Hello Camunda gurus,
We are struggling to configure Camunda 8.6.x helm charts for OIDC Microsoft Entra ID with Identity. Has anyone had success with this configuration in GKE?
All services (tasklist, operate, console, zeebe, identity, optimize) deployed successfully along with their pods; however, the “connectors” pod keeps failing with the error `Unable to connect to camunda-zeebe-gateway:26500`.
Also, when we navigate to /tasklist or /operate, we get no permissions to view tasklist / operate respectively. How do groups & users from Azure AD get populated into Identity postgres, so permissions, roles, groups, etc are auto-setup, or is that not possible?
We followed every step as described in this link
https://docs.camunda.io/docs/self-managed/setup/guides/connect-to-an-oidc-provider/
In addition to the Helm chart sample for Entra ID, we added the following to make sure there is a Postgres database for Camunda Identity.
# Identity needs its own database once Keycloak (and its bundled DB) is switched off.
identityPostgresql:
  enabled: true

# Keycloak is replaced by the external OIDC provider (Entra ID), so it is not deployed.
identityKeycloak:
  enabled: false
We had to comment out web-modeler, because we were experiencing errors:
* Deployment.apps "camunda-web-modeler-restapi" is invalid: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*')
Here is the entire values.yaml
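# Camunda 8.6 Helm values: Identity backed by Microsoft Entra ID (OIDC), Keycloak disabled.
# The tenant id, client ids, secrets and hostnames below are the redacted sample
# values from the original post, not real credentials.
global:
  identity:
    auth:
      enabled: true
      # Entra ID v2.0 endpoints; all of them are derived from the same tenant id.
      issuer: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0"
      # this is used for container to container communication
      issuerBackendUrl: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0"
      # OAuth token endpoint: the value every client-credentials caller must use
      # as its authorization server URL (see the connectors env block below).
      tokenUrl: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/oauth2/v2.0/token"
      jwksUrl: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/discovery/v2.0/keys"
      type: "MICROSOFT"
      publicIssuerUrl: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0"
      identity:
        clientId: "identity-client-id"
        # NOTE(review): existingSecret is used both as a literal and as a Secret name
        # in different chart versions — confirm which form this chart expects.
        existingSecret: "identity-secret"
        audience: "identity-client-id"
        # audience: "camunda-identity-resource-server"
        initialClaimName: "oid" # default value
        initialClaimValue: "kshdks987-23874623h" # Object ID for my profile in Entra ID
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/auth/login-callback"
      operate:
        clientId: "jhgads-ejhgd7863-kjsb"
        audience: "jhgads-ejhgd7863-kjsb"
        # audience: "operate-api"
        existingSecret: "hello-there-where-are-ytou"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/identity-callback"
      tasklist:
        clientId: "hakjdh-ajgad7864rjghsj-sdjhk8"
        audience: "hakjdh-ajgad7864rjghsj-sdjhk8"
        # audience: "tasklist-api"
        existingSecret: "skjhdk-sfdgsdhj-sdkjfhs9kjh-sdjgf"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/identity-callback"
      optimize:
        clientId: "7ksjh-siusd98kjshf-sdkfjg67-skjfb"
        audience: "7ksjh-siusd98kjshf-sdkfjg67-skjfb"
        # audience: "optimize-api"
        existingSecret: "kshjdf-sukh76234ksjhfs98e-0sdkjh87sshdk"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/api/authentication/callback"
      zeebe:
        clientId: "sdjh908348jshc9348ksj-isdh"
        audience: "sdjh908348jshc9348ksj-isdh"
        # audience: "zeebe-api"
        existingSecret: "ksjfdh-jsgdf765jghgsfd-sdjgsd765343-sjhbdfsjb"
        # Entra ID client-credentials flow: scope is "<app id>/.default".
        tokenScope: "sdjh908348jshc9348ksj-isdh/.default"
      # Web Modeler is commented out until its restapi Secret reference is resolved.
      # webModeler:
      #   clientId: "sfkhk-sdkbjf87sdkhjf-sdjhf786ihk"
      #   existingSecret: "skdhj-dskjh8743kjsf-sdkjbcg65r23ejhsdc"
      #   clientApiAudience: "web-modeler-api"
      #   publicApiAudience: "web-modeler-public-api"
      #   redirectUrl: "https://camunda-workflow-dev.abcdefg.com/modeler"
      console:
        clientId: "skdhfj-sdfkjnh7864kjhsf-sdkjb876khdj"
        audience: "skdhfj-sdfkjnh7864kjhsf-sdkjb876khdj"
        existingSecret: "kjhsd-dksh78634kjsfc-sdfkjb87634js-"
        # audience: "console-api"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/console"
      connectors:
        clientId: "skdjhkf-fkdshj7843-sdkjhc98"
        existingSecret: "fhij-sdlkfj98-sdlkfhk89437kjsf-dksjbfk"

# webModeler:
#   nodeSelector:
#     cloud.google.com/gke-nodepool: camunda-nodepool
#   enabled: true
#   image:
#     pullSecrets:
#       - name: registry-camunda-cloud
#   contextPath: "/modeler"
#   fullURL: "https://camunda-workflow-dev.abcdefg.com/modeler"
#   replicas: 1
#   service:
#     annotations:
#       cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
#       cloud.google.com/backend-config: '{"default": "camunda-hc-modeler"}' # Attach the backend config to the service
#   postgresql:
#     enabled: true
#   restapi:
#     mail:
#       smtpHost: "smtp.makethemrave.dev"
#       smtpPort: 587
#       smtpUser: "user"
#       smtpPassword: "secret"
#       # Email address to be displayed as sender of emails from Web Modeler
#       fromAddress: "no-reply@makethemrave.dev"

console:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/console"
  fullURL: "https://camunda-workflow-dev.abcdefg.com/console"
  enabled: true
  replicas: 1
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-console"}' # Attach the backend config to the service

identity:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/identity"
  fullURL: "https://camunda-workflow-dev.abcdefg.com/identity"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-identity"}' # Attach the backend config to the service

# Identity needs its own database once Keycloak (and its bundled DB) is disabled.
identityPostgresql:
  enabled: true

operate:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/operate"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-operate"}' # Attach the backend config to the service

tasklist:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/tasklist"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-tasklist"}' # Attach the backend config to the service

optimize:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/optimize"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created

# Disable keycloak
identityKeycloak:
  enabled: false

connectors:
  enabled: true
  # NOTE(review): these entries hand-duplicate settings the chart also derives from
  # global.identity.auth.* (here with the *zeebe* client id rather than the connectors
  # one above) — confirm the overrides are intended and do not clash with the
  # chart-rendered env of the same names.
  env:
    - name: ZEEBE_CLIENT_ID
      value: "sdjh908348jshc9348ksj-isdh"
    # Inline secret material lands in the rendered manifest and in source control;
    # prefer valueFrom.secretKeyRef pointing at a Kubernetes Secret.
    - name: ZEEBE_CLIENT_SECRET
      value: "ksjfdh-jsgdf765jghgsfd-sdjgsd765343-sjhbdfsjb"
    # The Zeebe client expects the OAuth *token* endpoint here (global.identity.auth.tokenUrl),
    # not the issuer URL; with the issuer set, token requests fail before any gateway
    # call can be authenticated, which may be what surfaces as the gateway connection error.
    - name: ZEEBE_AUTHORIZATION_SERVER_URL
      value: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/oauth2/v2.0/token"
    - name: ZEEBE_TOKEN_AUDIENCE
      value: "sdjh908348jshc9348ksj-isdh"
    - name: ZEEBE_TOKEN_SCOPE
      value: "sdjh908348jshc9348ksj-isdh/.default"
    - name: CAMUNDA_IDENTITY_TYPE
      value: "MICROSOFT"
    - name: CAMUNDA_IDENTITY_AUDIENCE
      value: "identity-client-id"
    - name: CAMUNDA_IDENTITY_CLIENT_ID
      value: "identity-client-id"
    # NOTE(review): this repeats global.identity.auth.identity.existingSecret verbatim;
    # if that field holds a Secret *name* rather than the literal client secret, this
    # value is wrong — verify, and move it to a secretKeyRef in any case.
    - name: CAMUNDA_IDENTITY_CLIENT_SECRET
      value: "identity-secret"
    - name: CAMUNDA_IDENTITY_ISSUER_BACKEND_URL
      value: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0"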