[BUG] Connection insecure on Operate with Keycloak enabled

[vctrmn]

Describe the bug:

Operate and Keycloak is exposed via a secure https endpoint. When I authenticate to Operate in the Keycloak UI, I have a "Connection insecure" warning.

Tested via Google Chrome and Mozilla Firefox.

Environment:

• Platform: IBM Cloud Kubernetes Service
• Chart version: 8.0.14
• Values file:

# Default values for Camunda Platform helm.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# The values file follows helm best practices https://helm.sh/docs/chart_best_practices/values/
#
# This means:
#   * Variable names should begin with a lowercase letter, and words should be separated with camelcase.
#   * Every defined property in values.yaml should be documented. The documentation string should begin with the name of the property that it describes, and then give at least a one-sentence description
#
# Furthermore, we try to apply the following pattern: # [VarName] [conjunction] [definition]
#
# VarName:
#
#  * In the documentation the variable name is started with a big letter, similar to kubernetes resource documentation.
#  * If the variable is part of a subsection/object we use a json path expression (to make it more clear where the variable belongs to).
#    The root (chart name) is omitted (e.g. zeebe). This is useful for using --set in helm.
#
# Conjunction:
#   * [defines] for mandatory configuration
#   * [can be used] for optional configuration
#   * [if true] for toggles
#   * [configuration] for section/group of variables

# Global configuration for variables which can be accessed by all sub charts
global:

  # Annotations can be used to define common annotations, which should be applied to all deployments
  annotations: {}
  # Labels can be used to define common labels, which should be applied to all deployments
  labels:
    app: camunda-platform

  # Image configuration to be used in each sub chart
  image:
    # Image.tag defines the tag / version which should be used in the chart
    tag: 8.0.0
    # Image.pullPolicy defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
    pullPolicy: IfNotPresent
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: cwa.xxxxxxxxxxxxxx.com
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

  # Elasticsearch configuration which is shared between the sub charts
  elasticsearch:
    # Elasticsearch.disableExporter if true, disables the elastic exporter in zeebe
    disableExporter: false
    # Elasticsearch.url can be used to configure the URL to access elasticsearch, if not set services fallback to host and port configuration
    url:
    # Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace
    host: "elasticsearch-master"
    # Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed
    port: 9200
    # Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch
    clusterName: "elasticsearch"
    # Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes
    prefix: zeebe-record
  # ZeebeClusterName defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name.
  zeebeClusterName: "{{ .Release.Name }}-zeebe"
  # ZeebePort defines the port which is used for the Zeebe Gateway. This port accepts the GRPC Client messages and forwards them to the Zeebe Brokers.
  zeebePort: 26500

  # Identity configuration to configure identity specifics on global level, which can be accessed by other sub-charts
  identity:
    keycloak:
      # Identity.keycloak.fullname can be used to change the referenced Keycloak service name inside the sub-charts, like operate, optimize, etc.
      # Subcharts can't access values from other sub-charts or the parent, global only.
      # This is useful if the identity.keycloak.fullnameOverride is set, and specifies a different name for the Keycloak service.
      fullname: ""
    # Identity.auth configuration, to configure Identity authentication setup
    auth:
      # Identity.auth.enabled if true, enables the Identity authentication otherwise basic-auth will be used on all services.
      enabled: true

      # Identity.auth.publicIssuerUrl defines the token issuer (Keycloak) URL, where the services can request JWT tokens.
      # Should be public accessible, per default we assume a port-forward to Keycloak (18080) is created before login.
      # Can be overwritten if, ingress is in use and an external IP is available.
      publicIssuerUrl: "https://keycloak.xxxxxxxxxxxxxx.com/auth/realms/camunda-platform"

      # Identity.auth.operate configuration to configure Operate authentication specifics on global level, which can be accessed by other sub-charts
      operate:
        # Identity.auth.operate.existingSecret can be used to reference an existing secret. If not set, a random secret is generated.
        # The existing secret should contain an `operate-secret` field, which will be used as secret for the Identity-Operate communication.
        existingSecret:
        # Identity.auth.operate.redirectUrl defines the redirect URL, which is used by Keycloak to access Operate.
        # Should be public accessible, the default value works if port-forward to Operate is created to 8081.
        # Can be overwritten if, ingress is in use and an external IP is available.
        redirectUrl: "https://operate.xxxxxxxxxxxxxx.com"

