feat: add support for authorizations configuration (#2593)
Co-authored-by: distro-ci[bot] <122795778+distro-ci[bot]@users.noreply.github.com>
houssain-barouni and distro-ci[bot] authored Dec 3, 2024
1 parent 678da17 commit ac4410e
Showing 7 changed files with 266 additions and 5 deletions.
2 changes: 2 additions & 0 deletions charts/camunda-platform-alpha/README.md
Expand Up @@ -414,6 +414,8 @@ Please see the corresponding [release guide](../../docs/release.md) to find out
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation) | `disabled` |
| `global.multitenancy` | | |
| `global.multitenancy.enabled` | if true, then enable multitenancy in all applicable components. | `false` |
| `global.authorizations` | | |
| `global.authorizations.enabled` | if true, then enable authorizations checks in all applicable components. | `false` |
| `global.createReleaseInfo` | Create config that will be used in Camunda Console. | `true` |
| `global.annotations` | Annotations can be used to define common annotations, which should be applied to all deployments | `{}` |
| `global.labels.app` | Name of the application | `camunda-platform` |
10 changes: 9 additions & 1 deletion charts/camunda-platform-alpha/templates/core/configmap.yaml
Expand Up @@ -71,7 +71,7 @@ data:
experimental:
engine:
authorization:
enableAuthorization: true
enableAuthorization: {{ .Values.global.authorizations.enabled }}
# zeebe.broker.gateway
gateway:
Expand Down Expand Up @@ -188,6 +188,10 @@ data:
query:
enabled: true
security:
authorizations:
enabled: {{ .Values.global.authorizations.enabled }}
{{- if .Values.global.identity.auth.enabled }}
identity:
clientId: {{ include "core.authClientId" . | quote }}
Expand Down Expand Up @@ -231,6 +235,7 @@ data:
{{- if .Values.global.identity.auth.enabled }}
identity:
redirectRootUrl: "{{ tpl .Values.global.identity.auth.core.redirectUrl $ }}/operate"
resourcePermissionsEnabled: {{ .Values.global.authorizations.enabled }}
{{- end }}
# ELS instance to store Operate data
Expand Down Expand Up @@ -302,8 +307,11 @@ data:
enabled: true
{{- end }}
{{- if .Values.global.identity.auth.enabled }}
identity:
redirectRootUrl: "{{ tpl .Values.global.identity.auth.core.redirectUrl $ }}/tasklist"
resourcePermissionsEnabled: {{ .Values.global.authorizations.enabled }}
{{- end }}
# Set Tasklist username and password.
# If user with <username> does not exists it will be created.
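Review bot: The first hunk swaps the hard-coded `enableAuthorization: true` for `{{ .Values.global.authorizations.enabled }}`, and because values.yaml introduces that key as `enabled: false`, the broker engine's authorization checks are now off by default, as the regenerated default golden files in this commit show (`enableAuthorization: false`). That is a change in the chart's default security posture rather than only new configuration, and neither the commit title nor the README row records it; if the previous always-on behaviour was intended for this chart, the new key should default to `true`, otherwise the README/values description should state that authorization checks are disabled unless the flag is set. A short comment above the templated line would also help the next reader, e.g. `# Driven by global.authorizations.enabled (default false); previously hard-coded to true.` The same flag also feeds `camunda.security.authorizations.enabled` and the Operate/Tasklist `resourcePermissionsEnabled` keys in the later hunks of this file, so all four settings flip together.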
16 changes: 16 additions & 0 deletions charts/camunda-platform-alpha/test/unit/core/configmap_test.go
Expand Up @@ -68,6 +68,22 @@ func TestGoldenConfigmapWithLog4j2(t *testing.T) {
})
}

func TestGoldenConfigmapWithAuthorizationsEnabled(t *testing.T) {
t.Parallel()

chartPath, err := filepath.Abs("../../../")
require.NoError(t, err)

suite.Run(t, &utils.TemplateGoldenTest{
ChartPath: chartPath,
Release: "camunda-platform-test",
Namespace: "camunda-platform-" + strings.ToLower(random.UniqueId()),
GoldenFileName: "configmap-authorizations",
Templates: []string{"templates/core/configmap.yaml"},
SetValues: map[string]string{"global.authorizations.enabled": "true"},
})
}

func (s *configmapTemplateTest) TestContainerShouldContainExporterClassPerDefault() {
// given
options := &helm.Options{
@@ -0,0 +1,219 @@
---
# Source: camunda-platform/templates/core/configmap.yaml
kind: ConfigMap
metadata:
name: camunda-platform-test-core-configuration
labels:
app: camunda-platform
app.kubernetes.io/name: camunda-platform
app.kubernetes.io/instance: camunda-platform-test
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: camunda-platform
app.kubernetes.io/component: core
app.kubernetes.io/version: "8.7.0-alpha1"
apiVersion: v1
data:
startup.sh: |
# The Node ID depends on the Pod name so it cannot be templated in the StatefulSet level.
export ZEEBE_BROKER_CLUSTER_NODEID="${ZEEBE_BROKER_CLUSTER_NODEID:-$[${K8S_NAME##*-} * 1 + 0]}"
echo "export ZEEBE_BROKER_CLUSTER_NODEID=${ZEEBE_BROKER_CLUSTER_NODEID}"
exec /usr/local/camunda/bin/camunda
application.yaml: |
spring:
profiles:
active: "identity,operate,tasklist,broker,auth-oidc"
security:
oauth2:
client:
provider:
oidcclient:
issuer-uri: "http://localhost:18080/auth/realms/camunda-platform"
registration:
oidcclient:
client-id: "core"
client-secret: ${VALUES_CAMUNDA_CORE_CLIENT_SECRET:}
# authorization-grant-type: authorization_code
redirect-uri: "http://localhost:8082/login/oauth2/code/core"
provider: oidcclient
scope: openid,profile
management:
server:
port: 9600
server:
forward-headers-strategy: framework
address: 0.0.0.0
port: 8080
zeebe:
host: 0.0.0.0
log:
level: "info"
broker:
# zeebe.broker.experimental
experimental:
engine:
authorization:
enableAuthorization: true
# zeebe.broker.gateway
gateway:
enable: true
network:
host: 0.0.0.0
port: 26500
# zeebe.broker.network
network:
advertisedHost: "${K8S_NAME}.${K8S_SERVICE_NAME}"
host: 0.0.0.0
commandApi:
port: 26501
internalApi:
port: 26502
# zeebe.broker.cluster
cluster:
# The value of "nodeId" is set via the "ZEEBE_BROKER_CLUSTER_NODEID" env var.
# As it depends on the Pod name, which cannot be templated at the installation time.
# nodeId:
initialContactPoints:
- camunda-platform-test-zeebe-0.${K8S_SERVICE_NAME}:26502
- camunda-platform-test-zeebe-1.${K8S_SERVICE_NAME}:26502
- camunda-platform-test-zeebe-2.${K8S_SERVICE_NAME}:26502
clusterSize: "3"
replicationFactor: "3"
partitionsCount: "3"
clusterName: camunda-platform-test-zeebe
# zeebe.broker.data
data:
snapshotPeriod: 5m
freeSpace:
processing: 2GB
replication: 3GB
# zeebe.broker.threads
threads:
cpuThreadCount: "3"
ioThreadCount: "3"
# zeebe.broker.exporters
exporters:
elasticsearch:
className: "io.camunda.zeebe.exporter.ElasticsearchExporter"
args:
url: "http://camunda-platform-test-elasticsearch:9200"
index:
prefix: "zeebe-record"
CamundaExporter:
className: "io.camunda.exporter.CamundaExporter"
args:
connect:
type: elasticsearch
url: "http://camunda-platform-test-elasticsearch:9200"
createSchema: true
camunda:
rest:
query:
enabled: true
security:
authorizations:
enabled: true
identity:
clientId: "core"
audience: "core-api"
#
# Camunda Database Configuration.
#
database:
type: elasticsearch
# Cluster name
clusterName: elasticsearch
# Elasticsearch full url
url: "http://camunda-platform-test-elasticsearch:9200"
#
# Camunda Operate Configuration.
#
operate:
identity:
redirectRootUrl: "http://localhost:8082/operate"
resourcePermissionsEnabled: true
# ELS instance to store Operate data
elasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: camunda-platform-test-elasticsearch
# Transport port
port: 9200
# Elasticsearch full url
url: "http://camunda-platform-test-elasticsearch:9200"
# ELS instance to export Zeebe data to
zeebeElasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: camunda-platform-test-elasticsearch
# Transport port
port: 9200
# Index prefix, configured in Zeebe Elasticsearch exporter
prefix: zeebe-record
# Elasticsearch full url
url: "http://camunda-platform-test-elasticsearch:9200"
# Zeebe instance
zeebe:
# Gateway address
gatewayAddress: "camunda-platform-test-core:26500"
#
# Camunda Tasklist Configuration.
#
tasklist:
identity:
redirectRootUrl: "http://localhost:8082/tasklist"
resourcePermissionsEnabled: true
# Set Tasklist username and password.
# If user with <username> does not exists it will be created.
# Default: demo/demo
#username:
#password:
# ELS instance to store Tasklist data
elasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: camunda-platform-test-elasticsearch
# Transport port
port: 9200
# Elasticsearch full url
url: "http://camunda-platform-test-elasticsearch:9200"
# ELS instance to export Zeebe data to
zeebeElasticsearch:
# Cluster name
clusterName: elasticsearch
# Host
host: camunda-platform-test-elasticsearch
# Transport port
port: 9200
# Index prefix, configured in Zeebe Elasticsearch exporter
prefix: zeebe-record
# Elasticsearch full url
url: "http://camunda-platform-test-elasticsearch:9200"
# Zeebe instance
zeebe:
# Gateway address
gatewayAddress: camunda-platform-test-core:26500
restAddress: "http://camunda-platform-test-core:8080"
log4j2.xml: |
Expand Up @@ -58,7 +58,7 @@ data:
experimental:
engine:
authorization:
enableAuthorization: true
enableAuthorization: false
# zeebe.broker.gateway
gateway:
Expand Down Expand Up @@ -122,6 +122,10 @@ data:
rest:
query:
enabled: true
security:
authorizations:
enabled: false
identity:
clientId: "core"
audience: "core-api"
Expand All @@ -142,6 +146,7 @@ data:
operate:
identity:
redirectRootUrl: "http://localhost:8082/operate"
resourcePermissionsEnabled: false
# ELS instance to store Operate data
elasticsearch:
Expand Down Expand Up @@ -174,9 +179,9 @@ data:
# Camunda Tasklist Configuration.
#
tasklist:
identity:
redirectRootUrl: "http://localhost:8082/tasklist"
resourcePermissionsEnabled: false
# Set Tasklist username and password.
# If user with <username> does not exists it will be created.
Expand Up @@ -58,7 +58,7 @@ data:
experimental:
engine:
authorization:
enableAuthorization: true
enableAuthorization: false
# zeebe.broker.gateway
gateway:
Expand Down Expand Up @@ -122,6 +122,10 @@ data:
rest:
query:
enabled: true
security:
authorizations:
enabled: false
identity:
clientId: "core"
audience: "core-api"
Expand All @@ -142,6 +146,7 @@ data:
operate:
identity:
redirectRootUrl: "http://localhost:8082/operate"
resourcePermissionsEnabled: false
# ELS instance to store Operate data
elasticsearch:
Expand Down Expand Up @@ -174,9 +179,9 @@ data:
# Camunda Tasklist Configuration.
#
tasklist:
identity:
redirectRootUrl: "http://localhost:8082/tasklist"
resourcePermissionsEnabled: false
# Set Tasklist username and password.
# If user with <username> does not exists it will be created.
6 changes: 6 additions & 0 deletions charts/camunda-platform-alpha/values.yaml
Expand Up @@ -77,6 +77,12 @@ global:
## @param global.multitenancy.enabled if true, then enable multitenancy in all applicable components.
enabled: false

## Authorizations configuration.
## @extra global.authorizations
authorizations:
## @param global.authorizations.enabled if true, then enable authorizations checks in all applicable components.
enabled: false

## @param global.createReleaseInfo Create config that will be used in Camunda Console.
createReleaseInfo: true

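Review bot: The `@param global.authorizations.enabled` description says "all applicable components" without naming them, while the configmap template in this commit shows exactly which settings the flag drives: the Zeebe broker engine `enableAuthorization`, `camunda.security.authorizations.enabled`, and the Operate and Tasklist `resourcePermissionsEnabled` keys (the latter two only when `global.identity.auth.enabled` is set). Listing those in the comment would let operators judge the effect of the flag without reading the template, e.g. `## @param global.authorizations.enabled if true, then enable authorizations checks in all applicable components (Zeebe engine, REST API, Operate and Tasklist resource permissions).` It is also worth stating here that `false` leaves the engine's authorization checks off, since before this commit they were hard-coded on in the template.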