feat: add console auth vars (#1782)

* feat(console): add auth vars * feat(console): add auth vars * feat(console): add tests * fix(console): configmap test * fix(console): tests * fix(console): tests * fix(console): tests * fix(console): tests * update golden files --------- Co-authored-by: Ahmed AbouZaid <[email protected]>
camunda · Jul 13, 2024 · 81da51b · 81da51b
1 parent c2a5f15
commit 81da51b
Show file tree

Hide file tree

Showing 6 changed files with 74 additions and 3 deletions.
diff --git a/charts/camunda-platform-latest/README.md b/charts/camunda-platform-latest/README.md
@@ -517,9 +517,11 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
 | `global.identity.auth.webModeler.publicApiAudience` | defines the audience which is used by WebModeler's public API.                                                                                           | `web-modeler-public-api`                              |
 | `global.identity.auth.webModeler.redirectUrl`       | defines the root URL which is used by Keycloak to access WebModeler.                                                                                     | `http://localhost:8084`                               |
 | `global.identity.auth.console`                      | configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts                                   |                                                       |
+| `global.identity.auth.console.clientId`             | defines the client id, which is used by Console in authentication flows.                                                                                 | `console`                                             |
+| `global.identity.auth.console.audience`             | defines the audience which is used by Console's client API.                                                                                              | `console-api`                                         |
+| `global.identity.auth.console.wellKnown`            | defines the uri for the well known config which is used by Console (optional).                                                                           | `https://well-known-uri`                              |
 | `global.identity.auth.console.existingSecret`       | can be used to use an own existing secret. If not set a random secret is generated.                                                                      | `nil`                                                 |
 | `global.identity.auth.console.redirectUrl`          | defines the root URL which is used by Keycloak to access WebModeler.                                                                                     | `http://localhost:8080`                               |
-| `global.identity.auth.console.audience`             | can be used to Console audience in Identity.                                                                                                             | `console-api`                                         |
 | `global.identity.auth.zeebe`                        | configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts                                     |                                                       |
 | `global.identity.auth.zeebe.clientId`               | defines the client id, which is used by Zeebe in authentication flows.                                                                                   | `zeebe`                                               |
 | `global.identity.auth.zeebe.existingSecret`         | can be used to use an own existing secret. If not set a random secret is generated.                                                                      | `nil`                                                 |

diff --git a/charts/camunda-platform-latest/templates/console/configmap.yaml b/charts/camunda-platform-latest/templates/console/configmap.yaml
@@ -13,6 +13,13 @@ data:
     # https://docs.camunda.io/docs/self-managed/console-deployment/configuration/
     camunda:
       console:
+        oAuth:
+          audience: {{ .Values.global.identity.auth.console.audience | quote }}
+          clientId: {{ .Values.global.identity.auth.console.clientId | quote }}
+          issuer: {{ include "camundaPlatform.authIssuerUrl" . | quote }}
+          jwksUri: {{ include "camundaPlatform.authIssuerBackendUrlCertsEndpoint" . | quote }}
+          type: {{ include "camundaPlatform.authType" . | quote }}
+          wellKnown: {{ .Values.global.identity.auth.console.wellKnown | quote }}
         managed:
           method: plain
           releases:

diff --git a/charts/camunda-platform-latest/test/unit/console/configmap_test.go b/charts/camunda-platform-latest/test/unit/console/configmap_test.go
@@ -19,9 +19,13 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/gruntwork-io/terratest/modules/helm"
+	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
+	"gopkg.in/yaml.v3"
+	corev1 "k8s.io/api/core/v1"
 )
 
 type configMapTemplateTest struct {
@@ -45,3 +49,30 @@ func TestConfigMapTemplate(t *testing.T) {
 		templates: []string{"templates/console/configmap.yaml"},
 	})
 }
+
+func (s *configMapTemplateTest) TestContainerShouldSetCorrectIdentityType() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"console.enabled":                       "true",
+			"global.identity.auth.type":             "MICROSOFT",
+			"global.identity.auth.issuer":           "https://example.com",
+			"global.identity.auth.issuerBackendUrl": "https://example.com",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var configmap corev1.ConfigMap
+	var configmapApplication ConsoleYAML
+	helm.UnmarshalK8SYaml(s.T(), output, &configmap)
+
+	err := yaml.Unmarshal([]byte(configmap.Data["application.yaml"]), &configmapApplication)
+	if err != nil {
+		s.Fail("Failed to unmarshal yaml. error=", err)
+	}
+
+	// then
+	s.Require().Equal("MICROSOFT", configmapApplication.Camunda.Console.OAuth.Type)
+}
diff --git a/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml b/charts/camunda-platform-latest/test/unit/console/golden/configmap.golden.yaml
@@ -17,6 +17,13 @@ data:
     # https://docs.camunda.io/docs/self-managed/console-deployment/configuration/
     camunda:
       console:
+        oAuth:
+          audience: "console-api"
+          clientId: "console"
+          issuer: "http://localhost:18080/auth/realms/camunda-platform"
+          jwksUri: "http://camunda-platform-test-keycloak:80/auth/realms/camunda-platform/protocol/openid-connect/certs"
+          type: "KEYCLOAK"
+          wellKnown: "https://well-known-uri"
         managed:
           method: plain
           releases:

diff --git a/charts/camunda-platform-latest/test/unit/console/types.go b/charts/camunda-platform-latest/test/unit/console/types.go
@@ -0,0 +1,20 @@
+package console
+
+type ConsoleYAML struct {
+	Camunda CamundaConfig `yaml:"camunda"`	
+}
+
+type CamundaConfig struct {
+	Console ConsoleConfig `yaml:"console"`
+}
+
+type ConsoleConfig struct {
+	OAuth OAuth2Config `yaml:"oAuth"`
+}
+
+type OAuth2Config struct {
+	ClientId string `yaml:"clientId"`
+	Type     string `yaml:"type"`
+	Audience string `yaml:"audience"`
+	JwksUri  string `yaml:"jwksUri"`
+}
diff --git a/charts/camunda-platform-latest/values.yaml b/charts/camunda-platform-latest/values.yaml
@@ -303,15 +303,19 @@ global:
 
       ## @extra global.identity.auth.console configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
       console:
+        ## @param global.identity.auth.console.clientId defines the client id, which is used by Console in authentication flows.
+        clientId: console
+        ## @param global.identity.auth.console.audience defines the audience which is used by Console's client API.
+        audience: console-api
+        ## @param global.identity.auth.console.wellKnown defines the uri for the well known config which is used by Console (optional).
+        wellKnown: https://well-known-uri
         ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
         # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
         existingSecret:
         ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access WebModeler.
         # Should be publicly accessible, the default value works if a port-forward to WebModeler is created to 8080.
         # Can be overwritten if ingress is in use and an external IP is available.
         redirectUrl: "http://localhost:8080"
-        ## @param global.identity.auth.console.audience can be used to Console audience in Identity.
-        audience: console-api
 
       ## @extra global.identity.auth.zeebe configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts
       zeebe: