Identity with own Keycloak

Hello,

we evaluate self-managed Camunda Platform 8 and want to connect the Identity Service with our own already running Keycloak.
I exported the camunda-platform realm from the docker-compose demo and imported it into our Keycloak. After import I need to regenerate the client secrets. Configuration of the client secrets for operate and tasklist is documented and could be done via environment variables, but I don’t know how to configure the client secret for the identity service. So I always get a 401 Unauthorized - Unable to connect to Keycloak - error on identity service startup.

What am I missing?

Or is the recommended way to integrate existing users via the Camunda Keycloak and configuring the existing Keycloak as User Federation Provider?

Best regards,
Nathanael

Hey @nathanael

thanks for trying Zeebe and I’m sorry that you’re currently running into issues. Did you consider the helm charts as an alternative? camunda-platform-helm/charts/camunda-platform at main · camunda/camunda-platform-helm · GitHub here it should be easier to bring your own keycloak instance. Be aware it is recommended to use the Helm charts for your production environment. You can also take a look at the templates, this might help you to set up the same with your docker compose, or you check these camunda-platform/docker-compose.yaml at main · camunda/camunda-platform · GitHub docker compose files.

Greets
Chris

Hi @Zelldon

thanks for your answer. I looked at the helm charts and yes it seems there is the possibility to configure the keycloak.auth.adminUser and keycloak.auth.existingSecret for Identity.
Do these configuration variables also exist for docker-compose but are not documented?
Or is it not only recommended, but also not possible to use docker-compose for production because of missing configuration options?

Greets
Nathanael

Hey @nathanael

I would say yes, because at the end they just set some environment variables and maybe configure some secrets. Which docker-compose file do you use? Is it built by you or anything we provide? I guess you can check the configuration for keycloak here Docker Hub

Greets
Chris

I started with this docker-compose and removed the keycloak service and changed the KEYCLOAK_URL and IDENTITY_AUTH_PROVIDER_BACKEND_URL for the identity service to our Keycloak.
But now the Identity Service gets a 401 when calling Keycloak because our Keycloak Admin Password is not admin. That's why the identity service needs some more environment variables, but I find only these: Configuration variables | Camunda Platform 8
and there is nothing like keycloak.admin.password etc.

After looking into the identity.jar I found an environment variable KEYCLOAK_SETUP_PASSWORD which can be used for an existing Keycloak Admin account.

But I also understand now that I don’t need Identity necessarily for my application.

1 Like
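For readers landing here with the same setup, below is an added docker-compose fragment (not from any post in this thread and not Camunda's own compose file) showing how the three variables named above fit together for an Identity container that talks to an externally managed Keycloak. Only KEYCLOAK_URL, IDENTITY_AUTH_PROVIDER_BACKEND_URL and KEYCLOAK_SETUP_PASSWORD come from the thread; the image tag, port, hostnames, the `/auth` path prefix and the KEYCLOAK_SETUP_USER variable name are assumptions or placeholders to be checked against the Identity documentation for the version in use.

```yaml
# Added example (not from the thread): Identity service wired to an existing Keycloak.
# Assumptions/placeholders: image tag, port 8084, hostnames, the /auth prefix
# (depends on the Keycloak version) and the KEYCLOAK_SETUP_USER variable name.
services:
  identity:
    image: camunda/identity:<version>          # placeholder: keep the tag your compose file already pins
    ports:
      - "8084:8084"                            # assumed Identity port
    environment:
      # Public URL that browsers are redirected to for login (from the thread).
      KEYCLOAK_URL: https://keycloak.example.internal/auth
      # URL Identity itself uses to reach Keycloak; may differ from the public one
      # (from the thread; realm name taken from the exported camunda-platform realm).
      IDENTITY_AUTH_PROVIDER_BACKEND_URL: https://keycloak.example.internal/auth/realms/camunda-platform
      # Admin credentials Identity uses on startup to set up its realm and clients.
      # A wrong password here is exactly what produces the 401 described above.
      # Both values are interpolated from the shell or an untracked .env file, so the
      # password never lives in the committed compose file.
      KEYCLOAK_SETUP_USER: ${KEYCLOAK_SETUP_USER}                                   # assumed variable name
      KEYCLOAK_SETUP_PASSWORD: ${KEYCLOAK_SETUP_PASSWORD:?set KEYCLOAK_SETUP_PASSWORD in .env}
```

The `${VAR:?message}` form makes `docker compose up` fail fast with a clear message when the password is not provided, instead of starting Identity with an empty credential and leaving a 401 in the logs to diagnose. Use a dedicated Keycloak admin account for this setup step rather than the shared superadmin, so the credential can be rotated or revoked independently.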