fix(alpha): add missing auth for grpc api #2691
zeebelog2.log

I've tested it locally and it still fails. Should be
Here's the value file used for this deployment:

```yaml
---
global:
  elasticsearch:
    enabled: true # use the embedded elasticsearch
  secrets:
    name: "identity-secret-for-components"
  compatibility:
    openshift:
      adaptSecurityContext: force # enforce compatibility with SCCs
  # the ingress is managed directly by the Route manifests ../manifest/routes.yml
  ingress:
    enabled: true
    className: openshift-default
    host: camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com
    tls:
      enabled: true
      # explicitly no secret, as we rely on the IngressOperator to handle the TLS secret; if you use a custom certificate, you might want to fill this value
      secretName: ''
    annotations:
      route.openshift.io/termination: edge
      # enforce HSTS
      haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains;preload
  identity:
    auth:
      publicIssuerUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/auth/realms/camunda-platform # replace this with a port of your choice when you do port forwarding
      optimize:
        redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/optimize # replace this with a port of your choice when you do port forwarding
        existingSecret:
          name: "identity-secret-for-components"
      webModeler:
        redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/modeler
      console:
        redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/console
        existingSecret:
          name: "identity-secret-for-components"
      core:
        redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com
        existingSecret:
          name: "identity-secret-for-components"
      connectors:
        existingSecret:
          name: "identity-secret-for-components"
      admin:
        existingSecret:
          name: "identity-secret-for-components"
identity:
  contextPath: /identity
  fullURL: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/identity
  firstUser:
    existingSecret: identity-secret-for-components
optimize:
  contextPath: /optimize
console:
  contextPath: /console
  enabled: false # by default, console is not enabled
identityKeycloak:
  postgresql:
    enabled: true # use the embedded database
    auth:
      existingSecret: identity-secret-for-components
  auth:
    existingSecret: identity-secret-for-components
webModeler:
  contextPath: /modeler
  enabled: false # by default, webModeler is not enabled
  restapi:
    mail:
      fromAddress: changeme@example.com # change this required value
connectors:
  contextPath: /connectors
  inbound:
    mode: oauth
  env:
    - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS
      value: camunda-core.camunda.svc.cluster.local:26500
    - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT
      value: 'false'
    - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH
      value: /usr/local/certificates/tls.crt
  extraVolumeMounts:
    - name: certificate
      mountPath: /usr/local/certificates/tls.crt
      subPath: tls.crt
  extraVolumes:
    - name: certificate
      secret:
        secretName: camunda-platform-internal-service-certificate
        items:
          - key: tls.crt
            path: tls.crt
        defaultMode: 420
core:
  contextPath: "/"
  service:
    annotations:
      # generate a TLS certificate for the Zeebe Gateway Service
      service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate
  ingress:
    enabled: true
    grpc:
      enabled: true
      annotations:
        haproxy.router.openshift.io/timeout: 300s
        route.openshift.io/termination: reencrypt
        # reference the re-encrypt secret
        route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate
      className: openshift-default
      tls:
        enabled: true
        # explicitly no secret, as we rely on the IngressOperator to handle the TLS secret; if you use a custom certificate, you might want to fill this value
        secretName: ''
      host: zeebe-camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com
  env:
    ##### Tasklist
    - name: CAMUNDA_TASKLIST_ZEEBE_SECURE
      value: 'true'
    - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH
      value: /usr/local/core/config/tls.crt
    - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS
      value: camunda-core.camunda.svc.cluster.local:26500
    ##### Gateway
    - name: ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED
      value: 'true'
    - name: ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH
      value: /usr/local/core/config/tls.crt
    - name: ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH
      value: /usr/local/core/config/tls.key
    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED
      value: 'true'
    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
      value: /usr/local/core/config/tls.crt
    - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
      value: /usr/local/core/config/tls.key
    ##### Operate
    - name: CAMUNDA_OPERATE_ZEEBE_SECURE
      value: 'true'
    - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH
      value: /usr/local/core/config/tls.crt
    - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS
      # camunda-core.<namespace>.svc.cluster.local
      value: camunda-core.camunda.svc.cluster.local:26500
  extraVolumeMounts:
    - name: certificate
      mountPath: /usr/local/core/config/tls.crt
      subPath: tls.crt
    - name: key
      mountPath: /usr/local/core/config/tls.key
      subPath: tls.key
  extraVolumes:
    - name: key
      secret:
        secretName: camunda-platform-internal-service-certificate
        items:
          - key: tls.key
            path: tls.key
        defaultMode: 420
    - name: certificate
      secret:
        secretName: camunda-platform-internal-service-certificate
        items:
          - key: tls.crt
            path: tls.crt
        defaultMode: 420
```
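As an added consistency check over the `core` section of the values file above (not code from the chart or from this PR): it verifies that every certificate path the gateway, Operate and Tasklist read from `env` is actually mounted, that each mount is backed by the secret the serving-cert annotation populates, and that the re-encrypt route trusts that same secret. `CORE_VALUES` is a constructed subset of the posted file and `check_grpc_tls` is a hypothetical helper.

```python
# Constructed subset of the posted core section: just the keys the checks read.
CORE_VALUES = {
    "service": {"annotations": {"service.beta.openshift.io/serving-cert-secret-name":
                                "camunda-platform-internal-service-certificate"}},
    "ingress": {"grpc": {"enabled": True, "annotations": {
        "route.openshift.io/termination": "reencrypt",
        "route.openshift.io/destination-ca-certificate-secret":
            "camunda-platform-internal-service-certificate"}}},
    "env": [
        {"name": "ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED", "value": "true"},
        {"name": "ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH",
         "value": "/usr/local/core/config/tls.crt"},
        {"name": "ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH",
         "value": "/usr/local/core/config/tls.key"},
        {"name": "CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH",
         "value": "/usr/local/core/config/tls.crt"},
    ],
    "extraVolumeMounts": [
        {"name": "certificate", "mountPath": "/usr/local/core/config/tls.crt"},
        {"name": "key", "mountPath": "/usr/local/core/config/tls.key"},
    ],
    "extraVolumes": [
        {"name": "key", "secret": {"secretName": "camunda-platform-internal-service-certificate"}},
        {"name": "certificate", "secret": {"secretName": "camunda-platform-internal-service-certificate"}},
    ],
}


def check_grpc_tls(core: dict) -> list:
    """Return findings for the gateway TLS wiring; an empty list means it is self-consistent."""
    findings = []
    env = {e["name"]: e["value"] for e in core.get("env", [])}
    mounts = {m["mountPath"]: m["name"] for m in core.get("extraVolumeMounts", [])}
    volumes = {v["name"]: v["secret"]["secretName"] for v in core.get("extraVolumes", [])}
    serving = core["service"]["annotations"].get("service.beta.openshift.io/serving-cert-secret-name")
    grpc = core["ingress"]["grpc"]
    ann = grpc.get("annotations", {})
    # 1. Every *PATH variable must name a file that is actually mounted into the pod.
    for name, value in env.items():
        if name.endswith("PATH") and value not in mounts:
            findings.append(f"{name} points at {value}, which is not mounted")
    # 2. Every mount must come from the secret the serving-cert annotation populates.
    for path, vol in mounts.items():
        if volumes.get(vol) != serving:
            findings.append(f"mount {path} is backed by volume {vol!r}, not by {serving!r}")
    # 3. A re-encrypt route must trust the CA of the certificate the gateway presents.
    if grpc.get("enabled") and ann.get("route.openshift.io/termination") == "reencrypt":
        if ann.get("route.openshift.io/destination-ca-certificate-secret") != serving:
            findings.append("re-encrypt destination CA secret differs from the serving-cert secret")
    return findings
```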
@leiicamundi, you are totally correct; I copied the wrong function (client id instead of the audience).
Hi @aabouzaid, I've merged main into this fix, but the zeebe deployment still fails. Zeebe never gets healthy.

@leiicamundi It's not Zeebe, it's Identity, so the auth will not work for now.
Which problem does the PR fix?

Task: #2525

What's in this PR?

Add missing auth for gRPC API as it doesn't use the unified auth (yet).

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

- make go.update-golden-only

After opening the PR: