Webmodeler 0.3.0-beta for Kubernetes and Istio

We got Camunda 8 self-managed running on Kubernetes and Istio.
Starting with the Camunda Helm charts, we have also added the webmodeler components (converted from docker-compose by kompose).

The really hard part was to add trusted cert stores in nearly all components - especially for the webmodeler components. Setting the following variables helped to allow deployments to be published to our clusters.

webmodeler restapi:

ZEEBE_CA_CERTIFICATE_PATH
JAVA_OPTIONS=-Djavax.net.ssl.trustStore=/etc/ssl/camunda/trust-store.jks -Djavax.net.ssl.trustStorePassword=*******

webmodeler webapp:

ZEEBE_CLIENT_SSL_ROOT_CERTS_PATH=/var/run/tls/ca.crt
ZEEBE_CLIENT_SSL_PRIVATE_KEY_PATH=/var/run/tls/tls.key
ZEEBE_CLIENT_SSL_CERT_CHAIN_PATH=/var/run/ssl/trusted.crt
ZEEBE_SECURE_CONNECTION=true

ZEEBE_CA_CERTIFICATE_PATH=/var/run/ssl/trusted.crt
NODE_EXTRA_CA_CERTS=/var/run/ssl/trusted.crt

Unfortunately, with these settings (ZEEBE_SECURE_CONNECTION=true), a bunch of jars are missing in the restapi container.

grpc-census-1.49.0.jar
opencensus-api-0.31.1.jar
opencensus-impl-lite-0.31.1.jar
opencensus-impl-0.31.1.jar
opentelemetry-opencensus-shim-1.21.0-alpha.jar
opencensus-impl-core-0.31.0.jar
disruptor-4.0.0.RC1.jar
opencensus-contrib-grpc-metrics-0.31.1.jar
opentelemetry-context-prop-0.9.1.jar
opentelemetry-context-1.21.0.jar
opentelemetry-extension-trace-propagators-1.21.0.jar
opentelemetry-api-1.21.0.jar

We added them the Kubernetes way (mount configmap with files).

But in the end, if we use “https://”, the process fails because it does not find the host “https”; if we use “grcp://”, the host “grcp” is not found.

Caused by: java.lang.RuntimeException: java.net.UnknownHostException: https
at io.grpc.internal.DnsNameResolver.resolveAddresses(DnsNameResolver.java:223)
at io.grpc.internal.DnsNameResolver.doResolve(DnsNameResolver.java:282)
at io.grpc.internal.DnsNameResolver$Resolve.run(DnsNameResolver.java:318)
… 3 common frames omitted
Caused by: java.net.UnknownHostException: https
at java.base/java.net.InetAddress$CachedAddresses.get(Unknown Source)
at java.base/java.net.InetAddress.getAllByName0(Unknown Source)
at java.base/java.net.InetAddress.getAllByName(Unknown Source)
at io.grpc.internal.DnsNameResolver$JdkAddressResolver.resolveAddress(DnsNameResolver.java:631)
at io.grpc.internal.DnsNameResolver.resolveAddresses(DnsNameResolver.java:219)

Without a protocol, the Zeebe client connection check works and the deployment process gets started. But in the end it fails, replying

Caused by: java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: UNAVAILABLE: io exception
at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
at io.camunda.zeebe.client.impl.ZeebeClientFutureImpl.join(ZeebeClientFutureImpl.java:48)
… 144 common frames omitted
Caused by: io.grpc.StatusRuntimeException: UNAVAILABLE: io exception
at io.grpc.Status.asRuntimeException(Status.java:539)

Does anybody have webmodeler 0.3.0-beta running with a Zeebe Gateway with TLS support?

Many thanks for your support!

Daniele

Check out my blog post on Camunda 8 with Istio:

2 Likes
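A pre-flight check for the two failures reported in the post above, added here as an example and not taken from the thread or from Camunda's code: it rejects a scheme prefix on the gateway address, then attempts a TLS handshake that trusts only the given CA file and offers HTTP/2 via ALPN. The function names, the sample address and paths in the usage comment, and the default port 26500 are assumptions.

```python
import socket
import ssl

DEFAULT_PORT = 26500  # assumed default gRPC port of the Zeebe gateway


def parse_gateway_address(address):
    """Return (host, port) for a bare hostname[:port]; reject scheme prefixes."""
    address = address.strip()
    if "://" in address:
        scheme = address.split("://", 1)[0]
        raise ValueError(
            f"remove the {scheme!r} prefix: the stack trace in the thread "
            "shows it being looked up as a hostname"
        )
    host, sep, port = address.rpartition(":")
    if not sep:
        return address, DEFAULT_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"expected host:port, got {address!r}")
    return host, int(port)


def probe_tls(address, ca_file, timeout=5.0):
    """Handshake with the gateway, trusting only ca_file, offering h2 via ALPN."""
    host, port = parse_gateway_address(address)
    # Passing cafile means the system trust store is NOT loaded as well.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.set_alpn_protocols(["h2"])  # gRPC runs over HTTP/2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "tls": tls.version(),
                        "alpn": tls.selected_alpn_protocol()}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate or hostname mismatch.
        return {"ok": False, "stage": "certificate", "error": exc.verify_message}
    except ssl.SSLError as exc:
        return {"ok": False, "stage": "handshake", "error": str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "connect", "error": str(exc)}


# Usage from inside the pod (constructed address and path):
#   probe_tls("zeebe-gateway.example.svc:26500", "/var/run/tls/ca.crt")
```

A result with stage "certificate" points at the trust configuration, while stage "connect" points at networking or the mesh rather than TLS.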

Thanks a lot @bluebossa63, appreciate you creating this post and sharing it.

1 Like

I can confirm that these issues are gone with webmodeler 0.4.1-beta.

2 Likes

Check out our contribution to the Camunda community hub: