diff --git a/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml b/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml index 3706050723..b31b60c759 100644 --- a/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml +++ b/charts/camunda-platform-8.5/templates/web-modeler/configmap-restapi.yaml @@ -59,6 +59,7 @@ data: resourceserver: jwt: issuer-uri: {{ include "camundaPlatform.authIssuerUrl" . | quote }} + jwk-set-uri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }} {{- end }} {{- range $key, $val := .Values.webModeler.restapi.extraConfiguration }} diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go b/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go index a54caa51a3..7ef8d6fc17 100644 --- a/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go +++ b/charts/camunda-platform-8.5/test/unit/web-modeler/configmap_restapi_test.go @@ -194,6 +194,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ // then s.Require().Equal("http://keycloak:80/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServiceUrlWithCustomPort() { // given options := &helm.Options{ @@ -221,6 +222,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ // then s.Require().Equal("http://keycloak:8888/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() { // given options := &helm.Options{ 
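Review bot: The new `jwk-set-uri` line points key retrieval at the in-cluster backend URL while `issuer-uri` on the line above keeps the public issuer, and nothing in the template records that the two are meant to differ; the `{{- end }}` that closes this block belongs to a condition that starts outside the hunk, so a later edit to that guard has no hint that both lines must stay together. A template comment keeps that out of the rendered configmap, e.g. `{{- /* jwk-set-uri uses the in-cluster backend URL (camundaPlatform.authIssuerBackendUrlCertsEndpoint) so key fetching does not depend on the public issuer-uri being reachable from the pod. */}}`. The `global.identity.auth.jwksUrl` override that the new unit tests assert is, as far as this hunk shows, handled inside that helper rather than here, so confirm the helper prefers an explicit jwksUrl over the derived certs endpoint. The same line is added to the 8.6 and alpha templates in later hunks.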
@@ -247,6 +249,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() { // then s.Require().Equal("modeler-user", configmapApplication.Spring.Mail.Username) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseConfiguration() { // given options := &helm.Options{ 
@@ -276,3 +279,85 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseCon s.Require().Equal("jdbc:postgresql://postgres.example.com:65432/modeler-database", configmapApplication.Spring.Datasource.Url) s.Require().Equal("modeler-user", configmapApplication.Spring.Datasource.Username) } + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromJwksUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.jwksUrl": "https://example.com/auth/realms/test/protocol/openid-connect/certs", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("https://example.com/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromIssuerBackendUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.issuerBackendUrl": "http://test-keycloak/auth/realms/test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("http://test-keycloak/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromKeycloakUrlProperties() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.keycloak.url.protocol": "https", + "global.identity.keycloak.url.host": "example.com", + "global.identity.keycloak.url.port": "443", + "global.identity.keycloak.contextPath": "/", + "global.identity.keycloak.realm": "test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. error=", err) + } + + // then + s.Require().Equal("https://example.com:443/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/golden/configmap-restapi.golden.yaml b/charts/camunda-platform-8.5/test/unit/web-modeler/golden/configmap-restapi.golden.yaml new file mode 100644 index 0000000000..e25a8d170f --- /dev/null +++ b/charts/camunda-platform-8.5/test/unit/web-modeler/golden/configmap-restapi.golden.yaml 
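Review bot: In the three new tests the `if err != nil { s.Fail(...) }` after `yaml.Unmarshal` does not stop the test, so on a parse failure the `s.Require().Equal` below still runs against a zero-valued `WebModelerRestAPIApplicationYAML` and reports an empty-string mismatch instead of the YAML error. `s.Require().NoError(err, "Failed to unmarshal yaml")` replaces those four lines and aborts with the actual error. The render-and-unmarshal block is repeated verbatim three times here, and the same three tests are added again in the 8.6 and alpha test files; a small suite helper that renders the template and unmarshals `application.yaml` would leave each test with only its SetValues and the expected jwk-set-uri. The pattern is inherited from the existing tests above, so the helper could be adopted for them in a follow-up.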
@@ -0,0 +1,62 @@ +--- +# Source: camunda-platform/templates/web-modeler/configmap-restapi.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: camunda-platform-test-web-modeler-restapi-configuration + labels: + app: camunda-platform + app.kubernetes.io/name: web-modeler + app.kubernetes.io/instance: camunda-platform-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: camunda-platform + app.kubernetes.io/component: web-modeler + app.kubernetes.io/version: "8.5.13" + annotations: + {} +data: + application.yaml: | + camunda: + identity: + base-url: "http://camunda-platform-test-identity:80" + issuer: "http://localhost:18080/auth/realms/camunda-platform" + issuerBackendUrl: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + type: "KEYCLOAK" + + modeler: + pusher: + host: "camunda-platform-test-web-modeler-websockets" + port: 80 + + security: + jwt: + issuer: + backend-url: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + audience: + internal-api: "web-modeler-api" + public-api: "web-modeler-public-api" + mail: + from-address: "example@example.com" + from-name: "Camunda 8" + + server: + url: "http://localhost:8084" + spring: + datasource: + url: "jdbc:postgresql://camunda-platform-test-postgresql-web-modeler:5432/web-modeler" + username: "web-modeler" + + mail: + host: "" + port: 587 + properties: + mail.smtp.auth: false + mail.smtp.starttls.enable: true + mail.smtp.starttls.required: true + + security: + oauth2: + resourceserver: + jwt: + issuer-uri: "http://localhost:18080/auth/realms/camunda-platform" + jwk-set-uri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs" \ No newline at end of file diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go b/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go index 2a89644787..837c489c4d 100644 
--- a/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go +++ b/charts/camunda-platform-8.5/test/unit/web-modeler/goldenfiles_test.go @@ -31,6 +31,7 @@ func TestGoldenDefaultsTemplate(t *testing.T) { chartPath, err := filepath.Abs("../../../") require.NoError(t, err) templateNames := []string{ + "configmap-restapi", "configmap-shared", "deployment-restapi", "deployment-webapp", diff --git a/charts/camunda-platform-8.5/test/unit/web-modeler/types.go b/charts/camunda-platform-8.5/test/unit/web-modeler/types.go index fddd485f51..a04e0ac15d 100644 --- a/charts/camunda-platform-8.5/test/unit/web-modeler/types.go +++ b/charts/camunda-platform-8.5/test/unit/web-modeler/types.go @@ -7,8 +7,9 @@ type WebModelerRestAPIApplicationYAML struct { } type SpringYAML struct { - Mail MailYAML `yaml:"mail"` - Datasource DatasourceYAML `yaml:"datasource"` + Mail MailYAML `yaml:"mail"` + Datasource DatasourceYAML `yaml:"datasource"` + Security SpringSecurityYAML `yaml:"security"` } type DatasourceYAML struct { Url string `yaml:"url"` @@ -19,6 +20,22 @@ type MailYAML struct { Username string `yaml:"username"` } +type SpringSecurityYAML struct { + OAuth2 OAuth2YAML `yaml:"oauth2"` +} + +type OAuth2YAML struct { + ResourceServer ResourceServerYAML `yaml:"resourceserver"` +} + +type ResourceServerYAML struct { + JWT SpringJwtYAML `yaml:"jwt"` +} + +type SpringJwtYAML struct { + JwkSetURI string `yaml:"jwk-set-uri"` +} + type CamundaYAML struct { Modeler ModelerYAML `yaml:"modeler"` Identity IdentityYAML `yaml:"identity"` @@ -29,14 +46,14 @@ type IdentityYAML struct { Type string `yaml:"type"` } type ModelerYAML struct { - Security SecurityYAML `yaml:"security"` + Security ModelerSecurityYAML `yaml:"security"` } -type SecurityYAML struct { - JWT JwtYAML `yaml:"jwt"` +type ModelerSecurityYAML struct { + JWT ModelerJwtYAML `yaml:"jwt"` } -type JwtYAML struct { +type ModelerJwtYAML struct { Audience AudienceYAML `yaml:"audience"` Issuer IssuerYAML `yaml:"issuer"` } 
diff --git a/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml b/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml index 3706050723..b31b60c759 100644 --- a/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml +++ b/charts/camunda-platform-8.6/templates/web-modeler/configmap-restapi.yaml @@ -59,6 +59,7 @@ data: resourceserver: jwt: issuer-uri: {{ include "camundaPlatform.authIssuerUrl" . | quote }} + jwk-set-uri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }} {{- end }} {{- range $key, $val := .Values.webModeler.restapi.extraConfiguration }} diff --git a/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go b/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go index a54caa51a3..7ef8d6fc17 100644 --- a/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go +++ b/charts/camunda-platform-8.6/test/unit/web-modeler/configmap_restapi_test.go @@ -194,6 +194,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ // then s.Require().Equal("http://keycloak:80/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServiceUrlWithCustomPort() { // given options := &helm.Options{ @@ -221,6 +222,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectKeycloakServ // then s.Require().Equal("http://keycloak:8888/auth/realms/camunda-platform", configmapApplication.Camunda.Modeler.Security.JWT.Issuer.BackendUrl) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() { // given options := &helm.Options{ 
@@ -247,6 +249,7 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetSmtpCredentials() { // then s.Require().Equal("modeler-user", configmapApplication.Spring.Mail.Username) } + func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseConfiguration() { // given options := &helm.Options{ 
@@ -276,3 +279,85 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseCon s.Require().Equal("jdbc:postgresql://postgres.example.com:65432/modeler-database", configmapApplication.Spring.Datasource.Url) s.Require().Equal("modeler-user", configmapApplication.Spring.Datasource.Username) } + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromJwksUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.jwksUrl": "https://example.com/auth/realms/test/protocol/openid-connect/certs", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("https://example.com/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromIssuerBackendUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.issuerBackendUrl": "http://test-keycloak/auth/realms/test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("http://test-keycloak/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromKeycloakUrlProperties() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.keycloak.url.protocol": "https", + "global.identity.keycloak.url.host": "example.com", + "global.identity.keycloak.url.port": "443", + "global.identity.keycloak.contextPath": "/", + "global.identity.keycloak.realm": "test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. error=", err) + } + + // then + s.Require().Equal("https://example.com:443/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} diff --git a/charts/camunda-platform-8.6/test/unit/web-modeler/golden/configmap-restapi.golden.yaml b/charts/camunda-platform-8.6/test/unit/web-modeler/golden/configmap-restapi.golden.yaml new file mode 100644 index 0000000000..f98e87764a --- /dev/null +++ b/charts/camunda-platform-8.6/test/unit/web-modeler/golden/configmap-restapi.golden.yaml 
@@ -0,0 +1,62 @@ +--- +# Source: camunda-platform/templates/web-modeler/configmap-restapi.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: camunda-platform-test-web-modeler-restapi-configuration + labels: + app: camunda-platform + app.kubernetes.io/name: web-modeler + app.kubernetes.io/instance: camunda-platform-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: camunda-platform + app.kubernetes.io/component: web-modeler + app.kubernetes.io/version: "8.6.5" + annotations: + {} +data: + application.yaml: | + camunda: + identity: + base-url: "http://camunda-platform-test-identity:80" + issuer: "http://localhost:18080/auth/realms/camunda-platform" + issuerBackendUrl: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + type: "KEYCLOAK" + + modeler: + pusher: + host: "camunda-platform-test-web-modeler-websockets" + port: 80 + + security: + jwt: + issuer: + backend-url: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + audience: + internal-api: "web-modeler-api" + public-api: "web-modeler-public-api" + mail: + from-address: "example@example.com" + from-name: "Camunda 8" + + server: + url: "http://localhost:8084" + spring: + datasource: + url: "jdbc:postgresql://camunda-platform-test-postgresql-web-modeler:5432/web-modeler" + username: "web-modeler" + + mail: + host: "" + port: 587 + properties: + mail.smtp.auth: false + mail.smtp.starttls.enable: true + mail.smtp.starttls.required: true + + security: + oauth2: + resourceserver: + jwt: + issuer-uri: "http://localhost:18080/auth/realms/camunda-platform" + jwk-set-uri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs" \ No newline at end of file diff --git a/charts/camunda-platform-8.6/test/unit/web-modeler/goldenfiles_test.go b/charts/camunda-platform-8.6/test/unit/web-modeler/goldenfiles_test.go index 2a89644787..837c489c4d 100644 
--- a/charts/camunda-platform-8.6/test/unit/web-modeler/goldenfiles_test.go +++ b/charts/camunda-platform-8.6/test/unit/web-modeler/goldenfiles_test.go @@ -31,6 +31,7 @@ func TestGoldenDefaultsTemplate(t *testing.T) { chartPath, err := filepath.Abs("../../../") require.NoError(t, err) templateNames := []string{ + "configmap-restapi", "configmap-shared", "deployment-restapi", "deployment-webapp", diff --git a/charts/camunda-platform-8.6/test/unit/web-modeler/types.go b/charts/camunda-platform-8.6/test/unit/web-modeler/types.go index fddd485f51..a04e0ac15d 100644 --- a/charts/camunda-platform-8.6/test/unit/web-modeler/types.go +++ b/charts/camunda-platform-8.6/test/unit/web-modeler/types.go @@ -7,8 +7,9 @@ type WebModelerRestAPIApplicationYAML struct { } type SpringYAML struct { - Mail MailYAML `yaml:"mail"` - Datasource DatasourceYAML `yaml:"datasource"` + Mail MailYAML `yaml:"mail"` + Datasource DatasourceYAML `yaml:"datasource"` + Security SpringSecurityYAML `yaml:"security"` } type DatasourceYAML struct { Url string `yaml:"url"` @@ -19,6 +20,22 @@ type MailYAML struct { Username string `yaml:"username"` } +type SpringSecurityYAML struct { + OAuth2 OAuth2YAML `yaml:"oauth2"` +} + +type OAuth2YAML struct { + ResourceServer ResourceServerYAML `yaml:"resourceserver"` +} + +type ResourceServerYAML struct { + JWT SpringJwtYAML `yaml:"jwt"` +} + +type SpringJwtYAML struct { + JwkSetURI string `yaml:"jwk-set-uri"` +} + type CamundaYAML struct { Modeler ModelerYAML `yaml:"modeler"` Identity IdentityYAML `yaml:"identity"` @@ -29,14 +46,14 @@ type IdentityYAML struct { Type string `yaml:"type"` } type ModelerYAML struct { - Security SecurityYAML `yaml:"security"` + Security ModelerSecurityYAML `yaml:"security"` } -type SecurityYAML struct { - JWT JwtYAML `yaml:"jwt"` +type ModelerSecurityYAML struct { + JWT ModelerJwtYAML `yaml:"jwt"` } -type JwtYAML struct { +type ModelerJwtYAML struct { Audience AudienceYAML `yaml:"audience"` Issuer IssuerYAML `yaml:"issuer"` } 
diff --git a/charts/camunda-platform-alpha/templates/web-modeler/configmap-restapi.yaml b/charts/camunda-platform-alpha/templates/web-modeler/configmap-restapi.yaml index 1dadbe3f14..6bd350ac3f 100644 --- a/charts/camunda-platform-alpha/templates/web-modeler/configmap-restapi.yaml +++ b/charts/camunda-platform-alpha/templates/web-modeler/configmap-restapi.yaml @@ -85,6 +85,7 @@ data: resourceserver: jwt: issuer-uri: {{ include "camundaPlatform.authIssuerUrl" . | quote }} + jwk-set-uri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }} logging: {{- with .Values.webModeler.restapi.logging }} {{ . | toYaml | indent 6 }} diff --git a/charts/camunda-platform-alpha/test/unit/web-modeler/configmap_restapi_test.go b/charts/camunda-platform-alpha/test/unit/web-modeler/configmap_restapi_test.go index 914c9b5dc1..a1d896a609 100644 --- a/charts/camunda-platform-alpha/test/unit/web-modeler/configmap_restapi_test.go +++ b/charts/camunda-platform-alpha/test/unit/web-modeler/configmap_restapi_test.go @@ -144,10 +144,11 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetCorrectIdentityType // given options := &helm.Options{ SetValues: map[string]string{ - "webModeler.enabled": "true", - "webModeler.restapi.mail.fromAddress": "example@example.com", - "global.identity.auth.type": "MICROSOFT", - "global.identity.auth.issuerBackendUrl": "https://example.com", + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.type": "MICROSOFT", + "global.identity.auth.issuerBackendUrl": "https://example.com", + "global.identity.auth.identity.existingSecret.name": "foo", }, KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), } 
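Review bot: The `global.identity.auth.identity.existingSecret.name` entry added to TestContainerShouldSetCorrectIdentityType has no comment saying why a render with `global.identity.auth.type` set to MICROSOFT now needs it, and the assertions that would show its effect are outside the hunk (the function continues past it). A one-line comment above the entry, e.g. `// needed for the chart to render with auth.type=MICROSOFT`, stating whichever requirement actually triggered it, would keep the next reader from dropping it as unrelated to the identity-type assertion.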
@@ -280,40 +281,6 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldSetExternalDatabaseCon s.Require().Equal("modeler-user", configmapApplication.Spring.Datasource.Username) } -func (s *configmapRestAPITemplateTest) TestContainerShouldConfigureClusterFromSameHelmInstallationWithDefaultValues() { - // given - options := &helm.Options{ - SetValues: map[string]string{ - "webModeler.enabled": "true", - "webModeler.restapi.mail.fromAddress": "example@example.com", - "webModelerPostgresql.enabled": "false", - }, - KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), - } - - // when - output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) - var configmap corev1.ConfigMap - var configmapApplication WebModelerRestAPIApplicationYAML - helm.UnmarshalK8SYaml(s.T(), output, &configmap) - - err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) - if err != nil { - s.Fail("Failed to unmarshal yaml. error=", err) - } - - // then - s.Require().Equal(1, len(configmapApplication.Camunda.Modeler.Clusters)) - s.Require().Equal("default-cluster", configmapApplication.Camunda.Modeler.Clusters[0].Id) - s.Require().Equal("camunda-platform-test-zeebe", configmapApplication.Camunda.Modeler.Clusters[0].Name) - s.Require().Equal("OAUTH", configmapApplication.Camunda.Modeler.Clusters[0].Authentication) - s.Require().Equal("grpc://camunda-platform-test-core:26500", configmapApplication.Camunda.Modeler.Clusters[0].Url.Zeebe.Grpc) - s.Require().Equal("http://camunda-platform-test-core:8080/v1", configmapApplication.Camunda.Modeler.Clusters[0].Url.Zeebe.Rest) - s.Require().Equal("http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/token", configmapApplication.Camunda.Modeler.Clusters[0].Oauth.Url) - s.Require().Equal("core-api", configmapApplication.Camunda.Modeler.Clusters[0].Oauth.Audience.Zeebe) - s.Require().Equal("", 
configmapApplication.Camunda.Modeler.Clusters[0].Oauth.Scope) -} - func (s *configmapRestAPITemplateTest) TestContainerShouldConfigureClusterFromSameHelmInstallationWithCustomValues() { // given options := &helm.Options{ 
@@ -439,3 +406,85 @@ func (s *configmapRestAPITemplateTest) TestContainerShouldNotConfigureClustersIf // then s.Require().Empty(configmapApplication.Camunda.Modeler.Clusters) } + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromJwksUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.jwksUrl": "https://example.com/auth/realms/test/protocol/openid-connect/certs", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("https://example.com/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromIssuerBackendUrlProperty() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.auth.issuerBackendUrl": "http://test-keycloak/auth/realms/test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. 
error=", err) + } + + // then + s.Require().Equal("http://test-keycloak/auth/realms/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} + +func (s *configmapRestAPITemplateTest) TestContainerShouldSetJwkSetUriFromKeycloakUrlProperties() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "webModeler.enabled": "true", + "webModeler.restapi.mail.fromAddress": "example@example.com", + "global.identity.keycloak.url.protocol": "https", + "global.identity.keycloak.url.host": "example.com", + "global.identity.keycloak.url.port": "443", + "global.identity.keycloak.contextPath": "/", + "global.identity.keycloak.realm": "test", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var configmap corev1.ConfigMap + var configmapApplication WebModelerRestAPIApplicationYAML + helm.UnmarshalK8SYaml(s.T(), output, &configmap) + + err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication) + if err != nil { + s.Fail("Failed to unmarshal yaml. error=", err) + } + + // then + s.Require().Equal("https://example.com:443/test/protocol/openid-connect/certs", configmapApplication.Spring.Security.OAuth2.ResourceServer.JWT.JwkSetURI) +} diff --git a/charts/camunda-platform-alpha/test/unit/web-modeler/golden/configmap-restapi.golden.yaml b/charts/camunda-platform-alpha/test/unit/web-modeler/golden/configmap-restapi.golden.yaml new file mode 100644 index 0000000000..8abb8d3bb1 --- /dev/null +++ b/charts/camunda-platform-alpha/test/unit/web-modeler/golden/configmap-restapi.golden.yaml 
@@ -0,0 +1,85 @@ +--- +# Source: camunda-platform/templates/web-modeler/configmap-restapi.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: camunda-platform-test-web-modeler-restapi-configuration + labels: + app: camunda-platform + app.kubernetes.io/name: web-modeler + app.kubernetes.io/instance: camunda-platform-test + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: camunda-platform + app.kubernetes.io/component: web-modeler + app.kubernetes.io/version: "8.7.0-alpha2" + annotations: + {} +data: + application.yaml: | + camunda: + identity: + base-url: "http://camunda-platform-test-identity:80" + issuer: "http://localhost:18080/auth/realms/camunda-platform" + issuerBackendUrl: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + type: "KEYCLOAK" + + modeler: + pusher: + host: "camunda-platform-test-web-modeler-websockets" + port: 80 + + security: + jwt: + issuer: + backend-url: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform" + audience: + internal-api: "web-modeler-api" + public-api: "web-modeler-public-api" + mail: + from-address: "example@example.com" + from-name: "Camunda 8" + + server: + url: "http://localhost:8084" + clusters: + - id: "default-cluster" + name: "camunda-platform-test-zeebe" + version: "8.7.0-alpha2" + authentication: "OAUTH" + url: + zeebe: + grpc: "grpc://camunda-platform-test-core:26500" + rest: "http://camunda-platform-test-core:8080/v1" + operate: "http://camunda-platform-test-core:8080/v1" + tasklist: "http://camunda-platform-test-core:8080/tasklist" + oauth: + url: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/token" + audience: + zeebe: "core-api" + operate: "core-api" + tasklist: "core-api" + scope: "" + + spring: + datasource: + url: "jdbc:postgresql://camunda-platform-test-postgresql-web-modeler:5432/web-modeler" + username: "web-modeler" + + mail: + host: "" + port: 587 + properties: + mail.smtp.auth: false + 
mail.smtp.starttls.enable: true + mail.smtp.starttls.required: true + + security: + oauth2: + resourceserver: + jwt: + issuer-uri: "http://localhost:18080/auth/realms/camunda-platform" + jwk-set-uri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs" + logging: + level: + io.camunda.modeler: DEBUG + io.grpc: TRACE \ No newline at end of file diff --git a/charts/camunda-platform-alpha/test/unit/web-modeler/goldenfiles_test.go b/charts/camunda-platform-alpha/test/unit/web-modeler/goldenfiles_test.go index dfbb4d57c4..4602948fed 100644 --- a/charts/camunda-platform-alpha/test/unit/web-modeler/goldenfiles_test.go +++ b/charts/camunda-platform-alpha/test/unit/web-modeler/goldenfiles_test.go @@ -31,6 +31,7 @@ func TestGoldenDefaultsTemplate(t *testing.T) { chartPath, err := filepath.Abs("../../../") require.NoError(t, err) templateNames := []string{ + "configmap-restapi", "configmap-shared", "deployment-restapi", "deployment-webapp", diff --git a/charts/camunda-platform-alpha/test/unit/web-modeler/types.go b/charts/camunda-platform-alpha/test/unit/web-modeler/types.go index 1a64bf52a9..2d72222d77 100644 --- a/charts/camunda-platform-alpha/test/unit/web-modeler/types.go +++ b/charts/camunda-platform-alpha/test/unit/web-modeler/types.go @@ -7,8 +7,9 @@ type WebModelerRestAPIApplicationYAML struct { } type SpringYAML struct { - Mail MailYAML `yaml:"mail"` - Datasource DatasourceYAML `yaml:"datasource"` + Mail MailYAML `yaml:"mail"` + Datasource DatasourceYAML `yaml:"datasource"` + Security SpringSecurityYAML `yaml:"security"` } type DatasourceYAML struct { Url string `yaml:"url"` 
@@ -19,6 +20,22 @@ type MailYAML struct { Username string `yaml:"username"` } +type SpringSecurityYAML struct { + OAuth2 OAuth2YAML `yaml:"oauth2"` +} + +type OAuth2YAML struct { + ResourceServer ResourceServerYAML `yaml:"resourceserver"` +} + +type ResourceServerYAML struct { + JWT SpringJwtYAML `yaml:"jwt"` +} + +type SpringJwtYAML struct { + JwkSetURI string `yaml:"jwk-set-uri"` +} + type CamundaYAML struct { Modeler ModelerYAML `yaml:"modeler"` Identity IdentityYAML `yaml:"identity"` @@ -29,15 +46,15 @@ type IdentityYAML struct { Type string `yaml:"type"` } type ModelerYAML struct { - Security SecurityYAML `yaml:"security"` - Clusters []ClusterYAML `yaml:"clusters"` + Security ModelerSecurityYAML `yaml:"security"` + Clusters []ClusterYAML `yaml:"clusters"` } -type SecurityYAML struct { - JWT JwtYAML `yaml:"jwt"` +type ModelerSecurityYAML struct { + JWT ModelerJwtYAML `yaml:"jwt"` } -type JwtYAML struct { +type ModelerJwtYAML struct { Audience AudienceYAML `yaml:"audience"` Issuer IssuerYAML `yaml:"issuer"` }