Camunda 8.8 I dont have tab authorization in module identity

Hamza_Masood · November 12, 2025, 11:51am

I am from engineering side. I maintain the Helm chart. I’m sorry you are having problems.
I would like to ask some questions:

Could you please outline the exact Helm configuration that you were struggling with on the Camunda docs? Additionally, please specify precisely what is wrong with the configurations so we can correct it. I appreciate you bringing this to our attention.

Also, I would like to know the architecture that you are targeting. From my reading of this thread, I notice that you would like to install the Camunda 8.8 Helm chart with internal Keycloak and Management Identity dependent components enabled. Is that correct?

Finally, assuming that you would like to install the 8.8 Helm chart with internal keycloak, could you please send a complete values.yaml file that you are having trouble with? I can debug it for you.

Thanks.

LuckyLuk · November 13, 2025, 2:45pm

LuckyLuk:

```yaml

global:
  ingress:
    enabled: true
    className: nginx
    host: camunda.my.domain.com
    tls:
      enabled: true
      secretName: camunda-tls
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt
      acme.cert-manager.io/http01-ingress-class: nginx
  multitenancy:
    enabled: false

  secrets:
    autoGenerated: false
    name: camunda-credentials

  identity:
    auth:
      enabled: true
      type: KEYCLOAK
      publicIssuerUrl: "https://camunda.my.domain.com/auth/realms/camunda-platform"

      webModeler:
        redirectUrl: "https://camunda.my.domain.com/modeler"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-webmodeler-client-token"

      console:
        redirectUrl: "https://camunda.my.domain.com/console"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-console-client-token"

      optimize:
        redirectUrl: "https://camunda.my.domain.com/optimize"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-optimize-client-token"

      orchestration:
        redirectUrl: "https://camunda.my.domain.com"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"

      connectors:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

identity:
  enabled: true
  contextPath: "/identity"
  fullURL: "https://camunda.my.domain.com/identity"
  firstUser:
    secret:
      existingSecret: "camunda-credentials"
      existingSecretKey: "identity-firstuser-password"

identityPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "identity-postgresql-admin-password"
      userPasswordKey: "identity-postgresql-user-password"

identityKeycloak:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    passwordSecretKey: "identity-keycloak-admin-password"
  postgresql:
    auth:
      existingSecret: "camunda-credentials"
      secretKeys:
        adminPasswordKey: "identity-keycloak-postgresql-admin-password"
        userPasswordKey: "identity-keycloak-postgresql-user-password"


optimize:
  enabled: true
  contextPath: "/optimize"

console:
  enabled: true
  contextPath: "/console"

webModeler:
  enabled: true
  contextPath: "/modeler"
  restapi:
    mail:

      fromAddress: noreply@example.com


webModelerPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "webmodeler-postgresql-admin-password"
      userPasswordKey: "webmodeler-postgresql-user-password"


orchestration:
  contextPath: /
  enabled: true
  clusterSize: "1"
  partitionCount: "1"
  replicationFactor: "1"
  security:
    authentication:
      unprotectedApi: false
      method: oidc
      oidc:
        redirectUrl: "https://camunda.my.domain.com/identity"
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-orchestration-client-token"
    authorizations:
      enabled: true


  ingress:
    grpc:
      enabled: true
      host: zeebe-camunda.my.domain.com
      tls:
        enabled: true
        secretName: zeebe-c8-tls-grpc
      annotations:
        kubernetes.io/tls-acme: 'true'

connectors:
  enabled: true
  security:
    authentication:
      method: oidc
      oidc:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-connectors-client-token"

elasticsearch:
  enabled: true
  master:
    replicaCount: 1
    persistence:
      size: 10Gi

Yes, exactly — I’d like to install Camunda 8.8 with the internal components that depend on Keycloak and Management Identity.
I’ve of course sent it above; it looks like Orchestration is not being installed.
Everything works for me, except that when I go to /identity the Authorization tab is missing, even though it is enabled according to the documentation.

Hamza_Masood · November 14, 2025, 6:58pm

@LuckyLuk
In 8.8, we have 2 Identity components. We have Management Identity and also Identity in the Orchestration Cluster.Management Identity does not have an authorization tab. The authorization tab exists in Identity, within the Orchestration Cluster.

Having that said, I see that you set the Orchestration cluster context path to / and the Management Identity context path to /identity. Then you try to access the Orchestration Cluster Identity through /identity. This will not work because the sub-paths of Orchestration Cluster will conflict with the context path you have set for Management Identity.

To explain further, these are the conflicting paths:

/ → Orchestration Cluster
/identity → Identity in the Orchestratoin Cluster
/identity → Management Identity

I also see that the redirectUrl for the Orchestration Cluster is pointing to /identity , which is the path for Management Identity. Is there a specific reason why you did this? The redirectUrl for the Orchestration Cluster should point to the Orchestration Cluster, not Management Identity.

If the reason is just a lack of understanding of how context paths work then I would recommend you to stick with the context paths we have mentioned here: Configure the Helm chart with Ingress | Camunda 8 Docs

If you follow the context paths that we recommend then you can access:

Management Identity through: /identity
Identity within the Orchestration Cluster through: /orchestration/identity
Operate: /orchestration/operate
Tasklist: /orchestration/tasklist