fix(broker): add multitenancy configuration #3171

Merged
merged 8 commits into from
Feb 12, 2024
73 changes: 73 additions & 0 deletions docs/self-managed/zeebe-deployment/configuration/broker.md
Expand Up @@ -565,3 +565,76 @@ processing: maxCommandsInBatch = 100
See the experimental section of the [broker.yaml.template](https://github.com/camunda/zeebe/blob/main/dist/src/main/config/broker.yaml.template#L733).

Be aware that all configuration's which are part of the experimental section are subject to change and can be dropped at any time.

### Multitenancy configuration

For an embedded gateway setup, any gateway property can be passed along to the `StandaloneBroker` by prefixing `zeebe.broker`.

#### zeebe.broker.gateway.multitenancy

Multi-tenancy in Zeebe can be configured with the following configuration properties.
Multi-tenancy is disabled by default.
Read more [in the multi-tenancy documentation](../../../self-managed/concepts/multi-tenancy.md).

:::note
For now, multi-tenancy is only supported in combination with Identity.
To use multi-tenancy, you must set [`authentication.mode`](#zeebebrokergatewaysecurityauthentication) to `'identity'` and specify the
`camunda.identity.baseUrl` property or the [corresponding Camunda Identity environment variable](../../identity/deployment/configuration-variables.md#core-configuration)
as well.
:::

:::note
If you are using a standalone gateway, refer to the [gateway configuration guide](./gateway.md/#zeebegatewaymultitenancy).
:::

| Field | Description | Example value |
| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| enabled | Enable multitenancy in the embedded gateway. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED`. | False |

##### YAML snippet

```yaml
broker:
gateway:
multitenancy:
enabled: false
```

#### zeebe.broker.gateway.security.authentication

| Field | Description | Example value |
| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| mode | Controls which authentication mode is active; supported modes are `none` and `identity`. If `identity` is set, authentication will be done using [camunda-identity](/self-managed/identity/what-is-identity.md), which needs to be configured in the corresponding subsection. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE`. | none |

##### YAML snippet

```yaml
security:
authentication:
mode: none
```

#### zeebe.broker.gateway.security.authentication.identity

:::note
The Zeebe configuration properties for Camunda Identity are deprecated as of version `8.4.0`. Use the dedicated
Camunda Identity properties or the [corresponding environment variables](../../identity/deployment/configuration-variables.md#core-configuration).
:::

| Field | Description | Example value |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| issuerBackendUrl | The URL to the auth provider backend, used to validate tokens. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL`. | http://keycloak:8080/auth/realms/camunda-platform |
| audience | The required audience of the auth token. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE`. | zeebe-api |
| baseUrl | The URL to the Identity instance. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL`. | http://identity:8084 |

##### YAML snippet

```yaml
security:
authentication:
mode: identity
identity:
issuerBackendUrl: http://keycloak:8080/auth/realms/camunda-platform
audience: zeebe-api
type: keycloak
```
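Review bot: The YAML snippet under `zeebe.broker.gateway.security.authentication.identity` does not match the table above it: it sets `type: keycloak`, which the table never documents, and it omits `baseUrl`, which the table does list. Either add a `type` row with its allowed values or drop the key from the snippet, and include `baseUrl: http://identity:8084` so the snippet covers every documented field. Since the section is marked deprecated as of `8.4.0` and the multi-tenancy note asks for `camunda.identity.baseUrl`, a snippet showing that replacement property would also help readers avoid copying the deprecated form.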
4 changes: 4 additions & 0 deletions docs/self-managed/zeebe-deployment/configuration/gateway.md
Expand Up @@ -340,6 +340,10 @@ To use multi-tenancy, you must set [`authentication.mode`](#zeebegatewayclusters
as well.
:::

:::note
If you are using an embedded gateway, refer to the [broker configuration guide](./broker.md/#multitenancy-configuration).
:::

| Field | Description | Example value |
| ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| enabled | Enables multi-tenancy for the cluster. This setting can also be overridden using the environment variable `ZEEBE_GATEWAY_MULTITENANCY_ENABLED`. | true |
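Review bot: The link target in the added note, `./broker.md/#multitenancy-configuration`, has a slash between the file name and the fragment, unlike the other relative links in these docs (for example `configuration-variables.md#core-configuration`). Suggest `./broker.md#multitenancy-configuration` so the path resolves to the file rather than to a directory named `broker.md`, and verify the rendered link in the docs preview.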
Expand Up @@ -565,3 +565,76 @@ processing: maxCommandsInBatch = 100
See the experimental section of the [broker.yaml.template](https://github.com/camunda/zeebe/blob/main/dist/src/main/config/broker.yaml.template#L733).

Be aware that all configuration's which are part of the experimental section are subject to change and can be dropped at any time.

### Multitenancy configuration

For an embedded gateway setup, any gateway property can be passed along to the `StandaloneBroker` by prefixing `zeebe.broker`.

#### zeebe.broker.gateway.multitenancy

Multi-tenancy in Zeebe can be configured with the following configuration properties.
Multi-tenancy is disabled by default.
Read more [in the multi-tenancy documentation](../../../self-managed/concepts/multi-tenancy.md).

:::note
For now, multi-tenancy is only supported in combination with Identity.
To use multi-tenancy, you must set [`authentication.mode`](#zeebebrokergatewaysecurityauthentication) to `'identity'` and specify the
`camunda.identity.baseUrl` property or the [corresponding Camunda Identity environment variable](../../identity/deployment/configuration-variables.md#core-configuration)
as well.
:::

:::note
If you are using a standalone gateway, refer to the [gateway configuration guide](./gateway.md/#zeebegatewaymultitenancy).
:::

| Field | Description | Example value |
| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| enabled | Enable multitenancy in the embedded gateway. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED`. | False |

##### YAML snippet

```yaml
broker:
gateway:
multitenancy:
enabled: false
```

#### zeebe.broker.gateway.security.authentication

| Field | Description | Example value |
| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| mode | Controls which authentication mode is active; supported modes are `none` and `identity`. If `identity` is set, authentication will be done using [camunda-identity](/self-managed/identity/what-is-identity.md), which needs to be configured in the corresponding subsection. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE`. | none |

##### YAML snippet

```yaml
security:
authentication:
mode: none
```

#### zeebe.broker.gateway.security.authentication.identity

:::note
The Zeebe configuration properties for Camunda Identity are deprecated as of version `8.4.0`. Use the dedicated
Camunda Identity properties or the [corresponding environment variables](../../identity/deployment/configuration-variables.md#core-configuration).
:::

| Field | Description | Example value |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| issuerBackendUrl | The URL to the auth provider backend, used to validate tokens. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL`. | http://keycloak:8080/auth/realms/camunda-platform |
| audience | The required audience of the auth token. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE`. | zeebe-api |
| baseUrl | The URL to the Identity instance. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL`. | http://identity:8084 |

##### YAML snippet

```yaml
security:
authentication:
mode: identity
identity:
issuerBackendUrl: http://keycloak:8080/auth/realms/camunda-platform
audience: zeebe-api
type: keycloak
```
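Review bot: In the `zeebe.broker.gateway.security.authentication` table, the `mode` row lists `none` as a supported mode and as the example value, but never says what `none` means for incoming requests, and the snippet below it shows `mode: none` directly after a note stating that multi-tenancy requires `'identity'`. Suggest stating explicitly in the description that `none` means no authentication is performed by the embedded gateway, and that it cannot be combined with `multitenancy.enabled: true`, so a reader does not copy the `none` snippet into a multi-tenant setup.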
Expand Up @@ -333,6 +333,10 @@ To use multi-tenancy, you must set [`authentication.mode`](#zeebegatewayclusters
[`identity.baseUrl`](#zeebegatewayclustersecurityauthenticationidentity) as well.
:::

:::note
If you are using an embedded gateway, refer to the [broker configuration guide](./broker.md/#multitenancy-configuration).
:::

| Field | Description | Example value |
| ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| enabled | Enables multi-tenancy for the cluster. This setting can also be overridden using the environment variable `ZEEBE_GATEWAY_MULTITENANCY_ENABLED`. | True |
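Review bot: The added note links to the section heading anchor `#multitenancy-configuration`, while the reciprocal link in broker.md targets the property-path anchor `#zeebegatewaymultitenancy`. For symmetry, and so the reader lands on the `enabled` table rather than on the introductory paragraph, consider pointing at the `zeebe.broker.gateway.multitenancy` heading anchor instead, in the same style as `#zeebebrokergatewaysecurityauthentication`.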
Expand Up @@ -565,3 +565,76 @@ processing: maxCommandsInBatch = 100
See the experimental section of the [broker.yaml.template](https://github.com/camunda/zeebe/blob/main/dist/src/main/config/broker.yaml.template#L733).

Be aware that all configuration's which are part of the experimental section are subject to change and can be dropped at any time.

### Multitenancy configuration

For an embedded gateway setup, any gateway property can be passed along to the `StandaloneBroker` by prefixing `zeebe.broker`.

#### zeebe.broker.gateway.multitenancy

Multi-tenancy in Zeebe can be configured with the following configuration properties.
Multi-tenancy is disabled by default.
Read more [in the multi-tenancy documentation](../../../self-managed/concepts/multi-tenancy.md).

:::note
For now, multi-tenancy is only supported in combination with Identity.
To use multi-tenancy, you must set [`authentication.mode`](#zeebebrokergatewaysecurityauthentication) to `'identity'` and specify the
`camunda.identity.baseUrl` property or the [corresponding Camunda Identity environment variable](../../identity/deployment/configuration-variables.md#core-configuration)
as well.
:::

:::note
If you are using a standalone gateway, refer to the [gateway configuration guide](./gateway.md/#zeebegatewaymultitenancy).
:::

| Field | Description | Example value |
| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| enabled | Enable multitenancy in the embedded gateway. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED`. | False |

##### YAML snippet

```yaml
broker:
gateway:
multitenancy:
enabled: false
```

#### zeebe.broker.gateway.security.authentication

| Field | Description | Example value |
| ----- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
| mode | Controls which authentication mode is active; supported modes are `none` and `identity`. If `identity` is set, authentication will be done using [camunda-identity](/self-managed/identity/what-is-identity.md), which needs to be configured in the corresponding subsection. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE`. | none |

##### YAML snippet

```yaml
security:
authentication:
mode: none
```

#### zeebe.broker.gateway.security.authentication.identity

:::note
The Zeebe configuration properties for Camunda Identity are deprecated as of version `8.4.0`. Use the dedicated
Camunda Identity properties or the [corresponding environment variables](../../identity/deployment/configuration-variables.md#core-configuration).
:::

| Field | Description | Example value |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
| issuerBackendUrl | The URL to the auth provider backend, used to validate tokens. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL`. | http://keycloak:8080/auth/realms/camunda-platform |
| audience | The required audience of the auth token. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE`. | zeebe-api |
| baseUrl | The URL to the Identity instance. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL`. | http://identity:8084 |

##### YAML snippet

```yaml
security:
authentication:
mode: identity
identity:
issuerBackendUrl: http://keycloak:8080/auth/realms/camunda-platform
audience: zeebe-api
type: keycloak
```
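Review bot: The three YAML snippets in this section are rooted at different levels: the multitenancy snippet starts at `broker:` although the heading path is `zeebe.broker.gateway.multitenancy`, and the two authentication snippets start at `security:` with no parent keys at all, so it is unclear where each fragment belongs in the broker configuration file. Suggest rooting all three at the same level with the full parent path shown. Two smaller consistency points: the `enabled` example value is `False` while the snippet uses `false`, and the section heading says "Multitenancy" while the body text uses "multi-tenancy".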
Expand Up @@ -340,6 +340,10 @@ To use multi-tenancy, you must set [`authentication.mode`](#zeebegatewayclusters
as well.
:::

:::note
If you are using an embedded gateway, refer to the [broker configuration guide](./broker.md/#multitenancy-configuration).
:::

| Field | Description | Example value |
| ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
| enabled | Enables multi-tenancy for the cluster. This setting can also be overridden using the environment variable `ZEEBE_GATEWAY_MULTITENANCY_ENABLED`. | true |