Installation of Camunda 8.8 within a Kubernetes Cluster

Hello,

I have been fighting for some days to find a way to install Camunda 8.8 within a Kubernetes cluster, but I have not found any solution so far. Almost all components are installed, except for Connectors, where the connection to the Zeebe gateway is refused.
I attached my current chart values to this post. Please do not hesitate to correct them if something appears wrong.

Best regards,

Maurice.

camunda8-values.yaml (4.1 KB)

This looks like a common Kubernetes connectivity issue where Connectors can’t reach the Zeebe gateway service. I found the following relevant resources:

Does this help? If not, can anyone from the community jump in?



Hi, this seems most probably an authentication issue with Keycloak and the connectors client.

Check if you have configured the correct audience/scopes and Client ID from Orchestration and connectors together. Orchestration needs to know the Connectors Client ID and vice versa plus Connector needs the audience/scope from Orchestration configured, at least with an Entra ID authentication, but I think Keycloak should be equal.

As I don’t use Keycloak, I can’t really say what is exactly needed unfortunately.
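
The audience, scope and client ID check suggested above can be done by decoding the access token the Connectors client actually receives. This is an added example, not part of the original posts or Camunda's own code; the expected audience `orchestration-api`, the client ID `connectors` and the sample token are constructed placeholders.

```python
import base64
import json


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying the signature.
    Diagnostic use only: it shows what the IdP issued, not that it is authentic."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(claims: dict, expected_audience: str, expected_client_id: str,
                required_scopes: frozenset = frozenset()) -> list:
    """Return the mismatches between a token's claims and the expected config."""
    problems = []
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)  # str or list
    if expected_audience not in audiences:
        problems.append(f"audience {expected_audience!r} not in aud={audiences}")
    # Keycloak names the requesting client in 'azp'; other IdPs use 'client_id' or 'appid'.
    client = claims.get("azp") or claims.get("client_id") or claims.get("appid")
    if client != expected_client_id:
        problems.append(f"client id is {client!r}, expected {expected_client_id!r}")
    scope = claims.get("scope") or claims.get("scp") or ""
    granted = set(scope.split()) if isinstance(scope, str) else set(scope)
    missing = set(required_scopes) - granted
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample: issued to the connectors client, but for the wrong
# audience. All names are placeholders, not values from this thread.
SAMPLE = make_sample({"azp": "connectors", "aud": "account", "scope": "openid profile"})

if __name__ == "__main__":
    for line in check_token(decode_claims(SAMPLE), "orchestration-api", "connectors"):
        print("MISMATCH:", line)
```

An empty result means the token carries the audience, client ID and scopes the receiving side is configured to expect; the decoded claims are unverified and suit troubleshooting only.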

Thanks for your suggestion. Since you do not use Keycloak, can I ask you what you use for auth?

In addition, here is my config for orchestration:

orchestration:
  enabled: true
  clusterSize: "1" # String, not integer
  partitionCount: "1" # String, not integer
  replicationFactor: "1" # String, not integer

  security:
    authentication:
      method: oidc
      oidc:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/orchestration"
        secret:
          existingSecret: "ca-identity-secret-camunda88"
          existingSecretKey: "orchestration-secret"

  env:
    # 1. Start the internal Gateway thread
    - name: ZEEBE_BROKER_GATEWAY_ENABLE
      value: "true"
    
    # 2. Bind to the public network interface (Crucial!)
    - name: ZEEBE_BROKER_GATEWAY_NETWORK_HOST
      value: "0.0.0.0"
    
    # 3. Explicitly set the port (This "unlocks" 26500)
    - name: CAMUNDA_API_GRPC_PORT
      value: "26500"
    
    # 4. Disable SSL for internal cluster traffic
    - name: CAMUNDA_API_GRPC_SSL_ENABLED
      value: "false"

    # 5. Ensure the data exporter is configured correctly
    - name: CAMUNDA_DATA_SECONDARY_STORAGE_ELASTICSEARCH_URL
      value: "http://camunda-elasticsearch:9200"

I got a suggestion from a colleague, who told me that the REST_API_CLIENT_ADRESS and GRPC_ADDRESS for connectors should be http://orchestration:8080 instead of http://camunda-zeebe-gateway:26500, because that service does not exist in Camunda 8.8.

Sorry for the late response; I’m using Entra ID auth with OIDC tokens.

Regarding that suggestion, this service is still available and used in Camunda 8.8; see my k get svc output:

camunda-dev-zeebe-gateway         ClusterIP   10.10.10.10    <none>        9600/TCP,8080/TCP,26500/TCP 

Also I have only configured the gateway to be enabled and this is working fine so far:

orchestration:
  configuration: |
    zeebe:
      broker:
        gateway:
          enable: true

I now have an issue with Camunda Identity, which cannot connect to Keycloak. Here is the latest config.

# GLOBAL
global:
  ingress:
    enabled: true
    className: nginx
    annotations:
      cert-manager.io/cluster-issuer: acme
      kubernetes.io/tls-acme: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    host: "camunda88-demo.k8s.amm.btc-ag.cloud"
    tls:
      enabled: true
      secretName: "camunda88-tls"

  elasticsearch:
    enabled: true
    external: false
    url:
      protocol: "http"
      port: 9200

  identity:
    auth:
      enabled: true
      publicIssuerUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/auth/realms/camunda-platform"
      console:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/console"
        secret:
          existingSecret: "ca-identity-secret-camunda88"
          existingSecretKey: "console-secret"
      webModeler:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/modeler"
      optimize:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/optimize"
        secret:
          existingSecret: "ca-identity-secret-camunda88"
          existingSecretKey: "optimize-secret"
      orchestration:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/orchestration"
        secret:
          existingSecret: "ca-identity-secret-camunda88"
          existingSecretKey: "orchestration-secret"
      connectors:
        secret:
          existingSecret: "ca-identity-secret-camunda88"
          existingSecretKey: "connectors-secret"
      identity:
        redirectUrl: "https://camunda88-demo.k8s.amm.btc-ag.cloud/identity"


# ELASTICSEARCH
elasticsearch:
  enabled: true
  master:
    replicaCount: 1
  persistence:
    size: 10Gi


# IDENTITY
identity:
  enabled: true
  contextPath: /identity
  fullURL: "https://camunda88-demo.k8s.amm.btc-ag.cloud/identity"
  firstUser:
    secret:
      existingSecret: "camunda-credentials"
      existingSecretKey: "identity-firstuser-password"
  


# IDENTITY_KEYCLOAK
identityKeycloak:
  enabled: true
  postgresql:
    auth:
      existingSecret: "ca-identity-secret-camunda88"
      secretKeys:
        adminPasswordKey: "identity-keycloak-postgresql-admin-password"
        userPasswordKey: "identity-keycloak-postgresql-user-password"
  ingress:
    enabled: true
    tls: true
  auth:
    existingSecret: "ca-identity-secret-camunda88"
    passwordSecretKey: "identity-keycloak-admin-password"