IAM discovery on Camunda Cloud Self Managed

As far as I know 1.2.0 is out, and it brings a new authentication backend to Operate. It is mentioned in the release notes with some IAM documentation on the official Camunda documentation site.

Operate used to only support:

  • User information in ES (not acceptable for us in production)
  • Camunda Cloud (not relevant for us, we use Camunda Cloud Self Managed)
  • LDAP (annoying, we have an SSO / OIDC stack and no LDAP)

IAM is the fourth authentication mechanism, and would also allow giving read only access to some users in Operate.

This is what we did to try and have this work:

  • Started from a working local docker-compose setup with
    • Zeebe 1.2.1
    • Operate 1.2.0
    • ES 7.12.1
  • Added IAM to the stack with its own PG database (based on the official documentation)
  • Tweaked the Operate configuration to authenticate with IAM (based on another piece of official documentation)

The docker-compose diff is basically

   operate:
     image: camunda/operate:1.2.0
+    environment:
+      - SPRING_PROFILES_ACTIVE=iam-auth
+
     ports:
       - 9080:8080
    volumes:
      - ./config/operate/application.yml:/usr/local/operate/config/application.yml
    depends_on:
      - zeebe
      - elasticsearch
+     - iam
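Review bot: the context lines from `volumes:` down to `- elasticsearch` have lost one column of indentation compared with `ports:`, so this hunk will not apply cleanly as pasted; re-copy it from `git diff`. Separately, `depends_on: - iam` only orders container start-up and does not wait for IAM to be ready, so Operate with `SPRING_PROFILES_ACTIVE=iam-auth` can come up before its issuer answers; a healthcheck on the iam service referenced via `condition: service_healthy` (Compose spec syntax) closes that gap.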
@@ -168,3 +173,34 @@ services:
       - 5432:5432
     volumes:
       - postgres_data:/var/lib/postgresql/data/
+
+  iam:
+    image: camunda/iam:latest
+    environment:
+      DEFAULT_CLIENT_CREATE: "false"
+      IAM_CLIENT_ID: operate-iam-client
+      IAM_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16
+      # For localhost usage
+      ENFORCE_HTTPS: "false"
+      FEATURE_USER_MANAGEMENT: "true"
+      DB_URL: jdbc:postgresql://postgres-iam:5432/pgiamdb
+      DB_USER: pgiamuser
+      DB_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    ports:
+      - 8080:8080
+    depends_on:
+      - postgres-iam
+
+  postgres-iam:
+    image: postgres:12.5
+    environment:
+      POSTGRES_DB: pgiamdb
+      POSTGRES_USER: pgiamuser
+      POSTGRES_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    volumes:
+      - postgres_iam_data:/var/lib/postgresql/data/
+    healthcheck:
+      test: pg_isready -d pgiamdb -U pgiamuser
+      interval: 30s
+      timeout: 15s
+      retries: 10
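Review bot: `IAM_CLIENT_SECRET` and `DB_PASSWORD` are committed as literal values, and the `IAM_CLIENT_SECRET` value is the same string the Operate application.yml in this post uses as its `clientSecret`; move both to an env file or Compose secrets so they do not land in version control. `image: camunda/iam:latest` is the only unpinned image in the stack, so pin it to a version as the other services are, otherwise a silent upgrade can change the authentication behaviour under test. The `healthcheck` on postgres-iam is defined but `depends_on: - postgres-iam` never references it, so IAM may start before Postgres accepts connections.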

And the operate configuration diff (./config/operate/application.yml):

 # Operate configuration file
 # FROM https://raw.githubusercontent.com/zeebe-io/zeebe-docker-compose/master/lib/application.yml
 
 camunda.operate:
   # ELS instance to store Operate data
   elasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
   # Zeebe instance
   zeebe:
     # Broker contact point
     brokerContactPoint: zeebe:26500
   # ELS instance to export Zeebe data to
   zeebeElasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
     # Index prefix, configured in Zeebe Elasticsearch exporter
     prefix: caseflow-zeebe-record
+  # IAM configuration
+  iam:
+    issuer: http://localhost:9080
+    issuerUrl: http://localhost:9080
+    clientId: operate-iam-client
+    clientSecret: d66eb844-0e14-4da0-939c-8794cc105e16
 logging:
   level:
     ROOT: INFO
     org.camunda.operate: DEBUG
 #Spring Boot Actuator endpoints to be exposed
 management.endpoints.web.exposure.include: health,info,conditions,configprops,prometheus
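Review bot: `issuer` and `issuerUrl` point at http://localhost:9080, which in the compose diff is the host port published by Operate itself (`9080:8080`), not by IAM (`8080:8080`); the `/api/authorize` redirect to localhost:9080 and the 401 `Full authentication is required` reported below are consistent with Operate sending the browser to its own API. Point both values at IAM's port, and keep `clientSecret` out of a file checked into the repo (an env var or Compose secret instead).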

I can correctly start my docker-compose with this configuration

docker-compose up iam postgres-iam operate

With IAM logs looking good:

iam_1                  | 2021-10-22 14:49:34.320  INFO 1 --- [           main] o.apache.catalina.core.StandardService   : Starting service [Tomcat]
iam_1                  | 2021-10-22 14:49:34.321  INFO 1 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet engine: [Apache Tomcat/9.0.44]
iam_1                  | 2021-10-22 14:49:34.327  INFO 1 --- [           main] o.a.c.c.C.[Tomcat-1].[localhost].[/]     : Initializing Spring embedded WebApplicationContext
iam_1                  | 2021-10-22 14:49:34.327  INFO 1 --- [           main] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 146 ms
iam_1                  | 2021-10-22 14:49:34.352  INFO 1 --- [           main] o.s.b.a.e.web.EndpointLinksResolver      : Exposing 3 endpoint(s) beneath base path '/actuator'
iam_1                  | 2021-10-22 14:49:34.447  INFO 1 --- [           main] o.s.b.w.embedded.tomcat.TomcatWebServer  : Tomcat started on port(s): 8081 (http) with context path ''
iam_1                  | 2021-10-22 14:49:34.502  INFO 1 --- [           main] io.camunda.iam.IamApplicationKt          : Started IamApplicationKt in 27.945 seconds (JVM running for 29.378)

And operate logs showing that it is activating the IAM backend

operate_1              | 2021-10-22 14:49:12.220  INFO 8 --- [           main] i.c.o.Application                        : Starting Application using Java 11.0.12 on d1691fd254ce with PID 8 (/usr/local/operate/lib/operate-webapp-1.2.0-exec.jar started by root in /usr/local/operate)
operate_1              | 2021-10-22 14:49:12.244  INFO 8 --- [           main] i.c.o.Application                        : The following profiles are active: iam-auth
[...]
operate_1              | 2021-10-22 14:49:41.451  INFO 8 --- [           main] o.a.c.h.Http11NioProtocol                : Starting ProtocolHandler ["http-nio-8080"]
operate_1              | 2021-10-22 14:49:41.472  INFO 8 --- [           main] o.s.b.w.e.t.TomcatWebServer              : Tomcat started on port(s): 8080 (http) with context path ''
operate_1              | 2021-10-22 14:49:42.497  INFO 8 --- [           main] i.c.o.Application                        : Started Application in 32.237 seconds (JVM running for 36.304)
operate_1              | 2021-10-22 14:49:42.510  INFO 8 --- [           main] i.c.o.s.m.SchemaMigration                : SchemaMigration finished.

Now, I can’t quite understand what I need to do next.

Opening a browser at http://localhost:9080 (Operate URL) redirects to http://localhost:9080/api/authorize?client_id=operate-iam-client&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fiam-callback&response_type=code&scope=

This fails with a 401 and an error message

{"message":"Full authentication is required to access this resource"}

Did anyone get IAM to work with a Self Managed setup?

Wow, you already tested it. I planned to do it also.

If I look at your docker-compose, I see something wrong with the port mapping. Operate should point to the IAM API.
issuer: http://localhost:9080
issuerUrl: http://localhost:9080

Try issuer: http://iam:8080
issuerUrl: http://iam:8080

Tried to set it up and failed too.
I see the DB is created and there is a default user demo.
But if I try to log in with demo/demo, I get:

2021-10-23 10:02:20.793  WARN 1 --- [nio-8080-exec-4] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]

And a 405 error

Hello @MaximMonin

Thanks for also looking into this. :smile:

You’re right that the port was wrong (doh) in the issuerUrl configuration. However, I think that this URL should point at http://localhost:8080 because there seem to be some front-end redirections, so this should not try to access the Docker-internal DNS name iam.

And that seems to be a correct hunch:

I think we are on the right track, but it seems that we are missing some kind of role / permission for Operate… All permissions in the IAM UI are relevant only to IAM.

Hi @ajeans and @MaximMonin,

I am the Engineering Manager for the team that takes care of Operate.

The issuerUrl should point to your iam actually.
About the permissions issue, we found an issue on it and we are updating the docs and releasing a fix for it (1.2.1).

I can let you know here as soon as it is public.

Thanks for raising those up!


Okay… Version 1.2.1 is published and we just updated the docs for the permissions.

Can you check (add iam permissions) and let me know how it goes?
Glad to support you on your tests.

Thanks

I am using docker images, and cannot see any updates on dockerhub

Hi,
the fix is in docker image: camunda/operate:1.2.1
Can you please try again?

I was initially trying with Operate 1.2.1 and IAM 1.2.1 a few days ago

OK let’s recap:

Changes since my first question:

  • Used Operate 1.2.1 rather than 1.2.0
  • Changed the issuerUrl to point at the mapped port to IAM (localhost:8080).
    • On the assumption that the redirect is done by the front end
    • If changed to the internal DNS address (iam:8080), the browser simply gets an unknown DNS error when logging in

Status:

  • Getting a log error on Operate
operate_1              | 2021-10-25 09:51:07.386 ERROR 9 --- [nio-8080-exec-3] i.c.o.w.s.i.IAMController                : Error in authentication callback: 
operate_1              | 
operate_1              | io.camunda.iam.sdk.rest.exception.RestException: request to IAM API failed with status code '302' and body ''
operate_1              | 	at io.camunda.iam.sdk.RestClient.send(RestClient.java:112) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]
operate_1              | 	at io.camunda.iam.sdk.RestClient.request(RestClient.java:92) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]
operate_1              | 	at io.camunda.iam.sdk.Authentication.exchangeAuthCode(Authentication.java:110) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]

Question

  • @Luiz_Santana I looked at the updated documentation, but AFAICT, default user “John Doe” (demo/demo) is attached to role “FULL ACCESS” which has both write:* and read:* permissions

  • Is this supposed to work with docker and a bridged network? Is issuerUrl a single URL to both the front location and the back location?

Docker compose

   ### Zeebe ecosystem
   # Config from flowing retail (no hazelcast-exporter, hence no simple-monitor)
   zeebe:
     image: camunda/zeebe:1.2.1
     environment:
       - ZEEBE_LOG_LEVEL=debug
     ports:
       - 26500:26500
       - 9600:9600
     volumes:
       - zeebe_data:/usr/local/zeebe/data
       - ./config/zeebe/application.yml:/usr/local/zeebe/config/application.yaml
     depends_on:
       - elasticsearch
 
   # Requires a licence to use in production
   operate:
     image: camunda/operate:1.2.0
+    environment:
+      - SPRING_PROFILES_ACTIVE=iam-auth
+
     ports:
       - 9080:8080
     volumes:
       - ./config/operate/application.yml:/usr/local/operate/config/application.yml
     depends_on:
       - zeebe
       - elasticsearch
+      - iam
 
   ### ES ecosystem
   elasticsearch:
     image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
     ports:
       - 9200:9200
     environment:
       - discovery.type=single-node
       - cluster.name=elasticsearch
       - "ES_JAVA_OPTS=-Xms750m -Xmx750m"
     volumes:
       - zeebe_elasticsearch_data:/usr/share/elasticsearch/data
 
   kibana:
     image: docker.elastic.co/kibana/kibana:7.12.1
     ports:
       - 5601:5601
     depends_on:
       - elasticsearch
 
   postgres:
     image: postgres:12.5
     environment:
       POSTGRES_DB: casedb
       POSTGRES_USER: demo
       POSTGRES_PASSWORD: demo
     ports:
       - 5432:5432
     volumes:
       - postgres_data:/var/lib/postgresql/data/
+
+  iam:
+    image: camunda/iam:latest
+    environment:
+      DEFAULT_CLIENT_CREATE: "false"
+      IAM_CLIENT_ID: operate-iam-client
+      IAM_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16
+      # For localhost usage
+      ENFORCE_HTTPS: "false"
+      FEATURE_USER_MANAGEMENT: "true"
+      DB_URL: jdbc:postgresql://postgres-iam:5432/pgiamdb
+      DB_USER: pgiamuser
+      DB_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    ports:
+      - 8080:8080
+    depends_on:
+      - postgres-iam
+
+  postgres-iam:
+    image: postgres:12.5
+    environment:
+      POSTGRES_DB: pgiamdb
+      POSTGRES_USER: pgiamuser
+      POSTGRES_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    volumes:
+      - postgres_iam_data:/var/lib/postgresql/data/
+    healthcheck:
+      test: pg_isready -d pgiamdb -U pgiamuser
+      interval: 30s
+      timeout: 15s
+      retries: 10
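Review bot: the recap above says Operate was moved to 1.2.1, but this compose still reads `image: camunda/operate:1.2.0`; either the file was pasted from before that change or the stack under test is still on 1.2.0, which matters because the permissions fix announced earlier is only in 1.2.1. The earlier remarks on `camunda/iam:latest` and the literal `IAM_CLIENT_SECRET` / `DB_PASSWORD` values still apply here.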

Operate configuration changes

 # Operate configuration file
 # FROM https://raw.githubusercontent.com/zeebe-io/zeebe-docker-compose/master/lib/application.yml
 
 camunda.operate:
   # ELS instance to store Operate data
   elasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
   # Zeebe instance
   zeebe:
     # Broker contact point
     brokerContactPoint: zeebe:26500
   # ELS instance to export Zeebe data to
   zeebeElasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
     # Index prefix, configured in Zeebe Elasticsearch exporter
     prefix: caseflow-zeebe-record
+  # IAM configuration
+  iam:
+    issuer: http://localhost:9080
+    issuerUrl: http://localhost:9080
+    clientId: operate-iam-client
+    clientSecret: d66eb844-0e14-4da0-939c-8794cc105e16
 logging:
   level:
     ROOT: INFO
     org.camunda.operate: DEBUG
 #Spring Boot Actuator endpoints to be exposed
 management.endpoints.web.exposure.include: health,info,conditions,configprops,prometheus
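Review bot: `issuerUrl: http://localhost:9080` contradicts the recap's second bullet (changed to localhost:8080); as posted, both values still name the host port published by Operate rather than IAM. Re-paste the file actually in use so the `RestException ... status code '302'` above can be matched against the real configuration.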

@ajeans The FULL ACCESS role just gives read:* and write:* access to IAM itself. You have to create permissions for Operate under the Permissions tab, where there is a drop-down to select which application you are creating the permission for.
Then add this new permission (read:* for Operate) to the role you want.

@Luiz_Santana Thanks that makes more sense.

Unfortunately, on a completely pristine install, I get a nasty error when clicking on “Add” in the Permissions tab.

Under Firefox

Under Chromium

Does that ring a bell?

@ajeans

Your client configuration is wrong; it looks like there is something missing in the docs. Instead of these three lines

You should add the following variables to the docker-compose configuration of iam

      CLIENTS_0_BASE_URL: http://localhost:9080/
      CLIENTS_0_CLIENT_ID: operate-iam-client
      CLIENTS_0_LOGOUT_URL: http://localhost:9080/api/logout
      CLIENTS_0_NAME: Operate
      CLIENTS_0_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16

Let me know if it fixes your problem

Hello @dlavrenuek

Well now IAM doesn’t start at all :sweat:

iam_1                  | Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
iam_1                  | 2021-10-25 12:47:17.826 ERROR 1 --- [           main] o.s.boot.SpringApplication               : Application run failed
iam_1                  | 
iam_1                  | org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'permissionsInitializer' defined in URL [jar:file:/app/iam.jar!/BOOT-INF/classes!/io/camunda/iam/init/permission/PermissionsInitializer.class]: Unexpected exception during bean creation; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'IAM_CLIENT_SECRET' in value "${IAM_CLIENT_SECRET}"
iam_1                  | 	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:537)
iam_1                  | 	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335)
iam_1                  | 	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
iam_1                  | 	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333)

Looks like IAM_CLIENT_ID really is required.

@ajeans

Actually IAM_CLIENT_SECRET is required, I missed that one. It can be any 32-character string as stated in the docs. This could be a random UUID like

IAM_CLIENT_SECRET: f66eb844-0e14-4da0-939c-9794cc105e1a

@dlavrenuek

Thanks, adding this config key makes IAM start correctly, and I can now declare an Operate read permission and assign it to FULL ACCESS.

However, I still cannot log in to Operate

operate_1              | 2021-10-25 13:18:01.861  WARN 7 --- [nio-8080-exec-8] i.c.o.w.ForwardErrorController           : Requested path /api/token, but not authenticated. Redirect to  /api/login 
operate_1              | 2021-10-25 13:18:01.864  WARN 7 --- [nio-8080-exec-6] i.c.o.u.RetryOperation                   : request to IAM API failed with status code '302' and body ''
operate_1              | 2021-10-25 13:18:01.864 ERROR 7 --- [nio-8080-exec-6] i.c.o.w.s.i.IAMController                : Error in authentication callback: 
operate_1              | 
operate_1              | io.camunda.iam.sdk.rest.exception.RestException: request to IAM API failed with status code '302' and body ''
operate_1              | 	at io.camunda.iam.sdk.RestClient.send(RestClient.java:112) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]
operate_1              | 	at io.camunda.iam.sdk.RestClient.request(RestClient.java:92) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]
operate_1              | 	at io.camunda.iam.sdk.Authentication.exchangeAuthCode(Authentication.java:110) ~[camunda-cloud-iam-sdk-1.2.1.jar!/:?]
operate_1              | 	at io.camunda.operate.webapp.security.iam.IAMAuthentication.lambda$retrieveTokens$0(IAMAuthentication.java:141) ~[classes!/:?]
operate_1              | 	at io.camunda.operate.util.RetryOperation.retry(RetryOperation.java:117) ~[operate-common-1.2.1.jar!/:?]

And I get the infamous “No permission for Operate - Please check your operate configuration or cloud configuration.” in my browser on http://localhost:9080

Can you try with the issuerUrl pointing to IAM please?
I guess localhost:8080 on your case

Thanks

@ajeans

Now I see that the local Docker setup requires some additional steps. Due to the nature of how OAuth2 works, the authentication flow requires IAM to be accessible both in the browser and for backend-to-backend communication. When Operate tries to call http://localhost:8080/xxx it will connect to Operate instead of the IAM container. The easiest solution that I know of is to use a local domain so that Docker uses your machine's DNS resolution.

First, add an entry to your /etc/hosts (from your screenshots I assume that you run Linux). Replace your_network_ip with your local network IP; it could be something like 192.168.x.x, not 127.0.0.1

your_network_ip iam.localhost

Then adjust the iam part of the Operate configuration as follows:

  issuer: http://iam.localhost:8080/
  issuerUrl: http://iam.localhost:8080/

And finally add the following env variables to the iam container in docker-compose

  IAM_CLIENT_BASE_URL: http://iam.localhost:8080
  BACKEND_URL: http://iam.localhost:8080/api

The configuration is easier when the applications are accessible at real domains.
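To make the two-sided reachability argument above concrete, here is an added check (my own illustration, not Camunda's or any poster's code) that evaluates an issuer URL against the thread's port mappings from both the browser's and the Operate container's point of view. The compose port table is constructed to mirror the thread's setup, and `shared_names` is an assumed parameter standing in for a hostname made resolvable on both sides, as with the /etc/hosts entry suggested above.

```python
from urllib.parse import urlparse

# Constructed to mirror the thread's docker-compose: service name -> "host:container"
# port publications. Only the published ports matter for this check.
COMPOSE_PORTS = {
    "operate": ["9080:8080"],
    "iam": ["8080:8080"],
    "elasticsearch": ["9200:9200"],
}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def port_publisher(compose_ports, host_port):
    """Return (service, container_port) for the service publishing host_port, else None."""
    for service, mappings in compose_ports.items():
        for mapping in mappings:
            host_part, _, container_part = str(mapping).partition(":")
            if host_part == str(host_port):
                return service, int(container_part)
    return None


def check_issuer(issuer_url, compose_ports=COMPOSE_PORTS, caller="operate", idp="iam",
                 shared_names=()):
    """Evaluate issuer_url from the two places the authorization-code flow uses it.

    The browser is redirected to the issuer for login and only sees ports published on
    the Docker host; the caller container later exchanges the code over the Docker
    network, where service names resolve but 'localhost' is the caller itself.
    shared_names (assumption): hostnames that resolve to the Docker host both on the
    host and inside containers, e.g. the /etc/hosts entry suggested in the thread.
    Returns a list of (side, problem) tuples; an empty list means both sides reach idp.
    """
    u = urlparse(issuer_url)
    host = u.hostname
    port = u.port or (443 if u.scheme == "https" else 80)
    findings = []

    if host in LOOPBACK:
        # Backend: loopback inside the caller container is the caller's own listener,
        # so the token exchange never reaches the identity provider.
        findings.append(("backend", f"{host}:{port} inside '{caller}' is '{caller}' itself, not '{idp}'"))
        # Browser: loopback on the host reaches whichever service publishes that port.
        pub = port_publisher(compose_ports, port)
        if pub is None:
            findings.append(("browser", f"no service publishes host port {port}"))
        elif pub[0] != idp:
            findings.append(("browser", f"host port {port} is published by '{pub[0]}', not '{idp}'"))
    elif host in compose_ports:
        # Backend: a compose service name resolves on the Docker network.
        if host != idp:
            findings.append(("backend", f"service '{host}' is not '{idp}'"))
        # Browser: the host machine has no DNS entry for compose service names.
        findings.append(("browser", f"'{host}' is a Docker service name and does not resolve outside the network"))
    else:
        # Any other name: both sides go through the port published on the Docker host.
        pub = port_publisher(compose_ports, port)
        if pub is None or pub[0] != idp:
            who = "nothing" if pub is None else f"'{pub[0]}'"
            findings.append(("both", f"host port {port} is published by {who}, not '{idp}'"))
        if host not in shared_names:
            findings.append(("backend", f"'{host}' is not a compose service and must also resolve inside '{caller}'"))
    return findings


if __name__ == "__main__":
    # The four issuer values tried in the thread, in order.
    for url in ("http://localhost:9080", "http://localhost:8080", "http://iam:8080"):
        print(url, check_issuer(url))
    print("http://iam.localhost:8080", check_issuer("http://iam.localhost:8080", shared_names=("iam.localhost",)))
```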

@Luiz_Santana Sorry, my message above still said 9080, but I am actually on 8080. Not sure how I messed up the diff :sweat:

@dlavrenuek thanks for the steps

With those changes done, I did:

This seems to be due to a redirection still going to http://localhost:8080

  • First HTTP Call to authorize does http://iam.localhost:8080/api/authorize?client_id=operate-iam-client&redirect_uri=http://localhost:9080/iam-callback&response_type=code&scope=
  • Next HTTP call to login does http://localhost:8080/login?client_id=operate-iam-client&success_url=http://iam.localhost:8080/api/authorize?client_id=operate-iam-client&redirect_uri=http%3A%2F%2Flocalhost%3A9080%2Fiam-callback&response_type=code&scope=

I have no idea where this localhost:8080 comes from; my configuration is below

[...]
   # Requires a licence to use in production
   operate:
-    image: camunda/operate:1.2.0
+    image: camunda/operate:1.2.1
+    environment:
+      - SPRING_PROFILES_ACTIVE=iam-auth
+
     ports:
       - 9080:8080
     volumes:
       - ./config/operate/application.yml:/usr/local/operate/config/application.yml
     depends_on:
       - zeebe
       - elasticsearch
+      - iam
 
   ### ES ecosystem
   elasticsearch:
     image: docker.elastic.co/elasticsearch/elasticsearch:7.12.1
     ports:
       - 9200:9200
     environment:
       - discovery.type=single-node
       - cluster.name=elasticsearch
       - "ES_JAVA_OPTS=-Xms750m -Xmx750m"
     volumes:
       - zeebe_elasticsearch_data:/usr/share/elasticsearch/data
 
   kibana:
     image: docker.elastic.co/kibana/kibana:7.12.1
     ports:
       - 5601:5601
     depends_on:
       - elasticsearch
 
   postgres:
     image: postgres:12.5
     environment:
       POSTGRES_DB: casedb
       POSTGRES_USER: demo
       POSTGRES_PASSWORD: demo
     ports:
       - 5432:5432
     volumes:
       - postgres_data:/var/lib/postgresql/data/
+
+  iam:
+    image: camunda/iam:latest
+    environment:
+      IAM_CLIENT_BASE_URL: http://iam.localhost:8080
+      BACKEND_URL: http://iam.localhost:8080/api
+      IAM_CLIENT_SECRET: 43cc9055-e396-4274-b2ed-c8154fc3be4e
+      CLIENTS_0_BASE_URL: http://localhost:9080/
+      CLIENTS_0_CLIENT_ID: operate-iam-client
+      CLIENTS_0_LOGOUT_URL: http://localhost:9080/api/logout
+      CLIENTS_0_NAME: Operate
+      CLIENTS_0_CLIENT_SECRET: d66eb844-0e14-4da0-939c-8794cc105e16
+      # For localhost usage
+      ENFORCE_HTTPS: "false"
+      FEATURE_USER_MANAGEMENT: "true"
+      DB_URL: jdbc:postgresql://postgres-iam:5432/pgiamdb
+      DB_USER: pgiamuser
+      DB_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    ports:
+      - 8080:8080
+    depends_on:
+      - postgres-iam
+
+  postgres-iam:
+    image: postgres:12.5
+    environment:
+      POSTGRES_DB: pgiamdb
+      POSTGRES_USER: pgiamuser
+      POSTGRES_PASSWORD: e10b1d4a-9e77-43ed-82ba-293880d6481b
+    volumes:
+      - postgres_iam_data:/var/lib/postgresql/data/
+    healthcheck:
+      test: pg_isready -d pgiamdb -U pgiamuser
+      interval: 30s
+      timeout: 15s
+      retries: 10
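Review bot: `IAM_CLIENT_BASE_URL` and `BACKEND_URL` use iam.localhost:8080 while `CLIENTS_0_BASE_URL` and `CLIENTS_0_LOGOUT_URL` use localhost:9080, so one login bounces the browser between two hostnames; the `/login?...` redirect to localhost:8080 reported above matches neither value, which suggests the IAM front-end location is falling back to a default because nothing here sets it. The 1.2.2 configuration later in the thread sets `FRONTEND_URL` explicitly next to `BACKEND_URL`; worth trying that here. On the plus side `IAM_CLIENT_SECRET` and `CLIENTS_0_CLIENT_SECRET` are now distinct values, though both are still literals in the compose file alongside `DB_PASSWORD`.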

--- a/config/operate/application.yml
+++ b/config/operate/application.yml
@@ -1,32 +1,38 @@
 # Operate configuration file
 # FROM https://raw.githubusercontent.com/zeebe-io/zeebe-docker-compose/master/lib/application.yml
 
 camunda.operate:
   # ELS instance to store Operate data
   elasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
   # Zeebe instance
   zeebe:
     # Broker contact point
     brokerContactPoint: zeebe:26500
   # ELS instance to export Zeebe data to
   zeebeElasticsearch:
     # Cluster name
     clusterName: elasticsearch
     # Host
     host: elasticsearch
     # Transport port
     port: 9200
     # Index prefix, configured in Zeebe Elasticsearch exporter
     prefix: caseflow-zeebe-record
+  # IAM configuration
+  iam:
+    issuer: http://iam.localhost:8080
+    issuerUrl: http://iam.localhost:8080
+    clientId: operate-iam-client
+    clientSecret: d66eb844-0e14-4da0-939c-8794cc105e16
 logging:
   level:
     ROOT: INFO
     org.camunda.operate: DEBUG
 #Spring Boot Actuator endpoints to be exposed
 management.endpoints.web.exposure.include: health,info,conditions,configprops,prometheus

IMHO, it would be nice to be able to configure different locations for browser access and backend access. Some of us doing k8s will want traffic between operate and IAM to be internal to the cluster, and not go through the ingress.

OK, I set up 1.2.2 everywhere:
The IAM UI now works OK:

  iam:
    image: camunda/iam:1.2.2
    container_name: zeebe-cluster-iam-$ENVIRONMENT
    restart: always
    depends_on:
      - iam-db
    ports:
      - "$IAM_PORT:8080"
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.12
    volumes:
      - ./cfg/iam.yml:/app/application.yml:ro
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Operate
      - CLIENTS_0_BASE_URL=$IAM_HOST:2700/zeebe/operate
      - CLIENTS_0_CLIENT_ID=operate
      - CLIENTS_0_LOGOUT_URL=$IAM_HOST:2700/zeebe/operate/api/logout
      - CLIENTS_0_NAME=Operate
      - CLIENTS_0_CLIENT_SECRET=$IAM_CLIENT_SECRET
      # TaskList
      - CLIENTS_1_BASE_URL=$IAM_HOST:2700/zeebe/tasklist
      - CLIENTS_1_CLIENT_ID=tasklist
      - CLIENTS_1_LOGOUT_URL=$IAM_HOST:2700/zeebe/tasklist/api/logout
      - CLIENTS_1_NAME=Tasklist
      - CLIENTS_1_CLIENT_SECRET=$IAM_CLIENT_SECRET
      # IAM UI
      - IAM_CLIENT_SECRET=$IAM_CLIENT_SECRET
      - IAM_CLIENT_BASE_URL=$IAM_HOST:2729
      # IAM
      - ENFORCE_HTTPS=true
      - FRONTEND_URL=$IAM_HOST:2729
      - BACKEND_URL=$IAM_HOST:2729/api
      - FEATURE_USER_MANAGEMENT=true
      - DB_URL=jdbc:postgresql://iam-db:5432/iam
      - DB_USER=zeebe
      - DB_PASSWORD=zeebe

  iam-db:
    image: postgres:14.0
    restart: always
    container_name: zeebe-cluster-iamdb-$ENVIRONMENT
    expose:
      - 5432
    networks:
      zeebe_network:
        ipv4_address: $CLUSTER_NETWORK.13
    volumes:
      - ./db/iam:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_DB=iam
      - POSTGRES_USER=zeebe
      - POSTGRES_PASSWORD=zeebe
    healthcheck:
        test: pg_isready -d iam -U zeebe
        interval: 30s
        timeout: 15s
        retries: 5

I see 3 clients auto-created in the DB and permissions set up for the IAM UI client
I added to all clients:

So IAM is working OK on https://myserver:2729

I am trying to log in to Operate and getting:

I see http instead of https

I manually change http to https: