feat: add openshift single region reference arch (#49)

aws/rosa-hcp-dual-region/README.md

@@ -0,0 +1,4 @@
+# Camunda on AWS ROSA with Dual-Region
+
+This folder describes the IaC of Camunda on AWS ROSA.
+Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup/

aws/rosa-hcp/README.md

@@ -0,0 +1,4 @@
+# Camunda on AWS ROSA
+
+This folder describes the IaC of Camunda on AWS ROSA.
+Instructions can be found on the official documentation: https://docs.camunda.io/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup/

aws/rosa-hcp/camunda-versions/8.6/.tool-versions

@@ -0,0 +1 @@
+# TODO: must be filled for tests integration

aws/rosa-hcp/camunda-versions/8.6/cluster.tf

@@ -0,0 +1,67 @@
+locals {
+  rosa_cluster_name = "my-rosa" # Change this to a name of your choice
+
+  rosa_cluster_zones = ["eu-north-1a", "eu-north-1b", "eu-north-1c"] # Adjust to your needs and align with your value of AWS_REGION
+
+  rosa_admin_username = "kubeadmin"
+  rosa_admin_password = "CHANGEME1234r!" # Change the password of your admin password
+}
+
+module "rosa_cluster" {
+  source = "git::https://github.com/camunda/camunda-tf-rosa//modules/rosa-hcp?ref=v2.0.0"
+
+  cluster_name = local.rosa_cluster_name
+
+  availability_zones = local.rosa_cluster_zones
+
+  # Set CIDR ranges or use the defaults
+  vpc_cidr_block     = "10.0.0.0/16"
+  machine_cidr_block = "10.0.0.0/18"
+  service_cidr_block = "10.0.128.0/18"
+  pod_cidr_block     = "10.0.64.0/18"
+
+  # admin access
+  htpasswd_username = local.rosa_admin_username
+  htpasswd_password = local.rosa_admin_password
+
+  # Default node type for the OpenShift cluster
+  compute_node_instance_type = "m7i.xlarge"
+  replicas                   = 6
+}
+
+# Outputs of the parent module
+
+output "public_subnet_ids" {
+  value       = module.rosa_cluster.public_subnet_ids
+  description = "A comma-separated list of public subnet IDs in the VPC. These subnets are typically used for resources that require internet access."
+}
+
+output "private_subnet_ids" {
+  value       = module.rosa_cluster.private_subnet_ids
+  description = "A comma-separated list of private subnet IDs in the VPC. These subnets are typically used for internal resources that do not require direct internet access."
+}
+
+output "cluster_id" {
+  value       = module.rosa_cluster.cluster_id
+  description = "The unique identifier of the OpenShift cluster created on Red Hat OpenShift Service on AWS (ROSA). This ID is used to reference the cluster in subsequent operations."
+}
+
+output "oidc_provider_id" {
+  value       = module.rosa_cluster.oidc_provider_id
+  description = "OIDC provider for the ROSA cluster. Allows adding additional IAM Role for Service Accounts (IRSA) mappings."
+}
+
+output "aws_caller_identity_account_id" {
+  value       = module.rosa_cluster.aws_caller_identity_account_id
+  description = "The AWS account ID of the caller. This is the account under which the Terraform code is being executed."
+}
+
+output "openshift_api_url" {
+  value       = module.rosa_cluster.openshift_api_url
+  description = "The endpoint URL for accessing the OpenShift API. This endpoint is used to interact with the OpenShift cluster's API server."
+}
+
+output "cluster_console_url" {
+  value       = module.rosa_cluster.cluster_console_url
+  description = "The URL endpoint for accessing the OpenShift web console. This endpoint provides a web-based user interface for managing the OpenShift cluster."
+}

aws/rosa-hcp/camunda-versions/8.6/config.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.35.0"
+    }
+    rhcs = {
+      version = "1.6.6"
+      source  = "terraform-redhat/rhcs"
+    }
+  }
+
+  backend "s3" {
+    encrypt = true
+  }
+}
+
+# ensure  RHCS_TOKEN env variable is set with a value from https://console.redhat.com/openshift/token/rosa
+provider "rhcs" {}

aws/rosa-hcp/camunda-versions/8.6/procedure/install/.shellcheckrc

@@ -0,0 +1 @@
+disable=SC2148,SC2155

aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh

@@ -0,0 +1,3 @@
+# The Camunda 8 Helm Chart version
+# renovate: datasource=helm depName=camunda-platform versioning=regex:^11(\.(?<minor>\d+))?(\.(?<patch>\d+))?$ registryUrl=https://helm.camunda.io
+export CAMUNDA_HELM_CHART_VERSION="11.0.4"

aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh

@@ -0,0 +1,10 @@
+kubectl create secret generic identity-secret-for-components \
+  --namespace camunda \
+  --from-literal=connectors-secret="$CONNECTORS_SECRET" \
+  --from-literal=console-secret="$CONSOLE_SECRET" \
+  --from-literal=operate-secret="$OPERATE_SECRET" \
+  --from-literal=optimize-secret="$OPTIMIZE_SECRET" \
+  --from-literal=tasklist-secret="$TASKLIST_SECRET" \
+  --from-literal=zeebe-secret="$ZEEBE_SECRET" \
+  --from-literal=admin-password="$ADMIN_PASSWORD" \
+  --from-literal=smtp-password=""

aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh

@@ -0,0 +1,7 @@
+export CONNECTORS_SECRET="$(openssl rand -hex 16)"
+export CONSOLE_SECRET="$(openssl rand -hex 16)"
+export OPERATE_SECRET="$(openssl rand -hex 16)"
+export OPTIMIZE_SECRET="$(openssl rand -hex 16)"
+export TASKLIST_SECRET="$(openssl rand -hex 16)"
+export ZEEBE_SECRET="$(openssl rand -hex 16)"
+export ADMIN_PASSWORD="$(openssl rand -hex 16)"

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml

@@ -0,0 +1,21 @@
+---
+global:
+    elasticsearch:
+        enabled: true # use the embbeded elasticsearch
+
+identityKeycloak:
+    postgresql:
+        enabled: true # use the embbeded database
+    auth:
+        existingSecret: identity-secret-for-components
+
+console:
+    enabled: false # by default, console is not enabled
+
+webModeler:
+    enabled: false # by default, webModeler is not enabled
+
+    restapi:
+        mail:
+            existingSecret: identity-secret-for-components # reference the smtp password
+            fromAddress: changeme@example.com   # change this required value

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/connectors-route.yml

@@ -0,0 +1,23 @@
+---
+connectors:
+    inbound:
+        mode: oauth
+    env:
+        - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS
+          value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
+        - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT
+          value: 'false'
+        - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH
+          value: /usr/local/certificates/tls.crt
+    extraVolumeMounts:
+        - name: certificate
+          mountPath: /usr/local/certificates/tls.crt
+          subPath: tls.crt
+    extraVolumes:
+        - name: certificate
+          secret:
+              secretName: camunda-platform-internal-service-certificate
+              items:
+                  - key: tls.crt
+                    path: tls.crt
+              defaultMode: 420

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/domain.yml

@@ -0,0 +1,71 @@
+---
+global:
+
+    # the ingress is manages directly by the Route manifests ../manifest/routes.yml
+    ingress:
+        enabled: true
+        className: openshift-default
+        host: ${DOMAIN_NAME}
+        tls:
+            enabled: true
+            # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value
+            secretName: ''
+        annotations:
+            route.openshift.io/termination: edge
+            # enforce HSTS
+            haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains;preload
+
+    identity:
+
+        auth:
+            publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform  # replace this with a port of your choice when you will do port forwarding
+
+            zeebe:
+                existingSecret:
+                    name: identity-secret-for-components
+            connectors:
+                existingSecret:
+                    name: identity-secret-for-components
+            operate:
+                redirectUrl: https://${DOMAIN_NAME}/operate # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            tasklist:
+                redirectUrl: https://${DOMAIN_NAME}/tasklist  # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            optimize:
+                redirectUrl: https://${DOMAIN_NAME}/optimize  # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            webModeler:
+                redirectUrl: https://${DOMAIN_NAME}/modeler
+            console:
+                redirectUrl: https://${DOMAIN_NAME}/console
+                existingSecret:
+                    name: identity-secret-for-components
+
+identity:
+    contextPath: /identity
+    fullURL: https://${DOMAIN_NAME}/identity
+
+operate:
+    contextPath: /operate
+
+tasklist:
+    contextPath: /tasklist
+
+webModeler:
+    contextPath: /modeler
+
+optimize:
+    contextPath: /optimize
+
+zeebeGateway:
+    contextPath: /zeebe
+
+console:
+    contextPath: /console
+
+connectors:
+    contextPath: /connectors

