Self-managed local cluster with ingress controller does not diaplay /identity

msjo · February 15, 2024, 9:00am

Hi all. I’ve made self signed certificate and deploy nginx ingress controller with kind.
operate, optimize and tasklist displays ui but identity does not.

When I trying https://camunda-demo-ingress.committed.co.kr/identity/,
It redirect to http://localhost:8080/identity/auth/login instead of https:///camunda-demo-ingress.committed.co.kr/identity/auth/login

I found “http://localhost:8080/identity/auth/login” in the Clients Valid redirect URIs in the keycloak client ‘camunda-identity’ settings.

Where can I put the redirect url in the following yaml?

######## camunda-platform-kind-local-values.yaml
global:
  ingress:
    enabled: true
    className: nginx
    host: "camunda-demo-ingress.committed.co.kr"
    tls:
      enabled: true
      secretName: camunda-demo-ingress-tls
  identity:
    auth:
      # Disable the Identity authentication for local development
      # it will fall back to basic-auth: demo/demo as default user
      enabled: true
      publicIssuerUrl: "https://camunda-demo-ingress.committed.co.kr/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/operate"
      tasklist:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/tasklist"
      optimize:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/optimize"
      webModeler:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/modeler"

# enable identity as part of the Camunda core
identity:
  enabled: true
  contextPath: "/identity"

optimize:
  enabled: true
  contextPath: "/optimize"

operate:
  enabled: true
  contextPath: "/operate"

tasklist:
  enabled: true
  contextPath: "/tasklist"
# Reduce for Zeebe and Gateway the configured replicas and with that the required resources
# to get it running locally
zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
  pvcSize: 10Gi

zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    className: nginx
    host: "zeebe.camunda-demo-ingress.committed.co.kr"
    tls:
      enabled: true
      secretName: camunda-demo-ingress-tls

connectors:
  enabled: true
  inbound:
    mode: disabled
  env:
    - name: JAVA_OPTS
      value: "-Dlogging.level.io.camunda.zeebe.client.impl.ZeebeCallCredentials=ERROR"

elasticsearch:
  master:
    replicaCount: 1
    # Request smaller persistent volumes.
    persistence:
      size: 15Gi

msjo · February 15, 2024, 10:20am

In other words, when I issue

curl -i https://camunda-demo-ingress.committed.co.kr/identity/

The response is :

HTTP/2 302
date: Thu, 15 Feb 2024 10:19:14 GMT
content-length: 0
location: http://localhost:8080/identity/auth/login
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
set-cookie: IDENTITY_STATE=/; Path=/identity; Domain=localhost; Max-Age=600; Expires=Thu, 15 Feb 2024 10:29:14 GMT; Secure; HttpOnly
x-content-type-options: nosniff
x-xss-protection: 0
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY

msjo · February 15, 2024, 10:41am

When I issuing following, the response looks right.

curl -i https://camunda-demo-ingress.committed.co.kr/identity/auth/login

HTTP/2 302
date: Thu, 15 Feb 2024 10:40:02 GMT
content-length: 0
location: https://camunda-demo-ingress.committed.co.kr/auth/realms/camunda-platform/protocol/openid-connect/auth?client_id=camunda-identity&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fidentity%2Fauth%2Flogin-callback&response_type=code&scope=openid+email&state=
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
x-content-type-options: nosniff
x-xss-protection: 0
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY

nathan.loding · February 15, 2024, 4:08pm

Hi @msjo - I think you’re missing the fullURL value for Identity:

identity:
  fullURL: "https://camunda-demo-ingress.committed.co.kr/identity/"

Try that and let me know if the problem still persists!

(docs reference)

msjo · February 18, 2024, 3:21am

identity.fullURL works. but there are one strange issues remained.
My desktop is macOS. Safari browser worked well as I’ve registered my self signed certificate to KeyChain.app.
But when I used chrome(restarted after register the certificate to KeyChain.app), https://camunda-demo-ingress.committed.co.kr/identity/ authentication was successful but the first page of /identity/, which displays registered applications, does not appeared.

this chrome browser issue seems not be related to camunda, I could close this issue.

But I have another problem regarding zeebe client(zbctl, modeler, application) under tls enabled. I’ll raise another issue.

Thank you.

system · February 25, 2024, 3:22am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.