Camunda 8 Helm Chart

Please also refer to the documentation on how to use Helm charts.

Architecture
Requirements
Dependencies
Versioning
Installation
- Local Kubernetes
- OpenShift
Backporting
Uninstalling Charts
Configuration
Notes on Configuration
Development
Releasing the Charts
Parameters

Architecture

Requirements

Helm >= 3.9.x
Kubernetes >= 1.20+
Minimum cluster requirements include the following to run this chart with default settings.
- All of these settings are configurable.
- Three Kubernetes nodes to respect the default "hard" affinity settings
- 2GB of RAM for the JVM heap

Dependencies

Camunda 8 Helm chart is an umbrella chart for different components. Some are internal (sub-charts), and some are external (third-party). The dependency management is fully automated and managed by Helm itself; however, it's good to understand the dependency structure. This third-party dependency is reflected in the Helm chart as follows:

camunda-platform
  |_ elasticsearch
  |_ identity
    |_ keycloak
      |_ postgresql
  |_ optimize
  |_ operate
  |_ tasklist
  |_ zeebe
  |_ postgresql

Note

Please note that the Connectors and Web Modeler components are part of the main chart and not implemented as sub-charts.

For example, Camunda Identity utilizes Keycloak and allows you to manage users, roles, and permissions for Camunda 8 components.

Keycloak is a dependency for Camunda Identity, and PostgreSQL is a dependency for Keycloak.
Elasticsearch is a dependency for the Camunda chart, which is used in Zeebe, Operate, Tasklist, and Optimize.
PostgreSQL is an optional dependency for the Camunda chart and is used by Web Modeler.

The values for the dependencies Keycloak and PostgreSQL can be set in the same hierarchy:

identity:
  [identity values]
  keycloak:
    [keycloak values]
    postgresql:
      [postgresql values]
postgresql:
  [postgresql values]

Versioning

After the 8.4 release (January 2024), the Camunda Helm chart version is decoupled from the version of the application (e.g., the chart version is 9.0.0 and the application version is 8.4.x).

Before the 8.4 release, the Camunda Helm chart version was coupled with the applications version (e.g., chart version is 8.3.x and applications version is 8.3.x).

For more details, check out the full version matrix.

Installation

The first command adds the official Camunda Helm charts repo, and the second installs the Camunda chart to your current Kubernetes context.

helm repo add camunda https://helm.camunda.io
helm install camunda-platform camunda/camunda-platform

Although the Camunda 8 Helm chart gets the latest version of Camunda 8 applications, the version is still possible to diverge slightly between the chart and the apps (more details about that can be found in versioning).

To have the latest version of the chart and apps at any time, install the chart as follows:

helm install camunda-platform camunda/camunda-platform \
    --values https://helm.camunda.io/camunda-platform/values/values-latest.yaml

For the previous version, you can get the latest applications patch version using our backporting mechanism.

Local Kubernetes

We recommend using Helm on KIND for local environments, as the Helm configurations are battle-tested and much closer to production systems.

For more details, follow the Camunda 8 local Kubernetes cluster guide.

OpenShift

Check out OpenShift Support to get started with deploying the charts on Red Hat OpenShift.

Backporting

Our Helm chart is highly customizable and constantly evolving. Hence, currently, we backport the older charts by providing an extra value file per version. That covers most backporting cases, like updating the application's image tags to the latest patch version, setting env var, etc.

To install a previous chart version with the latest app patch image tags for that version, use the values file for the minor release. For example (the values file could also be downloaded):

helm install camunda-platform camunda/camunda-platform --version 8.1 \
    --values https://helm.camunda.io/camunda-platform/values/values-v8.1.yaml

Uninstalling Charts

You can remove these charts by running:

helm uninstall camunda

Note

Notice that all the Services and Pods will be deleted, but not the PersistentVolumeClaims (PVC) which are used to hold the storage for the data generated by the cluster and Elasticsearch.

To free up the storage, you need to delete all the PVCs manually.

First, view the PVCs:

kubectl get pvc -l app.kubernetes.io/instance=camunda
kubectl get pvc -l release=camunda

Then delete the ones that you don't want to keep:

kubectl delete pvc -l app.kubernetes.io/instance=camunda
kubectl delete pvc -l release=camunda

Or you can delete the related Kubernetes namespace, which contains all PVCs.

Configuration

The following sections contain the configuration values for the chart and each sub-chart. All of them can be overwritten via a separate values.yaml file.

Check out the default values.yaml file, which contains the same content and documentation.

Note

For more details about deploying Camunda 8 on Kubernetes, please visit the Helm/Kubernetes installation instructions docs.

Notes on Configuration

Web Modeler

Note

Non-production installations of Web Modeler are restricted to five collaborators per project. Refer to the documentation for more information.

Database

Web Modeler requires a PostgreSQL database to store the data. You can either:

Deploy a PostgreSQL instance as part of the Helm release by setting postgresql.enabled to true (which will enable the postgresql chart dependency).
Configure a connection to an (existing) external database by setting postgresql.enabled to false and providing the values under restapi.externalDatabase.

SMTP server

Web Modeler requires an SMTP server to send (notification) emails to users. The SMTP connection can be configured with the values under restapi.mail.

Updating Environment Variables

When configuring the env options in the settings listed above, the environment variables you specify in values.yaml may show up twice when running kubectl describe deployment <deployment>. However, the environment variable is specified in values.yaml will have precedence when the pod actually runs. To verify this, you can check the output from the following command:

kubectl exec pod/<podName> -- env

Outbound Connectors

To learn more about outbound connectors, visit related documentation article.

Inbound Connectors

To learn more about inbound connectors, visit related documentation article.

Using Connector Secrets

Connector secrets are generally configured via environment variables.

You can set them via values.yaml, or command line. For example, if you need to set a Slack token, you should configure the following:

connectors:
  env:
    - name: SLACK_TOKEN
      value: <your actual token value>

After that, a Modeler user can set in their BPMN diagram a value secrets.SLACK_TOKEN without ever knowing the actual token.

Visit using secrets in manual installation to learn more.

Elasticsearch

Camunda 8 Helm chart has a dependency on the Elasticsearch 8 Helm Chart. All variables related to Elasticsearch can be set under elasticsearch.

Note

The default setup of the Elasticsearch 8 part of Camunda 8 uses nodes that have all roles (master, data, coordinating, and ingest). For high-demand deployments, it's recommended to deploy the Elasticsearch master-eligible nodes as master-only nodes.

Section	Parameter	Description	Default
`elasticsearch`	`enabled`	If true, enables Elasticsearch deployment as part of the Camunda Helm chart	`true`

Example:

elasticsearch:
  enabled: true
  image:
    tag: <YOUR_VERSION_HERE>

Elasticsearch Retention

Since moving to Elasticsearch 8, Curator is deprecated in favor of Manage the index lifecycle (ILM). Hence, each component in Camunda 8 controls its Elasticsearch index retention.

Keycloak

When Camunda 8 Identity component is enabled by default, and it depends on Bitnami Keycloak chart. Since Keycloak is a dependency for Identity, all variables related to Keycloak can be found in bitnami/keycloak/values.yaml and can be set under identity.keycloak.

Section	Parameter	Description	Default
`identity.keycloak`	`enabled`	If true, enables Keycloak chart deployment as part of the Camunda Helm chart	`true`

Example:

identity:
  keycloak:
    enabled: true

Keycloak Theme

Camunda provides a custom theme for the login page used in all apps. The theme is copied from the Identity image.

