Please supply a valid client secret for Optimize

Hi,
I am trying to install Camunda 8.6 on an AKS cluster. The Identity pod is failing to start due to the error below.
I have verified that the Optimize secret is set up correctly and is being set as an env variable in the Identity pod (KEYCLOAK_INIT_OPTIMIZE_SECRET).
I am unable to identify what may cause this. Can someone please help with this?

Please supply a valid client secret for Optimize.

:: Spring Boot :: (v3.3.9)

2025-05-07 18:14:52.472 INFO 1 --- [ main] i.c.i.Application : Starting Application using Java 17.0.14 with PID 1 (/app/identity.jar started by camunda in /app)
2025-05-07 18:14:52.482 INFO 1 --- [ main] i.c.i.Application : The following 1 profile is active: "keycloak"
2025-05-07 18:14:54.887 WARN 1 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'globalMethodSecurityConfig' of type [io.camunda.identity.security.config.GlobalMethodSecurityConfig$$SpringCGLIB$$0] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying). Is this bean getting eagerly injected/applied to a currently created BeanPostProcessor [healthEndpointGroupsBeanPostProcessor]? Check the corresponding BeanPostProcessor declaration and its dependencies/advisors. If this bean does not have to be post-processed, declare it with ROLE_INFRASTRUCTURE.
Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
Standard Commons Logging discovery in action with spring-jcl: please remove commons-logging.jar from classpath in order to avoid potential conflicts
2025-05-07 18:14:58.173 INFO 1 --- [ main] i.c.i.Application : Started Application in 6.879 seconds (process running for 8.428)
2025-05-07 18:15:01.688 ERROR 1 --- [ main] .c.i.i.k.i.s.ClientInitializationService : Please supply a valid client secret for Optimize

Would you please share the chart file you are using to deploy Camunda? Are you deploying with default values or customized values?

values-latest.yaml (3.8 KB)

PFA the values file. I am using a customized values file.

How did you create the secrets? I see you mentioned the same secret name in all the places; how is the object key created?

You can check the environment variables to make sure all the variables are set.

https://docs.camunda.io/docs/next/self-managed/identity/deployment/configuration-variables/#component-configuration

Also, you can refer to the old thread,

I have created the secrets as below:

apiVersion: v1
kind: Secret
metadata:
  name: camunda-secret-for-components
type: Opaque
data:
  connectors-secret: <base64_secret>
  console-secret: <base64_secret>
  operate-secret: <base64_secret>
  optimize-secret: <base64_secret>
  tasklist-secret: <base64_secret>
  zeebe-secret: <base64_secret>
  admin-password: <base64_secret>
  postgres-password: <base64_secret>
  password: <base64_secret>
  smtp-password: <base64_secret>

I have verified that the below environment variables are being set; I will check for the remaining ones:

KEYCLOAK_INIT_CONSOLE_SECRET=<secret_value>
KEYCLOAK_INIT_OPERATE_SECRET=<secret_value>
KEYCLOAK_INIT_OPTIMIZE_SECRET=<secret_value>
KEYCLOAK_INIT_TASKLIST_SECRET=<secret_value>
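
An added example, not part of the thread or of Camunda's tooling: a check that each component key in the Secret posted above exists and decodes to a usable value, reporting only a status so no secret is printed. The function names and the sample JSON are constructed for illustration; the key names are the ones from the manifest above.

```python
import base64
import binascii
import json

# Component keys taken from the Secret manifest posted in this thread.
EXPECTED_KEYS = ["connectors-secret", "console-secret", "operate-secret",
                 "optimize-secret", "tasklist-secret", "zeebe-secret"]

def check_value(b64_value):
    """Classify one Secret data value without ever returning the plaintext."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if not raw:
        return "empty"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not-utf8"
    if text != text.strip():
        # Typical cause: `echo value | base64` instead of `printf %s value | base64`.
        return "leading-or-trailing-whitespace"
    return "ok"

def audit_secret(secret_json, expected_keys=EXPECTED_KEYS):
    """Return {key: status} for each expected key of a Secret in JSON form."""
    data = json.loads(secret_json).get("data") or {}
    return {k: check_value(data[k]) if k in data else "missing-key"
            for k in expected_keys}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample, shaped like `kubectl get secret <name> -o json` output.
SAMPLE = json.dumps({"kind": "Secret", "data": {
    "connectors-secret": _b64("conn-example"),
    "console-secret": _b64("cons-example"),
    "operate-secret": _b64("oper-example"),
    "optimize-secret": _b64("opt-example\n"),  # encoded with a trailing newline
    "tasklist-secret": "",                     # key present, value empty
    # "zeebe-secret" deliberately absent
}})

if __name__ == "__main__":
    for key, status in audit_secret(SAMPLE).items():
        print(f"{key:20s} {status}")
```

To run it against a cluster, pass the output of `kubectl get secret camunda-secret-for-components -o json` to `audit_secret` in place of `SAMPLE`.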

Hi @ziansari ,

The error message:

ClientInitializationService : Please supply a valid client secret for Optimize

means that Camunda Optimize is unable to start or connect properly because it wasn’t provided with a valid client secret for authentication (usually with Keycloak or Identity service).

Why this happens?

Camunda Optimize needs to authenticate against Camunda Identity (or another OIDC provider like Keycloak). This requires a client ID and client secret that must be configured correctly.

Check your Optimize configuration

If you’re using environment variables or a values.yaml file in Helm, locate the equivalent.

Ensure this section is configured (example for Identity):

camundaIdentity:
  enabled: true
  url: http://<identity-host>:8080
  clientId: optimize
  clientSecret: YOUR_SECRET_HERE

Or in environment variables:

OPTIMIZE_CAMUNDAIDENTITY_ENABLED=true
OPTIMIZE_CAMUNDAIDENTITY_URL=http://<identity-host>:8080
OPTIMIZE_CAMUNDAIDENTITY_CLIENTID=optimize
OPTIMIZE_CAMUNDAIDENTITY_CLIENTSECRET=YOUR_SECRET_HERE

Replace YOUR_SECRET_HERE with the actual secret configured in Identity or Keycloak.


Verify the client in Identity (or Keycloak)

If you’re using Camunda Identity:

  • Log in to Identity admin panel (usually http://<identity-host>:8080)
  • Check the client named optimize exists
  • Ensure it has a client secret configured
  • Ensure that the client is allowed to request scopes like profile, email, etc.

If using Keycloak:

  • Go to the Clients section

  • Find the optimize client

  • Make sure it is:

    • Enabled
    • Has a valid client secret
    • Is configured for confidential access type

Restart Optimize

After making these changes, restart the Optimize service to pick up the new configuration.

Debug

Enable debug logs for auth:

logging:
  level:
    com.camunda.optimize: DEBUG

This can help trace issues with secret validation or identity service connection.