Version: 8.9 (unreleased)

Set up the Helm chart with basic authentication

By default, Camunda 8 Self-Managed uses basic authentication for all components deployed through the Helm chart. This method requires no additional configuration and is ideal for local or development environments.

Note: Because basic authentication is enabled by default, components that depend on Management Identity (which implements OIDC/OAuth authentication) are disabled by default. These components include:

  • Management Identity
  • Console
  • Web Modeler
  • Keycloak
  • Optimize

In this guide, you'll learn how to:

  • Deploy the Orchestration Cluster and Connectors with basic authentication.
  • Add additional components using a hybrid approach that combines basic authentication and OIDC.

Enable the Orchestration Cluster and Connectors

The Orchestration Cluster and Connectors are enabled, by default, with basic authentication. No additional configuration is required—simply deploy the Helm chart, and these components will be available.

Default users

Two users are created by default:

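| Username  | Password  | Role       | Description                                                                            |
|-----------|-----------|------------|----------------------------------------------------------------------------------------|
| demo      | demo      | admin      | Initial administrative user                                                            |
| connector | connector | connectors | Used by the Connectors component to authenticate with the Orchestration Cluster API    |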

For details on configuring initial users and their roles, see Orchestration Cluster Identity initialization.

Helm arrays

In Helm, arrays must be overwritten in full. If you change these configuration settings, include the default array in your custom values.yaml if you want to keep those users and role assignments. For example, when adding the user foo or assigning roles to foo, also keep the values for the demo and connectors users.

Connect to the cluster

To access the Orchestration Cluster and Connectors from your local machine using kubectl port-forward, refer to Accessing components without Ingress.

Log in with the default credentials:

  • Username: demo
  • Password: demo

Enable additional components

The following components require Management Identity with an OIDC provider and, therefore, don't support basic authentication:

  • Console
  • Web Modeler
  • Optimize

However, you can still enable these components alongside a basic authentication Orchestration Cluster by using a hybrid authentication setup:

  • Orchestration Cluster and Connectors use basic authentication
  • Console, Web Modeler, Optimize, and Management Identity use OIDC

In this section, you'll learn how to configure hybrid authentication with internal Keycloak. You can also apply this approach with other OIDC setups, such as external Keycloak or an external OIDC provider.

When deploying process models from Web Modeler to a basic authentication Orchestration Cluster, you'll be prompted to enter credentials in the deployment dialog.

Configuration steps

Follow the internal Keycloak guide with these modifications:

  1. When you create a secret, omit the following keys. They aren't needed for basic authentication setups:

    • identity-connectors-client-token
    • identity-orchestration-client-token
  2. Set basic as the authentication method for the Orchestration Cluster and Connectors:

     orchestration:
       security:
         authentication:
           method: basic

     connectors:
       security:
         authentication:
           method: basic

  3. Skip the OIDC sections for the Orchestration Cluster and Connectors.

Full configuration example

This example shows a complete configuration of hybrid authentication with internal Keycloak:

global:
  identity:
    auth:
      enabled: true
      optimize:
        secret:
          existingSecret: "camunda-credentials"
          existingSecretKey: "identity-optimize-client-token"

identity:
  enabled: true
  firstUser:
    secret:
      existingSecret: "camunda-credentials"
      existingSecretKey: "identity-firstuser-password"

identityKeycloak:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    passwordSecretKey: "identity-keycloak-admin-password"
  postgresql:
    auth:
      existingSecret: "camunda-credentials"
      secretKeys:
        adminPasswordKey: "identity-keycloak-postgresql-admin-password"
        userPasswordKey: "identity-keycloak-postgresql-user-password"

optimize:
  enabled: true

connectors:
  security:
    authentication:
      method: basic

webModeler:
  enabled: true
  restapi:
    mail:
      fromAddress: noreply@example.com

webModelerPostgresql:
  enabled: true
  auth:
    existingSecret: "camunda-credentials"
    secretKeys:
      adminPasswordKey: "webmodeler-postgresql-admin-password"
      userPasswordKey: "webmodeler-postgresql-user-password"

orchestration:
  security:
    authentication:
      method: basic

console:
  enabled: true
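
The following pre-deployment check is an added example, not part of the Camunda documentation or the Helm chart. It lints a values.yaml for the hybrid setup described above: it reports components left on basic authentication and OIDC-only components enabled without Management Identity. The parser covers only the nested-mapping subset of YAML shown on this page, and the function names and finding messages are assumptions of this example.

```python
# Added example: lint Helm values for the hybrid authentication setup.
OIDC_ONLY = ("console", "webModeler", "optimize")  # need Management Identity (OIDC)
BASIC_CAPABLE = ("orchestration", "connectors")

def parse_mappings(text):
    """Parse the nested-mapping subset of YAML used on this page (no lists)."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close deeper or sibling levels
            stack.pop()
        parent, value = stack[-1][1], value.strip().strip('"')
        if value:
            parent[key] = {"true": True, "false": False}.get(value, value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def lookup(values, path, default=None):
    for part in path.split("."):
        if not isinstance(values, dict) or part not in values:
            return default
        values = values[part]
    return values

def lint(values):
    findings = []
    for comp in BASIC_CAPABLE:
        # Unset falls back to the chart default, which the page states is basic.
        if lookup(values, f"{comp}.security.authentication.method", "basic") == "basic":
            findings.append(f"{comp}: basic authentication, review default users")
    oidc_ready = (lookup(values, "identity.enabled") is True
                  and lookup(values, "global.identity.auth.enabled") is True)
    for comp in OIDC_ONLY:
        if lookup(values, f"{comp}.enabled") is True and not oidc_ready:
            findings.append(f"{comp}: enabled without Management Identity (OIDC)")
    return findings

# Constructed sample: Web Modeler enabled, Management Identity left off.
SAMPLE = "webModeler:\n  enabled: true\n"
if __name__ == "__main__":
    print("\n".join(lint(parse_mappings(SAMPLE))))
```

Run against the full configuration example above, it reports only the two basic authentication findings, which is the expected result for a hybrid deployment.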

Connect to the cluster

To access the additional components, refer to Connect to the cluster in the internal Keycloak guide.

Next steps