C8.8 Self-Managed: Minimal OIDC Auth using Orchestration Cluster without Management Identity

Hello,

I’m new to Camunda 8.8 and trying to achieve a minimal setup. I want to use OIDC authentication for the Orchestration Cluster (Zeebe, Operate, Tasklist) but without deploying the standalone Management Identity component.

My setup requirements:

  • Orchestration Cluster only (using its internal Identity logic).

  • OIDC enabled (connected to an internal Keycloak).

  • No Management Identity

I am struggling to find the correct Helm configuration to spin the cluster up. Could you help me to start my minimalistic config:

global:
  elasticsearch:
    enabled: true
  identity:
    auth:
#      console:
#        redirectUrl: https://camunda.example.com/console
#      enabled: true
#      identity:
#        redirectUrl: https://camunda.example.com/managementidentity
#      issuer: https://camunda.example.com/auth/realms/camunda-platform
#      issuerBackendUrl: http://camunda-keycloak:80/auth/realms/camunda-platform
#      optimize:
#        redirectUrl: https://camunda.example.com/optimize
#        secret:
#          existingSecret: camunda-credentials
#          existingSecretKey: identity-optimize-client-token
#      publicIssuerUrl: https://camunda.example.com/auth/realms/camunda-platform
      type: KEYCLOAK
#      webModeler:
#        redirectUrl: https://camunda.example.com/modeler
#    enabled: true
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
    className: nginx
    enabled: true
    host: camunda.example.com
    tls:
      enabled: true
      secretName: camunda-platform
  secrets:
    autoGenerated: true
    name: camunda-credentials
  security:
    authentication:
      method: oidc

orchestration:
  clusterSize: "1"
  contextPath: /
  extraVolumeMounts:
    - mountPath: /mkcert-ca
      name: mkcert-ca
      readOnly: true
    - mountPath: /opt/java-truststore
      name: java-truststore
  extraVolumes:
    - configMap:
        name: mkcert-ca
      name: mkcert-ca
    - emptyDir: {}
      name: java-truststore
  ingress:
    grpc:
      className: nginx
      enabled: true
      host: zeebe-camunda.example.com
      tls:
        enabled: true
        secretName: camunda-platform
  initContainers:
    - command:
        - sh
        - -c
        - |
          cp $JAVA_HOME/lib/security/cacerts /opt/java-truststore/cacerts
          chmod 644 /opt/java-truststore/cacerts
          keytool -import -trustcacerts -keystore /opt/java-truststore/cacerts -storepass changeit -noprompt -alias mkcert-ca -file /mkcert-ca/ca.crt
      image: camunda/camunda:latest
      name: import-ca-cert
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 1001
      volumeMounts:
        - mountPath: /mkcert-ca
          name: mkcert-ca
          readOnly: true
        - mountPath: /opt/java-truststore
          name: java-truststore
  javaOpts: -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/usr/local/camunda/data
    -XX:ErrorFile=/usr/local/camunda/data/camunda_error%p.log -XX:+ExitOnOutOfMemoryError
    -Djavax.net.ssl.trustStore=/opt/java-truststore/cacerts -Djavax.net.ssl.trustStorePassword=changeit
  partitionCount: "1"
  pvcSize: 10Gi
  replicationFactor: "1"
  resources:
    limits:
      cpu: 2000m
      memory: 2Gi
    requests:
      cpu: 300m
      memory: 512Mi
  security:
    authentication:
      oidc:
        redirectUrl: https://camunda.example.com
        secret:
          existingSecret: camunda-credentials
          existingSecretKey: identity-orchestration-client-token
    initialization:
      defaultRoles:
        admin:
          users:
            - admin


elasticsearch:
  enabled: true
  master:
    heapSize: 1g
    persistence:
      size: 15Gi
    replicaCount: 1
    resources:
      limits:
        cpu: 2
        memory: 3Gi
      requests:
        cpu: 0.5
        memory: 1536Mi

identity:
  enabled: false
identityKeycloak:
  enabled: false
connectors:
  enabled: false
console:
  enabled: false
optimize:
  enabled: false
webModeler:
  enabled: false
webModelerPostgresql:
  enabled: false

Also, I have several questions:

  • Does Camunda 8.8 require Management Identity to be explicitly enabled for the internal Keycloak to function?

  • What should be enabled in the global.identity block? (global.identity.enabled or global.identity.auth.enabled; I do not need Management Identity)

  • Do I need identityKeycloak and thereafter postgresql for identityKeycloak?

I’m a little confused, please help.

You can run Camunda 8.8 Orchestration Cluster with OIDC authentication without Management Identity by setting global.security.authentication.method: oidc, configuring OIDC directly on orchestration.security.authentication.oidc, and disabling both identity.enabled: false and identityKeycloak.enabled: false. I found the following relevant resources:

Does this help? If not, can anyone from the community jump in? :waving_hand:

:light_bulb: Hints: Use the Ask AI feature in Camunda’s documentation to chat with AI and get fast help. Report bugs and features in Camunda’s GitHub issue tracker. Trust the process. :robot:

Keep in mind, I would like to use internal Keycloak. And, I would like to have the internal Keycloak preconfigured.

Friends, please help me to fix my minimalistic config. I do not want useless config values.

Hello!

For a minimal Camunda 8.8 setup with OIDC via Keycloak but without the standalone Management Identity, the key is to configure global.identity.auth correctly and keep identity.enabled off so the Management Identity component doesn’t deploy. Instead, you rely on the internal Identity logic of the orchestration cluster (Zeebe, Operate, Tasklist).
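Before wiring the orchestration cluster to the internal Keycloak, it is worth checking that the realm's OpenID discovery document is reachable through the mkcert CA and that its issuer matches the public issuer the cluster will trust. This is an added pre-flight script, not code from the thread or the Camunda chart; the issuer URLs are the ones in the config above, and the CA file path is an assumption mirroring the extraVolumeMounts.

```python
"""Pre-flight check for the OIDC issuer the orchestration cluster will use.

Added example (not from the thread or the Camunda chart). It fetches the
Keycloak realm's discovery document, trusting only the mkcert CA, and checks
that the `issuer` it advertises equals the public issuer configured in the
Helm values. Tokens carry that issuer in `iss`, so a mismatch between the
public issuer and the backend URL is a common cause of rejected logins.
"""
import json
import ssl
import urllib.request

# Values taken from the thread's config; the CA path is an assumption.
PUBLIC_ISSUER = "https://camunda.example.com/auth/realms/camunda-platform"
BACKEND_ISSUER = "http://camunda-keycloak:80/auth/realms/camunda-platform"
CA_FILE = "/mkcert-ca/ca.crt"  # hypothetical path, mirrors the mkcert-ca mount

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Build the OpenID discovery URL for an issuer without doubling slashes."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, expected_issuer: str) -> list:
    """Return the problems found in a discovery document; empty means OK."""
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(
            f"issuer mismatch: got {doc.get('issuer')!r}, expected {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"missing {key}")
        elif not str(doc[key]).startswith("https://"):
            problems.append(f"{key} is not served over TLS: {doc[key]}")
    return problems


def fetch_discovery(issuer: str, cafile: str) -> dict:
    """Fetch the discovery document, trusting only the given CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = discovery_url(issuer)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Query the in-cluster backend URL but insist on the public issuer value.
    report = validate_discovery(fetch_discovery(BACKEND_ISSUER, CA_FILE), PUBLIC_ISSUER)
    print("\n".join(report) or "discovery document OK")
```

Run it from a pod that has the mkcert CA mounted; an empty report means the cluster-side trust store and the realm's frontend URL are consistent.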