For the complete documentation index, see llms.txt.
Skip to main content
Version: 8.9

Configure Docker Compose environments

Use this page to choose the Docker Compose file that matches your local setup, find component URLs, and review authentication defaults.

Choose a Docker Compose configuration

Camunda provides three Docker Compose configurations in the Camunda Distributions repository:

Configuration fileDescription
docker-compose.yamlDefault lightweight configuration. Includes the Orchestration Cluster, Connectors, and Elasticsearch. Use this for most local development scenarios.
docker-compose-full.yamlFull configuration. Includes the Orchestration Cluster, Connectors, Optimize, Console, Management Identity, Keycloak, PostgreSQL, and Web Modeler. Use this when you need management components, process optimization, or browser-based modeling.
docker-compose-web-modeler.yamlStandalone Web Modeler configuration. Runs only Web Modeler and its dependencies. For deployment details, see deploy with Web Modeler.

To start a specific configuration, run one of the following commands:

  • Default lightweight configuration:

    docker compose up -d
  • Full configuration:

    docker compose -f docker-compose-full.yaml up -d
  • Standalone Web Modeler:

    docker compose -f docker-compose-web-modeler.yaml up -d
note

In these quickstart configurations, the Orchestration Cluster uses Elasticsearch as secondary storage by default. The PostgreSQL container in the full configuration is used by management components such as Management Identity and Web Modeler, not as Orchestration Cluster secondary storage.

If you want to run the Orchestration Cluster with RDBMS secondary storage, see configure secondary storage with Docker Compose.

Access components

Once the containers are running, you can access the components in your browser.

Use the following default credentials for web interfaces:

  • Username: demo
  • Password: demo

Orchestration Cluster

The Orchestration Cluster is the core of Camunda 8 and provides process automation capabilities.

ComponentURLDescription
Operatehttp://localhost:8080/operateMonitor and troubleshoot process instances. See Introduction to Operate and Process instance creation.
Tasklisthttp://localhost:8080/tasklistComplete user tasks in running process instances. See User tasks.
Orchestration Cluster Adminhttp://localhost:8080/adminManage users and permissions in the lightweight configuration.
Orchestration Cluster REST APIhttp://localhost:8080/v2REST API for process automation.
Orchestration Cluster gRPC APIlocalhost:26500gRPC API for high-performance process automation.

Management and modeling components

The following components are available in the full configuration only:

ComponentURLDescription
Consolehttp://localhost:8087Manage clusters and component configurations.
Optimizehttp://localhost:8083Analyze and improve process performance.
Management Identityhttp://localhost:8084Manage users for Console, Optimize, and Web Modeler.
Web Modelerhttp://localhost:8070Model BPMN processes, DMN decisions, and forms.

External dependencies

ComponentConfigurationURLDescription
ElasticsearchLightweight and fullhttp://localhost:9200Used by the Orchestration Cluster as secondary storage, and by Optimize in the full configuration.
KeycloakFullhttp://localhost:18080/auth/OIDC provider for Management Identity. The lightweight configuration uses the embedded Orchestration Cluster Admin instead. Access Keycloak with admin / admin.
PostgreSQLFulllocalhost:5432Database for Management Identity and Web Modeler. In these quickstart configurations, the Orchestration Cluster continues to use Elasticsearch as secondary storage.

Authentication

note

By default, the lightweight configuration uses Basic authentication for the Orchestration Cluster. The full configuration uses Keycloak for Management Identity authentication.

Lightweight configuration

  • Web UI: Log in to Operate and Tasklist with demo / demo.
  • APIs: REST and gRPC APIs are publicly accessible by default.

Full configuration

  • Web UI: Log in to Operate, Tasklist, Console, Optimize, and Web Modeler with demo / demo.
  • APIs: REST and gRPC APIs require OAuth with the following settings:
    • Client ID: orchestration
    • Client secret: secret
    • OAuth URL: http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token
    • Audience: orchestration-api

For details, see Orchestration Cluster REST API authentication.

Enable multi-tenancy

Multi-tenancy requires an authenticated API. How you enable it depends on the configuration you run.

Lightweight configuration

Create a docker-compose.override.yaml next to the compose file that protects the API and switches on the tenancy checks:

services:
orchestration:
environment:
CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI: "false"
CAMUNDA_SECURITY_MULTITENANCY_CHECKSENABLED: "true"
CAMUNDA_SECURITY_MULTITENANCY_APIENABLED: "true"
connectors:
environment:
CAMUNDA_CLIENT_AUTH_METHOD: basic
CAMUNDA_CLIENT_AUTH_USERNAME: demo
CAMUNDA_CLIENT_AUTH_PASSWORD: demo

Start the stack with docker compose up -d and manage tenants through the Orchestration Cluster API or the Orchestration Cluster Admin UI at http://localhost:8080/admin:

# Create a tenant
curl -u demo:demo -X POST http://localhost:8080/v2/tenants \
-H 'Content-Type: application/json' -d '{"tenantId": "tenant-a", "name": "Tenant A"}'
# Assign the demo user to it
curl -u demo:demo -X PUT http://localhost:8080/v2/tenants/tenant-a/users/demo

With the API protected, clients must authenticate with Basic authentication (camunda.client.auth.method=basic plus username and password in the Camunda client SDKs).

Full configuration

The full configuration already protects the API through Keycloak, so only the tenancy checks need to be switched on. Add the following to .env:

CAMUNDA_SECURITY_MULTITENANCY_CHECKSENABLED=true
CAMUNDA_SECURITY_MULTITENANCY_APIENABLED=true

Start the stack with docker compose -f docker-compose-full.yaml up -d and manage tenants through the Orchestration Cluster API with an OAuth token, or the Orchestration Cluster Admin UI at http://localhost:8080/admin:

TOKEN=$(curl -s -X POST 'http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/token' \
-d 'grant_type=client_credentials' -d 'client_id=orchestration' -d 'client_secret=secret' | jq -r .access_token)
# Create a tenant
curl -X POST http://localhost:8080/v2/tenants -H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' -d '{"tenantId": "tenant-a", "name": "Tenant A"}'
# Assign the demo user to it
curl -X PUT http://localhost:8080/v2/tenants/tenant-a/users/demo -H "Authorization: Bearer $TOKEN"

Next steps