Troubleshooting
Keycloak requires SSL for requests from external sources
When deploying Camunda to a provider, it is important to confirm the IP ranges used for container to container communication align with the IP ranges Keycloak considers "local". By default, Keycloak considers all IPs outside those listed in their external requests documentation to be external and therefore require SSL.
As the Camunda Helm Charts currently do not provide support for the distribution of the Keycloak TLS key to the other containers, we recommend viewing the solution available in the Identity documentation.
Identity redirect URL
If HTTP to HTTPS redirection is enabled in the load-balancer or ingress, make sure to use the HTTPS
protocol in the values file under global.identity.auth.[COMPONENT].redirectUrl
.
Otherwise, you will get a redirection error in Keycloak.
For example:
global:
identity:
auth:
operate
redirectUrl: https://operate.example.com
Changing this property after the initial install will require manual corrections in Keycloak.
Zeebe Ingress (gRPC)
Zeebe requires an Ingress controller that supports gRPC
which is built on top of HTTP/2
transport layer. Therefore, to expose Zeebe Gateway externally, you need the following:
- An Ingress controller that supports
gRPC
(ingress-nginx controller supports it out of the box). - TLS (HTTPS) via Application-Layer Protocol Negotiation (ALPN) enabled in the Zeebe Gateway Ingress object.
However, according to the official Kubernetes documentation about Ingress TLS:
There is a gap between TLS features supported by various Ingress controllers. Please refer to documentation on nginx, GCE, or any other platform specific Ingress controller to understand how TLS works in your environment.
Therefore, if you are not using the ingress-nginx controller, ensure you pay attention to TLS configuration of the Ingress controller of your choice. Find more details about the Zeebe Ingress setup in the Kubernetes platforms supported by Camunda.
Identity contextPath
Camunda 8 Self-Managed can be accessed externally via different methods. One such method is the combined Ingress setup. In that configuration, Camunda Identity is accessed using a specific path, configured by setting the contextPath
variable, for example https://camunda.example.com/identity
.
For security reasons, Camunda Identity requires secure access (HTTPS) when a contextPath
is configured. If you want to use Camunda Identity with HTTP, use a separate Ingress setup (applications such as Operate, Optimize, etc, can still be accessed in a combined setup).
Due to limitations, the Identity contextPath
approach is unavailable when using a browser in Incognito mode.
Web Modeler database schema
The Web Modeler restapi
component requires a database connection. This connection should not point to the same database as Keycloak does.
Gateway timeout on redirect
A gateway timeout can occur if the headers of a response are too big (for example, if a JWT is returned as Set-Cookie
header). To avoid this, you can increase the proxy-buffer-size
of your Ingress controller or Ingress. The setting for ingress-nginx can be found here.