Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(alpha): add missing auth for grpc api #2691

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix(alpha): add missing auth for grpc api #2691

wants to merge 1 commit into from
+33 −1

Conversation

aabouzaid
Copy link
Member

@aabouzaid aabouzaid commented Dec 13, 2024
edited
Loading

Which problem does the PR fix?

Task: #2525

What's in this PR?

Add missing auth for gRPC API as it doesn't use the unified auth (yet).

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation are updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?

@aabouzaid aabouzaid added size/xs Relative effort/time: Extra Small cycle/alpha3 Tasks will be done in alpha3 cycle version/8.7 Camunda applications/cycle version component/core labels Dec 13, 2024
@aabouzaid aabouzaid self-assigned this Dec 13, 2024
@aabouzaid aabouzaid mentioned this pull request Dec 13, 2024
Closed
@aabouzaid aabouzaid requested review from a team and leiicamundi December 13, 2024 13:57
@aabouzaid aabouzaid marked this pull request as ready for review December 13, 2024 13:57
@leiicamundi
Copy link
Contributor

zeebelog2.log
zeebelog0.log
zeebelog1.log

I've tested it locally and it still fails.
I think the audience :
audience: {{ include "core.authClientId" . | quote }}

Should be core-api it's currently set on core. Even with modifying it, the connection check fails:

ERROR:
  Code: Unknown
  Message: 
[FAIL] gRPC connectivity
[INFO] Checking zbctl status to zeebe-camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com:443...
[INFO] Running command: ZEEBE_TOKEN_SCOPE=camunda-identity ZEEBE_ADDRESS=zeebe-camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com:443 ZEEBE_HOST= ZEEBE_PORT= zbctl status --authzUrl "https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/auth/realms/camunda-platform/protocol/openid-connect/token" --clientId "test" --clientSecret "***" --audience "core-api" 
Error: rpc error: code = Unknown desc = 

[FAIL] zbctl status
[FAIL] ./checks/zeebe/connectivity.sh: At least one of the tests failed (error code: 6).

Here's the value file used for this deployment:

---
global:
    elasticsearch:
        enabled: true # use the embbeded elasticsearch

    secrets:
        name: "identity-secret-for-components"

    compatibility:
        openshift:
            adaptSecurityContext: force # enforce compatibility with SCCs
    # the ingress is manages directly by the Route manifests ../manifest/routes.yml
    ingress:
        enabled: true
        className: openshift-default
        host: camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com
        tls:
            enabled: true
            # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value
            secretName: ''
        annotations:
            route.openshift.io/termination: edge
            # enforce HSTS
            haproxy.router.openshift.io/hsts_header: max-age=31536000; includeSubDomains;preload

    identity:
        auth:
            publicIssuerUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/auth/realms/camunda-platform  # replace this with a port of your choice when you will do port forwarding

            optimize:
                redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/optimize  # replace this with a port of your choice when you will do port forwarding
                existingSecret:
                    name: "identity-secret-for-components"
            webModeler:
                redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/modeler
            console:
                redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/console
                existingSecret:
                    name: "identity-secret-for-components"
            core:
                redirectUrl: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com
                existingSecret:
                    name: "identity-secret-for-components"
            connectors:
                existingSecret:
                    name: "identity-secret-for-components"
            admin:
                existingSecret:
                    name: "identity-secret-for-components"

identity:
    contextPath: /identity
    fullURL: https://camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com/identity
    firstUser:
        existingSecret: identity-secret-for-components

optimize:
    contextPath: /optimize


console:
    contextPath: /console
    enabled: false # by default, console is not enabled

identityKeycloak:
    postgresql:
        enabled: true # use the embbeded database
        auth:
            existingSecret: identity-secret-for-components
    auth:
        existingSecret: identity-secret-for-components

webModeler:
    contextPath: /modeler

    enabled: false # by default, webModeler is not enabled

    restapi:
        mail:
            fromAddress: [email protected]   # change this required value


connectors:
    contextPath: /connectors

    inbound:
        mode: oauth
    env:
        - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS
          value: camunda-core.camunda.svc.cluster.local:26500
        - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT
          value: 'false'
        - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH
          value: /usr/local/certificates/tls.crt
    extraVolumeMounts:
        - name: certificate
          mountPath: /usr/local/certificates/tls.crt
          subPath: tls.crt
    extraVolumes:
        - name: certificate
          secret:
              secretName: camunda-platform-internal-service-certificate
              items:
                  - key: tls.crt
                    path: tls.crt
              defaultMode: 420

