Self-managed local cluster with ingress controller does not display /identity

Hi all. I’ve made a self-signed certificate and deployed the nginx ingress controller with kind.
Operate, Optimize and Tasklist display the UI but Identity does not.

When I try https://camunda-demo-ingress.committed.co.kr/identity/,
it redirects to http://localhost:8080/identity/auth/login instead of https://camunda-demo-ingress.committed.co.kr/identity/auth/login

I found “http://localhost:8080/identity/auth/login” in the Clients Valid redirect URIs in the keycloak client ‘camunda-identity’ settings.

Where can I put the redirect url in the following yaml?

######## camunda-platform-kind-local-values.yaml
global:
  ingress:
    enabled: true
    className: nginx
    host: "camunda-demo-ingress.committed.co.kr"
    tls:
      enabled: true
      secretName: camunda-demo-ingress-tls
  identity:
    auth:
      # Disable the Identity authentication for local development
      # it will fall back to basic-auth: demo/demo as default user
      enabled: true
      publicIssuerUrl: "https://camunda-demo-ingress.committed.co.kr/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/operate"
      tasklist:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/tasklist"
      optimize:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/optimize"
      webModeler:
        redirectUrl: "https://camunda-demo-ingress.committed.co.kr/modeler"

# enable identity as part of the Camunda core
identity:
  enabled: true
  contextPath: "/identity"

optimize:
  enabled: true
  contextPath: "/optimize"

operate:
  enabled: true
  contextPath: "/operate"

tasklist:
  enabled: true
  contextPath: "/tasklist"
# Reduce for Zeebe and Gateway the configured replicas and with that the required resources
# to get it running locally
zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
  pvcSize: 10Gi

zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    className: nginx
    host: "zeebe.camunda-demo-ingress.committed.co.kr"
    tls:
      enabled: true
      secretName: camunda-demo-ingress-tls

connectors:
  enabled: true
  inbound:
    mode: disabled
  env:
    - name: JAVA_OPTS
      value: "-Dlogging.level.io.camunda.zeebe.client.impl.ZeebeCallCredentials=ERROR"

elasticsearch:
  master:
    replicaCount: 1
    # Request smaller persistent volumes.
    persistence:
      size: 15Gi

In other words, when I issue

curl -i https://camunda-demo-ingress.committed.co.kr/identity/

The response is:

HTTP/2 302
date: Thu, 15 Feb 2024 10:19:14 GMT
content-length: 0
location: http://localhost:8080/identity/auth/login
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
set-cookie: IDENTITY_STATE=/; Path=/identity; Domain=localhost; Max-Age=600; Expires=Thu, 15 Feb 2024 10:29:14 GMT; Secure; HttpOnly
x-content-type-options: nosniff
x-xss-protection: 0
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY

When I issue the following, the response looks right.

curl -i https://camunda-demo-ingress.committed.co.kr/identity/auth/login

HTTP/2 302
date: Thu, 15 Feb 2024 10:40:02 GMT
content-length: 0
location: https://camunda-demo-ingress.committed.co.kr/auth/realms/camunda-platform/protocol/openid-connect/auth?client_id=camunda-identity&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fidentity%2Fauth%2Flogin-callback&response_type=code&scope=openid+email&state=
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
x-content-type-options: nosniff
x-xss-protection: 0
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY

Hi @msjo - I think you’re missing the fullURL value for Identity:

identity:
  fullURL: "https://camunda-demo-ingress.committed.co.kr/identity/"

Try that and let me know if the problem still persists!

(docs reference)
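
The two curl responses above show the symptom in three places: the Location header, the redirect_uri inside the Keycloak authorization URL, and the cookie Domain. As an added example (not part of the original thread or Camunda's own tooling), this Python check flags each of them in a `curl -i` header block; RESP_EXPECTED is a constructed sample and the function names are hypothetical.

```python
from urllib.parse import urlsplit, parse_qs

PUBLIC_HOST = "camunda-demo-ingress.committed.co.kr"  # global.ingress.host in the thread

# Headers abbreviated from the two curl responses quoted in the thread.
RESP_ROOT = """HTTP/2 302
location: http://localhost:8080/identity/auth/login
set-cookie: IDENTITY_STATE=/; Path=/identity; Domain=localhost; Max-Age=600; Secure; HttpOnly
"""
RESP_LOGIN = """HTTP/2 302
location: https://camunda-demo-ingress.committed.co.kr/auth/realms/camunda-platform/protocol/openid-connect/auth?client_id=camunda-identity&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fidentity%2Fauth%2Flogin-callback&response_type=code&scope=openid+email&state=
"""
# Constructed sample (assumption): the redirect the poster expected to see.
RESP_EXPECTED = """HTTP/2 302
location: https://camunda-demo-ingress.committed.co.kr/identity/auth/login
"""

def parse_headers(raw):
    """Return (name, value) pairs from a curl -i header block, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_url(label, url, host):
    """Flag a URL that is not https on the public ingress host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != host:
        return [f"{label} points at {parts.scheme}://{parts.netloc}, expected https://{host}"]
    return []

def audit_redirect(raw, host=PUBLIC_HOST):
    """List every place in one redirect response that still uses the wrong origin."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "location":
            findings += check_url("Location", value, host)
            # An OIDC authorization request carries the callback in redirect_uri.
            for cb in parse_qs(urlsplit(value).query).get("redirect_uri", []):
                findings += check_url("redirect_uri", cb, host)
        elif name == "set-cookie":
            for attr in value.split(";")[1:]:
                key, _, val = attr.strip().partition("=")
                if key.lower() == "domain" and val.lstrip(".").lower() != host:
                    findings.append(f"cookie Domain={val}, expected {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_redirect(RESP_ROOT) + audit_redirect(RESP_LOGIN)))
```

The second response is the one that looks correct at a glance: its Location is on the public host, and only the decoded redirect_uri reveals the localhost callback.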

identity.fullURL works, but there is one strange issue remaining.
My desktop is macOS. The Safari browser worked well as I’ve registered my self-signed certificate to KeyChain.app.
But when I used Chrome (restarted after registering the certificate to KeyChain.app), https://camunda-demo-ingress.committed.co.kr/identity/ authentication was successful but the first page of /identity/, which displays registered applications, did not appear.

This Chrome browser issue seems not to be related to Camunda, so I could close this issue.

But I have another problem regarding Zeebe clients (zbctl, modeler, application) with TLS enabled. I’ll raise another issue.

Thank you.