The theme is added to Keycloak by default, however, since Helm v3 (the latest checked 3.10.x) doesn't merge lists with custom values files, then you will need to add this to your own values file if you override any of extraVolumes, initContainers, or extraVolumeMounts.

identity:
  keycloak:
    extraVolumes:
    - name: camunda-theme
      emptyDir:
        sizeLimit: 10Mi
    initContainers:
    - name: copy-camunda-theme
      image: >-
        {{- $identityImageParams := (dict "base" .Values.global "overlay" .Values.global.identity) -}}
        {{- include "camundaPlatform.imageByParams" $identityImageParams }}
      imagePullPolicy: "{{ .Values.global.image.pullPolicy }}"
      command: ["sh", "-c", "cp -a /app/keycloak-theme/* /mnt"]
      volumeMounts:
      - name: camunda-theme
        mountPath: /mnt
    extraVolumeMounts:
    - name: camunda-theme
      mountPath: /opt/bitnami/keycloak/themes/identity

Development

For development purposes, you might want to deploy and test the charts without creating a new helm chart release. To do this you can run the following:

 helm install camunda --atomic --debug ./charts/camunda-platform

--atomic if set, the installation process deletes the installation on failure. The --wait flag will be set automatically if --atomic is used
--debug enable verbose output

To generate the resources/manifests without really installing them, you can use:

--dry-run simulate an install

If you see errors like:

Error: found in Chart.yaml, but missing in charts/ directory: elasticsearch

Then you need to download the dependencies first.

Run the following to add resolve the dependencies:

make helm.repos-add

After this, you can run: make helm.dependency-update, which will update and download the dependencies for all charts.

The execution should look like this:

$ make helm.dependency-update
helm dependency update charts/camunda-platform
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "camunda-platform" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 6 charts
Dependency zeebe did not declare a repository. Assuming it exists in the charts directory
Dependency zeebe-gateway did not declare a repository. Assuming it exists in the charts directory
Dependency operate did not declare a repository. Assuming it exists in the charts directory
Dependency tasklist did not declare a repository. Assuming it exists in the charts directory
Dependency identity did not declare a repository. Assuming it exists in the charts directory
Deleting outdated charts
helm dependency update charts/camunda-platform/charts/identity
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "camunda-platform" chart repository
...Successfully got an update from the "bitnami" chart repository
Update Complete. ⎈Happy Helming!⎈
Saving 2 charts
Downloading keycloak from repo https://charts.bitnami.com/bitnami
Downloading common from repo https://charts.bitnami.com/bitnami

Releasing the Charts

Please see the corresponding release guide to find out how to release the chart.

Parameters

Global parameters

Name	Description	Value
`global`
`global.secrets`	configuration for auto-generated secrets which is only used during the installation.
`global.secrets.autoGenerated`	if true, a secret object will be generated with auto-generated passwords. This secret object is NOT managed with corresponding releases and NOR part of Helm deployment/upgrade! It's generated once, and if it's deleted, you will lose the secrets.	`false`
`global.secrets.name`	defines the name of the secret object that has the auto-generated passwords.	`camunda-credentials-autogen`
`global.secrets.annotations`	defines the secret object annotations that utilize Helm hooks to keep that object out of the Helm deployment.	`{}`
`global.license`
`global.license.key`	if set, it will be exposed as "CAMUNDA_LICENSE_KEY" in the apps.	`nil`
`global.license.existingSecret`	you can provide an existing secret name for Camunda license secret.	`nil`
`global.license.existingSecretKey`	you can provide the key within the existing secret object for Camunda license key.	`nil`
`global.compatibility`	Compatibility adaptations for Kubernetes platforms
`global.compatibility.openshift.adaptSecurityContext`	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)	`disabled`
`global.multitenancy`
`global.multitenancy.enabled`	if true, then enable multitenancy in all applicable components.	`false`
`global.createReleaseInfo`	Create config that will be used in Camunda Console.	`true`
`global.annotations`	Annotations can be used to define common annotations, which should be applied to all deployments	`{}`
`global.labels.app`	Name of the application	`camunda-platform`
`global.image.registry`	Can be used to set container image registry.	`""`
`global.image.tag`	defines the tag / version which should be used in the most of the apps.	`nil`
`global.image.pullPolicy`	defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy	`Always`
`global.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`global.ingress`
`global.ingress.enabled`	if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX.	`false`
`global.ingress.className`	Ingress.className defines the class or configuration of ingress which should be used by the controller	`nginx`
`global.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`global.ingress.host`	If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.	`""`
`global.ingress.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`global.ingress.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`global.ingress.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`global.ingress.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform`
`global.elasticsearch`
`global.elasticsearch.enabled`	if true, enables elasticsearch for all components	`true`
`global.elasticsearch.external`	if true, tries to connect to an external elasticsearch	`false`
`global.elasticsearch.tls`
`global.elasticsearch.tls.enabled`	enable tls for external elasticsearch	`false`
`global.elasticsearch.tls.existingSecret`	provide an already existing tls secret for connecting to external elasticsearch	`nil`
`global.elasticsearch.auth`
`global.elasticsearch.auth.username`	the username for external elasticsearch	`nil`
`global.elasticsearch.auth.password`	the password for external elasticsearch	`nil`
`global.elasticsearch.auth.existingSecret`	you can provide an existing secret for the external elasticsearch password	`nil`
`global.elasticsearch.auth.existingSecretKey`	you can provide an existing secret key for the external elasticsearch password	`password`
`global.elasticsearch.disableExporter`	DEPRECATED: this value is not needed anymore. Use global.elasticsearch.enabled	`false`
`global.elasticsearch.url`	Configuration to configure elasticsearch url
`global.elasticsearch.url.protocol`	defines the elasticsearch access protocol.	`http`
`global.elasticsearch.url.host`	Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace	`{{ .Release.Name }}-elasticsearch`
`global.elasticsearch.url.port`	Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed	`9200`
`global.elasticsearch.clusterName`	Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch	`elasticsearch`
`global.elasticsearch.prefix`	Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes	`zeebe-record`
`global.opensearch`
`global.opensearch.enabled`	enabled external opensearch	`false`
`global.opensearch.aws.enabled`	Enabling AWS IRSA	`false`
`global.opensearch.tls`
`global.opensearch.tls.enabled`	enable tls for external opensearch	`false`
`global.opensearch.tls.existingSecret`	provide an already existing tls secret for connecting to external opensearch	`nil`
`global.opensearch.auth`
`global.opensearch.auth.username`	the username for external opensearch	`nil`
`global.opensearch.auth.password`	the password for external opensearch	`nil`
`global.opensearch.auth.existingSecret`	you can provide an existing secret for the external opensearch password	`nil`
`global.opensearch.auth.existingSecretKey`	you can provide an existing secret key for the external opensearch password	`password`
`global.opensearch.url`	Configuration to configure opensearch url
`global.opensearch.url.protocol`	defines the external opensearch access protocol	`https`
`global.opensearch.url.host`	defines the external opensearch host, ideally the service name inside the namespace	`nil`
`global.opensearch.url.port`	defines the external opensearch port, under which opensearch can be accessed	`443`
`global.zeebeClusterName`	ZeebeClusterName defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name.	`{{ .Release.Name }}-zeebe`
`global.identity.service.url`		`nil`
`global.identity.keycloak.internal`	It's useful for using existing Keycloak in another namespace with and access it with the combined Ingress.	`false`
`global.identity.keycloak.url`	can be used incorporate with "identityKeycloak.enabled: false" to use your own Keycloak instead of the one comes with Camunda Helm chart.	`{}`
`global.identity.keycloak.contextPath`	In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'.	`/auth`
`global.identity.keycloak.realm`	defines Keycloak realm path used for Camunda.	`/realms/camunda-platform`
`global.identity.keycloak.auth`	same as "identityKeycloak.auth" but it's used for existing Keycloak.	`{}`
`global.identity.auth`	configuration, to configure identity authentication setup
`global.identity.auth.enabled`	if true, enables the identity authentication otherwise basic-auth will be used on all services.	`true`
`global.identity.auth.issuer`	defines the issuer name, which is used by the services to validate the JWT tokens.	`""`
`global.identity.auth.issuerBackendUrl`	defines the issuer backend URL, which is used by the services to validate the JWT tokens in a container to container context.	`""`
`global.identity.auth.tokenUrl`	defines the token URL, which is used by the services to request JWT tokens.	`""`
`global.identity.auth.jwksUrl`	defines the JWKS URL, which is used by the services to validate the JWT tokens.	`""`
`global.identity.auth.type`	defines the type of authentication which should be used. Defaults to Keycloak	`KEYCLOAK`
`global.identity.auth.publicIssuerUrl`	Can be overwritten if ingress is in use and an external IP is available.	`http://localhost:18080/auth/realms/camunda-platform`
`global.identity.auth.identity`	configuration to configure Identity authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.identity.clientId`	defines the client id, which is used by Identity in authentication flows.	`camunda-identity`
`global.identity.auth.identity.audience`	defines the audience, which is used by Identity.	`camunda-identity-resource-server`
`global.identity.auth.identity.existingSecret`	can be used to reference an existing secret. This should ONLY be used for an external OIDC provider. If not set, a random secret is generated.	`nil`
`global.identity.auth.identity.existingSecretKey`	defines the key within the existing secret object.	`identity-secret`
`global.identity.auth.identity.redirectUrl`	defines the redirect URL, which is used by the auth platform to access Identity.	`http://localhost:8085`
`global.identity.auth.identity.initialClaimName`	defines the initial claim name, which is used by Identity to configure initial mapping rules,	`oid`
`global.identity.auth.identity.initialClaimValue`	defines the initial claim value, which is used by Identity to configure initial mapping rules.	`nil`
`global.identity.auth.console`	configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.console.clientId`	defines the client id, which is used by Console in authentication flows.	`console`
`global.identity.auth.console.audience`	defines the audience which is used by Console's client API.	`console-api`
`global.identity.auth.console.wellKnown`	defines the uri for the well known config which is used by Console (optional).	`https://well-known-uri`
`global.identity.auth.console.existingSecret`	can be used to use an own existing secret. If not set a random secret is generated.	`nil`
`global.identity.auth.console.existingSecretKey`	defines the key within the existing secret object.	`console-secret`
`global.identity.auth.console.redirectUrl`	defines the root URL which is used by Keycloak to access WebModeler.	`http://localhost:8080`
`global.identity.auth.webModeler`	configuration to configure WebModeler authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.webModeler.clientId`	defines the client id, which is used by WebModeler in authentication flows.	`web-modeler`
`global.identity.auth.webModeler.clientApiAudience`	defines the audience which is used by WebModeler's client API.	`web-modeler-api`
`global.identity.auth.webModeler.publicApiAudience`	defines the audience which is used by WebModeler's public API.	`web-modeler-public-api`
`global.identity.auth.webModeler.redirectUrl`	defines the root URL which is used by Keycloak to access WebModeler.	`http://localhost:8084`
`global.identity.auth.connectors`	configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.connectors.clientId`	defines the client id, which is used by Connectors in authentication flows.	`connectors`
`global.identity.auth.connectors.existingSecret`	can be used to use an own existing secret. If not set a random secret is generated.	`nil`
`global.identity.auth.connectors.existingSecretKey`	defines the key within the existing secret object.	`connectors-secret`
`global.identity.auth.core`	configuration to configure authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.core.audience`	defines the audience, which is used by Core.	`core-api`
`global.identity.auth.core.clientId`	defines the client id, which is used by Core in authentication flows.	`core`
`global.identity.auth.core.existingSecret`	can be used to use an own existing secret. If not set a random secret is generated.	`nil`
`global.identity.auth.core.existingSecretKey`	defines the key within the existing secret object.	`core-secret`
`global.identity.auth.core.redirectUrl`	defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.	`http://localhost:8082`
`global.identity.auth.core.tokenScope`	defines the token scope, which is used by Core.	`nil`
`global.identity.auth.optimize`	configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts
`global.identity.auth.optimize.audience`	defines the audience, which is used by Optimize.	`optimize-api`
`global.identity.auth.optimize.clientId`	defines the client id, which is used by Optimize in authentication flows.	`optimize`
`global.identity.auth.optimize.existingSecret`	can be used to use an own existing secret. If not set a random secret is generated.	`nil`
`global.identity.auth.optimize.existingSecretKey`	defines the key within the existing secret object.	`optimize-secret`
`global.identity.auth.optimize.redirectUrl`	defines the root (or redirect) URL, which is used by Keycloak to access Optimize.	`http://localhost:8083`

Identity Parameters

Name	Description	Value
`identity.enabled`	if true, the identity deployment and its related resources are deployed via a helm release	`true`
`identity.fullnameOverride`	can be used to override the full name of the Identity resources	`""`
`identity.nameOverride`	can be used to partly override the name of the Identity resources (names will still be prefixed with the release name)	`""`
`identity.firstUser`	configuration to configure properties of the first Identity user, which can be used to access all
`identity.firstUser.enabled`	if true, Identity will seed the first user in Keycloak.	`true`
`identity.firstUser.username`	defines the username of the first user, needed to log in into the web applications	`demo`
`identity.firstUser.password`	defines the password of the first user, needed to log in into the web applications	`demo`
`identity.firstUser.email`	defines the email address of the first user; a valid email address is required to use WebModeler	`demo@example.org`
`identity.firstUser.firstName`	defines the first name of the first user; a name is required to use WebModeler	`Demo`
`identity.firstUser.lastName`	defines the last name of the first user; a name is required to use WebModeler	`User`
`identity.firstUser.existingSecret`	can be used to use an own existing secret for Identity first user.	`""`
`identity.firstUser.existingSecretKey`	defines the key within the existing secret object.	`identity-firstuser-password`
`identity.image`	configuration to configure the identity image specifics
`identity.image.registry`	can be used to set container image registry.	`""`
`identity.image.repository`	defines which image repository to use	`camunda/identity`
`identity.image.tag`	can be set to overwrite the global tag, which should be used in that chart	`8.7.0-alpha1`
`identity.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`identity.sidecars`	can be used to attach extra containers to the identity deployment	`[]`
`identity.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`identity.fullURL`	can be used when Ingress is configured (for both multi and single domain setup).	`""`
`identity.contextPath`	can be used to make Identity web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.	`""`
`identity.podAnnotations`	can be used to define extra Identity pod annotations	`{}`
`identity.podLabels`	can be used to define extra Identity pod labels	`{}`
`identity.logging`	configuration for the identity logging. This template will be directly included in the identity configuration YAML file
`identity.logging.level.ROOT`		`DEBUG`
`identity.logging.level.io.camunda.identity`	https://docs.camunda.io/docs/next/self-managed/identity/user-guide/configuration/configure-logging/#general-configuration-options	`DEBUG`
`identity.service`	configuration to configure the identity service.
`identity.service.annotations`	can be used to define annotations, which will be applied to the identity service	`{}`
`identity.service.type`	defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`identity.service.port`	defines the port of the service on which the identity application will be available	`80`
`identity.service.metricsPort`	defines the port of the service on which the identity metrics will be available	`82`
`identity.service.metricsName`	defines the name of the service on which the identity metrics will be available	`metrics`
`identity.podSecurityContext`	defines the security options the Identity pod should be run with
`identity.podSecurityContext.runAsNonRoot`		`true`
`identity.podSecurityContext.fsGroup`		`1001`
`identity.podSecurityContext.seccompProfile`
`identity.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`identity.containerSecurityContext`	defines the security options the Identity container should be run with
`identity.containerSecurityContext.allowPrivilegeEscalation`		`false`
`identity.containerSecurityContext.privileged`		`false`
`identity.containerSecurityContext.readOnlyRootFilesystem`		`true`
`identity.containerSecurityContext.runAsNonRoot`		`true`
`identity.containerSecurityContext.runAsUser`		`1001`
`identity.containerSecurityContext.seccompProfile`
`identity.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`identity.startupProbe`	configuration
`identity.startupProbe.enabled`	if true, the startup probe is enabled in app container	`false`
`identity.startupProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`identity.startupProbe.probePath`	defines the startup probe route used on the app	`/actuator/health`
`identity.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated.	`30`
`identity.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`identity.startupProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`identity.startupProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`identity.startupProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`identity.readinessProbe`	configuration
`identity.readinessProbe.enabled`	if true, the readiness probe is enabled in app container	`true`
`identity.readinessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`identity.readinessProbe.probePath`	defines the readiness probe route used on the app	`/actuator/health`
`identity.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated.	`30`
`identity.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`identity.readinessProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`identity.readinessProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`identity.readinessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`identity.livenessProbe`	configuration
`identity.livenessProbe.enabled`	if true, the liveness probe is enabled in app container	`false`
`identity.livenessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`identity.livenessProbe.probePath`	defines the liveness probe route used on the app	`/actuator/health`
`identity.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`identity.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`identity.livenessProbe.successThreshold`	defines how often it needs to be true to be considered successful after having failed	`1`
`identity.livenessProbe.failureThreshold`	defines when the probe is considered as failed so the container will be restarted	`5`
`identity.livenessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`identity.metrics.prometheus`	Prometheus metrics endpoint	`/actuator/prometheus`
`identity.nodeSelector`	can be used to define on which nodes the Identity pods should run	`{}`
`identity.tolerations`	can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`identity.affinity`	can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`identity.resources`	configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`identity.resources.requests.memory`		`400Mi`
`identity.resources.limits.cpu`		`2000m`
`identity.resources.requests.cpu`		`600m`
`identity.resources.limits.memory`		`2Gi`
`identity.env`	can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details.	`[]`
`identity.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`identity.command`	can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`identity.extraVolumes`	can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates	`[]`
`identity.extraVolumeMounts`	can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates	`[]`
`identity.serviceAccount`	configuration for the service account where the identity pods are assigned to
`identity.serviceAccount.enabled`	if true, enables the identity service account	`true`
`identity.serviceAccount.name`	can be used to set the name of the identity service account	`""`
`identity.serviceAccount.annotations`	can be used to set the annotations of the identity service account	`{}`
`identity.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`true`
`identity.ingress.enabled`	if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.	`false`
`identity.ingress.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`identity.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`identity.ingress.path`	defines the path which is associated with the service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`identity.ingress.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`identity.ingress.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`identity.ingress.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`identity.ingress.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`identity.ingress.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-identity`
`identity.externalDatabase.enabled`		`false`
`identity.externalDatabase.host`	Database host	`nil`
`identity.externalDatabase.port`	Database port number	`nil`
`identity.externalDatabase.username`	Non-root username	`nil`
`identity.externalDatabase.password`	Password for the non-root username	`nil`
`identity.externalDatabase.database`	The database name	`nil`
`identity.externalDatabase.existingSecret`	Name of an existing secret resource containing the database credentials	`nil`
`identity.externalDatabase.existingSecretPasswordKey`	Name of an existing secret key containing the database credentials	`nil`
`identity.configuration`	if specified, contents will be used as the application.yaml	`""`
`identity.extraConfiguration`	if specified, contents will be used for any extra configuration files such as the log4j2.xml	`{}`
`identity.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`identity.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

