ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE:none does not disable Identity-based authentication

[nicpuppa]

Describe the bug

It should be possible to set the env var ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none, then use the Zeebe REST API without authenticating via Identity/Keycloak as mentioned in our docs

To Reproduce

• Install using separated-ingress-values.yaml and helm charts 10.0.5.
• Port forwarding the zeebe-gateway pod
• Try to execute the GET topology REST API with no bearer token: rest.zeebe.c8.dev.local/v1/topology.

The result is a 401 Unauthorized error.

Expected behavior

Setting ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE to none should disable Identity-based authentication.

Hint

Customer said that: If the spring.profiles.active: identity-auth in zeebe-gateway/configmap.yaml is commented-out/deactivated, then the Identity-based authentication is disabled.

Environment:

• Camunda version: 8.5
• Helm chart version: 10.0.4

Related to support case SUPPORT-22024

[korthout]

Likelihood high because it is documented as such, and severity mid because there is a workaround present.

We should probably resolve this in the helm charts.

[korthout]

I believe the culprit is: https://github.com/camunda/camunda-platform-helm/blob/95625f4295bcf141cf434a50f2005f7489aa00d9/charts/camunda-platform-alpha/templates/zeebe-gateway/configmap.yaml#L18-L21

{{- if .Values.zeebe.enabled -}}
kind: ConfigMap
metadata:
  name: {{ include "zeebe.fullname.gateway" . }}-configuration
  labels:
    {{- include "zeebe.labels.gateway" . | nindent 4 }}
apiVersion: v1
data:
  gateway-log4j2.xml: |
{{- if .Values.zeebeGateway.log4j2 }}
    {{ .Values.zeebeGateway.log4j2 | indent 4 | trim }}
{{- end }}
{{- if .Values.zeebeGateway.configuration }}
  application.yaml: |
    {{ .Values.zeebeGateway.configuration | indent 4 | trim }}
{{- else }}
  application.yaml: |
    {{- if .Values.global.identity.auth.enabled }}
    spring:
      profiles:
        active: "identity-auth"

[korthout]

My thought is that we should change that the profile is not made active on the gateway if the security.authentication.mode=none.

[korthout]

@aabouzaid and I investigated resolving this in the helm charts.

---

Our first thought was that the value of the environment variable ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none could be problematic in helm charts, due to a quirk in yaml: none can be interpreted as null by some yaml parsers. We tested this by setting ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=NONE instead and unsuccessfully rerunning the test:

curl https://89t564-gke-2039.ci.distro.ultrawombat.com/zeebe/v1/topology
{"type":"about:blank","title":"Unauthorized","status":401,"detail":"Not Authenticated","instance":"https://89t564-gke-2039.ci.distro.ultrawombat.com/zeebe/v1/topology"}%

---

We then explored some ideas how we could ensure that the spring profile identity-auth is not set to active when the ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE env var is set to none. However, this leads to complex logic in the helm charts and is typically not suggested.

A better solution is to allow users of Zeebe Gateway to both enable the identity-auth profile and set ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none simultaneously. The result should be that ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none disables the authentication, regardless of the auto configuration provided by the identity-auth spring profile. This way, users are in control and can override settings explicitly.

Next, I'll explore what the identity-auth profile actually does in Zeebe Gateway, to see what the best way is to allow ZEEBE_GATEWAY_SECURITY_AUTHENTICATION_MODE=none to take precedence.