[ISSUE] Using external keycloak

[jlett1990]

Describe the issue:

Can't get external Keycloak to work with existing values.

Actual behavior:

Identity can't connect to keycloak.

Expected behavior:

Using the global identity.keycloak section would configure keycloak.

How to reproduce:

  global:
    identity:
      auth:
        # Disable the Identity authentication for local development
        # it will fall back to basic-auth: demo/demo as default user
        enabled: false
      keycloak:
        url:
          protocol: http
          host: keycloak-linux
          port: 8080
        realm: "camunda-platform"
        auth:
          adminUser: test
          existingSecret: keycloak-password
          existingSecretKey: password

I believe this section of the identity deployment.yaml should be updated, I don't actually see these in the values.yaml. Sorry if I'm mistaken.

            - name: KEYCLOAK_URL
              value: {{ include "identity.keycloak.url" . | quote }}
            - name: KEYCLOAK_SETUP_USER
              value: {{ include "identity.keycloak.authAdminUser" . | quote }}
            - name: KEYCLOAK_SETUP_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ include "identity.keycloak.authExistingSecret" . }}
                  key: {{ include "identity.keycloak.authExistingSecretKey" . }}

Logs:

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

• Platform: Docker Desktop]
• Helm CLI version: v3.15.3
• Chart version: Latest
• Values file: Below

camunda-platform:
  global:
    identity:
      auth:
        # Disable the Identity authentication for local development
        # it will fall back to basic-auth: demo/demo as default user
        enabled: false
      keycloak:
        url:
          protocol: http
          host: mcm-keycloak-linux
          port: 8080
        realm: "camunda-platform"
        auth:
          adminUser: test
          existingSecret: keycloak-password
          existingSecretKey: password

    ingress:
      enabled: true
      className: nginx
      host: "camunda.local"

  # Disable identity as part of the Camunda core
  identity:
    enabled: true
    firstUser:
      enabled: true
      username: test
      password: test

  # Disable keycloak
  identityKeycloak:
    enabled: false

  optimize:
    enabled: false

  operate:
    contextPath: "/operate"
  tasklist:
    contextPath: "/tasklist"

  # Reduce for Zeebe and Gateway the configured replicas and with that the required resources
  # to get it running locally
  zeebe:

    connectors:
      inbound:
        enabled: true
      outbound:
        enabled: true
    clusterSize: 1
    partitionCount: 1
    replicationFactor: 1
    pvcSize: 10Gi

  zeebeGateway:
    ingress:
      enabled: true
      className: nginx
      host: "zeebe.camunda.local"
    replicas: 1

    inbound:
      mode: disabled

  elasticsearch:
    master:
      replicaCount: 1
      # Request smaller persistent volumes.
      persistence:
        size: 15Gi

[aabouzaid]

@jlett1990 Did you follow the official guide for using external Keycloak?
https://docs.camunda.io/docs/8.5/self-managed/setup/guides/using-existing-keycloak/

Also, according to the values you provide, if you use the Camunda chart directly, there is no need to use camunda-platform key:

camunda-platform:
  global:
    identity:
      auth:

It should be:

global:
  identity:
    auth:

One more thing, please provide the info about Chart version.

[ggrames]

Hi, i have seen this problem also in my configuration:
These two lines
name: {{ include "identity.keycloak.authExistingSecret" . }}
key: {{ include "identity.keycloak.authExistingSecretKey" . }}
are accessing a value from the values.xml which are not existing.
So in my opinion there is missing a dot "." between auth and ExistingSecret
it should be:
name: {{ include "identity.keycloak.auth.ExistingSecret" . }}
key: {{ include "identity.keycloak.auth.ExistingSecretKey" . }}

my Chart version is: --version=11.0.1