Identity - PostgreSQL Parameters

Name	Description	Value
`identityPostgresql`	configuration for the PostgreSQL dependency chart used by Identity. For more details, check Bitnami package for PostgreSQL documentation.
`identityPostgresql.enabled`	Enable Identity PostgreSQL Helm chart. Required for Multi-Tenancy.	`false`
`identityPostgresql.global.compatibility`	Compatibility adaptations for Kubernetes platforms
`identityPostgresql.global.compatibility.openshift.adaptSecurityContext`	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)	`{{ .Values.global.compatibility.openshift.adaptSecurityContext
`identityPostgresql.image.repository`	PostgreSQL repo	`bitnami/postgresql`
`identityPostgresql.image.tag`	PostgreSQL image tag	`15.9.0-debian-12-r0`
`identityPostgresql.nameOverride`	the name used for Identity PostgreSQL.	`identity-postgresql`
`identityPostgresql.auth.username`	Non-root username	`identity`
`identityPostgresql.auth.database`	The database name	`identity`
`identityPostgresql.auth.password`	Password for the non-root username	`nil`
`identityPostgresql.auth.existingSecret`	Name of an existing secret resource containing the database credentials	`nil`
`identityPostgresql.auth.secretKeys.adminPasswordKey`	defines the key within the existing secret object for PostgreSQL admin.	`postgres-password`
`identityPostgresql.auth.secretKeys.userPasswordKey`	defines the key within the existing secret object for PostgreSQL user.	`password`

Identity - Keycloak Parameters

Name	Description	Value
`identityKeycloak`	configuration, for the Keycloak dependency chart which is used by Identity. For more details, check Bitnami package for Keycloak documentation.
`identityKeycloak.enabled`	Enable Identity Keycloak Helm chart. It is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart	`true`
`identityKeycloak.global.compatibility`	Compatibility adaptations for Kubernetes platforms
`identityKeycloak.global.compatibility.openshift.adaptSecurityContext`	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)	`{{ .Values.global.compatibility.openshift.adaptSecurityContext
`identityKeycloak.nameOverride`	the name used for Keycloak.	`keycloak`
`identityKeycloak.image`	configuration.
`identityKeycloak.image.repository`	image repo	`camunda/keycloak`
`identityKeycloak.image.tag`	image tag	`25.0.4`
`identityKeycloak.postgresql`	configuration.
`identityKeycloak.postgresql.image.repository`	image repo	`bitnami/postgresql`
`identityKeycloak.postgresql.image.tag`	image tag	`15.9.0-debian-12-r0`
`identityKeycloak.postgresql.auth.existingSecret`	defines the existing secret resource containing the database credentials	`nil`
`identityKeycloak.postgresql.auth.secretKeys.adminPasswordKey`	defines the key within the existing secret object for PostgreSQL admin.	`postgres-password`
`identityKeycloak.postgresql.auth.secretKeys.userPasswordKey`	defines the key within the existing secret object for PostgreSQL user.	`password`
`identityKeycloak.postgresql.primary.containerSecurityContext.enabled`		`true`
`identityKeycloak.postgresql.primary.containerSecurityContext.privileged`		`false`
`identityKeycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem`		`true`
`identityKeycloak.postgresql.primary.containerSecurityContext.allowPrivilegeEscalation`		`false`
`identityKeycloak.postgresql.primary.containerSecurityContext.runAsNonRoot`		`true`
`identityKeycloak.postgresql.primary.containerSecurityContext.runAsUser`		`1001`
`identityKeycloak.postgresql.primary.containerSecurityContext.capabilities.drop`		`["ALL"]`
`identityKeycloak.postgresql.primary.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`identityKeycloak.postgresql.primary.podSecurityContext.enabled`		`true`
`identityKeycloak.postgresql.primary.podSecurityContext.runAsNonRoot`		`true`
`identityKeycloak.postgresql.primary.podSecurityContext.fsGroup`		`1001`
`identityKeycloak.proxy`	keycloak proxy	`edge`
`identityKeycloak.tls`	can be used to enable TLS encryption. Required for HTTPs traffic.
`identityKeycloak.tls.enabled`	enabling tls	`false`
`identityKeycloak.extraVolumeMounts[0].name`		`data-tmp`
`identityKeycloak.extraVolumeMounts[0].mountPath`		`/opt/bitnami/keycloak/data/tmp`
`identityKeycloak.containerSecurityContext.privileged`		`false`
`identityKeycloak.containerSecurityContext.readOnlyRootFilesystem`		`true`
`identityKeycloak.containerSecurityContext.allowPrivilegeEscalation`		`false`
`identityKeycloak.containerSecurityContext.runAsNonRoot`		`true`
`identityKeycloak.containerSecurityContext.runAsUser`		`1001`
`identityKeycloak.containerSecurityContext.capabilities.drop`		`["ALL"]`
`identityKeycloak.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`identityKeycloak.podSecurityContext.runAsNonRoot`		`true`
`identityKeycloak.podSecurityContext.fsGroup`		`1001`
`identityKeycloak.httpRelativePath`	defines the context for Keycloak. This config is valid for Keycloak v19.x.x only	`/auth/`
`identityKeycloak.extraEnvVars`
`identityKeycloak.extraEnvVars[0].name`		`KEYCLOAK_PROXY_ADDRESS_FORWARDING`
`identityKeycloak.extraEnvVars[0].value`		`{{ .Values.global.ingress.tls.enabled }}`
`identityKeycloak.ingress.enabled`	can be used enable ingress record generation for Keycloak.	`false`
`identityKeycloak.ingress.tls`	can be used to enable TLS configuration for the host defined at ingress.hostname parameter.	`false`
`identityKeycloak.ingress.extraTls`	configuration for additional hostnames to be covered with this ingress record.	`[]`
`identityKeycloak.ingress.annotations`	configures annotations to be applied to the ingress record.	`{}`
`identityKeycloak.ingress.pathType`	defines Ingress path type.	`Prefix`
`identityKeycloak.service`	configuration, to configure the service which is deployed along with keycloak
`identityKeycloak.service.type`	can be set to change the service type.	`ClusterIP`
`identityKeycloak.auth`	uses the secrets generated by keycloak, to access keycloak.
`identityKeycloak.auth.adminUser`	defines the keycloak administrator user	`admin`
`identityKeycloak.auth.existingSecret`	can be used to reuse an existing secret containing authentication information.	`""`
`identityKeycloak.auth.passwordSecretKey`	defines the key within the existing secret object.	`admin-password`

