feat: adding TLS support to console (#2505)

Co-authored-by: distro-ci[bot] <122795778+distro-ci[bot]@users.noreply.github.com>

charts/camunda-platform-8.6/templates/console/deployment.yaml

@@ -52,6 +52,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.licenseSecretName" . }}
                   key: {{ include "camundaPlatform.licenseSecretKey" . }}
+            - name: NODE_EXTRA_CA_CERTS
+              value: {{ printf "/usr/local/console/certificates/%s" .Values.console.tls.certKeyFilename | quote }}
             - name: NODE_ENV
               value: prod
             {{- if eq .Values.global.identity.auth.type "KEYCLOAK"}}
@@ -126,6 +128,11 @@ spec:
           volumeMounts:
             - name: console-configuration
               mountPath: /var/run/config
+          {{- if .Values.console.tls.enabled }}
+            - name: console-certificates
+              mountPath: /usr/local/console/certificates
+              readOnly: true
+          {{- end }}
           {{- if .Values.console.extraVolumeMounts }}
             {{- .Values.console.extraVolumeMounts | toYaml | nindent 12 }}
           {{- end }}
@@ -136,6 +143,11 @@ spec:
         - name: console-configuration
           configMap:
             name: {{ include "console.fullname" . }}-configuration
+      {{- if .Values.console.tls.enabled }}
+        - name: console-certificates
+          secret:
+            secretName: {{ .Values.console.tls.existingSecret }}
+      {{- end }}
       {{- if .Values.console.extraVolumes }}
         {{- .Values.console.extraVolumes | toYaml | nindent 8 }}
       {{- end }}

charts/camunda-platform-8.6/test/unit/console/golden/deployment.golden.yaml

@@ -65,6 +65,8 @@ spec:
                 secretKeyRef:
                   name: camunda-platform-test-license
                   key: CAMUNDA_LICENSE_KEY
+            - name: NODE_EXTRA_CA_CERTS
+              value: "/usr/local/console/certificates/"
             - name: NODE_ENV
               value: prod
             - name: KEYCLOAK_INTERNAL_BASE_URL

charts/camunda-platform-8.6/values.yaml

@@ -416,6 +416,14 @@ console:
   ## @param console.replicas Number of Console replicas
   replicas: 1
 
+  ## console.tls Configure the Console TLS options
+  tls:
+    ## @param console.tls.enabled Enable TLS traffic for console
+    enabled: false
+    ## @param tls.existingSecret The name of the existing secret that contains the TLS certificates. Each key of the secret corresponds to a certificate filename, and each value of a key corresponds to the content of the certificate file.
+    existingSecret: ""
+    ## @param tls.certKeyFilename Certificate Key filename
+    certKeyFilename: ""
   ## console.keycloak configuration to configure Keycloak authentication settings.
   keycloak:
     ## @param console.keycloak.realm Specifies the Keycloak realm used for authentication.

charts/camunda-platform-alpha/templates/console/deployment.yaml

@@ -52,6 +52,8 @@ spec:
                 secretKeyRef:
                   name: {{ include "camundaPlatform.licenseSecretName" . }}
                   key: {{ include "camundaPlatform.licenseSecretKey" . }}
+            - name: NODE_EXTRA_CA_CERTS
+              value: {{ printf "/usr/local/console/certificates/%s" .Values.console.tls.certKeyFilename | quote }}
             - name: NODE_ENV
               value: prod
             {{- if eq .Values.global.identity.auth.type "KEYCLOAK"}}
@@ -126,6 +128,11 @@ spec:
           volumeMounts:
             - name: console-configuration
               mountPath: /var/run/config
+          {{- if .Values.console.tls.enabled }}
+            - name: console-certificates
+              mountPath: /usr/local/console/certificates
+              readOnly: true
+          {{- end }}
           {{- if .Values.console.extraVolumeMounts }}
             {{- .Values.console.extraVolumeMounts | toYaml | nindent 12 }}
           {{- end }}
@@ -136,6 +143,11 @@ spec:
         - name: console-configuration
           configMap:
             name: {{ include "console.fullname" . }}-configuration
+      {{- if .Values.console.tls.enabled }}
+        - name: console-certificates
+          secret:
+            secretName: {{ .Values.console.tls.existingSecret }}
+      {{- end }}
       {{- if .Values.console.extraVolumes }}
         {{- .Values.console.extraVolumes | toYaml | nindent 8 }}
       {{- end }}

charts/camunda-platform-alpha/test/unit/console/golden/deployment.golden.yaml

@@ -65,6 +65,8 @@ spec:
                 secretKeyRef:
                   name: camunda-platform-test-license
                   key: CAMUNDA_LICENSE_KEY
+            - name: NODE_EXTRA_CA_CERTS
+              value: "/usr/local/console/certificates/"
             - name: NODE_ENV
               value: prod
             - name: KEYCLOAK_INTERNAL_BASE_URL

charts/camunda-platform-alpha/values.yaml

@@ -930,6 +930,15 @@ console:
   ## @param console.replicas Number of Console replicas
   replicas: 1
 
+  ## console.tls Configure the Console TLS options
+  tls:
+    ## @param console.tls.enabled Enable TLS traffic for console
+    enabled: false
+    ## @param console.tls.existingSecret The name of the existing secret that contains the TLS certificates. Each key of the secret corresponds to a certificate filename, and each value of a key corresponds to the content of the certificate file.
+    existingSecret: ""
+    ## @param console.tls.certKeyFilename Certificate Key filename
+    certKeyFilename: ""
+
   ## console.keycloak configuration to configure Keycloak authentication settings.
   keycloak:
     ## @param console.keycloak.realm Specifies the Keycloak realm used for authentication.