Document self-managed Identity setup with ingress

[Zelldon]

If users want to use identity/keycloak and our web applications together with an ingress they need to adjust certain properties it would be nice to have a small guide for such use case.

See related discussion: https://camunda-platform.slack.com/archives/CSH81V16W/p1650888410470839

Also from internal slack by @ManuelDittmar https://camunda.slack.com/archives/C02UMKN3DTL/p1650551797623999

[Zelldon]

Might be something we want to do @felix-mueller for good self-managed start

[Zelldon]

https://camunda.slack.com/archives/C02UMKN3DTL/p1651474967125279?thread_ts=1650551797.623999&cid=C02UMKN3DTL

[samzph]

Is there any public documentation on this yet that can be accessed outside of slack? I am currently trying to configure Camunda 8 with our AWS ALB Ingress and am having issues, namely:

• Blank admin console with keycloak (maybe header issue? or proxy env var issue? or perhaps startup args?)
• Going to any of the services redirects to localhost:18080 even with the following install command (note I've redacted the website name to but it is a valid url):

  helm install camunda-ee camunda-ee/camunda-platform -n camunda-ee --values values.yaml \
  --set identity.auth.publicIssuerUrl="https://dev-camunda-keycloak.<website>.com/auth/realms/camunda-platform" \
  --set identity.auth.operate.redirectUrl="https://dev-camunda-operate.<website>.com" \
  --set identity.auth.optimize.redirectUrl="https://dev-camunda-optimize.<website>.com" \
  --set identity.auth.tasklist.redirectUrl="https://dev-camunda-tasklist.<website>.com"

Using the port-forward commands, identity functions as expected (although it does redirect to http://localhost:8080/applications after using the external ingress url dev-camunda-identity.<website>.com), but the other applications (operate, optimize, tasklist) show this:

The full text of the redirect url (and parameter) is: http://localhost:18080/auth/realms/camunda-platform/protocol/openid-connect/auth?client_id=operate&redirect_uri=https%3A%2F%2Fdev-camunda-operate.<website>.com%2Fidentity-callback&response_type=code&scope=openid+email&state=

[Zelldon]

Hey @samzph unfortunately there is no guide yet. Be aware that you have to use global.identity.auth.publicIssuerUrl, so you missed the global in your configurations. Hope this helps

[varuncobain]

Hey @samzph unfortunately there is no guide yet. Be aware that you have to use global.identity.auth.publicIssuerUrl, so you missed the global in your configurations. Hope this helps

where do i use this?

[Ben-Sheppard]

Hey @varuncobain - this issue has been open for quite some time and since then there have been several updates to our documentation surrounding the ingress configurations, does this page in our docs provide you with the answers you need?

If not, please let me know and we'll explore the issues further!

[conceptualshark]

@christinaausley @akeller it looks like the original ask here is now solved in our docs (or the state of the docs/product has sufficiently changed) ; do we feel comfortable closing this out?

[akeller]

I am good to close this! Thank you!