fix: unauthenticated external elasticsearch no longer forces password…

charts/camunda-platform-latest/templates/camunda/_helpers.tpl

@@ -290,6 +290,15 @@ https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords
     {{- end }}
 {{- end -}}
 
+{{/*
+[elasticsearch] Used as a boolean to determine whether any password is defined.
+do not use this for its string value.
+*/}}
+{{- define "elasticsearch.passwordIsDefined" -}}
+{{- (cat .Values.global.elasticsearch.auth.existingSecret .Values.global.elasticsearch.auth.password) -}}
+{{- end -}}
+
+
 {{/*
 [opensearch] Get name of elasticsearch auth existing secret. For more details:
 https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/

charts/camunda-platform-latest/templates/operate/deployment.yaml

@@ -37,7 +37,7 @@ spec:
           securityContext: {{- toYaml .Values.operate.containerSecurityContext | nindent 12 }}
           {{- end }}
           env:
-            {{- if .Values.global.elasticsearch.external }}
+            {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }}
             - name: CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD
               valueFrom:
                 secretKeyRef:

charts/camunda-platform-latest/templates/optimize/deployment.yaml

@@ -39,7 +39,7 @@ spec:
           securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
           {{- end }}
           env:
-            {{- if .Values.global.elasticsearch.external }}
+            {{- if and .Values.global.elasticsearch.external  (include "elasticsearch.passwordIsDefined" .) }}
             - name: CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -117,7 +117,7 @@ spec:
           securityContext: {{- toYaml .Values.optimize.containerSecurityContext | nindent 12 }}
           {{- end }}
           env:
-            {{- if .Values.global.elasticsearch.external }}
+            {{- if and .Values.global.elasticsearch.external  (include "elasticsearch.passwordIsDefined" .) }}
             - name: CAMUNDA_OPTIMIZE_ELASTICSEARCH_SECURITY_PASSWORD
               valueFrom:
                 secretKeyRef:

charts/camunda-platform-latest/templates/tasklist/deployment.yaml

@@ -41,7 +41,7 @@ spec:
             - name: SERVER_SERVLET_CONTEXT_PATH
               value: {{ .Values.tasklist.contextPath | quote }}
             {{- end }}
-            {{- if .Values.global.elasticsearch.external }}
+            {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }}
             - name: CAMUNDA_TASKLIST_ELASTICSEARCH_PASSWORD
               valueFrom:
                 secretKeyRef:

charts/camunda-platform-latest/templates/zeebe/statefulset.yaml

@@ -74,7 +74,7 @@ spec:
               value: {{ .Values.zeebe.logLevel | quote }}
             - name: ZEEBE_BROKER_GATEWAY_ENABLE
               value: "false"
-            {{- if .Values.global.elasticsearch.external }}
+            {{- if and .Values.global.elasticsearch.external (include "elasticsearch.passwordIsDefined" .) }}
             - name: ZEEBE_BROKER_EXPORTERS_ELASTICSEARCH_ARGS_AUTHENTICATION_PASSWORD
               valueFrom:
                 secretKeyRef:

charts/camunda-platform-latest/test/unit/operate/deployment_test.go

@@ -879,3 +879,105 @@ func (s *deploymentTemplateTest) TestOperateWithLog4j2Configuration() {
 	s.Require().Equal("config", volume.Name)
 	s.Require().Equal("camunda-platform-test-operate-configuration", volume.ConfigMap.Name)
 }
+
+func (s *deploymentTemplateTest) TestOperateDoesNotSetElasticsearchPasswordIfNoneProvidedAndExternal() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"global.elasticsearch.external":     "true",
+			"global.elasticsearch.url.protocol": "http",
+			"global.elasticsearch.url.host":     "elasticexternal",
+			"global.elasticsearch.url.port":     "9200",
+			"elasticsearch.enabled":             "false",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var deployment appsv1.Deployment
+	helm.UnmarshalK8SYaml(s.T(), output, &deployment)
+
+	// then
+	envVars := deployment.Spec.Template.Spec.Containers[0].Env
+
+	for _, envVar := range envVars {
+		if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" || envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" {
+			s.Fail("The elasticsearch password vars should not be set when external elasticsearch is unauthenticated")
+		}
+	}
+}
+func (s *deploymentTemplateTest) TestOperateSetsElasticsearchPasswordIfProvidedByExplicitValueAndExternal() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"global.elasticsearch.external":      "true",
+			"global.elasticsearch.url.protocol":  "http",
+			"global.elasticsearch.url.host":      "elasticexternal",
+			"global.elasticsearch.url.port":      "9200",
+			"elasticsearch.enabled":              "false",
+			"global.elasticsearch.auth.password": "supersecret",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var deployment appsv1.Deployment
+	helm.UnmarshalK8SYaml(s.T(), output, &deployment)
+
+	// then
+	envVars := deployment.Spec.Template.Spec.Containers[0].Env
+
+	var camundaOperateElasticPassword corev1.EnvVar
+	var camundaOperateZeebeElasticPassword corev1.EnvVar
+	for _, envVar := range envVars {
+		if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" {
+			camundaOperateElasticPassword = envVar
+			continue
+		}
+		if envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" {
+			camundaOperateZeebeElasticPassword = envVar
+		}
+	}
+
+	s.Require().Equal(camundaOperateElasticPassword.ValueFrom.SecretKeyRef.Name, "camunda-platform-test-elasticsearch")
+	s.Require().Equal(camundaOperateZeebeElasticPassword.ValueFrom.SecretKeyRef.Name, "camunda-platform-test-elasticsearch")
+}
+func (s *deploymentTemplateTest) TestOperateSetsElasticsearchPasswordIfProvidedBySecretNameAndExternal() {
+	// given
+	options := &helm.Options{
+		SetValues: map[string]string{
+			"global.elasticsearch.external":            "true",
+			"global.elasticsearch.url.protocol":        "http",
+			"global.elasticsearch.url.host":            "elasticexternal",
+			"global.elasticsearch.url.port":            "9200",
+			"elasticsearch.enabled":                    "false",
+			"global.elasticsearch.auth.existingSecret": "supersecret",
+		},
+		KubectlOptions: k8s.NewKubectlOptions("", "", s.namespace),
+	}
+
+	// when
+	output := helm.RenderTemplate(s.T(), options, s.chartPath, s.release, s.templates)
+	var deployment appsv1.Deployment
+	helm.UnmarshalK8SYaml(s.T(), output, &deployment)
+
+	// then
+	envVars := deployment.Spec.Template.Spec.Containers[0].Env
+
+	var camundaOperateElasticPassword corev1.EnvVar
+	var camundaOperateZeebeElasticPassword corev1.EnvVar
+	for _, envVar := range envVars {
+		if envVar.Name == "CAMUNDA_OPERATE_ELASTICSEARCH_PASSWORD" {
+			camundaOperateElasticPassword = envVar
+			continue
+		}
+		if envVar.Name == "CAMUNDA_OPERATE_ZEEBE_ELASTICSEARCH_PASSWORD" {
+			camundaOperateZeebeElasticPassword = envVar
+		}
+	}
+
+	s.Require().Equal(camundaOperateElasticPassword.ValueFrom.SecretKeyRef.Name, "supersecret")
+	s.Require().Equal(camundaOperateZeebeElasticPassword.ValueFrom.SecretKeyRef.Name, "supersecret")
+}