }

diff --git a/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml b/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml
@@ -59,6 +59,7 @@ data:
           resourceserver:
             jwt:
               issuer-uri: {{ include "camundaPlatform.authIssuerUrl" . | quote }}
+              jwk-set-uri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }}
 
   {{- end }}
   {{- range $key, $val := .Values.webModeler.restapi.extraConfiguration }}

diff --git a/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go b/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go
@@ -194,6 +194,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ
 	// then
 	s.Require().Equal("http://keycloak:80/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServiceUrlWithCustomPort() {
 	// given
 	options := &helm.Options{
@@ -221,6 +222,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ
 	// then
 	s.Require().Equal("http://keycloak:8888/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() {
 	// given
 	options := &helm.Options{
@@ -247,6 +249,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() {
 	// then
 	s.Require().Equal("modeler-user", configmapApplication.Spring.Mail.Username)
 }
+
 func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseConfiguration() {
 	// given
 	options := &helm.Options{
@@ -276,3 +279,85 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseCon
 	s.Require().Equal("jdbc:postgresql://postgres.example.com:65432/modeler-database", configmapApplication.Spring.Datasource.Url)
 	s.Require().Equal("modeler-user", configmapApplication.Spring.Datasource.Username)
 }
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromJwksUrlProperty() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                  "true",
+			"webModeler.restapi.mail.fromAddress": "example@example.com",
+			"global.identity.auth.jwksUrl":        "https://example.com/auth/realms/test/protocol/openid-connect/certs",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("https://example.com/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromIssuerBackendUrlProperty() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                    "true",
+			"webModeler.restapi.mail.fromAddress":   "example@example.com",
+			"global.identity.auth.issuerBackendUrl": "http://test-keycloak/auth/realms/test",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("http://test-keycloak/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}
+
+func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromKeycloakUrlProperties() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"webModeler.enabled":                    "true",
+			"webModeler.restapi.mail.fromAddress":   "example@example.com",
+			"global.identity.keycloak.url.protocol": "https",
+			"global.identity.keycloak.url.host":     "example.com",
+			"global.identity.keycloak.url.port":     "443",
+			"global.identity.keycloak.contextPath":  "/",
+			"global.identity.keycloak.realm":        "test",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication WebModelerRestAPIApplicationYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("https://example.com:443/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI)
+}