UPDATE 1: I made progress thanks to this topic on manually disabling SSL in Keycloak. We don’t use the whitelisted IP ranges by Keycloak so SSL is required.
- Under “master” realm, setting “Require SSL” to “None” will allow creation of “camunda-platform” realm.
- Once created, under “camunda-platform” realm, setting “Require SSL” to “None” will allow creation of roles and “demo” user and Identity to eventually start.
Remaining issues:
- Manually disabling SSL is just a workaround, but I have yet to find a long-term solution for production.
- Logging out in Operate or Identity won’t work.
- Logging in will redirect to http only (e.g. my-operate-fullname-service.domain.tld/api/login), even though my OpenShift route specifies “insecureEdgeTerminationPolicy: Redirect”.
- When the connection token expires, Identity will no longer be accessible and logs will show the following error:
io.camunda.identity.sdk.impl.rest.exception.RestException: request failed with status code '400' and body '{"error":"invalid_grant","error_description":"Session not active"}'
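
As an added illustration (not part of the original post, and not Keycloak or Camunda code), the sketch below models how a realm's `sslRequired` value (`none`, `external`, `all`) decides whether a plain-HTTP request is accepted, and audits realm settings for the `none` workaround described above. The private ranges follow the Keycloak documentation's description of the `external` mode; the realm data, client addresses and function names are constructed assumptions.

```python
import ipaddress

# Ranges the Keycloak docs describe as exempt from HTTPS in "external" mode.
# Simplified model for illustration, not Keycloak's own implementation.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def https_required(ssl_required: str, client_ip: str) -> bool:
    """Return True if a request from client_ip must use HTTPS."""
    mode = ssl_required.lower()
    if mode == "none":
        return False
    if mode == "all":
        return True
    if mode == "external":
        addr = ipaddress.ip_address(client_ip)
        return not any(addr in net for net in PRIVATE_NETS)
    raise ValueError(f"unknown sslRequired value: {ssl_required!r}")

def audit_realms(realms, client_ips):
    """Flag realms left on 'none' and clients that 'external' would reject over HTTP."""
    findings = []
    for realm in realms:
        name = realm["realm"]
        mode = realm.get("sslRequired", "external")  # "external" is the default
        if mode.lower() == "none":
            findings.append((name, "sslRequired=none: plain HTTP accepted from any address"))
            continue
        for ip in client_ips:
            if https_required(mode, ip):
                findings.append((name, f"{ip} must use HTTPS (sslRequired={mode})"))
    return findings

# Constructed sample data: realm settings as they would appear in a realm export,
# and two hypothetical in-cluster client addresses.
SAMPLE_REALMS = [
    {"realm": "master", "sslRequired": "none"},
    {"realm": "camunda-platform", "sslRequired": "external"},
]
SAMPLE_CLIENTS = ["10.128.2.15", "100.64.3.7"]

if __name__ == "__main__":
    for realm, message in audit_realms(SAMPLE_REALMS, SAMPLE_CLIENTS):
        print(f"[{realm}] {message}")
```

With the sample data, the `master` realm is flagged for the workaround, and only the client outside the private ranges is reported as needing HTTPS under `external`.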