How to install core 'identity' module?

I use this configuration file:

Looks like it is about changing ‘enabled’ to true.

# Disable identity as part of the Camunda core
identity:
  enabled: false

But it will throw the error ‘authIssuerBackendUrl’ (so Identity requires Keycloak or another auth provider).
My goal is to manage users, groups and roles in Camunda. I do not want Keycloak or an external auth provider - is that possible?

To do this you have realistically 2 choices.

  1. Use Identity → Keycloak (which then uses Postgres to store user data) which can be included in your helm configuration
  2. Use Identity → External OIDC authorization service (IdP)

There is no way internally within Camunda 8 itself to manage users, which is why Keycloak is included in the Helm chart.

Thank you.
What is the correct yaml file to use helm keycloak configuration? I’m experimenting (again not clear at all in Camunda documentation):

global:
  identity:
    auth:
      enabled: true

identity:
  keycloak:
    clientSecret: some_secret
    url: http://camunda-platform-keycloak:80/auth
    realm: camunda-platform
    # https://hub.docker.com/r/bitnami/keycloak/tags
    image:
      repository: bitnami/keycloak
      tag: 22.0.5
    #how to set admin user and password?
    postgresql:
      # https://hub.docker.com/r/bitnami/postgresql/tags
      image:
        repository: bitnami/postgresql
        tag: 15.5.0

identityKeycloak:
  enabled: true

In Connect to an existing Keycloak instance | Camunda 8 Docs there is an instruction:

* Set the `IDENTITY_CLIENT_SECRET` [environment variable](https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/) with the value from **Step 9**.
* Set the `KEYCLOAK_REALM` [environment variable](https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/) to the realm you selected in **Step 2**.

Where? For Identity pod?
And statement:
Start Identity.
What url?

Regards

Honestly, it sounds like you are starting from green-field, so starting from the full (not CORE) Helm chart is going to be your best bet.

I’m not a user of the Helm charts at the moment, so can’t really point you in a specific direction. I’ve just really read the forum and the documentation pages.

From

With a KinD cluster with a functioning Helm, you should be able to

But… this is likely to run your system out of memory, and you still need to define your ingress configuration.

The KinD document (which I’m sure you already found) Local Kubernetes cluster | Camunda 8 Docs specifically tells you that it doesn’t use Identity

KinD is intended for a development box, so not everything you would expect in a production deployment is included in it – and that includes Identity.

There might be a way to install Identity beside the KinD Core install, and configure both to work together, but that’s really a lot more in depth than I can provide input on.

I’ve been through this already:

helm repo add camunda https://helm.camunda.io
helm repo update
helm install camunda camunda/camunda-platform

For some reason that was not working on my PC (in addition I really do not need some big cluster for test purpose).

I go with installation:

.\kind.exe create cluster --name camunda-platform-local
helm install camunda-platform camunda/camunda-platform -f D:\Helm\camunda.yaml

And config:

global:
  identity:
    auth:
      enabled: true

identity:
  keycloak:
    clientSecret: some_secret
    url: http://camunda-platform-keycloak:80/auth
    realm: camunda-platform
    # https://hub.docker.com/r/bitnami/keycloak/tags
    image:
      repository: bitnami/keycloak
      tag: 22.0.5
    #how to set admin user and password?
    postgresql:
      # https://hub.docker.com/r/bitnami/postgresql/tags
      image:
        repository: bitnami/postgresql
        tag: 15.5.0

identityKeycloak:
  enabled: true

optimize:
  enabled: false

zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
  pvcSize: 10Gi

zeebeGateway:
  replicas: 1

connectors:
  enabled: true
  inbound:
    mode: disabled

elasticsearch:
  master:
    replicaCount: 1
    # Request smaller persistent volumes.
    persistence:
      size: 15Gi

I made it work. But I had to define several variables manually. I believe I could have them in the config to avoid this work after installation. Could anyone look at it and tell me what the correct config should be?
I think ‘url’ is not needed, I should add ‘auth-server-url’ probably… etc

So I manage permissions in Identity but create users in Keycloak?

There must be some bug because Identity session in the browser behaves very strangely. It expires for an unknown reason, and refreshing doesn’t help – just a blank page. I have to wait for a while for it to work again. I am looking into this.