From df5caa813ac3ce748bf097639f8cd933c2b61f4b Mon Sep 17 00:00:00 2001 From: Jesse Simpson Date: Thu, 13 Jun 2024 11:38:16 -0400 Subject: [PATCH 1/3] fix: unauthenticated external elasticsearch no longer forces passwords to be configured --- .../camunda-platform-latest/templates/operate/deployment.yaml | 2 +- .../camunda-platform-latest/templates/optimize/deployment.yaml | 2 +- .../camunda-platform-latest/templates/tasklist/deployment.yaml | 2 +- charts/camunda-platform-latest/templates/zeebe/statefulset.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/camunda-platform-latest/templates/operate/deployment.yaml b/charts/camunda-platform-latest/templates/operate/deployment.yaml index 35cde86e92..f79f92dbd4 100644 --- a/charts/camunda-platform-latest/templates/operate/deployment.yaml +++ b/charts/camunda-platform-latest/templates/operate/deployment.yaml @@ -37,7 +37,7 @@ spec: securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }} {{- end }} env: - {{- if .Values.global.elasticsearch.external }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} - name: CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/camunda-platform-latest/templates/optimize/deployment.yaml b/charts/camunda-platform-latest/templates/optimize/deployment.yaml index b676e352e5..fce22a26d6 100644 --- a/charts/camunda-platform-latest/templates/optimize/deployment.yaml +++ b/charts/camunda-platform-latest/templates/optimize/deployment.yaml @@ -39,7 +39,7 @@ spec: securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }} {{- end }} env: - {{- if .Values.global.elasticsearch.external }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} - name: CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD valueFrom: secretKeyRef: 
diff --git a/charts/camunda-platform-latest/templates/tasklist/deployment.yaml b/charts/camunda-platform-latest/templates/tasklist/deployment.yaml index a4e4ef6a67..62b7cbdab1 100644 --- a/charts/camunda-platform-latest/templates/tasklist/deployment.yaml +++ b/charts/camunda-platform-latest/templates/tasklist/deployment.yaml @@ -41,7 +41,7 @@ spec: - name: SERVER_SERVLET_CONTEXT_PATH value: {{ .Values.tasklist.contextPath | quote }} {{- end }} - {{- if .Values.global.elasticsearch.external }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} - name: CAMUNDA_TASKLIST_ELASTICSEARCH_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml b/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml index 2411fbe765..226ae0a532 100644 --- a/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml +++ b/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml @@ -74,7 +74,7 @@ spec: value: {{ .Values.zeebe.logLevel | quote }} - name: ZEEBE_BROKER_GATEWAY_ENABLE value: "false" - {{- if .Values.global.elasticsearch.external }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} - name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_AUTHENTICATION_PASSWORD valueFrom: secretKeyRef: From 407d07858280ef8e0e02e73d8ad8b2fcb7c47006 Mon Sep 17 00:00:00 2001 From: Jesse Simpson Date: Fri, 14 Jun 2024 14:21:53 -0400 Subject: [PATCH 2/3] fix: fixup boolean expression --- .../templates/camunda/_helpers.tpl | 9 +++++++++ .../templates/operate/deployment.yaml | 2 +- .../templates/optimize/deployment.yaml | 4 ++-- .../templates/tasklist/deployment.yaml | 2 +- .../templates/zeebe/statefulset.yaml | 2 +- 5 files changed, 14 insertions(+), 5 deletions(-) 
diff --git a/charts/camunda-platform-latest/templates/camunda/_helpers.tpl b/charts/camunda-platform-latest/templates/camunda/_helpers.tpl index 5b688ee963..e7c4207527 100644 --- a/charts/camunda-platform-latest/templates/camunda/_helpers.tpl +++ b/charts/camunda-platform-latest/templates/camunda/_helpers.tpl @@ -290,6 +290,15 @@ https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords {{- end }} {{- end -}} +{{/* +[elasticsearch] Used as a boolean to determine whether any password is defined. +do not use this for its string value. +*/}} +{{- define "elasticsearch.passwordIsDefined" -}} +{{- (cat .Values.global.elasticsearch.auth.existingSecret .Values.global.elasticsearch.auth.password) -}} +{{- end -}} + + {{/* [opensearch] Get name of elasticsearch auth existing secret. For more details: https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ diff --git a/charts/camunda-platform-latest/templates/operate/deployment.yaml b/charts/camunda-platform-latest/templates/operate/deployment.yaml index f79f92dbd4..a108a4562a 100644 --- a/charts/camunda-platform-latest/templates/operate/deployment.yaml +++ b/charts/camunda-platform-latest/templates/operate/deployment.yaml @@ -37,7 +37,7 @@ spec: securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }} {{- end }} env: - {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} - name: CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/camunda-platform-latest/templates/optimize/deployment.yaml b/charts/camunda-platform-latest/templates/optimize/deployment.yaml index fce22a26d6..9db3b0f846 100644 --- a/charts/camunda-platform-latest/templates/optimize/deployment.yaml +++ b/charts/camunda-platform-latest/templates/optimize/deployment.yaml 
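Review bot: `elasticsearch.passwordIsDefined` derives its truth value by concatenating the secret name and the plaintext password with `cat`, which has two drawbacks. As far as I can tell, Sprig's `cat` joins its arguments with a space, so two values set to empty strings (rather than left unset) would render a single space; that is non-empty and would make the callers' `and` true, wiring in a `secretKeyRef` for an unauthenticated cluster. The helper's rendered output also carries the password itself, which is why the comment has to warn against using its string value. Emitting a constant avoids both: `{{- if or .Values.global.elasticsearch.auth.existingSecret .Values.global.elasticsearch.auth.password -}}true{{- end -}}`.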
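Review bot: Nothing at the `if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .)` guard in operate/deployment.yaml records that leaving both auth values unset makes the component connect to the external Elasticsearch without credentials. With this guard a forgotten or mistyped `global.elasticsearch.auth.*` value presumably no longer surfaces as a missing-secret error, so the downgrade to an unauthenticated connection is silent. I would add a template comment above the `if`, for example `{{- /* password env is omitted when neither auth.existingSecret nor auth.password is set; the client then connects without credentials */}}`. The same applies to the matching hunks in optimize/deployment.yaml (both env blocks), tasklist/deployment.yaml and zeebe/statefulset.yaml. The env list continues outside each hunk, so whether a username variable is still rendered in that case cannot be seen here.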
@@ -39,7 +39,7 @@ spec: securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }} {{- end }} env: - {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} - name: CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD valueFrom: secretKeyRef: @@ -117,7 +117,7 @@ spec: securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }} {{- end }} env: - {{- if .Values.global.elasticsearch.external }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} - name: CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/camunda-platform-latest/templates/tasklist/deployment.yaml b/charts/camunda-platform-latest/templates/tasklist/deployment.yaml index 62b7cbdab1..03d116d830 100644 --- a/charts/camunda-platform-latest/templates/tasklist/deployment.yaml +++ b/charts/camunda-platform-latest/templates/tasklist/deployment.yaml @@ -41,7 +41,7 @@ spec: - name: SERVER_SERVLET_CONTEXT_PATH value: {{ .Values.tasklist.contextPath | quote }} {{- end }} - {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} - name: CAMUNDA_TASKLIST_ELASTICSEARCH_PASSWORD valueFrom: secretKeyRef: diff --git a/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml b/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml index 226ae0a532..89c0cc3811 100644 --- a/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml +++ b/charts/camunda-platform-latest/templates/zeebe/statefulset.yaml 
@@ -74,7 +74,7 @@ spec: value: {{ .Values.zeebe.logLevel | quote }} - name: ZEEBE_BROKER_GATEWAY_ENABLE value: "false" - {{- if and .Values.global.elasticsearch.external (include "elasticsearch.authExistingSecret" .) }} + {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }} - name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_AUTHENTICATION_PASSWORD valueFrom: secretKeyRef: From 8d72751008f9c6bc1398a8e0c7ce94f8773bb08f Mon Sep 17 00:00:00 2001 From: Jesse Simpson Date: Fri, 14 Jun 2024 15:05:56 -0400 Subject: [PATCH 3/3] test: adds operate tests for elasticsearch auth disabled --- .../test/unit/operate/deployment_test.go | 102 ++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/charts/camunda-platform-latest/test/unit/operate/deployment_test.go b/charts/camunda-platform-latest/test/unit/operate/deployment_test.go index 56c17e5675..6af148580b 100644 --- a/charts/camunda-platform-latest/test/unit/operate/deployment_test.go +++ b/charts/camunda-platform-latest/test/unit/operate/deployment_test.go 
@@ -879,3 +879,105 @@ func (s *deploymentTemplateTest) TestOperateWithLog4j2Configuration() { s.Require().Equal("config", volume.Name) s.Require().Equal("camunda-platform-test-operate-configuration", volume.ConfigMap.Name) } + +func (s *deploymentTemplateTest) TestOperateDoesNotSetElasticsearchPasswordIfNoneProvidedAndExternal() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "global.elasticsearch.external": "true", + "global.elasticsearch.url.protocol": "http", + "global.elasticsearch.url.host": "elasticexternal", + "global.elasticsearch.url.port": "9200", + "elasticsearch.enabled": "false", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(s.T(), output, &deployment) + + // then + envVars := deployment.Spec.Template.Spec.Containers[0].Env + + for _, envVar := range envVars { + if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" || envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" { + s.Fail("The elasticsearch password vars should not be set when external elasticsearch is unauthenticated") + } + } +} +func (s *deploymentTemplateTest) TestOperateSetsElasticsearchPasswordIfProvidedByExplicitValueAndExternal() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "global.elasticsearch.external": "true", + "global.elasticsearch.url.protocol": "http", + "global.elasticsearch.url.host": "elasticexternal", + "global.elasticsearch.url.port": "9200", + "elasticsearch.enabled": "false", + "global.elasticsearch.auth.password": "supersecret", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(s.T(), output, &deployment) + + // then + envVars := 
deployment.Spec.Template.Spec.Containers[0].Env + + var camundaOperateElasticPassword corev1.EnvVar + var camundaOperateZeebeElasticPassword corev1.EnvVar + for _, envVar := range envVars { + if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" { + camundaOperateElasticPassword = envVar + continue + } + if envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" { + camundaOperateZeebeElasticPassword = envVar + } + } + + s.Require().Equal(camundaOperateElasticPassword.ValueFrom.SecretKeyRef.Name, "camunda-platform-test-elasticsearch") + s.Require().Equal(camundaOperateZeebeElasticPassword.ValueFrom.SecretKeyRef.Name, "camunda-platform-test-elasticsearch") +} +func (s *deploymentTemplateTest) TestOperateSetsElasticsearchPasswordIfProvidedBySecretNameAndExternal() { + // given + options := &helm.Options{ + SetValues: map[string]string{ + "global.elasticsearch.external": "true", + "global.elasticsearch.url.protocol": "http", + "global.elasticsearch.url.host": "elasticexternal", + "global.elasticsearch.url.port": "9200", + "elasticsearch.enabled": "false", + "global.elasticsearch.auth.existingSecret": "supersecret", + }, + KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace), + } + + // when + output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates) + var deployment appsv1.Deployment + helm.UnmarshalK8SYaml(s.T(), output, &deployment) + + // then + envVars := deployment.Spec.Template.Spec.Containers[0].Env + + var camundaOperateElasticPassword corev1.EnvVar + var camundaOperateZeebeElasticPassword corev1.EnvVar + for _, envVar := range envVars { + if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" { + camundaOperateElasticPassword = envVar + continue + } + if envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" { + camundaOperateZeebeElasticPassword = envVar + } + } + + s.Require().Equal(camundaOperateElasticPassword.ValueFrom.SecretKeyRef.Name, "supersecret") + 
s.Require().Equal(camundaOperateZeebeElasticPassword.ValueFrom.SecretKeyRef.Name, "supersecret") +}
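Review bot: In the two `TestOperateSetsElasticsearchPassword…` tests, `camundaOperateElasticPassword.ValueFrom.SecretKeyRef.Name` is dereferenced without checking that the loop actually found the variable. If the template stops rendering either env var, `ValueFrom` is nil and the test panics instead of failing with a readable message. Add `s.Require().NotNil(camundaOperateElasticPassword.ValueFrom, "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD not rendered")`, and the same for the Zeebe variable, before the `Equal` calls. The `Equal` arguments are also passed as (actual, expected), which testify reports the wrong way round on failure. Only the operate deployment is covered here; the optimize, tasklist and zeebe templates changed earlier in the series get no unauthenticated-case test in this patch.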