Skip to content

fix: add constraints for ES and Basic auth in noSecondaryStorage mode #4170

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 18, 2025
Merged

fix: add constraints for ES and Basic auth in noSecondaryStorage mode #4170

merged 1 commit into from
Sep 18, 2025

Conversation

@abremard
Copy link
Contributor

@abremard abremard commented Sep 16, 2025
edited
Loading

Which problem does the PR fix?

The Helm chart continues to enable Elasticsearch, even though the no-db flag global.noSecondaryStorage=true is set. Output:


- Console:
  - Enabled: false
- Orchestration:
  - Enabled: true
  - Docker Image used for Zeebe: camunda/camunda:8.8.0-alpha8
  - Zeebe Cluster Name: "my-camunda-devel-zeebe"
  - Prometheus ServiceMonitor Enabled: false
- Connectors:
  - Enabled: true
  - Docker Image used for Connectors: camunda/connectors-bundle:8.8.0-alpha8
- Identity:
  - Enabled: false
- Web Modeler:
  - Enabled: false
- Elasticsearch:
  - Enabled: true
  - Docker Image used for Elasticsearch: bitnamilegacy/elasticsearch:8.18.0

We still need to configure OIDC authentication with "no-secondary-storage" mode as Basic authentication is not supported.
There is some bad UX in the Helm chart, as users only discover this limitation when inspecting logs of crash-looping Zeebe Brokers. Example:

ERROR - io.camunda.application - Failed to start application with message: Error creating bean with name 'basicAuthenticationNoDbFailFastBean' defined in class path resource [io/camunda/authentication/config/WebSecurityConfig$BasicAuthenticationNoDbConfiguration.class]: Failed to instantiate [io.camunda.authentication.config.WebSecurityConfig$BasicAuthenticationNoDbFailFastBean]: Factory method 'basicAuthenticationNoDbFailFastBean' threw exception with message: Basic Authentication is not supported when secondary storage is disabled (
camunda.database.type=none). Basic Authentication requires access to user data stored in secondary storage.
Please either enable secondary storage by configuring camunda.database.type to a supported database type,
or use another authentication method by updating the camunda.security.authentication.method configuration.

What's in this PR?

I'm adding 2 new constraints

  • on Basic Auth : we should warn users trying to deploy noSecondaryStorage mode with basic auth, it's not supported
  • on elasticsearch.enable : this should be false when noSecondaryStorage is true (this config is different from globale.elasticsearch.enable)

Checklist

Please make sure to follow our Contributing Guide.

Before opening the PR:

  • In the repo's root dir, run make go.update-golden-only.
  • There is no other open pull request for the same update/change.
  • Tests for charts are added (if needed).
  • In-repo documentation are updated (if needed).

After opening the PR:

  • Did you sign our CLA (Contributor License Agreement)? It will show once you open the PR.
  • Did all checks/tests pass in the PR?

#closes camunda/camunda#38186

@abremard abremard requested a review from a team as a code owner September 16, 2025 08:11
@github-actions github-actions bot added the version/8.8 Camunda applications/cycle version label Sep 16, 2025
@distro-ci-manage-gh-envs distro-ci-manage-gh-envs bot temporarily deployed to gke-4170-intg-8-8-gke-eske September 16, 2025 08:13 Destroyed
@abremard abremard force-pushed the 38186-constraints-for-ES-and-basic-auth branch from 2e43f31 to 847cbef Compare September 16, 2025 08:14
@distro-ci-manage-gh-envs distro-ci-manage-gh-envs bot temporarily deployed to gke-4170-intg-8-8-gke-eske September 16, 2025 08:16 Destroyed
@abremard abremard requested a review from aabouzaid September 16, 2025 11:28
@aabouzaid aabouzaid added the size/xs 1-2 days label Sep 16, 2025
@abremard abremard force-pushed the 38186-constraints-for-ES-and-basic-auth branch from 847cbef to 0e8ff5e Compare September 18, 2025 02:03
@abremard abremard merged commit 68051c8 into main Sep 18, 2025
6 of 7 checks passed
@abremard abremard deleted the 38186-constraints-for-ES-and-basic-auth branch September 18, 2025 02:03
@eamonnmoloney
Copy link
Contributor

eamonnmoloney commented Sep 18, 2025

@abremard This one broke the unit tests. Can you have a look?

@hisImminence
Copy link
Contributor

hisImminence commented Sep 18, 2025

@abremard This one broke the unit tests. Can you have a look?

Just to update - no need anymore @abremard - Unit test was fixed now by #4223.

@distro-ci distro-ci bot mentioned this pull request Oct 10, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aabouzaid aabouzaid aabouzaid approved these changes

@eamonnmoloney eamonnmoloney Awaiting requested review from eamonnmoloney eamonnmoloney is a code owner automatically assigned from camunda/distribution

Assignees

@abremard abremard

Labels

size/xs 1-2 days version/8.8 Camunda applications/cycle version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Constraints on ES and Basic auth for noSecondaryStorage

5 participants

@abremard @eamonnmoloney @hisImminence @aabouzaid