camunda / camunda-platform-helm

Camunda Platform 8 Self-Managed Helm charts
https://docs.camunda.io/docs/self-managed/overview/
Apache License 2.0

[ISSUE] Can't solve "configure Keycloak, you have 3 options:" #1087

Closed linonetwo closed 11 months ago

linonetwo commented 11 months ago

Describe the issue:

Always get

coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for identity.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.egressRules.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
coalesce.go:223: warning: destination for keycloak.postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules is a table. Ignoring non-table value ([])
Error: INSTALLATION FAILED: execution error at (camunda-platform/charts/identity/templates/deployment.yaml:187:24):

[identity] To configure Keycloak, you have 3 options:

  - Case 1: If you want to deploy Keycloak chart as it is, then set the following:
    - keycloak.enabled: true

  - Case 2: If you want to customize the Keycloak chart URL, then set the following:
    - keycloak.enabled: true
    - global.identity.keycloak.url.protocol
    - global.identity.keycloak.url.host
    - global.identity.keycloak.url.port

  - Case 3: If you want to use already existing Keycloak, then set the following:
    - keycloak.enabled: false
    - global.identity.keycloak.url.protocol
    - global.identity.keycloak.url.host
    - global.identity.keycloak.url.port
    - global.identity.keycloak.auth.adminUser
    - global.identity.keycloak.auth.existingSecret

For more details, please check Camunda Helm chart documentation.

when installing the chart.

Expected behavior:

Install the chart and Keycloak.

How to reproduce:

I tried to combine https://github.com/camunda/camunda-platform-helm/blob/main/kind/camunda-platform-core-kind-values.yaml and https://docs.camunda.io/docs/self-managed/platform-deployment/helm-kubernetes/guides/ingress-setup/ for my microk8s single-node cluster.

Diff here:

# Chart values for the Camunda 8 Helm chart in combined Ingress setup.

# This file deliberately contains only the values that differ from the defaults.
# For changes and documentation, use your favorite diff tool to compare it with:
# https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform

# IMPORTANT: Make sure to change "camunda.mydomain.xxx" to your domain.

global:
  ingress:
    enabled: true
    className: nginx
    host: "camunda.mydomain.xxx"
  identity:
    auth:
      publicIssuerUrl: "http://camunda.mydomain.xxx/auth/realms/camunda-platform"
      operate:
        redirectUrl: "http://camunda.mydomain.xxx/operate"
      tasklist:
        redirectUrl: "http://camunda.mydomain.xxx/tasklist"
      optimize:
        redirectUrl: "http://camunda.mydomain.xxx/optimize"
      webModeler:
        redirectUrl: "http://camunda.mydomain.xxx/modeler"

identity:
  keycloak:
    enabled: true
  contextPath: "/identity"
  fullURL: "http://camunda.mydomain.xxx/identity"

operate:
  contextPath: "/operate"

optimize:
  contextPath: "/optimize"

tasklist:
  contextPath: "/tasklist"

webModeler:
  # The context path is used for the web application that will be accessed by users in the browser.
  # In addition, a WebSocket endpoint will be exposed on "[contextPath]-ws", e.g. "/modeler-ws".
  contextPath: "/modeler"

# Reduce for Zeebe and Gateway the configured replicas and with that the required resources
# to get it running locally
zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    className: nginx
    host: "zeebe.camunda.mydomain.xxx"

# Configure elastic search to make it running for local development
elasticsearch:
  replicas: 1
  # Allow no backup for single node setups
  clusterHealthCheckParams: "wait_for_status=yellow&timeout=1s"

 keycloak:
  enabled: true

Logs:

Environment:

Please note: Without the following info, it's hard to resolve the issue and it will probably be closed.

linonetwo commented 11 months ago

Is it possible to use https://github.com/casbin/node-casbin instead of keycloak?

hsluoyz commented 11 months ago

@linonetwo https://github.com/casbin/casdoor is another option

linonetwo commented 11 months ago

Yes, I found casdoor is the alternative to keycloak, and casbin is the underlying library.

I just want to use the domain camunda.mydomain.xxx, and following the doc, I have to use Keycloak?

linonetwo commented 11 months ago

Solved by using a simpler config

global:
  ingress:
    enabled: true
    host: "workflow.camunda.mydomain.xxx"
# Reduce for Zeebe and Gateway the configured replicas and with that the required resources
# to get it running locally
zeebe:
  clusterSize: 1
  partitionCount: 1
  replicationFactor: 1
zeebe-gateway:
  replicas: 1
  ingress:
    enabled: true
    className: nginx
    host: "zeebe.workflow.camunda.mydomain.xxx"

# Configure elastic search to make it running for local development
elasticsearch:
  replicas: 1

and auth will be at workflow.camunda.mydomain.xxx/auth; I just need to configure how it works with Casdoor.
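As an added example (not code from the camunda-platform-helm project), the following Python encodes the three Keycloak cases printed by the identity template in the first comment and runs them against a mapping constructed from the issue's first values file, where keycloak.enabled sits under identity instead of at the top level. The Case 3 host and secret name are placeholders, and a real check would obtain the mapping with yaml.safe_load() on the values file passed to helm install.

```python
URL_KEYS = ["global.identity.keycloak.url.protocol",
            "global.identity.keycloak.url.host",
            "global.identity.keycloak.url.port"]
AUTH_KEYS = ["global.identity.keycloak.auth.adminUser",
             "global.identity.keycloak.auth.existingSecret"]

def lookup(values, dotted):
    """Walk a dotted key path; return None if a segment is missing or not a mapping."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def missing(values, keys):
    """Keys from `keys` that are absent from the values mapping."""
    return [k for k in keys if lookup(values, k) is None]

def keycloak_case(values):
    """Return 1, 2 or 3 for the satisfied case, or None if the template would fail."""
    enabled = lookup(values, "keycloak.enabled")
    if enabled is True:                      # Case 1, or Case 2 when the URL is overridden
        return 2 if not missing(values, URL_KEYS) else 1
    if enabled is False and not missing(values, URL_KEYS + AUTH_KEYS):
        return 3                             # Case 3: existing Keycloak plus admin credentials
    return None

def diagnose(values):
    """Hints explaining why no case matched (empty list when one does)."""
    if keycloak_case(values) is not None:
        return []
    hints = []
    if lookup(values, "identity.keycloak.enabled") is not None:
        hints.append("identity.keycloak.enabled is not a listed key; use top-level keycloak.enabled")
    if lookup(values, "keycloak.enabled") is None:
        hints.append("keycloak.enabled is not set to true or false")
    else:
        hints += [f"missing {k}" for k in missing(values, URL_KEYS + AUTH_KEYS)]
    return hints

# Constructed from the issue's first values file: keycloak.enabled nested under identity.
ISSUE_VALUES = {"global": {"ingress": {"enabled": True, "host": "camunda.mydomain.xxx"}},
                "identity": {"keycloak": {"enabled": True}, "contextPath": "/identity"}}
# Constructed Case 3: an existing Keycloak; host and secret name are placeholders.
CASE3_VALUES = {"keycloak": {"enabled": False},
                "global": {"identity": {"keycloak": {
                    "url": {"protocol": "https", "host": "keycloak.example.internal", "port": 443},
                    "auth": {"adminUser": "admin", "existingSecret": "<keycloak-admin-secret>"}}}}}
```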