      # Identity.auth.tasklist configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts
      tasklist:
        # Identity.auth.tasklist.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `tasklist-secret` field, which will be used as secret for the Identity-Tasklist communication.
        existingSecret:
        # Identity.auth.tasklist.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.
        # Should be public accessible, the default value works if port-forward to Tasklist is created to 8082.
        # Can be overwritten if, ingress is in use and an external IP is available.
        redirectUrl: "https://tasklist.xxxxxxxxxxxxxx.com"

      # Identity.auth.optimize configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts
      optimize:
        # Identity.auth.optimize.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `optimize-secret` field, which will be used as secret for the Identity-Optimize communication.
        existingSecret:
        # Identity.auth.optimize.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Optimize.
        # Should be public accessible, the default value works if port-forward to Optimize is created to 8082.
        # Can be overwritten if, ingress is in use and an external IP is available.
        redirectUrl: "https://optimize.xxxxxxxxxxxxxx.com"

# Zeebe configuration for the Zeebe sub chart. Contains configuration for the Zeebe broker and related resources.
zeebe:
  # Enabled if true, all zeebe related resources are deployed via the helm release
  enabled: true

  # Image configuration to configure the zeebe image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/zeebe
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # ClusterSize defines the amount of brokers (=replicas), which are deployed via helm
  clusterSize: "1"
  # PartitionCount defines how many zeebe partitions are set up in the cluster
  partitionCount: "1"
  # ReplicationFactor defines how each partition is replicated, the value defines the number of nodes
  replicationFactor: "1"
  # Env can be used to set extra environment variables in each zeebe broker container
  env:
    - name: ZEEBE_BROKER_DATA_SNAPSHOTPERIOD
      value: "5m"
    - name: ZEEBE_BROKER_DATA_DISKUSAGECOMMANDWATERMARK
      value: "0.85"
    - name: ZEEBE_BROKER_DATA_DISKUSAGEREPLICATIONWATERMARK
      value: "0.87"
  # ConfigMap configuration which will be applied to the mounted config map.
  configMap:
    # ConfigMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0754
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  # LogLevel defines the log level which is used by the zeebe brokers
  logLevel: info
  # Log4j2 can be used to overwrite the log4j2 configuration of the zeebe brokers
  log4j2: ''
  # JavaOpts can be used to set java options for the zeebe brokers
  javaOpts: >-
    -XX:+HeapDumpOnOutOfMemoryError
    -XX:HeapDumpPath=/usr/local/zeebe/data
    -XX:ErrorFile=/usr/local/zeebe/data/zeebe_error%p.log
    -XX:+ExitOnOutOfMemoryError

 # Service configuration for the broker service
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
    # Service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
    # Service.commandPort defines the port of the command api endpoint, where the broker commands are sent to
    commandPort: 26501
    # Service.commandName defines the name of the command api endpoint, where the broker commands are sent to
    commandName: "command"
    # Service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    # Service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"
    # extraPorts can be used to expose any other ports which are required. Can be useful for exporters
    extraPorts: []
      # - name: hazelcast
      #   protocol: TCP
      #   port: 5701
      #   targetPort: 5701

  # ServiceAccount configuration for the service account where the broker pods are assigned to
  serviceAccount:
    # ServiceAccount.enabled if true, enables the broker service account
    enabled: true
    # ServiceAccount.name can be used to set the name of the broker service account
    name: ""
    # ServiceAccount.annotations can be used to set the annotations of the broker service account
    annotations: {}

  # CpuThreadCount defines how many threads can be used for the processing on each broker pod
  cpuThreadCount: "3"
  # IoThreadCount defines how many threads can be used for the exporting on each broker pod
  ioThreadCount: "3"
  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 800m
      memory: 1200Mi
    limits:
      cpu: 960m
      memory: 1920Mi

  # PersistenceType defines the type of persistence which is used by Zeebe. Possible values are: disk, local and memory.
  #   disk  - means a persistence volume claim is configured and used
  #   local - means the data is stored into the container, no volumeMount nor volume nor claim is configured
  #   memory   - means zeebe uses a tmpfs for the data persistence, be aware that this takes the limits into account
  persistenceType: disk
  # PvcSize defines the persistent volume claim size, which is used by each broker pod https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims
  pvcSize: "16Gi"
  # PvcAccessModes can be used to configure the persistent volume claim access mode https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
  pvcAccessModes: ["ReadWriteOnce"]
  # PvcStorageClassName can be used to set the storage class name which should be used by the persistent volume claim. It is recommended to use a storage class, which is backed with a SSD.
  pvcStorageClassName: ''

