[ISSUE] Identity UI responds with HTTP Error 500 after some time

[PSanetra]

Describe the issue:

I have deployed the camunda in a local kind environment and can successfully access all applications including the identity application, but after some time on that UI I get only HTTP 500 errors from the backend.

The error is resolved for some time when I delete the IDENTITY_REFRESH_JWT cookie in my browser, so I guess the backend can not successfully refreshing the token. The refresh token issuer url is not reachable from inside the cluster so probably the identity application is not considering the global.identity.auth.issuerBackendUrl.

Actual behavior:

• The UI responds with HTTP status code 500 after some time
• The backend prints an exception (see Logs section)

Expected behavior:

• Refreshing the identity ui token should work when global.identity.auth.issuerBackendUrl is set

Logs:

ERROR 1 --- [nio-8080-exec-3] i.s.e.RestResponseEntityExceptionHandler : Unexpected error

io.camunda.identity.sdk.impl.rest.exception.RestException: request failed
    at io.camunda.identity.sdk.impl.rest.RestClient.send(RestClient.java:130) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
    at io.camunda.identity.sdk.impl.rest.RestClient.request(RestClient.java:106) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
    at io.camunda.identity.sdk.impl.keycloak.KeycloakAuthentication.renewToken(KeycloakAuthentication.java:105) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Unknown Source) ~[na:na]
    at io.camunda.identity.sdk.annotation.AnnotationProcessor.lambda$apply$0(AnnotationProcessor.java:33) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
    at jdk.proxy2/jdk.proxy2.$Proxy171.renewToken(Unknown Source) ~[na:na]
    at io.camunda.identity.impl.sm.security.spring.filter.SmJwtFilter.doFilterInternal(SmJwtFilter.java:78) ~[!/:na]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at io.camunda.identity.security.spring.filter.FilterExceptionHandler.doFilterInternal(FilterExceptionHandler.java:31) ~[!/:na]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.web.filter.CorsFilter.doFilterInternal(CorsFilter.java:91) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.3.0.jar!/:6.3.0]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:195) ~[spring-webmvc-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:230) ~[spring-security-config-6.2.5.jar!/:6.2.5]
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:107) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.1.10.jar!/:6.1.10]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:731) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:389) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:904) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63) ~[tomcat-embed-core-10.1.25.jar!/:na]
    at java.base/java.lang.Thread.run(Unknown Source) ~[na:na]
Caused by: java.net.ConnectException: null
    at java.net.http/jdk.internal.net.http.HttpClientImpl.send(Unknown Source) ~[java.net.http:na]
    at java.net.http/jdk.internal.net.http.HttpClientFacade.send(Unknown Source) ~[java.net.http:na]
    at io.camunda.identity.sdk.impl.rest.RestClient.send(RestClient.java:119) ~[identity-sdk-8.6.0-SNAPSHOT.jar!/:8.6.0-SNAPSHOT]
    ... 94 common frames omitted
Caused by: java.net.ConnectException: null
    at java.net.http/jdk.internal.net.http.common.Utils.toConnectException(Unknown Source) ~[java.net.http:na]
    at java.net.http/jdk.internal.net.http.PlainHttpConnection.connectAsync(Unknown Source) ~[java.net.http:na]
    at java.net.http/jdk.internal.net.http.PlainHttpConnection.checkRetryConnect(Unknown Source) ~[java.net.http:na]
    at java.net.http/jdk.internal.net.http.PlainHttpConnection.lambda$connectAsync$1(Unknown Source) ~[java.net.http:na]
    at java.base/java.util.concurrent.CompletableFuture.uniHandle(Unknown Source) ~[na:na]
    at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(Unknown Source) ~[na:na]
    at java.base/java.util.concurrent.CompletableFuture.postComplete(Unknown Source) ~[na:na]
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(Unknown Source) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) ~[na:na]
    ... 1 common frames omitted
Caused by: java.nio.channels.ClosedChannelException: null
    at java.base/sun.nio.ch.SocketChannelImpl.ensureOpen(Unknown Source) ~[na:na]
    at java.base/sun.nio.ch.SocketChannelImpl.beginConnect(Unknown Source) ~[na:na]
    at java.base/sun.nio.ch.SocketChannelImpl.connect(Unknown Source) ~[na:na]
    at java.net.http/jdk.internal.net.http.PlainHttpConnection.lambda$connectAsync$0(Unknown Source) ~[java.net.http:na]
    at java.base/java.security.AccessController.doPrivileged(Unknown Source) ~[na:na]
    ... 10 common frames omitted