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-domain.yml

@@ -0,0 +1,34 @@
+---
+global:
+    identity:
+
+        auth:
+            publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform  # replace this with a port of your choice when you will do port forwarding
+
+            zeebe:
+                existingSecret:
+                    name: identity-secret-for-components
+            connectors:
+                existingSecret:
+                    name: identity-secret-for-components
+            operate:
+                redirectUrl: http://localhost:8081  # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            tasklist:
+                redirectUrl: http://localhost:8082  # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            optimize:
+                redirectUrl: http://localhost:8083  # replace this with a port of your choice when you will do port forwarding
+                existingSecret:
+                    name: identity-secret-for-components
+            webModeler:
+                redirectUrl: http://localhost:8084
+            console:
+                redirectUrl: http://localhost:8085
+                existingSecret:
+                    name: identity-secret-for-components
+
+identity:
+    fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-scc.yml

@@ -0,0 +1,5 @@
+---
+global:
+    compatibility:
+        openshift:
+            adaptSecurityContext: disabled # do not enforce SCCs, default

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/operate-route.yml

@@ -0,0 +1,22 @@
+---
+operate:
+    env:
+        - name: CAMUNDA_OPERATE_ZEEBE_SECURE
+          value: 'true'
+        - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH
+          value: /usr/local/operate/config/tls.crt
+        - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS
+          # camunda-zeebe-gateway.<namespace>.svc.cluster.local
+          value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
+    extraVolumeMounts:
+        - name: certificate
+          mountPath: /usr/local/operate/config/tls.crt
+          subPath: tls.crt
+    extraVolumes:
+        - name: certificate
+          secret:
+              secretName: camunda-platform-internal-service-certificate
+              items:
+                  - key: tls.crt
+                    path: tls.crt
+              defaultMode: 420

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/scc.yml

@@ -0,0 +1,5 @@
+---
+global:
+    compatibility:
+        openshift:
+            adaptSecurityContext: force # enforce compatibility with SCCs

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/tasklist-route.yml

@@ -0,0 +1,21 @@
+---
+tasklist:
+    env:
+        - name: CAMUNDA_TASKLIST_ZEEBE_SECURE
+          value: 'true'
+        - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH
+          value: /usr/local/tasklist/config/tls.crt
+        - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS
+          value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
+    extraVolumeMounts:
+        - name: certificate
+          mountPath: /usr/local/tasklist/config/tls.crt
+          subPath: tls.crt
+    extraVolumes:
+        - name: certificate
+          secret:
+              secretName: camunda-platform-internal-service-certificate
+              items:
+                  - key: tls.crt
+                    path: tls.crt
+              defaultMode: 420

aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/zeebe-gateway-route.yml

@@ -0,0 +1,60 @@
+---
+zeebeGateway:
+
+    service:
+        annotations:
+            # enerate a TLS certificate for the Zeebe Gateway Service
+            service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate
+
+    ingress:
+        enabled: true
+        grpc:
+            annotations:
+                haproxy.router.openshift.io/timeout: 300s
+                route.openshift.io/termination: reencrypt
+                # reference the re-encrypt secret
+                route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate
+            className: openshift-default
+            tls:
+                enabled: true
+                # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value
+                secretName: ''
+            host: zeebe-${DOMAIN_NAME}
+
+    # mount the Service certificate in the pod
+    env:
+        - name: ZEEBE_GATEWAY_SECURITY_ENABLED
+          value: 'true'
+        - name: ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH
+          value: /usr/local/zeebe/config/tls.crt
+        - name: ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH
+          value: /usr/local/zeebe/config/tls.key
+
+        - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_ENABLED
+          value: 'true'
+        - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
+          value: /usr/local/zeebe/config/tls.crt
+        - name: ZEEBE_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
+          value: /usr/local/zeebe/config/tls.key
+    extraVolumeMounts:
+        - name: certificate
+          mountPath: /usr/local/zeebe/config/tls.crt
+          subPath: tls.crt
+        - name: key
+          mountPath: /usr/local/zeebe/config/tls.key
+          subPath: tls.key
+    extraVolumes:
+        - name: certificate
+          secret:
+              secretName: camunda-platform-internal-service-certificate
+              items:
+                  - key: tls.crt
+                    path: tls.crt
+              defaultMode: 420
+        - name: key
+          secret:
+              secretName: camunda-platform-internal-service-certificate
+              items:
+                  - key: tls.key
+                    path: tls.key
+              defaultMode: 420