  # ExtraVolumes can be used to define extra volumes for the broker pods, useful for additional exporters
  extraVolumes: []
  # ExtraVolumeMounts can be used to mount extra volumes for the broker pods, useful for additional exporters
  extraVolumeMounts: []
  # ExtraInitContainers can be used to set up extra init containers for the broker pods, useful for additional exporters
  extraInitContainers: []

  # PodAnnotations can be used to define extra broker pod annotations
  podAnnotations: {}
  # PodLabels can be used to define extra broker pod labels
  podLabels: {}
  # PodDisruptionBudget configuration to configure a pod disruption budget for the broker pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
    # PodDisruptionBudget.enabled if true a pod disruption budget is defined for the brokers
    enabled: false
    # PodDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable:
    # podDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable: 1

  # PodSecurityContext defines the security options the Zeebe broker pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the Zeebe broker container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the broker pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the Zeebe pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the Zeebe pod labels
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-broker
          topologyKey: "kubernetes.io/hostname"

  # PriorityClassName can be used to define the broker pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  # ReadinessProbe configuration for the zeebe broker readiness probe
  readinessProbe:
    # ReadinessProbe.probePath defines the readiness probe route used on the zeebe brokers
    probePath: /ready
    # ReadinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 10
    # ReadinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    # ReadinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

# Gateway configuration to define properties related to the standalone gateway
zeebe-gateway:
  # Replicas defines how many standalone gateways are deployed
  replicas: 1
  # Image configuration to configure the zeebe-gateway image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/zeebe
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []
  # PodAnnotations can be used to define extra gateway pod annotations
  podAnnotations: {}
  # PodLabels can be used to define extra gateway pod labels
  podLabels: {}

  # LogLevel defines the log level which is used by the gateway
  logLevel: info
  # Log4j2 can be used to overwrite the log4j2 configuration of the gateway
  log4j2: ''
  # JavaOpts can be used to set java options for the zeebe gateways
  javaOpts: >-
    -XX:+ExitOnOutOfMemoryError

  # Env can be used to set extra environment variables in each gateway container
  env: []
  # ConfigMap configuration which will be applied to the mounted config map.
  configMap:
    # ConfigMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  # PodDisruptionBudget configuration to configure a pod disruption budget for the gateway pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
    # PodDisruptionBudget.enabled if true a pod disruption budget is defined for the gateways
    enabled: false
    # PodDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable: 1
    # PodDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable:

  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 400m
      memory: 450Mi
    limits:
      cpu: 400m
      memory: 450Mi

  # PriorityClassName can be used to define the gateway pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  # PodSecurityContext defines the security options the gateway pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the gateway container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the gateway pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the Zeebe gateway pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the Zeebe gateway pod labels
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-gateway
          topologyKey: "kubernetes.io/hostname"

  # ExtraVolumeMounts can be used to mount extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumeMounts: []
  # ExtraVolumes can be used to define extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumes: []
  # ExtraInitContainers can be used to set up extra init containers for the gateway pods, useful for adding interceptors
  extraInitContainers: []

  # Service configuration for the gateway service
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.loadBalancerIP defines public ip of the load balancer if the type is LoadBalancer
    loadBalancerIP: ""
    # Service.loadBalancerSourceRanges defines list of allowed source ip address ranges if the type is LoadBalancer
    loadBalancerSourceRanges: []
    # Service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
    # Service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
    # Service.gatewayPort defines the port of the gateway endpoint, where client commands (grpc) are sent to
    gatewayPort: 26500
    # Service.gatewayName defines the name of the gateway endpoint, where client commands (grpc) are sent to
    gatewayName: "gateway"
    # Service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    # Service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"
    # Service.annotations can be used to define annotations, which will be applied to the zeebe-gateway service
    annotations: {}

  # ServiceAccount configuration for the service account where the gateway pods are assigned to
  serviceAccount:
    # ServiceAccount.enabled if true, enables the gateway service account
    enabled: true
    # ServiceAccount.name can be used to set the name of the gateway service account
    name: ""
    # ServiceAccount.annotations can be used to set the annotations of the gateway service account
    annotations: {}

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
    # Ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: zeebe.xxxxxxxxxxxxxx.com
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

# Operate configuration for the Operate sub chart.
operate:
  # Enabled if true, the Operate deployment and its related resources are deployed via a helm release
  enabled: true

  # Image configuration to configure the Operate image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/operate
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # ContextPath can be used to make Operate web application works on a custom sub-path. This is mainly used to run Camunda Platform web applications under a single domain.
  # contextPath: "/operate"

  # PodAnnotations can be used to define extra Operate pod annotations
  podAnnotations: {}
  # PodLabels can be used to define extra Operate pod labels
  podLabels: {}

  # Logging configuration for the Operate logging. This template will be directly included in the Operate configuration yaml file
  logging:
    level:
      ROOT: INFO
      io.camunda.operate: DEBUG

  # Service configuration to configure the Operate service.
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.port defines the port of the service, where the Operate web application will be available
    port: 80
    # Service.annotations can be used to define annotations, which will be applied to the Operate service
    annotations: {}

  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 600m
      memory: 400Mi
    limits:
      cpu: 2000m
      memory: 2Gi

  # Env can be used to set extra environment variables in each Operate container
  env: []
  # ConfigMap configuration which will be applied to the mounted config map.
  configMap:
    # ConfigMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  # ExtraVolumes can be used to define extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumes: []
  # ExtraVolumeMounts can be used to mount extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  # ServiceAccount configuration for the service account where the Operate pods are assigned to
  serviceAccount:
    # ServiceAccount.enabled if true, enables the Operate service account
    enabled: true
    # ServiceAccount.name can be used to set the name of the Operate service account
    name: ""
    # ServiceAccount.annotations can be used to set the annotations of the Operate service account
    annotations: {}

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed with the Operate deployment. Only useful if an ingress controller is available, like nginx.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Ingress.path defines the path which is associated with the Operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: operate.xxxxxxxxxxxxxx.com
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

  # PodSecurityContext defines the security options the Operate pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the Operate container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the Operate pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

# Tasklist configuration for the tasklist sub chart.
tasklist:
  # Enabled if true, the tasklist deployment and its related resources are deployed via a helm release
  enabled: true

  # Image configuration to configure the tasklist image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/tasklist
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # ContextPath can be used to make Tasklist web application works on a custom sub-path. This is mainly used to run Camunda Platform web applications under a single domain.
  # contextPath: "/tasklist"

  # Env can be used to set extra environment variables on each Tasklist container
  env: []

  # PodAnnotations can be used to define extra Tasklist pod annotations
  podAnnotations: {}
  # PodLabels can be used to define extra tasklist pod labels
  podLabels: {}

  # ConfigMap configuration which will be applied to the mounted config map.
  configMap:
    # ConfigMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  # Service configuration to configure the tasklist service.
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.port defines the port of the service, where the tasklist web application will be available
    port: 80

  # GraphqlPlaygroundEnabled if true, enables the graphql playground
  graphqlPlaygroundEnabled: ""
  # GraphqlPlaygroundEnabled can be set to include the credentials in each request, should be set to "include" if graphql playground is enabled
  graphqlPlaygroundRequestCredentials: ""

  # ExtraVolumes can be used to define extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumes: []
  # ExtraVolumeMounts can be used to mount extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  # PodSecurityContext defines the security options the Tasklist pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the Tasklist container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the Tasklist pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 400m
      memory: 1Gi
    limits:
      cpu: 1000m
      memory: 2Gi

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed with the tasklist deployment. Only useful if an ingress controller is available, like nginx.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: tasklist.xxxxxxxxxxxxxx.com
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

# Optimize configuration for the Optimize sub chart.
optimize:
  # Enabled if true, the Optimize deployment and its related resources are deployed via a helm release
  enabled: true

  # Image configuration to configure the Optimize image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/optimize
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: 3.9.0-preview-2
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # ContextPath can be used to make Optimize web application works on a custom sub-path. This is mainly used to run Camunda Platform web applications under a single domain.
  # contextPath: "/optimize"

  # PodAnnotations can be used to define extra Optimize pod annotations
  podAnnotations: {}
  # PodLabels can be used to define extra Optimize pod labels
  podLabels: {}

  # PartitionCount defines how many Zeebe partitions are set up in the cluster and which should be imported by Optimize
  partitionCount: "1"
  # Env can be used to set extra environment variables in each Optimize container
  env: []
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  # ExtraVolumes can be used to define extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumes: []
  # ExtraVolumeMounts can be used to mount extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  # ServiceAccount configuration for the service account where the Optimize pods are assigned to
  serviceAccount:
    # ServiceAccount.enabled if true, enables the Optimize service account
    enabled: true
    # ServiceAccount.name can be used to set the name of the Optimize service account
    name: ""
    # ServiceAccount.annotations can be used to set the annotations of the Optimize service account
    annotations: {}

  # Service configuration to configure the Optimize service.
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.port defines the port of the service, where the Optimize web application will be available
    port: 80
    # Service.annotations can be used to define annotations, which will be applied to the Optimize service
    annotations: {}

  # PodSecurityContext defines the security options the Optimize pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the Optimize container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the Optimize pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 600m
      memory: 1Gi
    limits:
      cpu: 2000m
      memory: 2Gi

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed with the Optimize deployment. Only useful if an ingress controller is available, like nginx.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: optimize.xxxxxxxxxxxxxx.com
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

# RetentionPolicy configuration to configure the elasticsearch index retention policies
retentionPolicy:
  # RetentionPolicy.enabled if true, elasticsearch curator cronjob and configuration will be deployed.
  enabled: false
  # RetentionPolicy.schedule defines how often/when the curator should run
  schedule: "0 0 * * *"
  # RetentionPolicy.zeebeIndexTTL defines after how many days a zeebe index can be deleted
  zeebeIndexTTL: 1
  # RetentionPolicy.zeebeIndexMaxSize can be set to configure the maximum allowed zeebe index size in gigabytes.
  # After reaching that size, curator will delete that corresponding index on the next run.
  # To benefit from that configuration the schedule needs to be configured small enough, like every 15 minutes.
  zeebeIndexMaxSize:
  # RetentionPolicy.operateIndexTTL defines after how many days an operate index can be deleted
  operateIndexTTL: 30
  # RetentionPolicy.tasklistIndexTTL defines after how many days a tasklist index can be deleted
  tasklistIndexTTL: 30

  # Image configuration for the elasticsearch curator cronjob
  image:
    # Image.repository defines which image repository to use
    repository: bitnami/elasticsearch-curator
    # Image.tag defines the tag / version which should be used in the chart
    tag: 5.8.4

# PrometheusServiceMonitor configuration to configure a prometheus service monitor
prometheusServiceMonitor:
  # PrometheusServiceMonitor.enabled if true then a service monitor will be deployed, which allows an installed prometheus controller to scrape metrics from the deployed pods
  enabled: false
  # PromotheuServiceMonitor.labels can be set to configure extra labels, which will be added to the servicemonitor and can be used on the prometheus controller for selecting the servicemonitors
  labels:
    release: metrics
  # PromotheuServiceMonitor.scrapeInterval can be set to configure the interval at which metrics should be scraped
  # Should be *less* than 60s if the provided grafana dashboard is used, which can be found here https://github.com/camunda/zeebe/tree/main/monitor/grafana,
  # otherwise it isn't able to show any metrics which is aggregated over 1 min.
  scrapeInterval: 10s

# Identity configuration for the identity sub chart.
identity:
  # Enabled if true, the identity deployment and its related resources are deployed via a helm release
  #
  # Note: Identity is required by Optimize. If Identity is disabled, then Optimize will be unusable.
  #       If you don't need Optimize, then make sure to disable both: set global.identity.auth.enabled=false AND optimize.enabled=false.
  enabled: true

  # FirstUser configuration to configure properties of the first Identity user, which can be used to access all
  # web applications
  firstUser:
    # FirstUser.username defines the username of the first user, needed to log in into the web applications
    username: demo
    # FirstUser.password defines the password of the first user, needed to log in into the web applications
    password: demo

  # Image configuration to configure the identity image specifics
  image:
    # Image.repository defines which image repository to use
    repository: camunda/identity
    # Image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    # Image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  # FullURL can be used when Ingress is configured (for both multi and single domain setup).
  # Note: If the `ContextPath` is configured, then value of `ContextPath` should be included in the URL too.
  # fullURL: "https://camunda.example.com/identity"

  # ContextPath can be used to make Identity web application works on a custom sub-path. This is mainly used to run Camunda Platform web applications under a single domain.
  # contextPath: "/identity"

  # PodAnnotations can be used to define extra Identity pod annotations
  podAnnotations: {}

  # Service configuration to configure the identity service.
  service:
    # Service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    # Service.port defines the port of the service, where the identity web application will be available
    port: 80
    # Service.annotations can be used to define annotations, which will be applied to the identity service
    annotations: {}

  # PodSecurityContext defines the security options the Identity pod should be run with
  podSecurityContext: {}

  # ContainerSecurityContext defines the security options the Identity container should be run with
  containerSecurityContext: {}

