I have just seen the OpenShift deployment blog (Running Camunda 8 on OpenShift | Camunda) and I am also trying to deploy it. It is quite helpful. What I am missing in the video: how can I expose the Zeebe gateway so that the Modeler can connect to the gateway and deploy a model?
Hey @anisk.
Let me answer two-fold:
First, I did not add this information to the blog post, as I assumed the default is NOT to expose the gateway to the outside world, as most applications using Zeebe will live within your Kubernetes cluster. Let me know if this hypothesis is not true for your use case; then it would be interesting to hear how you envision your architecture. Still, it makes sense to deploy from the Camunda Desktop Modeler during development (and maybe also run job workers locally), but then you could also leverage Kubernetes port forwarding - or WDYT?
Second, you can of course expose the gateway using an OpenShift Route. The important thing is that the route needs to be HTTP2 for gRPC to work. This is only possible if you add TLS certification, which is conceptually easy but practically a small nightmare to do. I have some notes about it somewhere and can try to find them if required.
Best
Bernd
Thanks for the response. I have an external task worker written in Python which can run outside the k8s cluster but needs access to the gateway to fetch and respond to tasks.
OK - thanks, that makes sense! I also had another discussion yesterday with an organization running one central Camunda installation, provided as a service to various applications; they also want the gateway to be available to the outside, which is also totally valid. So I should probably write a part 2 of the blog post soon.
Let me quickly recap how to add the gateway - I hope that is already sufficient for you to move forward:
- The challenge is that you need to use HTTP2 for your route (Understanding the Ingress Operator | Networking | OpenShift Container Platform 4.11)
- Therefore, first get or create a TLS certificate (using PKCS#8 syntax, as netty only supports this)
- Create secrets from the certificate in Kubernetes
- Adjust your `zeebe-gateway` pod to mount this certificate and enable TLS on the route - which I just realized is already done in the gist I linked in the blog post (which is not correct, so I have commented on it now), see camunda-8-open-shift-values.yaml · GitHub:

```yaml
zeebe-gateway:
  [...]
  env:
    - name: ZEEBE_GATEWAY_SECURITY_ENABLED
      value: 'true'
    - name: ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH
      value: /usr/local/zeebe/config/tls.crt
    - name: ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH
      value: /usr/local/zeebe/config/tls.key
  extraVolumeMounts:
    - name: certificate
      mountPath: /usr/local/zeebe/config/tls.crt
      subPath: tls.crt
    - name: key
      mountPath: /usr/local/zeebe/config/tls.key
      subPath: tls.key
  extraVolumes:
    - name: certificate
      secret:
        secretName: tls-certificate
        items:
          - key: tls.crt
            path: tls.crt
        defaultMode: 420
    - name: key
      secret:
        secretName: tls-certificate
        items:
          - key: tls.key
            path: tls.key
        defaultMode: 420
```

- Add the route to OpenShift and select `reencrypt`. If I recall correctly, you also have to point to the TLS secret.
Let me know if this works or if there are any problems. I would need to kick off a new OpenShift instance to try it myself, but I am also happy to take some feedback/screenshots here as a shortcut to part 2 of the blog post.
PS: I just realized we have a PR merged into the docs for this piece of information, which should also help: Added section about Route for Zeebe Gateway on Openshift by jonathanlukas · Pull Request #1775 · camunda/camunda-platform-docs · GitHub
Thanks!
Bernd
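The steps in the post above boil down to three constraints: the Route must keep TLS all the way to the pod (reencrypt or passthrough, since the router only speaks HTTP/2, which gRPC needs, to a TLS backend), the gateway pod itself must have TLS enabled with a certificate chain and key, and the key must be an unencrypted PKCS#8 PEM for netty. The following Python pre-flight check is an added example, not code from the blog post, this thread or the Camunda project; it runs these checks over a Helm values dict and a Route manifest before anything is applied to a cluster. The ZEEBE_GATEWAY_SECURITY_* variables and the `tls-certificate` secret follow the post; the service name `camunda-zeebe-gateway`, the port name `gateway`, the namespace and the host in the sample Route are assumptions, and the PEM samples are constructed headers with the bodies elided.

```python
"""Pre-flight checks for exposing the Zeebe gateway through an OpenShift Route.

Added example, not code from the blog post, the thread or Camunda. Service name,
port name, namespace and host below are constructed placeholders.
"""
from __future__ import annotations

# PEM header -> key encoding. Only the header is inspected; the DER body is not parsed.
KEY_HEADERS = {
    "-----BEGIN PRIVATE KEY-----": "pkcs8",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----": "pkcs8-encrypted",
    "-----BEGIN RSA PRIVATE KEY-----": "pkcs1",
    "-----BEGIN EC PRIVATE KEY-----": "sec1",
}


def key_format(pem: str) -> str:
    """Classify a PEM private key by its header line."""
    for line in pem.splitlines():
        fmt = KEY_HEADERS.get(line.strip())
        if fmt:
            return fmt
    return "unknown"


def gateway_env(values: dict) -> dict[str, str]:
    """Flatten the zeebe-gateway `env` list of the Helm values into a name -> value map."""
    env = values.get("zeebe-gateway", {}).get("env", [])
    return {e["name"]: str(e.get("value", "")) for e in env if "name" in e}


def check_exposure(values: dict, route: dict, key_pem: str) -> list[str]:
    """Return findings that would stop gRPC clients reaching the gateway; [] means OK."""
    findings: list[str] = []
    env = gateway_env(values)
    tls = route.get("spec", {}).get("tls") or {}
    termination = tls.get("termination")

    # 1. HTTP/2 (and so gRPC) only reaches the pod when TLS is kept end to end.
    if termination not in ("reencrypt", "passthrough"):
        findings.append(f"route termination is {termination!r}; gRPC needs HTTP/2 to the pod, "
                        "which the router only does for reencrypt or passthrough routes")
    # 2. The gateway pod has to serve TLS itself, otherwise there is nothing to re-encrypt to.
    if env.get("ZEEBE_GATEWAY_SECURITY_ENABLED", "false").lower() != "true":
        findings.append("ZEEBE_GATEWAY_SECURITY_ENABLED is not 'true': the pod listens in plaintext")
    for var in ("ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH", "ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH"):
        if not env.get(var):
            findings.append(f"{var} is not set on the zeebe-gateway pod")
    if termination == "reencrypt" and not tls.get("destinationCACertificate"):
        findings.append("reencrypt route has no destinationCACertificate: the router must be able to verify "
                        "the gateway certificate; omit it only if a CA the router already trusts issued it")
    # 3. netty reads unencrypted PKCS#8 keys only.
    fmt = key_format(key_pem)
    if fmt != "pkcs8":
        findings.append(f"private key is {fmt}, the gateway needs unencrypted PKCS#8; convert with "
                        "`openssl pkcs8 -topk8 -nocrypt -in old.key -out tls.key`")
    return findings


def route_manifest(termination: str, destination_ca: str | None = None) -> dict:
    """Build a Route for the gateway service (names and host are constructed placeholders)."""
    tls: dict = {"termination": termination}
    if destination_ca:
        tls["destinationCACertificate"] = destination_ca
    return {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": "zeebe-gateway", "namespace": "camunda"},  # assumed
        "spec": {
            "host": "zeebe.apps.example.invalid",  # placeholder
            "to": {"kind": "Service", "name": "camunda-zeebe-gateway"},  # assumed release name
            "port": {"targetPort": "gateway"},  # assumed: the chart names the 26500 port "gateway"
            "tls": tls,
        },
    }


# Constructed samples: values matching the snippet in the post, and PEM headers with bodies elided.
VALUES_TLS = {"zeebe-gateway": {"env": [
    {"name": "ZEEBE_GATEWAY_SECURITY_ENABLED", "value": "true"},
    {"name": "ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH", "value": "/usr/local/zeebe/config/tls.crt"},
    {"name": "ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH", "value": "/usr/local/zeebe/config/tls.key"},
]}}
VALUES_PLAIN = {"zeebe-gateway": {"env": []}}
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----\n"
CA_PEM = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for label, values, route, key in [
        ("edge route, plaintext pod", VALUES_PLAIN, route_manifest("edge"), PKCS8_KEY),
        ("reencrypt route, TLS pod, PKCS#1 key", VALUES_TLS, route_manifest("reencrypt", CA_PEM), PKCS1_KEY),
        ("reencrypt route, TLS pod, PKCS#8 key", VALUES_TLS, route_manifest("reencrypt", CA_PEM), PKCS8_KEY),
    ]:
        print(label)
        for finding in check_exposure(values, route, key) or ["OK"]:
            print("  -", finding)
```

Feed it the values file you actually deploy (parsed with any YAML library) and the Route you are about to `oc apply`; an edge-terminated route with a plaintext gateway pod is reported as the first finding, which is the combination that leaves gRPC clients unable to connect even though plain HTTPS through the same router works.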
@BerndRuecker Thanks for the direction. If TLS is terminated at the edge rather than on the pod, we are seeing that this is not working. Is it because it is gRPC? Most HTTPS works with TLS termination at the edge and no pod setting with a certificate.