camunda-platform-helm
[ISSUE] setting global.identity.auth.identity.existingSecret causes identity to not be able to connect to keycloak
Describe the issue:
Many of the components use global.identity.auth.COMPONENT.existingSecret to specify the passwords they use to connect through Keycloak. Identity is unique in not needing this for its own interaction with Keycloak, because Identity is the service that configures Keycloak and already has credentials through other means.
The client id and client secret for Identity are intended to be used only where an OIDC provider (or Microsoft Entra ID) is used instead of Keycloak. However, most users do not know this intuitively, and they set existingSecret because it follows the pattern that every other component has an existingSecret.
When global.identity.auth.identity.existingSecret is set in values.yaml, a number of changes take place:
- The client-id and client-secret under identity get set: https://github.com/camunda/camunda-platform-helm/blob/ac5a4cfd3ca471029ecd864299408e777e822d53/charts/camunda-platform/templates/identity/configmap.yaml#L21-L24
- The client-id and client-secret under camunda.identity get set: https://github.com/camunda/camunda-platform-helm/blob/ac5a4cfd3ca471029ecd864299408e777e822d53/charts/camunda-platform/templates/identity/configmap.yaml#L234-L237
- The Keycloak identity clientId gets set: https://github.com/camunda/camunda-platform-helm/blob/ac5a4cfd3ca471029ecd864299408e777e822d53/charts/camunda-platform/templates/identity/configmap.yaml#L163-L165
Point 3 causes a problem because include "identity.authClientId" . evaluates to identity, whereas in an install where global.identity.auth.identity.existingSecret is not set, the default value camunda-identity is used. When authClientId evaluates to identity instead of camunda-identity, Identity is no longer able to connect to Keycloak.
Actual behavior: Identity never becomes healthy.
Expected behavior:
Identity can connect to keycloak and a user can log into identity.
How to reproduce:
- Install with the following command:
  helm install -f /tmp/separated.yaml.txt camunda camunda/camunda-platform --version 10.0.2
- Try to log into Identity.
If you try to reproduce with your own config, make sure that global.identity.auth.identity.existingSecret is set.
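A values preflight check that flags this misconfiguration before running helm install. This is an added example, not code from the chart or from the issue author; the values structure below is constructed, and the predicted client ids are taken from the behaviour described above.

```python
# Preflight check for the Keycloak client id problem described in this issue.
# Added example, not part of camunda-platform-helm. The VALUES dict is a
# constructed stand-in for the relevant part of a values.yaml file.
from typing import Any, Mapping

DEFAULT_IDENTITY_CLIENT_ID = "camunda-identity"  # used when existingSecret is not set
MISCONFIGURED_CLIENT_ID = "identity"             # observed when existingSecret is set
EXISTING_SECRET_PATH = "global.identity.auth.identity.existingSecret"

# Constructed values: existingSecret set although Keycloak is in use.
VALUES: dict[str, Any] = {
    "global": {"identity": {"auth": {
        "identity": {"existingSecret": "identity-secret"},  # placeholder name
        "operate": {"existingSecret": "operate-secret"},
    }}}
}


def lookup(values: Mapping[str, Any], dotted: str) -> Any:
    """Walk a nested values mapping by a dotted Helm path; None if absent."""
    node: Any = values
    for part in dotted.split("."):
        if not isinstance(node, Mapping) or part not in node:
            return None
        node = node[part]
    return node


def predicted_identity_client_id(values: Mapping[str, Any]) -> str:
    """Client id the identity.authClientId helper ends up with (per this issue)."""
    if lookup(values, EXISTING_SECRET_PATH):
        return MISCONFIGURED_CLIENT_ID
    return DEFAULT_IDENTITY_CLIENT_ID


def preflight_warnings(values: Mapping[str, Any], oidc_provider: bool) -> list[str]:
    """Warn when the Identity existingSecret is set for a Keycloak-backed install.

    oidc_provider is True only when an external OIDC provider replaces Keycloak,
    the one case in which the Identity client id/secret are meant to be used.
    """
    warnings: list[str] = []
    if not oidc_provider and lookup(values, EXISTING_SECRET_PATH):
        warnings.append(
            f"{EXISTING_SECRET_PATH} is set for a Keycloak install: Identity's "
            f"Keycloak client id becomes '{predicted_identity_client_id(values)}' "
            f"instead of '{DEFAULT_IDENTITY_CLIENT_ID}', so Identity will not connect."
        )
    return warnings
```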
Logs:
Environment:
Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.
- Platform: KIND
- Helm CLI version: 3.4.14
- Chart version: 10.0.2
- Values file: separated.yaml.txt