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

• Platform: Kind 0.24.0
• Helm CLI version: version.BuildInfo{Version:"v3.16.1", GitCommit:"v3.16.1", GitTreeState:"", GoVersion:"go1.22.7"}
• Chart version: 11.0.1
• local entry in /etc/hosts: 127.0.0.2 kind-devspace.local
• Ingress controller listens on 127.0.0.2 on the host
• Values file:

  
  global:
  secrets:
  autoGenerated: true
  name: "camunda-secrets"
  ingress:
  enabled: true
  annotations:
    cert-manager.io/cluster-issuer: devspace-ca
    external-dns.alpha.kubernetes.io/hostname: "{{ .Values.global.ingress.host }}"
    external-dns.alpha.kubernetes.io/ttl: "60"
  host: kind-devspace.local
  tls:
    enabled: true
    secretName: camunda-crt
  identity:
  auth:
    enabled: true
    publicIssuerUrl: "https://{{ .Values.global.ingress.host }}/auth/realms/camunda-platform"
    issuerBackendUrl: "http://keycloak/auth/realms/camunda-platform"
    type: "KEYCLOAK"
    admin:
      existingSecret:
        name: "camunda-secrets"
      existingSecretKey: "identity-admin-client-password"
    connectors:
      existingSecret:
        name: "camunda-secrets"
    console:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/console"
      existingSecret:
        name: "camunda-secrets"
    identity:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/identity"
    operate:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/operate"
      existingSecret:
        name: "camunda-secrets"
    tasklist:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/tasklist"
      existingSecret:
        name: "camunda-secrets"
    optimize:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/optimize"
      existingSecret:
        name: "camunda-secrets"
    webModeler:
      redirectUrl: "https://{{ .Values.global.ingress.host }}/modeler"
    zeebe:
      existingSecret:
        name: "camunda-secrets"

console: enabled: true contextPath: /console startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

operate: contextPath: /operate startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

tasklist: contextPath: /tasklist startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

Disable identity as part of the Camunda core

identity: enabled: true contextPath: /identity env:

• name: KEYCLOAK_CLIENTS_2_NAME value: "MyClient"
• name: KEYCLOAK_CLIENTS_2_ID value: "my-client"
• name: KEYCLOAK_CLIENTS_2_SECRET value: "my-client-s3cret"
• name: KEYCLOAK_CLIENTS_2_TYPE value: M2M
• name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_RESOURCE_SERVER_ID value: zeebe-api
• name: KEYCLOAK_CLIENTS_2_PERMISSIONS_0_DEFINITION value: write:* keycloak: enabled: true contextPath: /auth firstUser: username: "demo" email: "demo@kind-devspace.local" existingSecret: "camunda-secrets" startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

Disable keycloak

identityKeycloak: enabled: true fullnameOverride: keycloak postgresql: auth: existingSecret: "camunda-secrets" auth: existingSecret: "camunda-secrets" startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

identityPostgresql: auth: existingSecret: "camunda-secrets" primary: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 readReplicas: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 metrics: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

postgresql: primary: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 readReplicas: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 metrics: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

optimize: enabled: true contextPath: /optimize startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

webModeler: contextPath: /modeler restapi: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 webapp: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 websockets: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

Reduce for Zeebe and Gateway the configured replicas and with that the required resources

to get it running locally

zeebe: clusterSize: 1 partitionCount: 1 replicationFactor: 1 pvcSize: 10Gi startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

zeebeGateway: replicas: 1 contextPath: /zeebe startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

connectors: enabled: true contextPath: /connectors inbound: mode: disabled startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

elasticsearch: master: replicaCount: 1

Request smaller persistent volumes.

persistence:
  size: 15Gi
startupProbe:
  enabled: true
  initialDelaySeconds: 0
  periodSeconds: 2
  failureThreshold: 600
readinessProbe:
  initialDelaySeconds: 0
  periodSeconds: 5

data: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 coordinating: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 ingest: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5 metrics: startupProbe: enabled: true initialDelaySeconds: 0 periodSeconds: 2 failureThreshold: 600 readinessProbe: initialDelaySeconds: 0 periodSeconds: 5

[jessesimpson36]

@jessesimpson36 link relevant issues to this

[jessesimpson36]

Related issues

https://github.com/camunda/camunda-platform-helm/issues/1704 First occurrence of the identity 500 after 5 minutes error ^

https://github.com/spring-projects/spring-security/issues/14633 Spring security layer issue which is pretty similar

https://github.com/camunda-cloud/identity/issues/2865 Identity component tracking of this issue

https://github.com/camunda/camunda-platform-helm/issues/1826 Issue tracking how we should document coredns rewrite rules as a workaround for localhost clusters

https://github.com/keycloak/keycloak/issues/29783 Keycloak issue tracking this (keycloak introduced this bug as a security feature. it's unclear if they will walk this back or make it configurable)