Connect to Zeebe-Gateway over ingress-controller with node-js-sdk

Hi everyone,

i just started to learn using camunda self managed with an ingress controller in a local kind cluster while following this guide: https://camunda.com/blog/2024/01/camunda-self-managed-absolute-beginners-part-2-ingress-tls-ssl/

Everythink works, i can access the components (e.g. operate) via the browser and the zeebe-gateway with zbctl (under zeebe.camunda.local:443).

But when i try to connect to zeebe in Node i get the following error:

zeebe | ERROR: [deployResource]: 14 UNAVAILABLE: No connection established. Last error: Client network socket disconnected before secure TLS connection was established

This is my index.ts:

import { Camunda8 } from "@camunda8/sdk";
import path from "path";

const camunda = new Camunda8({
	ZEEBE_GRPC_ADDRESS: 'zeebe.camunda.local:443',
	ZEEBE_CLIENT_ID: 'zeebe',
	ZEEBE_CLIENT_SECRET: 'zecret',
    CAMUNDA_OAUTH_DISABLED: true, // Identity is disabled
});
const zeebe = camunda.getZeebeGrpcApiClient();

async function main() {
    const deploy = await zeebe.deployResource({
      processFilename: path.join(process.cwd(), "process.bpmn"),
    });
    console.log(
      `[Zeebe] Deployed process ${deploy.deployments[0].process.bpmnProcessId}`
    );
}
  
main();

I assume i have to pass my generated cert anywhere because when i use zbctl i pass the certificate aswell.
There is an option called CAMUNDA_CUSTOM_ROOT_CERT_PATH but i dont know if thats what i need (putting the cert in my folder and adding the path does not help).

Strange is that it does not matter what the ZEEBE_GRPC_ADDRESS is, i always get the error. So maybe its a general problem and not because of the missing cert? Are there any major differences when trying to connect to zeebe with the node sdk over an ingress?

Any help is appreciated :slight_smile:

Ideally, it shouldn’t be an cert issue. With the details you shared, I can guess it can be due to ZEEBE_CLIENT_ID.
Did you change or configure the value for ZEEBE_CLIENT_ID? Usually it will be zeebe-api not zeebe in Camunda identity.

Below is the high level of how identity works in a client app (node/springboot) integration:

  1. Create new credentails for the Node client app. Generally will be M2M connection.
  2. Configure ID and Secret for the Node app. Identity will authenticate the client app and generates a access token.
  3. The access token is passed while making the call to Zeebe gateway.

Hope this help!

Hey and thanks for the response!

I did not configure anything and strictly followed the guide for the local kind-ingress-setup. As i said, identity is disabled:

global:
  ingress:
    enabled: true
    className: nginx
    host: "camunda.local"
    tls:
      enabled: true
      secretName: "tls-secret"
  identity:
    auth:
      # Disable Identity authentication for local development
      # it will fall back to basic-auth: demo/demo as default user
      enabled: false

# Disable Identity for local development
identity:
  enabled: false

# Disable Optimize
optimize:
  enabled: false

operate:
  contextPath: "/operate"

tasklist:
  contextPath: "/tasklist"

# Reduce for Zeebe and Gateway the configured replicas and with that the required resources
# to get it running locally
zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
  pvcSize: 10Gi
  resources: {}
  initResources: {}

zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    className: nginx
    host: "zeebe.camunda.local"
    tls:
      enabled: true
      secretName: "tls-secret-zeebe"

connectors:
  enabled: true
  inbound:
    mode: disabled

elasticsearch:
  master:
    replicaCount: 1
    # Request smaller persistent volumes.
    persistence:
      size: 15Gi

Do i need to enable identity to be able to connect to zeebe-gateway with the node-sdk? The documentation (github) states that it should work with an minimal setup too (without identity).

You als mentioned the client credentials. The only thing i found on how to configure these is with the camunda console which is an enterprise feature for self managed. So do i need an enterprise license to get this whole thing working or is there a “standard” client that i can use (i tought this would be the ZEEBE_CLIENT_ID=‘zeebe’ as shown in the documentation)?

Best regards.

I found the solution. I had to use ZEEBE_ADDRESS and not ZEEBE_GRPC_ADDRESS:

import { Camunda8 } from "@camunda8/sdk";
import path from "path";

const camunda = new Camunda8({
	ZEEBE_ADDRESS: 'zeebe.camunda.local:443',
	ZEEBE_CLIENT_ID: 'zeebe',
	ZEEBE_CLIENT_SECRET: 'zecret',
    CAMUNDA_OAUTH_DISABLED: true,
    CAMUNDA_CUSTOM_ROOT_CERT_PATH: path.join(process.cwd(), "cert-zeebe.pem")
});
const zeebe = camunda.getZeebeGrpcApiClient();
1 Like