core:
    contextPath: "/"

    service:
        annotations:
            # enerate a TLS certificate for the Zeebe Gateway Service
            service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate

    ingress:
        enabled: true
        grpc:
            enabled: true
            annotations:
                haproxy.router.openshift.io/timeout: 300s
                route.openshift.io/termination: reencrypt
                # reference the re-encrypt secret
                route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate
            className: openshift-default
            tls:
                enabled: true
                # explicitely no secret as we rely on the IngressOperator to handle the TLS secret, if you use a custom certificate, you might want to fill this value
                secretName: ''
            host: zeebe-camunda.apps.rosa.my-rosa.7gbb.p3.openshiftapps.com

    env:
        ##### Tasklist
        - name: CAMUNDA_TASKLIST_ZEEBE_SECURE
          value: 'true'
        - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH
          value: /usr/local/core/config/tls.crt
        - name: CAMUNDA_TASKLIST_ZEEBE_GATEWAYADDRESS
          value: camunda-core.camunda.svc.cluster.local:26500

        ##### Gateway
        - name: ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED
          value: 'true'
        - name: ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH
          value: /usr/local/core/config/tls.crt
        - name: ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH
          value: /usr/local/core/config/tls.key

        - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED
          value: 'true'
        - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH
          value: /usr/local/core/config/tls.crt
        - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH
          value: /usr/local/core/config/tls.key

        ##### Operate
        - name: CAMUNDA_OPERATE_ZEEBE_SECURE
          value: 'true'
        - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH
          value: /usr/local/core/config/tls.crt
        - name: CAMUNDA_OPERATE_ZEEBE_GATEWAYADDRESS
          # camunda-core.<namespace>.svc.cluster.local
          value: camunda-core.camunda.svc.cluster.local:26500
    extraVolumeMounts:
        - name: certificate
          mountPath: /usr/local/core/config/tls.crt
          subPath: tls.crt
        - name: key
          mountPath: /usr/local/core/config/tls.key
          subPath: tls.key
    extraVolumes:
        - name: key
          secret:
              secretName: camunda-platform-internal-service-certificate
              items:
                  - key: tls.key
                    path: tls.key
              defaultMode: 420
        - name: certificate
          secret:
              secretName: camunda-platform-internal-service-certificate
              items:
                  - key: tls.crt
                    path: tls.crt
              defaultMode: 420

@github-actions github-actions bot added the version/alpha Camunda applications/cycle version (this is a pointer to alpha) label Dec 17, 2024
@aabouzaid
Copy link
Member Author

@leiicamundi, you are totally correct; I copied the wrong function (client id instead of the audience).
I've fixed it now.

@leiicamundi
Copy link
Contributor

Hi @aabouzaid, I've merged main into this fix, but the zeebe deployment still fails. Zeebe never gets healthy.
I have no clue as the logs are not very helpful. We can setup a troubleshooting meeting on Monday if you want

@leiicamundi leiicamundi mentioned this pull request Dec 20, 2024
Merged
@aabouzaid
Copy link
Member Author

@leiicamundi It's not Zeebe, it's Identity, so the auth will not work for now.
I will ping you again once the issue is fixed with Identity.

@aabouzaid aabouzaid added the test-persistent Don't delete the Helm deployment created by the PR and use fixed names label Dec 20, 2024
@distro-ci-manage-gh-envs distro-ci-manage-gh-envs bot temporarily deployed to gke-2691-intg-alpha-upgrade December 20, 2024 16:03 Destroyed
@distro-ci-manage-gh-envs distro-ci-manage-gh-envs bot temporarily deployed to gke-2691-intg-alpha-upgrade December 20, 2024 16:05 Destroyed
@distro-ci-manage-gh-envs distro-ci-manage-gh-envs bot temporarily deployed to gke-2691-intg-alpha-upgrade December 20, 2024 16:14 Destroyed
@aabouzaid aabouzaid marked this pull request as draft December 20, 2024 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leiicamundi leiicamundi Awaiting requested review from leiicamundi

At least 1 approving review is required to merge this pull request.

Assignees

@aabouzaid aabouzaid

Labels
component/core cycle/alpha3 Tasks will be done in alpha3 cycle size/xs Relative effort/time: Extra Small test-persistent Don't delete the Helm deployment created by the PR and use fixed names version/alpha Camunda applications/cycle version (this is a pointer to alpha) version/8.7 Camunda applications/cycle version
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@aabouzaid @leiicamundi