Camunda 8 Self Managed Implementation

Caused by: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Failed to parse bearer token, see cause for details


io.camunda.operate.zeebe.PartitionHolder - Partition ids can’t be fetched from Zeebe. Try next round (1).

Camunda 8 - Operate and Tasklist are giving the above errors when I try to deploy to OpenShift Kubernetes.

@vinothkumar Based on the error described in your Camunda 8 self-managed deployment on OpenShift Kubernetes, you’re experiencing authentication issues between Operate/Tasklist and the Zeebe cluster. Here’s a comprehensive solution to resolve these issues:

Root Cause Analysis

The errors indicate two main problems:

  1. Authentication failure: The bearer token parsing is failing, preventing proper authentication between components
  2. Partition communication failure: Operate cannot fetch partition information from Zeebe due to authentication issues

Solution Steps

1. Configure Authentication Mode

The most common solution is to disable authentication for internal component communication. Set the following environment variable in your Zeebe Gateway deployment:

env:
  - name: ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE
    value: "none"

2. Update Helm Chart Values

If you’re using Helm charts, modify your values.yaml file to include authentication configuration:

zeebe-gateway:
  env:
    - name: ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE
      value: "none"

operate:
  env:
    - name: CAMUNDA_OPERATE_ZEEBE_GRPC_SECURITY_PLAINTEXT
      value: "true"

tasklist:
  env:
    - name: CAMUNDA_TASKLIST_ZEEBE_GRPC_SECURITY_PLAINTEXT
      value: "true"

3. Configure Logging for OpenShift

Since OpenShift has specific security policies that may restrict file writing, configure logging to output only to stdout/stderr:

operate:
  env:
    - name: CAMUNDA_LOG_FILE_APPENDER_ENABLED
      value: "false"

tasklist:
  env:
    - name: CAMUNDA_LOG_FILE_APPENDER_ENABLED
      value: "false"

zeebe:
  env:
    - name: CAMUNDA_LOG_FILE_APPENDER_ENABLED
      value: "false"

4. Verify Network Connectivity

Ensure that Operate and Tasklist can reach the Zeebe Gateway service. Check your OpenShift network policies and service configurations:

# Test connectivity from Operate pod to Zeebe Gateway
kubectl exec -it <operate-pod-name> -- nc -zv <zeebe-gateway-service> 26500

5. Alternative: Configure Proper Authentication

If you need to maintain authentication (for production environments), configure proper OAuth2/OIDC authentication[3][4]:

  1. Create M2M applications in Identity for Operate and Tasklist
  2. Configure client credentials in your component configurations:
operate:
  env:
    - name: CAMUNDA_OPERATE_IDENTITY_AUDIENCE
      value: "operate-api"
    - name: ZEEBE_CLIENT_ID
      value: "<your-client-id>"
    - name: ZEEBE_CLIENT_SECRET
      value: "<your-client-secret>"
    - name: ZEEBE_AUTHORIZATION_SERVER_URL
      value: "http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token"

tasklist:
  env:
    - name: CAMUNDA_TASKLIST_IDENTITY_AUDIENCE
      value: "tasklist-api"
    - name: ZEEBE_CLIENT_ID
      value: "<your-client-id>"
    - name: ZEEBE_CLIENT_SECRET
      value: "<your-client-secret>"
    - name: ZEEBE_AUTHORIZATION_SERVER_URL
      value: "http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token"

6. Deployment Commands

Apply the configuration changes using:

# If using Helm
helm upgrade <release-name> camunda/camunda-platform -f values.yaml

# If using direct kubectl
kubectl apply -f your-deployment-files.yaml

7. Verification

After applying the changes, verify the solution:

  1. Check pod logs for authentication errors:
     kubectl logs -f deployment/camunda-platform-operate
     kubectl logs -f deployment/camunda-platform-tasklist
  2. Verify partition discovery:
     # Look for successful partition fetching in Operate logs
     kubectl logs deployment/camunda-platform-operate | grep -i "partition"

Additional Considerations

  • Security: For production environments, avoid disabling authentication entirely. Use proper OAuth2/OIDC configuration instead
  • OpenShift-specific: Ensure your SecurityContextConstraints (SCCs) allow the necessary permissions for Camunda components
  • Resource limits: Verify that your pods have sufficient CPU and memory resources allocated

This solution addresses the core authentication issues while providing both quick fixes for development environments and secure configurations for production deployments.
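An added example, not part of the answer above and not Camunda tooling: a pre-promotion check that scans deployment JSON for the development-only settings from steps 1, 2 and 5 (authentication mode "none", plaintext gRPC, a client secret written inline, an http:// token endpoint). The variable names are taken from the answer as written; the sample manifest, the deployment name camunda-platform-zeebe-gateway and the secret name operate-m2m are constructed.

```python
import json
import sys

# Variable names are copied from the answer above; the issue texts are this example's own.
RISKY_VALUES = {
    "ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE": ("none", "gateway authentication disabled"),
    "CAMUNDA_OPERATE_ZEEBE_GRPC_SECURITY_PLAINTEXT": ("true", "plaintext gRPC to Zeebe"),
    "CAMUNDA_TASKLIST_ZEEBE_GRPC_SECURITY_PLAINTEXT": ("true", "plaintext gRPC to Zeebe"),
}

def check_env(var, value):
    """Return an issue string for one inline env value, or None if nothing is flagged."""
    risky = RISKY_VALUES.get(var)
    if risky and value.strip().lower() == risky[0]:
        return risky[1]
    if var == "ZEEBE_CLIENT_SECRET" and value:
        return "client secret inline in manifest; use valueFrom.secretKeyRef"
    if var == "ZEEBE_AUTHORIZATION_SERVER_URL" and value.lower().startswith("http://"):
        return "token endpoint over http; client secret sent unencrypted"
    return None

def audit_deployments(doc):
    """Return (deployment, container, variable, issue) tuples for a deployment list."""
    findings = []
    for item in doc.get("items", []):
        pod_spec = item["spec"]["template"]["spec"]
        for container in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
            for env in container.get("env", []):
                if "value" not in env:  # valueFrom reference: nothing inline to inspect
                    continue
                if issue := check_env(env["name"], env["value"]):
                    findings.append((item["metadata"]["name"], container["name"], env["name"], issue))
    return findings

# Constructed sample in the shape of `kubectl get deployments -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "camunda-platform-zeebe-gateway"},
     "spec": {"template": {"spec": {"containers": [{"name": "zeebe-gateway", "env": [
         {"name": "ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE", "value": "none"}]}]}}}},
    {"metadata": {"name": "camunda-platform-operate"},
     "spec": {"template": {"spec": {"containers": [{"name": "operate", "env": [
         {"name": "CAMUNDA_OPERATE_ZEEBE_GRPC_SECURITY_PLAINTEXT", "value": "true"},
         {"name": "ZEEBE_CLIENT_SECRET", "valueFrom": {"secretKeyRef": {"name": "operate-m2m", "key": "secret"}}},
         {"name": "ZEEBE_AUTHORIZATION_SERVER_URL", "value": "http://keycloak:8080/auth/realms/camunda-platform/protocol/openid-connect/token"}]}]}}}},
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(" | ".join(f) for f in audit_deployments(doc)))
```

Run it with a file saved from `kubectl get deployments -o json` as the only argument; with no argument it reports on the constructed sample.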