Console Parameters

Name	Description	Value
`console`	configuration for the Console.
`console.enabled`	if true, the Console deployment and its related resources are deployed via a helm release	`false`
`console.configuration`	Configuration passed directly to Console as YAML file. More details on Console official documenations	`""`
`console.image.registry`	can be used to set container image registry.	`""`
`console.image.repository`	defines which image repository to use	`camunda/console`
`console.image.tag`	can be used to set the Docker image tag for the Console image (overwrites global.image.tag)	`8.7.0-alpha1`
`console.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`console.sidecars`	can be used to attach extra containers to the console deployment	`[]`
`console.replicas`	Number of Console replicas	`1`
`console.keycloak.realm`	Specifies the Keycloak realm used for authentication.	`camunda-platform`
`console.contextPath`	can be used to make Console web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.	`""`
`console.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`console.podAnnotations`	can be used to define extra Console pod annotations	`{}`
`console.podLabels`	can be used to define extra Console pod labels	`{}`
`console.logging`	configuration for the Console logging. This template will be directly included in the configuration YAML file	`{}`
`console.service.annotations`	can be used to define annotations, which will be applied to the Console service	`{}`
`console.service.type`	defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`console.service.port`	defines the port number where the web application will be available	`80`
`console.service.serverName`	defines the port name where the web application will be available	`http`
`console.service.managementPort`	defines the management port used to access metrics and app status	`9100`
`console.resources.requests.memory`		`1Gi`
`console.resources.limits.cpu`		`2`
`console.resources.limits.memory`		`2Gi`
`console.resources.requests.cpu`		`1`
`console.env`	can be used to set extra environment variables in each app container	`[]`
`console.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`console.command`	can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`console.extraVolumes`	can be used to define extra volumes for the Console pods, useful for TLS and self-signed certificates	`[]`
`console.extraVolumeMounts`	can be used to mount extra volumes for the Console pods, useful for TLS and self-signed certificates	`[]`
`console.startupProbe.enabled`	if true, the startup probe is enabled in app container	`false`
`console.startupProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`console.startupProbe.probePath`	defines the startup probe route used on the app	`/health/readiness`
`console.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`console.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`console.startupProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`console.startupProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`console.startupProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`console.readinessProbe.enabled`	if true, the readiness probe is enabled in app container	`true`
`console.readinessProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`console.readinessProbe.probePath`	defines the readiness probe route used on the app	`/health/readiness`
`console.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`console.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`console.readinessProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`console.readinessProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`console.readinessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`console.livenessProbe.enabled`	if true, the liveness probe is enabled in app container	`false`
`console.livenessProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`console.livenessProbe.probePath`	defines the liveness probe route used on the app	`/health/liveness`
`console.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`console.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`console.livenessProbe.successThreshold`	defines how often it needs to be true to be considered successful after having failed	`1`
`console.livenessProbe.failureThreshold`	defines when the probe is considered as failed so the container will be restarted	`5`
`console.livenessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`console.metrics.prometheus`	Prometheus metrics endpoint	`/prometheus`
`console.serviceAccount.enabled`	if true, enables the Console service account	`true`
`console.serviceAccount.name`	can be used to set the name of the Console service account	`""`
`console.serviceAccount.annotations`	can be used to set the annotations of the service account	`{}`
`console.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`false`
`console.ingress.enabled`	if true, an ingress resource is deployed with the Console deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.	`false`
`console.ingress.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`console.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`console.ingress.path`	defines the path which is associated with the Console service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`console.ingress.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`console.ingress.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`console.ingress.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`console.ingress.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-console`
`console.podSecurityContext`	defines the security options the Console broker pod should be run with
`console.podSecurityContext.runAsNonRoot`	run as non root	`true`
`console.podSecurityContext.fsGroup`		`1001`
`console.podSecurityContext.seccompProfile`
`console.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`console.containerSecurityContext.allowPrivilegeEscalation`		`false`
`console.containerSecurityContext.privileged`		`false`
`console.containerSecurityContext.readOnlyRootFilesystem`		`true`
`console.containerSecurityContext.runAsNonRoot`		`true`
`console.containerSecurityContext.runAsUser`		`1001`
`console.containerSecurityContext.seccompProfile`
`console.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`console.nodeSelector`	can be used to define on which nodes the Console pods should run	`{}`
`console.tolerations`	can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`console.affinity`	can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`console.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`console.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

WebModeler Parameters

Name	Description	Value
`webModeler.enabled`	if true, the WebModeler deployment and its related resources are deployed via a helm release	`false`
`webModeler.fullnameOverride`	can be used to override the full name of the WebModeler resources	`""`
`webModeler.nameOverride`	can be used to partly override the name of the WebModeler resources (names will still be prefixed with the release name)	`""`
`webModeler.image`	configuration of the WebModeler Docker images
`webModeler.image.registry`	can be used to set the Docker registry for the WebModeler images (overwrites global.image.registry)	`""`
`webModeler.image.tag`	can be used to set the Docker image tag for the WebModeler images (overwrites global.image.tag)	`8.7.0-alpha1`
`webModeler.image.pullSecrets`	can be used to configure image pull secrets, see https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`webModeler.contextPath`	can be used to make WebModeler available on a custom sub-path. This is mainly used to run the Camunda web applications under a single domain.	`""`

