Configure self-managed cluster credentials in properties #443
Comments
This is a pretty basic and important requirement for consistent configuration. We found the way to configure the credentials with EDIT: I'm still searching for the OAuth variable. Do you know how to set this one? EDIT2: It might be |
@jonathanlukas do you know if the variables mentioned above are right? We like to connect an application with an authenticated instance now and are not really keen for reverse engineering to configure it correctly. :( |
Yes, they are correct: To ease your reverse engineering, please review this line: https://github.com/camunda-community-hub/spring-zeebe/blob/main/spring-boot-starter-camunda/src/main/java/io/camunda/zeebe/spring/client/properties/ZeebeClientConfigurationProperties.java#L690 |
Thanks for your fast reply. Yes, I'm aware of these lines. :) I was more concerned regarding the remaining OAUTH part. |
Unfortunately no luck :(
I currently have the following config:
It seems as if still the cloud branch is taken leading to the exception. |
Alright. The only thing you should care about is that you do not use the zeebe.client.cloud.clientId and clientSecret but only the env variables |
I don't :D That's why I'm so surprised to receive this error. I checked the whole configuration. |
Could you remove the Please note that here the broker gateway address could potentially be overridden by env |
Ah, the error was caused by a different scope where I accidentally applied the zeebe client config. Setting it directly changed the error to the |
Ok, we were successful with the following config: Environment:
application.yaml:
We needed to change Figuring out the correct format of Now we have the following log a lot: Is this caused by not using SSL? This is really flooding the logs... |
I've made a workaround in my project, so that I can configure my own ZeebeClient like this:

Workaround

Dependencies:

application.yaml

```yaml
zeebe:
  client:
    id: <id>
    secret: <secret>
    broker:
      gateway-address: <gateway-address>:443
    #security:
    #  plaintext: true
  token:
    audience: zeebe-api
  authorization-server-url: https://<URL>/auth/realms/camunda-platform/protocol/openid-connect/token/
```

ZeebeConfigurationProperties.java

```java
import jakarta.validation.Valid;
import jakarta.validation.constraints.NotEmpty;
import jakarta.validation.constraints.NotNull;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.validation.annotation.Validated;

@ConfigurationProperties(prefix = "zeebe")
@Validated
public record ZeebeConfigurationProperties(
    @Valid @NotNull(message = "client must not be null") Client client,
    @Valid @NotNull(message = "token must not be null") Token token,
    @NotEmpty(message = "authorizationServerUrl must not be empty") String authorizationServerUrl) {

  public record Client(@NotEmpty(message = "id must not be empty") String id,
                       @NotEmpty(message = "secret must not be empty") String secret,
                       @Valid @NotNull(message = "broker must not be null") Broker broker, @Valid Security security) {

    public record Broker(@NotEmpty(message = "gatewayAddress must not be empty") String gatewayAddress) {
    }

    public record Security(boolean plaintext) {
    }
  }

  public record Token(@NotEmpty String audience) {
  }
}
```

ZeebeConfig.java

```java
import io.camunda.zeebe.client.ZeebeClient;
import io.camunda.zeebe.client.impl.oauth.OAuthCredentialsProvider;
import io.camunda.zeebe.client.impl.oauth.OAuthCredentialsProviderBuilder;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ZeebeConfig implements BeanPostProcessor {

  private final ZeebeConfigurationProperties zeebeConfigurationProperties;

  public ZeebeConfig(ZeebeConfigurationProperties zeebeConfigurationProperties) {
    this.zeebeConfigurationProperties = zeebeConfigurationProperties;
  }

  @Override
  public Object postProcessBeforeInitialization(Object bean, String beanName) throws BeansException {
    //replace ZeebeClient Bean with our own configuration
    if (bean instanceof ZeebeClient && "zeebeClient".equals(beanName)) {
      //https://docs.camunda.io/docs/apis-tools/java-client/
      OAuthCredentialsProvider credentialsProvider =
          new OAuthCredentialsProviderBuilder()
              .authorizationServerUrl(zeebeConfigurationProperties.authorizationServerUrl())
              .audience(zeebeConfigurationProperties.token().audience())
              .clientId(zeebeConfigurationProperties.client().id())
              .clientSecret(zeebeConfigurationProperties.client().secret())
              .build();
      return ZeebeClient.newClientBuilder()
          .gatewayAddress(zeebeConfigurationProperties.client().broker().gatewayAddress())
          .credentialsProvider(credentialsProvider)
          .build();
    }
    return BeanPostProcessor.super.postProcessBeforeInitialization(bean, beanName);
  }
}
```

How does it work

With With this workaround we can now set the credentials with the above

```
ZEEBE_CLIENT_ID=<id>
ZEEBE_CLIENT_SECRET=<secret>
ZEEBE_BROKER_GATEWAY_ADDRESS=<gateway-address>:443
ZEEBE_TOKEN_AUDIENCE=zeebe-api
ZEEBE_AUTHORIZATION_SERVER_URL=https://<URL>/auth/realms/camunda-platform/protocol/openid-connect/token/
```

Not sure what the I hope something like these properties can make it to a newer version of the spring-zeebe library, so that we can configure the ZeebeClient for use in a self managed environment with identity component activated. |
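An added example, not code from this thread or from spring-zeebe: a dependency-free pre-flight check for the kind of settings used in the workaround above. It redacts the client secret in `toString()` and flags a non-HTTPS token URL or a plaintext gateway connection combined with OAuth credentials. The `ZeebeOAuthSettings` record, its field names and the sample values are hypothetical.

```java
import java.net.URI;
import java.util.ArrayList;
import java.util.List;

// Added example, not spring-zeebe code: ZeebeOAuthSettings and its fields are hypothetical names.
public class ZeebeOAuthSettingsCheck {
  record ZeebeOAuthSettings(String clientId, String clientSecret, String gatewayAddress,
                            String audience, String authorizationServerUrl, boolean plaintext) {
    // A record's generated toString() prints every component; redact the secret for logs.
    @Override
    public String toString() {
      return "ZeebeOAuthSettings[clientId=" + clientId + ", clientSecret=***, gatewayAddress="
          + gatewayAddress + ", audience=" + audience + ", authorizationServerUrl="
          + authorizationServerUrl + ", plaintext=" + plaintext + "]";
    }
  }

  static boolean isBlank(String v) { return v == null || v.isBlank(); }

  static List<String> validate(ZeebeOAuthSettings s) {
    List<String> problems = new ArrayList<>();
    if (isBlank(s.clientId()) || isBlank(s.clientSecret())) {
      problems.add("client id and client secret must both be set");
    }
    if (isBlank(s.audience())) problems.add("token audience must be set");
    // The client secret is posted to the token endpoint, so require https there.
    String scheme = null;
    try {
      scheme = URI.create(String.valueOf(s.authorizationServerUrl())).getScheme();
    } catch (IllegalArgumentException e) {
      // malformed URL: scheme stays null and is reported by the check below
    }
    if (!"https".equalsIgnoreCase(scheme)) {
      problems.add("authorization server URL must be a valid https URL");
    }
    // An access token sent over a plaintext gateway connection is readable in transit.
    if (s.plaintext() && !isBlank(s.clientSecret())) {
      problems.add("plaintext gateway connection used together with OAuth credentials");
    }
    return problems;
  }

  public static void main(String[] args) {
    // Constructed sample values, not taken from the issue.
    var bad = new ZeebeOAuthSettings("app", "s3cret", "zeebe.example.internal:26500",
        "zeebe-api", "http://keycloak.example.internal/token", true);
    System.out.println(bad);
    validate(bad).forEach(System.out::println);
  }
}
```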
@rbcb-bedag any chance this could become a PR? Not the BeanPostProcessor obviously but the rest. |
Currently, only the gateway address of a self-managed cluster can be configured in properties.
As Camunda Platform 8 introduced a secured zeebe gateway by default in 8.2, this configuration should be applied by default in the future.
This is only possible by using environment variables at the moment:
https://github.com/camunda-community-hub/spring-zeebe/blob/main/spring-boot-starter-camunda/src/main/java/io/camunda/zeebe/spring/client/properties/ZeebeClientConfigurationProperties.java#L681
Here, client id and client secret are read from environment variables.
Actually, it is also required to configure an auth url (keycloak token endpoint).
This is part of the OAuthCredentialsProviderBuilder which also uses env variables to configure the auth url.
However, it could be set to the builder as well.
In the end, it should be possible to configure the whole client by using a spring boot configuration.
The required parameters are:
To better align with the new principle of a unified camunda client, the properties could be renamed to: