Helm chart for Camunda 8.6.x with OIDC Microsoft Entra ID and Identity on GKE

Hello Camunda gurus,
We are struggling to configure the Camunda 8.6.x Helm charts for OIDC (Microsoft Entra ID) with Identity. Has anyone had success with this configuration on GKE?

All services (tasklist, operate, console, zeebe, identity, optimize) deployed successfully along with their pods; however, the “connectors” pod keeps failing with the error Unable to connect to camunda-zeebe-gateway:26500

Also, when we navigate to /tasklist or /operate, we have no permission to view tasklist or operate, respectively. How do groups and users from Azure AD get populated into the Identity Postgres database, so that permissions, roles, groups, etc. are set up automatically, or is that not possible?

We followed every step described at this link:

https://docs.camunda.io/docs/self-managed/setup/guides/connect-to-an-oidc-provider/

In addition to the Helm chart sample for Entra ID, we added the following to make sure there is a Postgres database for Camunda Identity.

identityPostgresql:
  enabled: true

# Disable keycloak
identityKeycloak:
  enabled: false

We had to comment out Web Modeler because we were experiencing errors:

* Deployment.apps "camunda-web-modeler-restapi" is invalid: spec.template.spec.containers[0].env[2].valueFrom.secretKeyRef.name: Invalid value: "": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Here is the entire values.yaml:

global:
  identity:
    auth:
      enabled: true
      issuer: https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0
      # this is used for container to container communication
      issuerBackendUrl: https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0
      tokenUrl: https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/oauth2/v2.0/token
      jwksUrl: https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/discovery/v2.0/keys
      type: "MICROSOFT"
      publicIssuerUrl: https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0
      identity:
        clientId: "identity-client-id"
        existingSecret: "identity-secret"
        audience: "identity-client-id"
        # audience: "camunda-identity-resource-server"
        initialClaimName: "oid"  # default value
        initialClaimValue: "kshdks987-23874623h" # Object ID for my profile in Entra ID
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/auth/login-callback"
      operate:
        clientId: "jhgads-ejhgd7863-kjsb"
        audience: "jhgads-ejhgd7863-kjsb"
        # audience: "operate-api"
        existingSecret: "hello-there-where-are-ytou"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/identity-callback"
      tasklist:
        clientId: "hakjdh-ajgad7864rjghsj-sdjhk8"
        audience: "hakjdh-ajgad7864rjghsj-sdjhk8"
        # audience: "tasklist-api"
        existingSecret: "skjhdk-sfdgsdhj-sdkjfhs9kjh-sdjgf"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/identity-callback"
      optimize:
        clientId: "7ksjh-siusd98kjshf-sdkfjg67-skjfb"
        audience: "7ksjh-siusd98kjshf-sdkfjg67-skjfb"
        # audience: "optimize-api"
        existingSecret: "kshjdf-sukh76234ksjhfs98e-0sdkjh87sshdk"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/api/authentication/callback"
      zeebe:
        clientId: "sdjh908348jshc9348ksj-isdh"
        audience: "sdjh908348jshc9348ksj-isdh"
        # audience: "zeebe-api"
        existingSecret: "ksjfdh-jsgdf765jghgsfd-sdjgsd765343-sjhbdfsjb"
        tokenScope: "sdjh908348jshc9348ksj-isdh/.default"
      # webModeler:
      #   clientId: "sfkhk-sdkbjf87sdkhjf-sdjhf786ihk"
      #   existingSecret: "skdhj-dskjh8743kjsf-sdkjbcg65r23ejhsdc"
      #   clientApiAudience: "web-modeler-api"
      #   publicApiAudience: "web-modeler-public-api"
      #   redirectUrl: "https://camunda-workflow-dev.abcdefg.com/modeler"
      console:
        clientId: "skdhfj-sdfkjnh7864kjhsf-sdkjb876khdj"
        audience: "skdhfj-sdfkjnh7864kjhsf-sdkjb876khdj"
        # audience: "console-api"
        existingSecret: "kjhsd-dksh78634kjsfc-sdfkjb87634js-"
        redirectUrl: "https://camunda-workflow-dev.abcdefg.com/console"
      connectors:
        clientId: "skdjhkf-fkdshj7843-sdkjhc98"
        existingSecret: "fhij-sdlkfj98-sdlkfhk89437kjsf-dksjbfk"

# webModeler:
#   nodeSelector:
#     cloud.google.com/gke-nodepool: camunda-nodepool
#   enabled: true
#   image:
#     pullSecrets:
#       - name: registry-camunda-cloud
#   contextPath: "/modeler"
#   fullURL: "https://camunda-workflow-dev.abcdefg.com/modeler"
#   replicas: 1
#   service:
#     annotations:
#       cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
#       cloud.google.com/backend-config: '{"default": "camunda-hc-modeler"}' # Attach the backend config to the service
#   postgresql:
#     enabled: true
#   restapi:
#     mail:
#       smtpHost: "smtp.makethemrave.dev"
#       smtpPort: 587
#       smtpUser: "user"
#       smtpPassword: "secret"
#       # Email address to be displayed as sender of emails from Web Modeler
#       fromAddress: "no-reply@makethemrave.dev"

console:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/console"
  fullURL: "https://camunda-workflow-dev.abcdefg.com/console"
  enabled: true
  replicas: 1
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-console"}' # Attach the backend config to the service

identity:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/identity"
  fullURL: "https://camunda-workflow-dev.abcdefg.com/identity"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-identity"}' # Attach the backend config to the service

identityPostgresql:
  enabled: true

operate:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/operate"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-operate"}' # Attach the backend config to the service

tasklist:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/tasklist"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created
      cloud.google.com/backend-config: '{"default": "camunda-hc-tasklist"}' # Attach the backend config to the service

optimize:
  nodeSelector:
    cloud.google.com/gke-nodepool: camunda-nodepool
  contextPath: "/optimize"
  service:
    annotations:
      cloud.google.com/neg: '{"ingress": true}' # Creates a NEG after an Ingress is created

# Disable keycloak
identityKeycloak:
  enabled: false

connectors:
  enabled: true
  # These entries duplicate what global.identity.auth.zeebe / .identity already describe;
  # whatever is set here overrides the chart's own wiring, so keep the two in sync.
  # Literal secrets in env values land in plain text in the values file and the rendered
  # manifest; prefer valueFrom.secretKeyRef pointing at a Kubernetes Secret.
  env:
    - name: ZEEBE_CLIENT_ID
      value: "sdjh908348jshc9348ksj-isdh"
    - name: ZEEBE_CLIENT_SECRET
      value: "ksjfdh-jsgdf765jghgsfd-sdjgsd765343-sjhbdfsjb"
    # The Zeebe client POSTs the client-credentials grant to this URL, so it must be the
    # OAuth token endpoint (the same URL as global.identity.auth.tokenUrl), not the
    # issuer URL ".../v2.0", which is only the identifier the client checks "iss" against.
    - name: ZEEBE_AUTHORIZATION_SERVER_URL
      value: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/oauth2/v2.0/token"
    - name: ZEEBE_TOKEN_AUDIENCE
      value: "sdjh908348jshc9348ksj-isdh"
    # Entra ID v2 client-credentials scope: "<client id of the resource app>/.default"
    - name: ZEEBE_TOKEN_SCOPE
      value: "sdjh908348jshc9348ksj-isdh/.default"
    - name: CAMUNDA_IDENTITY_TYPE
      value: "MICROSOFT"
    - name: CAMUNDA_IDENTITY_AUDIENCE
      value: "identity-client-id"
    - name: CAMUNDA_IDENTITY_CLIENT_ID
      value: "identity-client-id"
    - name: CAMUNDA_IDENTITY_CLIENT_SECRET
      value: "identity-secret"
    # Issuer used for pod-to-pod token validation; same as global.identity.auth.issuerBackendUrl
    - name: CAMUNDA_IDENTITY_ISSUER_BACKEND_URL
      value: "https://login.microsoftonline.com/abcdef-ghity87-kjhgdao-876/v2.0"
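Editor's note, not part of the original post: most of what goes wrong with a setup like the one above is a URL, scope or claim in values.yaml that does not match what the provider actually publishes (issuer vs. token endpoint for ZEEBE_AUTHORIZATION_SERVER_URL, an audience that is not in the token's "aud", an "oid" that differs from initialClaimValue). The script below is an added example, written here and not Camunda's own tooling, that cross-checks the relevant values against an OIDC discovery document and against the claims of an access token. DISCOVERY, VALUES and the sample token are constructed to mirror the post (tenant and client ids are the post's placeholders); for a real check, load DISCOVERY from the tenant's /.well-known/openid-configuration and pass a token obtained from the browser or a client-credentials call.

```python
"""Offline consistency check for the OIDC (Entra ID) settings in a Camunda 8.6 values.yaml.

Added example, not part of the original post or of Camunda's tooling. DISCOVERY, VALUES
and the sample token are constructed to mirror the post; in practice load DISCOVERY from
<issuer>/.well-known/openid-configuration and pass a real access token to check_token().
"""
import base64
import json

TENANT = "abcdef-ghity87-kjhgdao-876"  # tenant placeholder taken from the post
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
ZEEBE_CLIENT = "sdjh908348jshc9348ksj-isdh"

# Constructed: the three discovery fields the checks need, as Entra ID publishes them.
DISCOVERY = {
    "issuer": ISSUER,
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}

# Constructed: the subset of the posted values.yaml that the checks look at.
VALUES = {
    "global": {"identity": {"auth": {
        "issuer": ISSUER, "issuerBackendUrl": ISSUER,
        "tokenUrl": DISCOVERY["token_endpoint"], "jwksUrl": DISCOVERY["jwks_uri"],
        "identity": {"clientId": "identity-client-id", "audience": "identity-client-id",
                     "initialClaimName": "oid", "initialClaimValue": "kshdks987-23874623h"},
        "zeebe": {"clientId": ZEEBE_CLIENT, "audience": ZEEBE_CLIENT,
                  "tokenScope": f"{ZEEBE_CLIENT}/.default"},
    }}},
    "connectors": {"env": [
        {"name": "ZEEBE_AUTHORIZATION_SERVER_URL", "value": ISSUER},  # as posted: the issuer URL
        {"name": "ZEEBE_TOKEN_AUDIENCE", "value": ZEEBE_CLIENT},
    ]},
}

def env_value(values, name):
    """Value of a connectors.env entry, or None when it is not set."""
    return next((e.get("value") for e in values.get("connectors", {}).get("env", [])
                 if e.get("name") == name), None)

def check_values(values, discovery):
    """Compare the chart's OIDC URLs and scope with the provider's discovery document.
    Returns a list of findings; an empty list means everything lines up."""
    auth, findings = values["global"]["identity"]["auth"], []
    for key, disc_key in (("issuer", "issuer"), ("issuerBackendUrl", "issuer"),
                          ("tokenUrl", "token_endpoint"), ("jwksUrl", "jwks_uri")):
        if auth.get(key) != discovery[disc_key]:
            findings.append(f"global.identity.auth.{key}={auth.get(key)!r} differs from "
                            f"discovery {disc_key}={discovery[disc_key]!r}")
    zeebe = auth["zeebe"]
    # Entra ID v2 client-credentials tokens are requested for '<resource client id>/.default'.
    if zeebe.get("tokenScope") != f"{zeebe['clientId']}/.default":
        findings.append("global.identity.auth.zeebe.tokenScope should be '<zeebe clientId>/.default'")
    # The Zeebe client POSTs the client-credentials grant to this URL, so it must be the
    # token endpoint; the issuer URL is an identifier, not the place the grant is sent.
    auth_url = env_value(values, "ZEEBE_AUTHORIZATION_SERVER_URL")
    if auth_url is not None and auth_url != discovery["token_endpoint"]:
        findings.append(f"connectors.env ZEEBE_AUTHORIZATION_SERVER_URL={auth_url!r}; "
                        f"expected token_endpoint {discovery['token_endpoint']!r}")
    aud = env_value(values, "ZEEBE_TOKEN_AUDIENCE")
    if aud is not None and aud != zeebe.get("audience"):
        findings.append("connectors.env ZEEBE_TOKEN_AUDIENCE differs from global.identity.auth.zeebe.audience")
    return findings

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with an empty signature, only so the claim checks can run offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature: fine for reading claims while
    debugging, never for trusting them (Identity verifies against jwksUrl first)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token: str, auth: dict):
    """Check that a token carries the issuer, audience and initial-user claim Identity expects."""
    claims, ident, findings = decode_claims(token), auth["identity"], []
    if claims.get("iss") != auth["issuer"]:
        findings.append(f"iss={claims.get('iss')!r} differs from global.identity.auth.issuer")
    aud = claims.get("aud")
    if ident["audience"] not in (aud if isinstance(aud, list) else [aud]):
        findings.append(f"aud={aud!r} does not contain identity audience {ident['audience']!r}")
    name = ident.get("initialClaimName", "oid")
    if claims.get(name) != ident["initialClaimValue"]:
        findings.append(f"{name}={claims.get(name)!r} differs from initialClaimValue, so this "
                        "user is not matched as Identity's initial user")
    return findings

if __name__ == "__main__":
    print(*(check_values(VALUES, DISCOVERY) or ["values.yaml matches the discovery document"]), sep="\n")
    sample = make_unsigned_token({"iss": ISSUER, "aud": "identity-client-id", "oid": "kshdks987-23874623h"})
    print(*(check_token(sample, VALUES["global"]["identity"]["auth"]) or ["token claims match Identity"]), sep="\n")
```

Run as-is it reports exactly one finding for the constructed values: ZEEBE_AUTHORIZATION_SERVER_URL is the issuer rather than the token endpoint. decode_claims deliberately skips signature verification so you can paste any token and read its "aud" and "oid"; do not reuse it anywhere that has to trust the token.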