WebModeler - RestAPI Parameters

Name	Description	Value
`webModeler.restapi`	configuration of the WebModeler restapi component
`webModeler.restapi.image`	configuration of the restapi Docker image
`webModeler.restapi.image.repository`	defines which image repository to use for the restapi Docker image	`camunda/web-modeler-restapi`
`webModeler.restapi.sidecars`	can be used to attach extra containers to the restapi deployment	`[]`
`webModeler.restapi.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`webModeler.restapi.externalDatabase`	can be used to configure a connection to an external database; will only be applied if the postgresql dependency chart is disabled (with `postgresql.enabled=false`)
`webModeler.restapi.externalDatabase.url`	defines the JDBC url of the database instance	`""`
`webModeler.restapi.externalDatabase.user`	defines the database user	`""`
`webModeler.restapi.externalDatabase.password`	can be used to provide the database user's password; ignored if `webModeler.restapi.externalDatabase.existingSecret` is set	`""`
`webModeler.restapi.externalDatabase.existingSecret`	can be used to provide the name of an existing secret resource containing the database password	`nil`
`webModeler.restapi.externalDatabase.existingSecretPasswordKey`	can be used to provide the name of an existing secret key containing the database password	`database-password`
`webModeler.restapi.mail`	configuration for emails sent by WebModeler
`webModeler.restapi.mail.smtpHost`	defines the host name of the SMTP server to be used by WebModeler	`""`
`webModeler.restapi.mail.smtpPort`	defines the port number of the SMTP server	`587`
`webModeler.restapi.mail.smtpUser`	can be used to provide a user for the SMTP server	`""`
`webModeler.restapi.mail.smtpPassword`	can be used to provide a password for the SMTP server; ignored if `webModeler.restapi.mail.existingSecret` is set	`""`
`webModeler.restapi.mail.smtpTlsEnabled`	if true, enforces TLS encryption for SMTP connections (using STARTTLS)	`true`
`webModeler.restapi.mail.existingSecret`	can be used to provide the name of an existing secret resource containing the SMTP password	`nil`
`webModeler.restapi.mail.existingSecretPasswordKey`	can be used to provide the name of an existing secret key containing the SMTP password	`smtp-password`
`webModeler.restapi.mail.fromAddress`	defines the email address that will be displayed as the sender of emails sent by WebModeler	`""`
`webModeler.restapi.mail.fromName`	defines the name that will be displayed as the sender of emails sent by WebModeler	`Camunda 8`
`webModeler.restapi.clusters`	can be used to configure Camunda 8 clusters that will be available in Web Modeler (will override default cluster configuration that is used if `zeebe.enabled=true`)	`[]`
`webModeler.restapi.podAnnotations`	can be used to define extra restapi pod annotations	`{}`
`webModeler.restapi.podLabels`	can be used to define extra restapi pod labels	`{}`
`webModeler.restapi.logging`	configuration for the restapi logging. This template will be directly included in the webModeler.restapi configuration YAML file
`webModeler.restapi.logging.level.io.camunda.modeler`	https://docs.camunda.io/docs/next/self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection/#how-can-i-debug-log-grpc--zeebe-communication	`DEBUG`
`webModeler.restapi.logging.level.io.grpc`		`TRACE`
`webModeler.restapi.env`	can be used to set extra environment variables in each restapi container	`[]`
`webModeler.restapi.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`webModeler.restapi.command`	can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`webModeler.restapi.extraVolumes`	can be used to define extra volumes for the restapi pods, useful for TLS and self-signed certificates	`[]`
`webModeler.restapi.extraVolumeMounts`	can be used to mount extra volumes for the restapi pods, useful for TLS and self-signed certificates	`[]`
`webModeler.restapi.podSecurityContext`	can be used to define the security options the restapi pod should be run with
`webModeler.restapi.podSecurityContext.runAsNonRoot`		`true`
`webModeler.restapi.podSecurityContext.fsGroup`		`1001`
`webModeler.restapi.podSecurityContext.seccompProfile`
`webModeler.restapi.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.restapi.containerSecurityContext`	can be used to define the security options the restapi container should be run with
`webModeler.restapi.containerSecurityContext.privileged`		`false`
`webModeler.restapi.containerSecurityContext.readOnlyRootFilesystem`		`true`
`webModeler.restapi.containerSecurityContext.allowPrivilegeEscalation`		`false`
`webModeler.restapi.containerSecurityContext.runAsNonRoot`		`true`
`webModeler.restapi.containerSecurityContext.runAsUser`		`1001`
`webModeler.restapi.containerSecurityContext.seccompProfile`
`webModeler.restapi.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.restapi.startupProbe`	configuration of the restapi startup probe
`webModeler.restapi.startupProbe.enabled`	if true, the startup probe will be enabled for the restapi container	`false`
`webModeler.restapi.startupProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.restapi.startupProbe.probePath`	defines the HTTP endpoint used for the startup probe	`/health/liveness`
`webModeler.restapi.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`30`
`webModeler.restapi.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.restapi.startupProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.restapi.startupProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.restapi.startupProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.restapi.readinessProbe`	configuration of the restapi readiness probe
`webModeler.restapi.readinessProbe.enabled`	if true, the readiness probe will be enabled for the restapi container	`true`
`webModeler.restapi.readinessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.restapi.readinessProbe.probePath`	defines the HTTP endpoint used for the readiness probe	`/health/readiness`
`webModeler.restapi.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`30`
`webModeler.restapi.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.restapi.readinessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.restapi.readinessProbe.failureThreshold`	defines when the probe is considered failed so the Pod will be marked unready	`5`
`webModeler.restapi.readinessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.restapi.livenessProbe`	configuration of the restapi liveness probe
`webModeler.restapi.livenessProbe.enabled`	if true, the liveness probe will be enabled for the restapi container	`false`
`webModeler.restapi.livenessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.restapi.livenessProbe.probePath`	defines the HTTP endpoint used for the liveness probe	`/health/liveness`
`webModeler.restapi.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`30`
`webModeler.restapi.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.restapi.livenessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.restapi.livenessProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.restapi.livenessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.restapi.metrics.prometheus`	Prometheus metrics endpoint	`/metrics`
`webModeler.restapi.nodeSelector`	can be used to select the nodes the restapi pods should run on	`{}`
`webModeler.restapi.tolerations`	can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`webModeler.restapi.affinity`	can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`webModeler.restapi.resources`	configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`webModeler.restapi.resources.requests.cpu`		`500m`
`webModeler.restapi.resources.requests.memory`		`1Gi`
`webModeler.restapi.resources.limits.cpu`		`1000m`
`webModeler.restapi.resources.limits.memory`		`2Gi`
`webModeler.restapi.service`	configuration of the WebModeler restapi service
`webModeler.restapi.service.annotations`	can be used to define annotations which will be applied to the service	`{}`
`webModeler.restapi.service.type`	defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`webModeler.restapi.service.port`	defines the default port of the service	`80`
`webModeler.restapi.service.managementPort`	defines the management port of the service	`8091`
`webModeler.restapi.configuration`	if specified, contents will be used as the application.yaml	`""`
`webModeler.restapi.extraConfiguration`	if specified, contents will be used for any extra configuration files such as log4j2.xml	`{}`
`webModeler.restapi.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`webModeler.restapi.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

WebModeler - WebApp Parameters

Name	Description	Value
`webModeler.webapp.`	configuration of the WebModeler webapp component
`webModeler.webapp.image`	configuration of the webapp Docker image
`webModeler.webapp.image.repository`	defines which image repository to use for the webapp Docker image	`camunda/web-modeler-webapp`
`webModeler.webapp.sidecars`	can be used to attach extra containers to the modeler webapp deployment	`[]`
`webModeler.webapp.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`webModeler.webapp.podAnnotations`	can be used to define extra webapp pod annotations	`{}`
`webModeler.webapp.podLabels`	can be used to define extra webapp pod labels	`{}`
`webModeler.webapp.env`	can be used to set extra environment variables in each webapp container	`[]`
`webModeler.webapp.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`webModeler.webapp.command`	can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`webModeler.webapp.extraVolumes`	can be used to define extra volumes for the webapp pods, useful for TLS and self-signed certificates	`[]`
`webModeler.webapp.extraVolumeMounts`	can be used to mount extra volumes for the webapp pods, useful for TLS and self-signed certificates	`[]`
`webModeler.webapp.podSecurityContext`	can be used to define the security options the webapp pod should be run with
`webModeler.webapp.podSecurityContext.runAsNonRoot`		`true`
`webModeler.webapp.podSecurityContext.fsGroup`		`1001`
`webModeler.webapp.podSecurityContext.seccompProfile`
`webModeler.webapp.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.webapp.containerSecurityContext`	can be used to define the security options the webapp container should be run with
`webModeler.webapp.containerSecurityContext.privileged`		`false`
`webModeler.webapp.containerSecurityContext.readOnlyRootFilesystem`		`true`
`webModeler.webapp.containerSecurityContext.allowPrivilegeEscalation`		`false`
`webModeler.webapp.containerSecurityContext.runAsNonRoot`		`true`
`webModeler.webapp.containerSecurityContext.runAsUser`		`1001`
`webModeler.webapp.containerSecurityContext.seccompProfile`
`webModeler.webapp.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.webapp.startupProbe`	configuration of the webapp startup probe
`webModeler.webapp.startupProbe.enabled`	if true, the startup probe will be enabled for the webapp container	`false`
`webModeler.webapp.startupProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.webapp.startupProbe.probePath`	defines the HTTP endpoint used for the startup probe	`/health/liveness`
`webModeler.webapp.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`15`
`webModeler.webapp.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.webapp.startupProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.webapp.startupProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.webapp.startupProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.webapp.readinessProbe`	configuration of the webapp readiness probe
`webModeler.webapp.readinessProbe.enabled`	if true, the readiness probe will be enabled for the webapp container	`true`
`webModeler.webapp.readinessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.webapp.readinessProbe.probePath`	defines the HTTP endpoint used for the readiness probe	`/health/readiness`
`webModeler.webapp.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`15`
`webModeler.webapp.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.webapp.readinessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.webapp.readinessProbe.failureThreshold`	defines when the probe is considered failed so the Pod will be marked unready	`5`
`webModeler.webapp.readinessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.webapp.livenessProbe`	configuration of the webapp liveness probe
`webModeler.webapp.livenessProbe.enabled`	if true, the liveness probe will be enabled for the webapp container	`false`
`webModeler.webapp.livenessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`webModeler.webapp.livenessProbe.probePath`	defines the HTTP endpoint used for the liveness probe	`/health/liveness`
`webModeler.webapp.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`15`
`webModeler.webapp.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.webapp.livenessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.webapp.livenessProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.webapp.livenessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.webapp.metrics.prometheus`	Prometheus metrics endpoint	`/metrics`
`webModeler.webapp.nodeSelector`	can be used to select the nodes the webapp pods should run on	`{}`
`webModeler.webapp.tolerations`	can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`webModeler.webapp.affinity`	can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`webModeler.webapp.resources`	configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`webModeler.webapp.resources.requests.cpu`		`400m`
`webModeler.webapp.resources.requests.memory`		`256Mi`
`webModeler.webapp.resources.limits.cpu`		`800m`
`webModeler.webapp.resources.limits.memory`		`512Mi`
`webModeler.webapp.service`	configuration of the WebModeler webapp service
`webModeler.webapp.service.annotations`	can be used to define annotations which will be applied to the service	`{}`
`webModeler.webapp.service.type`	defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`webModeler.webapp.service.port`	defines the port of the service	`80`
`webModeler.webapp.service.managementPort`	defines the management port of the service	`8071`
`webModeler.webapp.configuration`	if specified, contents will be used as the application.yaml	`""`
`webModeler.webapp.extraConfiguration`	if specified, contents will be used for any extra configuration files such as log4j2.xml	`{}`
`webModeler.webapp.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`webModeler.webapp.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

