I have a cluster with a self-managed deployment of Camunda 8 (I am using the Helm chart). Every communication must be encrypted (external and internal) and it's mandatory to use the Istio service mesh.
That said, my current setup consists of an Istio ingress gateway which terminates TLS for external inbound traffic, and my idea is to use a single pair of truststore and keystore based on a self-signed wildcard certificate that will be used by every Camunda component just for internal communications (correct me if this is not possible).
I have enabled TLS in Keycloak by creating the appropriate secrets and using this configuration while deploying the chart:
identity:
  keycloak:
    tls:
      enabled: true
      existingSecret: "keycloakstores"
      truststoreFilename: "cacerts"
      keystoreFilename: "keystore.jks"
      passwordsSecret: "sslstorepass"
    spi:
      existingSecret: "keycloakstores"
      truststoreFilename: "cacerts"
      passwordsSecret: "sslstorepass"
      hostnameVerificationPolicy: "ANY"
    production: true
    proxy: passthrough
    containerSecurityContext:
      enabled: false
With this configuration, I can see the logs of Keycloak displaying that TLS and SPI are correctly configured, and I am able to access Keycloak from outside the cluster using the ingress (configuring a DestinationRule with TLS enabled towards the Camunda namespace).
But as soon as I deploy Keycloak with this configuration, other components stop working. I guess this is normal since I have not configured the truststore and keystore for them, so I went and configured Identity, for example, to use the same truststore and keystore:
identity:
  env:
    - name: SERVER_SSL_ENABLED
      value: "true"
    - name: SERVER_SSL_KEYSTORE
      value: /etc/keystore/keystore.jks
    - name: SERVER_SSL_KEYSTOREPASSWORD
      valueFrom:
        secretKeyRef:
          name: sslstorepass
          key: password
    - name: SERVER_SSL_KEYSTORETYPE
      value: JKS
    - name: SERVER_SSL_TRUSTSTORE
      value: /etc/truststore/cacerts
    - name: SERVER_SSL_TRUSTSTOREPASSWORD
      valueFrom:
        secretKeyRef:
          name: sslstorepass
          key: password
  # ExtraVolumes can be used to define extra volumes for the Identity pods, useful for TLS and self-signed certificates
  extraVolumes:
    - name: keystore
      secret:
        secretName: sslkeystore
    - name: truststore
      secret:
        secretName: sslcacerts
  # ExtraVolumeMounts can be used to mount extra volumes for the Identity pods, useful for TLS and self-signed certificates
  extraVolumeMounts:
    - name: keystore
      mountPath: /etc/keystore
      readOnly: false
    - name: truststore
      mountPath: /etc/truststore
      readOnly: false
I can see the cacerts (truststore) and keystore are created inside the pod in the respective folders, but when I check the logs for the Identity pods, this is what I see:
k logs camunda-identity-c8478db84-fl45c -f
Identity is not able to connect to Keycloak as you can see even though Keycloak is reachable through ingress/service.
I have read multiple threads but cannot find an answer to this issue.
Is there something I am missing?
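One check worth doing before wiring a single wildcard certificate into every component, as an added example that is not part of the original post: Java clients such as Identity verify the Keycloak certificate's SAN entries against the hostname they connect to, and a wildcard covers exactly one DNS label, so `*.camunda.svc.cluster.local` covers `camunda-keycloak.camunda.svc.cluster.local` but not the short service name `camunda-keycloak` (the `hostnameVerificationPolicy` on Keycloak's SPI relaxes only Keycloak's own outbound connections). The SAN list, the namespace `camunda` and the service names below are constructed placeholders; in a real check, feed in the output of `openssl x509 -noout -ext subjectAltName -in <cert>` and the hostnames configured in the components' environment.

```shell
# Added example, not from the original post. Java clients such as Identity
# check the peer's SAN entries against the hostname they connect to, and a
# wildcard matches exactly one DNS label (RFC 6125); these helpers replay that.

# san_matches HOST SAN -> 0 if SAN (plain or leftmost-wildcard) covers HOST
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$san" in
    '*.'*)
      suffix=${san#\*.}
      prefix=${host%".$suffix"}
      # Reject if the suffix is absent, the remaining part is empty,
      # or it spans more than one label (*.x does not cover a.b.x).
      [ "$prefix" != "$host" ] || return 1
      [ -n "$prefix" ] || return 1
      case "$prefix" in *.*) return 1 ;; esac
      return 0
      ;;
    *) [ "$host" = "$san" ] ;;
  esac
}

# cert_covers HOST "DNS:a, DNS:*.b" -> 0 if any entry covers HOST; the second
# argument has the shape of the subjectAltName line printed by openssl x509.
cert_covers() {
  want=$1
  printf '%s\n' "$2" | tr ',' '\n' | sed 's/^[[:space:]]*DNS://; s/[[:space:]]//g' | (
    while IFS= read -r entry; do
      [ -n "$entry" ] && san_matches "$want" "$entry" && exit 0
    done
    exit 1
  )
}

# Constructed sample SAN list of a self-signed wildcard certificate; the
# namespace "camunda" and the second domain are placeholders.
WILDCARD_SAN='DNS:*.camunda.svc.cluster.local, DNS:*.example.internal'

# Report which candidate peer hostnames the certificate covers. The service
# names are illustrative, not taken from the post.
check_peers() {
  for h in camunda-keycloak.camunda.svc.cluster.local camunda-keycloak.camunda \
           camunda-keycloak keycloak.camunda.example.internal; do
    if cert_covers "$h" "$WILDCARD_SAN"; then echo "covered      $h"
    else echo "NOT covered  $h  (use the FQDN or add a SAN entry)"; fi
  done
}
check_peers
```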