Remove swagger from run distribution #4467

Closed
6 tasks done
toco-cam opened this issue Jul 2, 2024 · 15 comments
Labels: type:task, version:7.22.0-alpha5, version:7.22.0

Comments

@toco-cam
Member

toco-cam commented Jul 2, 2024

Acceptance Criteria (Required on creation)

  • Swagger is removed from the run distribution
  • Swagger is removed from the docs

Hints

Links

Breakdown

camunda-bpm-platform PR

  1. ci:run ci:skipTests
    psavidis
  2. ci:jdk ci:skipTests
    psavidis

camunda-bpm-platform-ee PR


camunda-bpm-license-book-generator-ee PR


camunda-bpm-rpa-bridge-ee PR


camunda-docs-manual PR

  1. psavidis

Dev2QA handover

  • Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment
@toco-cam toco-cam added the type:task Issues that are a change to the project that is neither a feature nor a bug fix. label Jul 2, 2024
@amardeep2006
Contributor

May I know what is the reason for removing swagger? This was a good feature.

Please clarify it does not impact following artifact (OPENAPI specifications) and only impacts camunda run.

<dependency>
  <groupId>org.camunda.bpm</groupId>
  <artifactId>camunda-engine-rest-openapi</artifactId>
  <version>${version.camunda}</version>
</dependency>

@toco-cam
Member Author

toco-cam commented Jul 4, 2024

Hello @amardeep2006

> May I know what is the reason for removing swagger?

SwaggerUI has faced many security problems recently, resulting in high maintenance efforts on our side. The alternative to SwaggerUI is OpenAPI and a REST client like Postman. The REST client with the OpenAPI can, in our opinion, cover the intended use case for SwaggerUI: "Easy testing of API interfaces".

> Please clarify it does not impact following artifact (OPENAPI specifications) and only impacts camunda run.

There was no impact on OpenAPI. And yes, only Camunda Run, as the other distributions never supported SwaggerUI.

Regards Tobias (Product Management)

@amardeep2006
Contributor

Thanks for the clarification. We are using https://springdoc.org/ with camunda provided openapi specs in our project, and it has proven to be low maintenance. We scan daily for security.

@psavidis
Contributor

psavidis commented Jul 25, 2024

Kickoff

Context

Swagger is removed from the camunda-run distribution.

Business Value

The removal of swagger will reduce the maintenance effort required for keeping up with all the security updates that swagger requires from time to time.

Customer Requirements

Swagger is removed entirely from camunda-run.

Backwards compatibility

Starting from version 7.22, swagger will not be accessible. Our users can simply use the OpenAPI in combination with a REST client like Postman. That should be sufficient to cover their existing needs.

Technical Solution Proposal

The technical proposal is pretty straightforward for this case; the changes will consist of removing swagger entirely from the camunda-run module.

Changes Required

A. Adjust assembly module

  • 1. Remove SwaggerUI references from README
  • 2. Remove Swagger Parameterization from the run scripts (run.bat, run.sh). That includes:
    • --swaggerui blocks
    • All swagger related parameters (swaggerPath, swaggeruiChosen)
    • Echoes to the STD OUT related to swagger
    • Comments
  • 3. Remove camunda-bpm-run-modules-swaggerui import from run's assembly module `pom.xml`
  • 4. Remove Swagger Entries from assembly.xml
    • The above descriptor is responsible for putting together the swagger files into the zipped camunda run installation camunda-bpm-run-{camunda.version}/internal/swaggerui folder

B. Adjust core module - Remove Comment references

C. Adjust modules module - Delete swaggerui Module

D. Adjust QA Tests

  • 1. Remove Test from ProductionConfigurationIT
  • 2. Remove Test SwaggerUIGetRequestIT
  • 3. Adjust ComponentAvailabilityIT
    • Delete shouldFindSwaggerUI test
    • Remove --swaggerui parameter from commands
    • Remove swaggerUIAvailable parameter from runStartScript

E. Adjust Documentation

  • 1. Installation | Remote Engine Distribution | Installation Procedure - Remove point 7 which references swagger
  • 2. User Guide | Camunda 7 Run
    • 2.1 What is Camunda Run - Remove list element mentioning swagger
    • 2.2 Starting with Camunda Run - Remove swagger reference from the paragraph
    • 2.3. Start Script Arguments - Remove swagger reference from the available arguments
    • 2.4. Optional Components - Remove references a and b
    • 2.5 Example Application - Remove swagger reference
    • 2.6 Choose between default and production configuration - Remove swagger reference; only the example application is disabled in production mode now. Also, rephrase that only the example application can be explicitly enabled (not swagger).
  • 3. Content | Update | Minor | 7.21-to-7.22 - Add a Camunda Run and Swagger Update
    • For administrators and developers: State that camunda-run SwaggerUI will be discontinued and mention the alternative of using OpenAPI along with a REST client of choice
  • 4. Introduction | Third-Party Libraries | Camunda 7 License Book | Swagger UI Javascript Dependencies - Delete the whole section
  • 5. Reference | REST API | Open API - Delete the section which mentions camunda-run and swagger

Breakdown

All the above changes can be incorporated into a simple task (this ticket can be used for simplicity's sake).

@psavidis
Contributor

psavidis commented Aug 5, 2024

Decision Update

Due to the size of this item being minimal, a kickoff meeting is not required.
The Kickoff Document | Technical Proposal can still be used to ease up the review.

@psavidis psavidis assigned mboskamp and psavidis and unassigned psavidis and mboskamp Aug 5, 2024
@psavidis
Contributor

psavidis commented Aug 6, 2024

Assigning to @mboskamp for the Review

@psavidis psavidis assigned mboskamp and unassigned psavidis Aug 6, 2024
@mboskamp mboskamp assigned psavidis and unassigned mboskamp Aug 9, 2024
@psavidis
Contributor

psavidis commented Aug 9, 2024

Update

Clarify if the CE license-book file needs to be adjusted before the minor release.

Answer: here

@psavidis
Contributor

psavidis commented Aug 9, 2024

Opened two pull requests to remove swagger from these repositories as well:

  • Remove the Swagger parameter from camunda-bpm-license-book-generator-ee [PR]
  • Remove from the calls RPA Bridge repository makes against the license book generator (PR)

Kudos to @mboskamp.

@psavidis psavidis assigned mboskamp and psavidis and unassigned psavidis and mboskamp Aug 9, 2024
@psavidis
Contributor

Update

> Clarify if the CE license-book file needs to be adjusted before the minor release.

No update is required on the license-book of 7.22.

@psavidis
Contributor

Update

Merged changes to camunda-bpm-license-book-generator-ee.

Next step: Release license-book-generator:1.1.14

@psavidis
Contributor

Update

license-book-generator-ee has been released

@psavidis
Contributor

Update

camunda-bpm-rpa-bridge-ee PR is closed. No need to update RPA Bridge.

@psavidis
Contributor

All Tasks are completed. Closing the ticket.

psavidis added a commit that referenced this issue Aug 14, 2024
psavidis added a commit that referenced this issue Aug 14, 2024
@psavidis
Contributor

Reopening the issue due to swagger reference leftovers in the repo

@psavidis psavidis reopened this Aug 14, 2024
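
A leftover check for the removal steps in the kickoff comment and for the reopening above, as an added example that is not part of the thread or of Camunda's code. It scans a source checkout or unpacked Camunda Run distribution for the identifiers the checklist names; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Camunda project code. The identifiers searched for are the
# ones named in the kickoff checklist of this issue.
SWAGGER_REFS='--swaggerui|swaggerPath|swaggeruiChosen|camunda-bpm-run-modules-swaggerui|internal/swaggerui'

# Prints one line per finding. Returns 0 when the tree is clean, 1 otherwise.
find_swagger_leftovers() {
  root=$1
  # A.4: assembly.xml used to place the UI files in .../internal/swaggerui
  dirs=$(find "$root" -type d -path '*/internal/swaggerui' | sed 's/^/DIR /')
  # A.2 to A.4: start-script flags and variables, the module import, and
  # assembly entries. /dev/null makes grep print the file name every time.
  refs=$(find "$root" -type f \( -name 'run.sh' -o -name 'run.bat' \
      -o -name 'pom.xml' -o -name 'assembly.xml' \) \
      -exec grep -nE -e "$SWAGGER_REFS" /dev/null {} + | sed 's/^/REF /')
  findings=$(printf '%s\n%s\n' "$dirs" "$refs" | sed '/^$/d')
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample input: one tree with leftovers, one without.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/dirty/internal/swaggerui" "$t/clean/internal"
  printf '%s\n' 'if [ "$1" = "--swaggerui" ]; then swaggeruiChosen=true; fi' \
    > "$t/dirty/run.sh"
  printf '%s\n' '<artifactId>camunda-bpm-run-modules-swaggerui</artifactId>' \
    > "$t/dirty/pom.xml"
  printf '%s\n' 'echo "starting REST API"' > "$t/clean/run.sh"
  echo "$t"
}

sample=$(make_sample_tree)
for tree in dirty clean; do
  if find_swagger_leftovers "$sample/$tree"; then
    echo "$tree: no Swagger UI leftovers"
  else
    echo "$tree: leftovers listed above"
  fi
done
rm -rf "$sample"
```

Pointed at a real checkout or unpacked zip, the non-zero return can gate a build so that a reintroduced Swagger UI component is caught before release.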
psavidis added a commit that referenced this issue Aug 14, 2024
- stage types
- CONTRIBUTING.md

Related-to: #4467
@psavidis
Contributor

Assigning to @yanavasileva for reviewing the fix of the failing jdk11 stages

@psavidis psavidis assigned yanavasileva and unassigned mboskamp Aug 14, 2024
psavidis added a commit that referenced this issue Aug 14, 2024
- stage types
- CONTRIBUTING.md

Related-to: #4467
psavidis added a commit that referenced this issue Sep 3, 2024
psavidis added a commit that referenced this issue Sep 3, 2024
psavidis added a commit that referenced this issue Sep 4, 2024
psavidis added a commit that referenced this issue Sep 4, 2024
psavidis added a commit that referenced this issue Sep 10, 2024
hauptmedia added a commit to hauptmedia/operaton that referenced this issue Nov 4, 2024
Related-to: camunda/camunda-bpm-platform#4467

Backported commit 8fe087b1ee from the camunda-bpm-platform repository. Original author: psavidis <69160690+psavidis@users.noreply.github.com>
kthoms pushed a commit to kthoms/operaton that referenced this issue Nov 5, 2024
Related-to: camunda/camunda-bpm-platform#4467

Backported commit 8fe087b1ee from the camunda-bpm-platform repository. Original author: psavidis <69160690+psavidis@users.noreply.github.com>
kthoms pushed a commit to kthoms/operaton that referenced this issue Nov 5, 2024
Related-to: camunda/camunda-bpm-platform#4467

Backported commit 8fe087b1ee from the camunda-bpm-platform repository. Original author: psavidis <69160690+psavidis@users.noreply.github.com>
hauptmedia added a commit to hauptmedia/operaton that referenced this issue Nov 5, 2024
- CONTRIBUTING.md

Related-to: camunda/camunda-bpm-platform#4467

Backported commit 233c9820eb from the camunda-bpm-platform repository.
Original author: psavidis <69160690+psavidis@users.noreply.github.com>
javahippie pushed a commit to operaton/operaton that referenced this issue Nov 7, 2024
- CONTRIBUTING.md

Related-to: camunda/camunda-bpm-platform#4467

Backported commit 233c9820eb from the camunda-bpm-platform repository.
Original author: psavidis <69160690+psavidis@users.noreply.github.com>