Unable to deploy process on Camunda 8

I have not been able to ingress the zeebe-gateway, hence I am unable to deploy to connect to zeebe brokers.

I have deployed the Camunda 8 Self Managed platform on our local Kubernetes environment (Rancher). The deployment went very well and all services are active & healthy.

The ingress for Operate, Tasklist, Optimize & Identity is also working fine, but the ingress for zeebe-gateway for gRPC on 26500 is not working as explained in the Camunda tutorials. Here is my custom values.yaml.

As per my current analysis, it has something to do with the ingress controller, which needs to be opened for listening on port 26500, as currently it is only configured for listening on 80 & 443.
Can someone help me with the exact ingress configuration for the Kubernetes Helm chart (YAML) to enable process deployment using a Zeebe client (I am currently using zbctl)?

# Chart values for the Camunda Platform 8 Helm chart in combined Ingress setup.

# This file deliberately contains only the values that differ from the defaults.
# For changes and documentation, use your favorite diff tool to compare it with:
# https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform

# IMPORTANT: Make sure to change "camunda.example.com" to your domain.

global:
  ingress:
    enabled: true
    className: nginx
    host: "camunda.xxx.xxx.com"
  identity:
    auth:
      publicIssuerUrl: "https://camunda.xxx.xxx.com.com/auth/realms/camunda-platform"
      operate:
        redirectUrl: "https://camunda.xxx.xxx.com.com/operate"
      tasklist:
        redirectUrl: "https://camunda.xxx.xxx.com.com/tasklist"
      optimize:
        redirectUrl: "https://camunda.xxx.xxx.com.com/optimize"

identity:
  contextPath: "/identity"
  fullURL: "https://camunda.xxx.xxx.com.com/identity"

operate:
  contextPath: "/operate"

optimize:
  contextPath: "/optimize"

tasklist:
  contextPath: "/tasklist"

zeebe-gateway:
  ingress:
    enabled: true
    className: nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    # Ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    host: "zeebe.camunda.xxx.xxx.com"
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: "k8s-ingress-cert"
      hosts:
        zeebe.camunda.xxx.xxx.com
        
zeebe:
  pvcStorageClassName: "px-csi-db"
  
elasticsearch:
  volumeClaimTemplate:
    storageClassName: "px-csi-db"

Hello @mhasan,

Actually, you will not need to open port 26500 with the ingress controller. Instead, you can use 80 or 443.

Here is a snippet from an example that worked for me:

zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    host: "zeebe.consulting-sandbox.camunda.cloud"
    className: 
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    tls:
      enabled: true
      secretName: "export-compliance-platform-tls"

Using this config, you will have to put port 443 instead of port 26500 when accessing from outside.

Note: In C8 SaaS, it is exactly the same.

Jonathan


Thanks @jonathan.lukas for your reply!
When I try with 443 with the provided config:

zbctl status --address 172.x.x.x:443 --certPath C:\kubeconfig\camunda\kube-root-ca.crt
zbctl status --host zeebe.mydomain.com --certPath C:\kubeconfig\camunda\kube-root-ca.crt

I still see the error below:
Error: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: cannot validate certificate for 172.x.x.x because it doesn't contain any IP SANs"
But my root cert is allowed for *.mydomain.com

Does that mean I need to update SANs in my root certificate?

When it comes to PKI, *.mydomain.com and 172.x.y.z are different hosts.
If you are going to use 172.x.y.z, then your certificate needs to list it in the Subject Alternative Names (SANs) for your server certificate (not the root cert)…

A better bet would be to update your local machine's hosts file to point c8-dev-mhasan.mydomain.com to 172.x.y.z, then use your zbctl command like:
zbctl status --address c8-dev-mhasan.mydomain.com:443 --certPath C:\kubeconfig\camunda\kube-root-ca.crt
