Camunda 8 on Kubernetes with Keycloak

I have set up Camunda 8 on an Azure Kubernetes (AKS) cluster by following the instructions given in the wonderful blog post Using Helm and Kubernetes to deploy Camunda 8 by @Hafflgav.
Thanks to @Zelldon who helped me resolve some issues concerning the ingress usage (see forum post 38364), Camunda is up and running now.

However, at the moment, only basic security is available as I have not yet managed to get Keycloak properly configured so that it could be used. Whenever I try to install the full Camunda 8 Helm package including Identity and Optimize (which depends on Identity), a few pods fail to start up after the installation. I can see in the logs that the pod belonging to the Keycloak StatefulSet shows a ReadinessProbe failure. Without Keycloak, the Identity deployment does not work either and Optimize cannot run without Identity.

Unfortunately, I do not (yet) understand how Identity and Keycloak correlate in the Camunda setup and how Keycloak would need to be reconfigured to make it work. @Hafflgav mentioned in his blog post a port-forward at port 18080 but obviously, this specific port cannot be exposed via the ingress controller that I use. What service(s) do I need to expose to enable Identity? Are special ports or paths required?

Can anyone briefly explain to me what a valid setup is supposed to look like? I would love to understand how the Keycloak-based access management is integrated into the Camunda architecture on Kubernetes and what that means for the involved Kubernetes resources and their respective interaction. I could not find much documentation, so any help is highly appreciated! 🙂

Hey @Greg,

Identity uses Keycloak.

If you are not in production, then can you please try to delete the PVCs and retry the installation.

You can follow my blog as well: Deploy Camunda 8 on Kubernetes using Helm | by Krishna Kumar Dey | Jul, 2022 | Medium

Hey @Greg

for an overview of the components you might want to check out the image I drew once (Camunda Helm charts | Camunda Platform 8); maybe this helps.

If you upgrade/change your installation, make sure to either delete the PVCs as suggested by @krishnadey or follow this guide: Camunda Helm charts | Camunda Platform 8

If you do an upgrade/reinstallation, the PVCs still exist since they are not managed by Helm. This causes issues for Keycloak etc., since passwords are regenerated and will not match the passwords persisted in the PVC.

Hope that helps.

Greets
Chris
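
One way to script the cleanup that @krishnadey and Chris describe, as an added example that is not from this thread or from Camunda's own Helm charts: it filters a `kubectl get pvc` listing down to the claims that belong to a release, emits the `helm uninstall` / `kubectl delete pvc` sequence for review, and only executes that sequence when called with `--live`. The release name `camunda`, the namespace `camunda`, and the PVC names in the embedded sample listing are assumptions constructed for the example; the only thing taken from the thread is that Helm leaves PVCs behind, so a reinstall regenerates passwords that no longer match what is persisted in them.

```shell
#!/bin/sh
# Added example (not from the thread or the Camunda charts): remove the PVCs
# left behind by a previous Helm release before reinstalling, so that freshly
# generated Keycloak/PostgreSQL passwords are not checked against stale data.

REL="${REL:-camunda}"   # assumed Helm release name
NS="${NS:-camunda}"     # assumed namespace

# Constructed sample of "kubectl get pvc -n $NS" output; the PVC names are
# invented for the example. StatefulSet PVCs are named
# <claimTemplate>-<statefulset>-<ordinal>, so the release name sits inside.
SAMPLE_PVC_LIST='NAME                                               STATUS   VOLUME    CAPACITY
data-camunda-postgresql-0                          Bound    pvc-aaa   8Gi
data-camunda-zeebe-0                               Bound    pvc-bbb   32Gi
elasticsearch-data-camunda-elasticsearch-master-0  Bound    pvc-ccc   64Gi
data-other-app-db-0                                Bound    pvc-ddd   1Gi'

# Read a "kubectl get pvc" listing on stdin and print only the PVC names that
# contain the release name ($1); the header line is skipped.
select_camunda_pvcs() {
  awk -v rel="$1" 'NR > 1 && index($1, rel) > 0 { print $1 }'
}

# Read a listing on stdin and print the cleanup sequence for release $1 in
# namespace $2 without running anything, so it can be reviewed first.
cleanup_commands() {
  rel="$1"
  ns="$2"
  printf 'helm uninstall %s -n %s\n' "$rel" "$ns"
  select_camunda_pvcs "$rel" | while read -r pvc; do
    printf 'kubectl delete pvc %s -n %s\n' "$pvc" "$ns"
  done
}

# Default: dry run against the constructed sample listing.
# "--live": take the real listing from the cluster and execute the commands.
if [ "${1:-}" = "--live" ]; then
  kubectl get pvc -n "$NS" | cleanup_commands "$REL" "$NS" | sh -x
elif [ "${1:-}" = "--dry-run" ] || [ -z "${1:-}" ]; then
  printf '%s\n' "$SAMPLE_PVC_LIST" | cleanup_commands "$REL" "$NS"
fi
```

After the PVCs are gone, re-run the `helm install` from the blog post; the Keycloak StatefulSet then starts with a fresh volume and the passwords Helm generates for it match what ends up persisted. A PVC that does not contain the release name (the `data-other-app-db-0` line in the sample) is deliberately left untouched.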

Hello @krishnadey and @Zelldon, my apologies for the late response. I have been on vacation for the past weeks.
Your hints regarding the PVCs were really helpful! I did not realize that the PVCs were not managed by Helm like the other Kubernetes resources. Since I had to retry the installation several times, the PVCs remaining from the previous attempt(s) apparently caused some conflicts, which resulted in the reported Keycloak issues. Removing the old PVCs solved the problem.
Many thanks for your help!
