fix: support Orchestration gRPC TLS endpoints#6280

Open

eamonnmoloney wants to merge 6 commits into main from inc-33090-camunda-grpc-and-rest-endpoints

Conversation

@eamonnmoloney eamonnmoloney commented Jun 1, 2026


Summary

  • Support Orchestration REST and gRPC TLS independently across 8.8, 8.9, and 8.10.
  • Render chart-generated Web Modeler and Connectors gRPC defaults with secure schemes when CAMUNDA_API_GRPC_SSL_ENABLED=true, while keeping REST on HTTP unless SERVER_SSL_ENABLED=true.
  • Route the public Orchestration gRPC ingress to the backend with nginx.ingress.kubernetes.io/backend-protocol: GRPCS when the in-chart Orchestration gRPC server has TLS enabled.
  • Keep the existing REST-TLS ingress split so /orchestration can use HTTPS upstream when SERVER_SSL_ENABLED=true without changing the shared HTTP ingress backends.
  • Update orchestration-tls (estls) scenario values to match the SUPPORT-33090 customer shape: REST over HTTP, gRPC over TLS.

Why

  • SUPPORT-33090 clarified that the customer enables gRPC TLS with CAMUNDA_API_GRPC_SSL_ENABLED=true while leaving REST plaintext with SERVER_SSL_ENABLED=false.
  • The chart previously treated internal Orchestration gRPC defaults as plaintext, and the gRPC ingress used GRPC upstream even when the in-chart Orchestration gRPC server expected TLS.
  • Web Modeler expects grpcs:// for secure gRPC, while Connectors/Camunda client expects the secure gRPC endpoint as https://.

Notes

  • Explicit user overrides still win:
    • webModeler.restapi.clusters
    • connectors.configuration
  • The 8.10 opensearch-self-signed-os-trust / osot matrix entry is kept from the rebased branch using its dedicated opensearch-self-signed-os-trust persistence and pre-install wrapper.

Local Validation

  • go test ./common/... ./connectors/... ./web-modeler/... in 8.8 unit test dir.
  • go test ./common/... ./connectors/... ./web-modeler/... in 8.9 unit test dir.
  • go test ./common/... ./connectors/... ./web-modeler/... in 8.10 unit test dir.
  • make go.test chartPath=charts/camunda-platform-8.8
  • make go.test chartPath=charts/camunda-platform-8.9
  • make go.test chartPath=charts/camunda-platform-8.10
  • make helm.lint chartPath=charts/camunda-platform-8.8
  • make helm.lint chartPath=charts/camunda-platform-8.9
  • make helm.lint chartPath=charts/camunda-platform-8.10
  • go test ./matrix/... from scripts/deploy-camunda.
  • deploy-camunda matrix list --repo-root . --versions 8.10 --scenario-filter opensearch-self-signed-os-trust --shortname-filter osot --shortname-exact --flow-filter install --platform gke returns one osot entry.

GKE Validation

  • Deployed updated 8.8 estls scenario to GKE namespace matrix-88-estls-inst-gke:
    • deploy-camunda matrix run --repo-root . --versions 8.8 --shortname-filter estls --shortname-exact --platform gke --ingress-base-domain-gke ci.distro.ultrawombat.com --delete-namespace --timeout 30 --yes --ensure-docker-registry
  • deploy-camunda watch --namespace matrix-88-estls-inst-gke --release integration --interval 15 confirmed the Helm release is deployed and all pods are Ready.
  • Live gRPC ingress integration-camunda-platform-grpc has nginx.ingress.kubernetes.io/backend-protocol: GRPCS.
  • Live combined HTTP ingress routes /orchestration -> integration-zeebe-gateway:8080.
  • Live Connectors ConfigMap renders:
    • rest-address: http://integration-zeebe-gateway:8080/orchestration
    • grpc-address: https://integration-zeebe-gateway:26500
  • Live Web Modeler REST API ConfigMap renders:
    • grpc: grpcs://integration-zeebe-gateway:26500
    • rest: http://integration-zeebe-gateway:8080/orchestration
    • web-app: https://matrix-88-estls-inst-gke.ci.distro.ultrawombat.com/orchestration
  • https://matrix-88-estls-inst-gke.ci.distro.ultrawombat.com/orchestration/identity returns HTTP/2 401 with www-authenticate: Bearer, not a TLS protocol mismatch page.
  • MINOR_VERSION=SM-8.8 npx playwright test --project=chromium tests/SM-8.8/smoke-tests.spec.ts --workers=1 --trace on passed with 3 passed and 4 skipped.

CI Validation

  • Pushed commit 6a9545d66 to refresh PR CI after rebasing on the updated branch.
  • test-chart-version.yaml workflow dispatch currently does not expose orchestration-tls as a selectable scenario, so no narrower manual GKE workflow run was triggered from the workflow UI inputs.
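The scheme mapping the description above spells out (gRPC and REST TLS evaluated independently, grpcs:// for Web Modeler, https:// for Connectors, GRPCS on the gRPC ingress, explicit overrides winning) as an added, self-contained Go sketch; this is not the chart's template or test code. It assumes grpc:// and http:// as the plaintext schemes and models the webModeler.restapi.clusters override as a single string.

```go
package main

import "fmt"

// OrchestrationEnv holds the two flags the chart keys on (constructed example).
type OrchestrationEnv struct {
	GrpcSSLEnabled   bool // CAMUNDA_API_GRPC_SSL_ENABLED
	ServerSSLEnabled bool // SERVER_SSL_ENABLED (REST)
}

// Endpoints are the chart-generated client defaults plus ingress annotations.
type Endpoints struct {
	WebModelerGrpc   string // grpcs:// when gRPC TLS is on
	WebModelerRest   string
	ConnectorsGrpc   string // https:// when gRPC TLS is on
	ConnectorsRest   string
	GrpcIngressProto string // nginx.ingress.kubernetes.io/backend-protocol value
	RestIngressProto string
}

// pick returns tls when secure is set, otherwise plain.
func pick(secure bool, tls, plain string) string {
	if secure {
		return tls
	}
	return plain
}

// RenderEndpoints derives defaults from the flags independently; a non-empty
// webModelerGrpcOverride models an explicit user value and always wins.
func RenderEndpoints(env OrchestrationEnv, gateway, webModelerGrpcOverride string) Endpoints {
	grpcHost := fmt.Sprintf("%s:26500", gateway)
	restHost := fmt.Sprintf("%s:8080/orchestration", gateway)
	e := Endpoints{
		WebModelerGrpc:   pick(env.GrpcSSLEnabled, "grpcs://", "grpc://") + grpcHost,
		WebModelerRest:   pick(env.ServerSSLEnabled, "https://", "http://") + restHost,
		ConnectorsGrpc:   pick(env.GrpcSSLEnabled, "https://", "http://") + grpcHost,
		ConnectorsRest:   pick(env.ServerSSLEnabled, "https://", "http://") + restHost,
		GrpcIngressProto: pick(env.GrpcSSLEnabled, "GRPCS", "GRPC"),
		RestIngressProto: pick(env.ServerSSLEnabled, "HTTPS", "HTTP"),
	}
	if webModelerGrpcOverride != "" {
		e.WebModelerGrpc = webModelerGrpcOverride
	}
	return e
}

func main() {
	// The SUPPORT-33090 shape: gRPC over TLS, REST plaintext.
	fmt.Printf("%+v\n", RenderEndpoints(OrchestrationEnv{GrpcSSLEnabled: true}, "integration-zeebe-gateway", ""))
}
```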

@github-actions github-actions Bot added version/8.8 Camunda applications/cycle version version/8.9 Camunda applications/cycle version version/8.10 Camunda applications/cycle version labels Jun 1, 2026
@eamonnmoloney eamonnmoloney changed the title fix(8.8): use TLS schemes for Web Modeler internal endpoints fix: route Orchestration ingress over HTTPS with server TLS Jun 2, 2026
@eamonnmoloney eamonnmoloney marked this pull request as ready for review June 2, 2026 12:48
@eamonnmoloney eamonnmoloney requested a review from a team as a code owner June 2, 2026 12:48
@eamonnmoloney eamonnmoloney requested review from Ian-wang-liyang and Copilot and removed request for a team June 2, 2026 12:48
@eamonnmoloney eamonnmoloney requested a review from a team June 2, 2026 12:49

Copilot AI left a comment


Pull request overview

Adds a dedicated HTTPS-backed ingress for the Orchestration REST endpoint when SERVER_SSL_ENABLED is true on Orchestration, so the NGINX ingress-wide backend-protocol: HTTPS annotation doesn't break the other HTTP backends (Console, Identity, Web Modeler, Optimize, Connectors). The change is mirrored across charts 8.8, 8.9, and 8.10 and covered by new orchestration-tls (estls) GKE integration scenarios with explicit Web Modeler and Connectors TLS client wiring.

Changes:

  • Add new template templates/common/ingress-orchestration-http.yaml rendered only when Orchestration sets SERVER_SSL_ENABLED=true, annotated with nginx.ingress.kubernetes.io/backend-protocol: HTTPS; and a new helper camundaPlatform.orchestrationEnvIsTrue to inspect orchestration.env from templates.
  • Exclude the /orchestration path from the combined ingress-http.yaml when the new helper reports SERVER_SSL_ENABLED=true.
  • Add orchestration-tls CI scenarios with a pre-install-orchestration-tls.sh cert/truststore bootstrap script, a features/orchestration-tls.yaml values overlay (Orchestration TLS env/volumes, explicit Web Modeler restapi.clusters, explicit Connectors configuration), plus unit tests for both ingress paths.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated no comments.

Summary per file:

  • charts/camunda-platform-8.{8,9,10}/templates/common/ingress-orchestration-http.yaml: New HTTPS-upstream ingress for /orchestration, guarded on SERVER_SSL_ENABLED
  • charts/camunda-platform-8.{8,9,10}/templates/common/ingress-http.yaml: Skip Orchestration path in the combined ingress when TLS is enabled on the server
  • charts/camunda-platform-8.{8,9,10}/templates/common/_helpers.tpl: Add camundaPlatform.orchestrationEnvIsTrue helper used by the ingress guards
  • charts/camunda-platform-8.{8,9,10}/test/unit/common/ingress_test.go: New tests for combined ingress omission and new orchestration-http ingress rendering
  • charts/camunda-platform-8.{8,9,10}/test/integration/scenarios/chart-full-setup/values/features/orchestration-tls.yaml: New feature values overlay enabling Orchestration TLS and explicit Web Modeler/Connectors TLS clients
  • charts/camunda-platform-8.{8,9,10}/test/integration/scenarios/pre-setup-scripts/pre-install-orchestration-tls.sh: New pre-install script generating cert/key and truststore Secrets (8.10 also seeds CloudNativePG)
  • charts/camunda-platform-8.{8,9,10}/test/ci-test-config.yaml: Register the new estls scenario with features: [orchestration-tls] and pre-install hook

@Ian-wang-liyang Ian-wang-liyang left a comment


LGTM

@eamonnmoloney eamonnmoloney changed the title fix: route Orchestration ingress over HTTPS with server TLS fix: support Orchestration gRPC TLS endpoints Jun 8, 2026
@eamonnmoloney eamonnmoloney force-pushed the inc-33090-camunda-grpc-and-rest-endpoints branch from 8cfc31a to 6a9545d Compare June 8, 2026 05:52
@eamonnmoloney eamonnmoloney force-pushed the inc-33090-camunda-grpc-and-rest-endpoints branch from a26a387 to c4afe69 Compare June 9, 2026 08:26
@eamonnmoloney eamonnmoloney added this pull request to the merge queue Jun 9, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 9, 2026
@eamonnmoloney eamonnmoloney force-pushed the inc-33090-camunda-grpc-and-rest-endpoints branch from c0ed65a to 6d7b70f Compare June 9, 2026 13:50