  # NodeSelector can be used to define on which nodes the Identity pods should run
  nodeSelector: {}
  # Tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  # Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # Resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  resources:
    requests:
      cpu: 600m
      memory: 400Mi
    limits:
      cpu: 2000m
      memory: 2Gi

  # Env can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details.
  env: []
  # Command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  # ExtraVolumes can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates
  extraVolumes: []
  # ExtraVolumeMounts can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  # Keycloak configuration, for the keycloak dependency chart which is used by identity. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/keycloak#parameters for more details.
  keycloak:
    # Keycloak.service configuration, to configure the service which is deployed along with keycloak
    service:
      # Keycloak.service.type can be set to change the service type.
      # We use clusterIP for keycloak service, since per default LoadBalancer is used, which is not supported on all cloud providers.
      # This might prevent scheduling of the service.
      type: ClusterIP
    ## Keycloak authentication parameters
    ## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
    ##
    ## Identity uses the secrets generated by keycloak, to access keycloak.
    auth:
      # Keycloak.auth.adminUser defines the keycloak administrator user
      adminUser: admin
      # Keycloak.auth.existingSecret can be used to reuse an existing secret containing authentication information.
      # See https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ for more details.
      #
      # Example:
      #
      # Keycloak.auth.existingSecret:
      #   name: mySecret
      #   keyMapping:
      #     admin-password: myPasswordKey
      #     management-password: myManagementPasswordKey
      #     tls-keystore-password: myTlsKeystorePasswordKey
      #     tls-truestore-password: myTlsTruestorePasswordKey
      existingSecret: ""

  # ServiceAccount configuration for the service account where the identity pods are assigned to
  serviceAccount:
    # ServiceAccount.enabled if true, enables the identity service account
    enabled: true
    # ServiceAccount.name can be used to set the name of the identity service account
    name: ""
    # ServiceAccount.annotations can be used to set the annotations of the identity service account
    annotations: {}

  # Ingress configuration to configure the ingress resource
  ingress:
    # Ingress.enabled if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx.
    enabled: true
    # Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: public-iks-k8s-nginx
    # Ingress.annotations defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: identity.xxxxxxxxxxxxxx.com
    # Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      # Ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: true
      # Ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: xxxxxxxxxxxxxx.com

elasticsearch:
  enabled: true
  extraEnvs:
    - name: "xpack.security.enabled"
      value: "false"

  replicas: 1

  persistence:
    labels:
      enabled: true

  volumeClaimTemplate:
    accessModes: ["ReadWriteOnce"]
    resources:
      requests:
        storage: 16Gi

  esJavaOpts: "-Xmx1g -Xms1g"

  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

[aabouzaid]

Hi @vctrmn How did you setup the TLS in the ingress?

Also the values file doesn't show how the Ingress is setup for Keycloak. It should be under the identity key like this:

identity:
  [...]
  keycloak:
    ingress:
      enabled: true
      ingressClassName: nginx
      hostname: "keycloak.camunda.example.com"
    extraEnvVars:
      - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
        value: "true"
      - name: KEYCLOAK_FRONTEND_URL
        value: "https://keycloak.camunda.example.com"

For more details on the setup, please take a look at the Ingress setup guide.

[vctrmn]

Hi @aabouzaid,

Thank you for your help ! Your configuration effectively fix the issue. Would it be possible to add this configuration (at least as a comment) in the default values.yaml ?

https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform/values.yaml

Also, would it be possible to add the tls configuration in the keycloak ingress ? Below is the generated ingress

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    meta.helm.sh/release-name: demo
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-10-18T08:43:40Z"
  generation: 1
  labels:
    app.kubernetes.io/component: keycloak
    app.kubernetes.io/instance: demo
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: keycloak
    helm.sh/chart: keycloak-7.1.6
  name: demo-keycloak
  namespace: default
  resourceVersion: "356570"
  uid: 466259b4-065c-471f-8cf7-3598deb09845
spec:
  ingressClassName: public-iks-k8s-nginx
  rules:
  - host: keycloak.xxxxxxxxxxxxxxxxxxx.com
    http:
      paths:
      - backend:
          service:
            name: demo-keycloak
            port:
              name: http
        path: /
        pathType: ImplementationSpecific
status:
  loadBalancer:
    ingress:
    - hostname: xxxxxxxxxxxxxxxxxxxxxx

[aabouzaid]

For visiablity, I've added the Ingress key to the values file with a link to Keycloak repo for more details.