Ingress-nginx on GKE unable to get /auth on SSL

Hello Camunda,
We are using ingress-nginx in a GKE cluster. We used the following camunda-ingress.yaml:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: camunda-ingress
spec:
  tls:
    - hosts:
      - dev-camunda.abcdefg.dev
      secretName: tls-secret
  ingressClassName: nginx
  rules:
    - host: dev-camunda.abcdefg.dev
      http:
        paths:
        - path: /operate
          pathType: Prefix
          backend:
            # This assumes http-svc exists and routes to healthy endpoints
            service:
              name: camunda-operate
              port:
                number: 80
        - path: /tasklist
          pathType: Prefix
          backend:
            # This assumes http-svc exists and routes to healthy endpoints
            service:
              name: camunda-tasklist
              port:
                number: 80
        - path: /optimize
          pathType: Prefix
          backend:
            # This assumes http-svc exists and routes to healthy endpoints
            service:
              name: camunda-optimize
              port:
                number: 80
        # - path: /auth
        #   pathType: Prefix
        #   backend:
        #     # This assumes http-svc exists and routes to healthy endpoints
        #     service:
        #       name: camunda-keycloak
        #       port:
        #         number: 80

As you can see, the /auth endpoint is commented out. The reason is that if we include it in our ingress, we get the following error:

Error: INSTALLATION FAILED: 1 error occurred:
	* admission webhook "validate.nginx.ingress.kubernetes.io" denied the request: 
-------------------------------------------------------------------------------
Error: exit status 1
2024/11/13 04:12:09 [emerg] 2469#2469: duplicate location "/auth/" in /tmp/nginx/nginx-cfg90617931:1382
nginx: [emerg] duplicate location "/auth/" in /tmp/nginx/nginx-cfg90617931:1382
nginx: configuration file /tmp/nginx/nginx-cfg90617931 test failed
-------------------------------------------------------------------------------

However, now that we don’t add the ingress for /auth using HTTPS, we are unable to enable TLS that terminates at the nginx-controller. And because Keycloak requires HTTPS, we cannot proceed.

What might we be missing? Any insight would be appreciated. Here is the camunda-values.yaml we used. I presume we don’t need SSL for zeebe-dev-camunda.abcdefg.dev.

global:
  identity:
    auth:
      publicIssuerUrl: "https://dev-camunda.abcdefg.dev/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://dev-camunda.abcdefg.dev/operate"
      tasklist:
        redirectUrl: "https://dev-camunda.abcdefg.dev/tasklist"
      optimize:
        redirectUrl: "https://dev-camunda.abcdefg.dev/optimize"
  ingress:
    enabled: true
    className: nginx
    host: "dev-camunda.abcdefg.dev"

operate:
  contextPath: "/operate"

tasklist:
  contextPath: "/tasklist"

optimize:
  contextPath: "/optimize"

zeebeGateway:
  ingress:
    enabled: true
    className: nginx
    host: "zeebe-dev-camunda.abcdefg.dev"