WebModeler - WebSockets Parameters

Name	Description	Value
`webModeler.websockets`	configuration of the WebModeler websockets component
`webModeler.websockets.image`	configuration of the websockets Docker image
`webModeler.websockets.image.repository`	defines which image repository to use for the websockets Docker image	`camunda/web-modeler-websockets`
`webModeler.websockets.sidecars`	can be used to attach extra containers to the modeler websockets deployment	`[]`
`webModeler.websockets.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`webModeler.websockets.publicHost`	can be used to define the host on which the WebSockets server can be reached from the WebModeler client in the browser.	`localhost`
`webModeler.websockets.publicPort`	can be used to define the port number on which the WebSockets server can be reached from the WebModeler client in the browser.	`8085`
`webModeler.websockets.podAnnotations`	can be used to define extra websockets pod annotations	`{}`
`webModeler.websockets.podLabels`	can be used to define extra websockets pod labels	`{}`
`webModeler.websockets.env`	can be used to set extra environment variables in each websockets container	`[]`
`webModeler.websockets.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`webModeler.websockets.command`	can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`webModeler.websockets.extraVolumes`	can be used to define extra volumes for the websockets pod; useful for logging to a file	`[]`
`webModeler.websockets.extraVolumeMounts`	can be used to mount extra volumes for the websockets pod; useful for logging to a file	`[]`
`webModeler.websockets.podSecurityContext`	can be used to define the security options the websockets pod should be run with
`webModeler.websockets.podSecurityContext.runAsNonRoot`		`true`
`webModeler.websockets.podSecurityContext.fsGroup`		`1001`
`webModeler.websockets.podSecurityContext.seccompProfile`
`webModeler.websockets.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.websockets.containerSecurityContext`	can be used to define the security options the websockets container should be run with
`webModeler.websockets.containerSecurityContext.privileged`		`false`
`webModeler.websockets.containerSecurityContext.readOnlyRootFilesystem`		`true`
`webModeler.websockets.containerSecurityContext.allowPrivilegeEscalation`		`false`
`webModeler.websockets.containerSecurityContext.runAsNonRoot`		`true`
`webModeler.websockets.containerSecurityContext.runAsUser`		`1001`
`webModeler.websockets.containerSecurityContext.seccompProfile`
`webModeler.websockets.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`webModeler.websockets.startupProbe`	configuration of the websockets startup probe
`webModeler.websockets.startupProbe.enabled`	if true, the startup probe will be enabled for the websockets container	`false`
`webModeler.websockets.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`10`
`webModeler.websockets.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.websockets.startupProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.websockets.startupProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.websockets.startupProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.websockets.readinessProbe`	configuration of the websockets readiness probe
`webModeler.websockets.readinessProbe.enabled`	if true, the readiness probe will be enabled for the websockets container	`true`
`webModeler.websockets.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`10`
`webModeler.websockets.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.websockets.readinessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.websockets.readinessProbe.failureThreshold`	defines when the probe is considered failed so the Pod will be marked unready	`5`
`webModeler.websockets.readinessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.websockets.livenessProbe`	configuration of the websockets liveness probe
`webModeler.websockets.livenessProbe.enabled`	if true, the liveness probe will be enabled for the websockets container	`false`
`webModeler.websockets.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated	`10`
`webModeler.websockets.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`webModeler.websockets.livenessProbe.successThreshold`	defines how often the probe needs to succeed to be considered successful after having failed	`1`
`webModeler.websockets.livenessProbe.failureThreshold`	defines when the probe is considered failed so the container will be restarted	`5`
`webModeler.websockets.livenessProbe.timeoutSeconds`	defines the number of seconds after which the probe times out	`1`
`webModeler.websockets.nodeSelector`	can be used to select the nodes the websockets pods should run on	`{}`
`webModeler.websockets.tolerations`	can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`webModeler.websockets.affinity`	can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`webModeler.websockets.resources`	configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`webModeler.websockets.resources.requests.cpu`		`100m`
`webModeler.websockets.resources.requests.memory`		`64Mi`
`webModeler.websockets.resources.limits.cpu`		`200m`
`webModeler.websockets.resources.limits.memory`		`128Mi`
`webModeler.websockets.service`	configuration of the WebModeler websockets service
`webModeler.websockets.service.annotations`	can be used to define annotations which will be applied to the service	`{}`
`webModeler.websockets.service.type`	defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`webModeler.websockets.service.port`	defines the port of the service	`80`
`webModeler.websockets.configuration`	if specified, contents will be used as the application.yaml	`""`
`webModeler.websockets.extraConfiguration`	if specified, contents will be used for any extra configuration files such as log4j2.xml	`{}`
`webModeler.websockets.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`webModeler.websockets.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`
`webModeler.serviceAccount`	configuration for the service account the WebModeler pods are assigned to
`webModeler.serviceAccount.enabled`	if true, enables the WebModeler service account	`true`
`webModeler.serviceAccount.name`	can be used to set the name of the WebModeler service account	`""`
`webModeler.serviceAccount.annotations`	can be used to set the annotations of the WebModeler service account	`{}`
`webModeler.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`false`
`webModeler.ingress.enabled`	if true, an Ingress resource will be deployed with the WebModeler deployment. Only useful if an Ingress controller like NGINX is available. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.	`false`
`webModeler.ingress.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`webModeler.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`webModeler.ingress.webapp`	configuration of the webapp ingress
`webModeler.ingress.webapp.host`	defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name on which the WebModeler web application will be available	`""`
`webModeler.ingress.webapp.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`webModeler.ingress.webapp.tls`	configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`webModeler.ingress.webapp.tls.enabled`	if true, TLS will be configured on the ingress resource	`false`
`webModeler.ingress.webapp.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-webmodeler-webapp`
`webModeler.ingress.websockets`	configuration of the websockets ingress
`webModeler.ingress.websockets.host`	defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name the WebModeler client in the browser will use to connect to the WebSockets server	`""`
`webModeler.ingress.websockets.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`webModeler.ingress.websockets.tls`	configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`webModeler.ingress.websockets.tls.enabled`	if true, TLS will be configured on the ingress resource	`false`
`webModeler.ingress.websockets.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-webmodeler-websockets`

WebModeler - PostgreSQL Parameters

Name	Description	Value
`postgresql`	configuration for the postgresql dependency chart used by WebModeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details.
`postgresql.enabled`	if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart	`false`
`postgresql.global.compatibility`	Compatibility adaptations for Kubernetes platforms
`postgresql.global.compatibility.openshift.adaptSecurityContext`	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)	`{{ .Values.global.compatibility.openshift.adaptSecurityContext
`postgresql.nameOverride`	defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters	`postgresql-web-modeler`
`postgresql.image.repository`	PostgreSQL repo	`bitnami/postgresql`
`postgresql.image.tag`	PostgreSQL image tag	`14.14.0-debian-12-r0`
`postgresql.auth`	configuration of the database authentication
`postgresql.auth.username`	defines the name of the database user to be created for WebModeler	`web-modeler`
`postgresql.auth.password`	can be used to provide the database user's password; a random password will be generated if left empty / ignored if `postgresql.auth.existingSecret` is set	`""`
`postgresql.auth.database`	defines the name of the database to be created for WebModeler	`web-modeler`
`postgresql.auth.existingSecret`	can be used to provide the name of an existing secret resource containing the database password	`""`
`postgresql.auth.secretKeys.adminPasswordKey`	defines the key within the existing secret object for PostgreSQL admin.	`postgres-password`
`postgresql.auth.secretKeys.userPasswordKey`	defines the key within the existing secret object for PostgreSQL user.	`password`
`postgresql.primary.containerSecurityContext.enabled`		`true`
`postgresql.primary.containerSecurityContext.allowPrivilegeEscalation`		`false`
`postgresql.primary.containerSecurityContext.privileged`		`false`
`postgresql.primary.containerSecurityContext.readOnlyRootFilesystem`		`true`
`postgresql.primary.containerSecurityContext.runAsNonRoot`		`true`
`postgresql.primary.containerSecurityContext.runAsUser`		`1001`
`postgresql.primary.containerSecurityContext.capabilities.drop`		`["ALL"]`
`postgresql.primary.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`postgresql.primary.podSecurityContext.enabled`		`true`
`postgresql.primary.podSecurityContext.runAsNonRoot`		`true`
`postgresql.primary.podSecurityContext.fsGroup`		`1001`

Connectors Parameters

Name	Description	Value
`connectors`	configuration for the Connectors.
`connectors.enabled`	if true, the Connectors deployment and its related resources are deployed via a helm release	`true`
`connectors.inbound`	Switch for inbound mode (e.g., for webhook or polling)
`connectors.inbound.mode`	acceptable values: disabled, credentials, or oauth	`oauth`
`connectors.inbound.auth`	configuration of the credentials authentication.
`connectors.inbound.auth.existingSecret`	can be used to configure Secret name that contains password (if inbound mode is credentials)	`""`
`connectors.inbound.auth.existingSecretKey`	defines the key within the existing secret object.	`connectors-secret`
`connectors.image`	configuration to configure the Connectors image specifics
`connectors.image.registry`	can be used to set container image registry.	`""`
`connectors.image.repository`	defines which image repository to use	`camunda/connectors-bundle`
`connectors.image.tag`	can be set to overwrite the global tag, which should be used in that chart	`8.7.0-alpha1`
`connectors.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`connectors.sidecars`	can be used to attach extra containers to the connectors deployment	`[]`
`connectors.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`connectors.replicas`	number of Connectors replicas	`1`
`connectors.contextPath`	can be used to make Connectors web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.	`""`
`connectors.podAnnotations`	can be used to define extra Connectors pod annotations	`{}`
`connectors.podLabels`	can be used to define extra Connectors pod labels	`{}`
`connectors.logging`	configuration for the Connectors logging. This template will be directly included in the connector configuration YAML file
`connectors.logging.level.io.camunda.connector`		`ERROR`
`connectors.service`	configuration to configure the Connectors service.
`connectors.service.annotations`	can be used to define annotations, which will be applied to the Connectors service	`{}`
`connectors.service.type`	defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`connectors.service.serverPort`	defines the port number where the Connector web application will be available	`8080`
`connectors.service.serverName`	defines the port name where the Connector web application will be available	`http`
`connectors.resources`	configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`connectors.resources.requests.cpu`		`1`
`connectors.resources.requests.memory`		`1Gi`
`connectors.resources.limits.cpu`		`2`
`connectors.resources.limits.memory`		`2Gi`
`connectors.env`	can be used to set extra environment variables in each Connector container	`[]`
`connectors.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`connectors.command`	can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`connectors.extraVolumes`	can be used to define extra volumes for the Connectors pods, useful for TLS and self-signed certificates	`[]`
`connectors.extraVolumeMounts`	can be used to mount extra volumes for the Connectors pods, useful for TLS and self-signed certificates	`[]`
`connectors.startupProbe`	configuration
`connectors.startupProbe.enabled`	if true, the startup probe is enabled in app container	`false`
`connectors.startupProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`connectors.startupProbe.probePath`	defines the startup probe route used on the app	`/actuator/health/readiness`
`connectors.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`connectors.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`connectors.startupProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`connectors.startupProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`connectors.startupProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`connectors.readinessProbe`	configuration
`connectors.readinessProbe.enabled`	if true, the readiness probe is enabled in app container	`false`
`connectors.readinessProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`connectors.readinessProbe.probePath`	defines the readiness probe route used on the app	`/actuator/health/readiness`
`connectors.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated.	`30`
`connectors.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`connectors.readinessProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`connectors.readinessProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`connectors.readinessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`connectors.livenessProbe`	configuration
`connectors.livenessProbe.enabled`	if true, the liveness probe is enabled in app container	`false`
`connectors.livenessProbe.scheme`	defines the startup probe scheme used on calling the probePath	`HTTP`
`connectors.livenessProbe.probePath`	defines the liveness probe route used on the app	`/actuator/health/liveness`
`connectors.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`connectors.livenessProbe.initialDelaySeconds`	the probe is initiated.	`30`
`connectors.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`connectors.livenessProbe.successThreshold`	defines how often it needs to be true to be considered successful after having failed	`1`
`connectors.livenessProbe.failureThreshold`	defines when the probe is considered as failed so the container will be restarted	`5`
`connectors.livenessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`connectors.metrics.prometheus`	Prometheus metrics endpoint	`/actuator/prometheus`
`connectors.serviceAccount`	configuration for the service account where the Connectors pods are assigned to
`connectors.serviceAccount.enabled`	if true, enables the Connectors service account	`true`
`connectors.serviceAccount.name`	can be used to set the name of the Connectors service account	`""`
`connectors.serviceAccount.annotations`	can be used to set the annotations of the service account	`{}`
`connectors.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`false`
`connectors.ingress.enabled`	if true, an ingress resource is deployed with the Connectors deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.	`false`
`connectors.ingress.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`connectors.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`connectors.ingress.path`	defines the path which is associated with the Connectors service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`connectors.ingress.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`connectors.ingress.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`connectors.ingress.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`connectors.ingress.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`connectors.ingress.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-connectors`
`connectors.podSecurityContext`	defines the security options the Connectors pod should be run with
`connectors.podSecurityContext.runAsNonRoot`	run as non root	`true`
`connectors.podSecurityContext.fsGroup`		`1001`
`connectors.podSecurityContext.seccompProfile`
`connectors.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`connectors.containerSecurityContext`	defines the security options the Connectors container should be run with
`connectors.containerSecurityContext.privileged`		`false`
`connectors.containerSecurityContext.readOnlyRootFilesystem`		`true`
`connectors.containerSecurityContext.allowPrivilegeEscalation`		`false`
`connectors.containerSecurityContext.runAsNonRoot`		`true`
`connectors.containerSecurityContext.runAsUser`		`1001`
`connectors.containerSecurityContext.seccompProfile`
`connectors.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`connectors.nodeSelector`	can be used to define on which nodes the Connectors pods should run	`{}`
`connectors.tolerations`	can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`connectors.affinity`	can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`connectors.configuration`	if specified, contents will be used as the application.yaml	`""`
`connectors.extraConfiguration`	if specified, contents will be used for any extra configuration files such as the log4j2.xml	`{}`
`connectors.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`connectors.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

Orchestration Core Parameters

Name	Description	Value
`core`	configuration for the Orchestration Core.
`core.enabled`	if true, all related resources are deployed via the helm release	`true`
`core.debug`	if true, extra info is printed.	`false`
`core.image`	configuration to configure the image specifics
`core.image.registry`	can be used to set container image registry.	`""`
`core.image.repository`	defines which image repository to use	`camunda/camunda`
`core.image.tag`	can be set to overwrite the global tag, which should be used in that chart	`8.7.0-alpha1`
`core.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`core.sidecars`	can be used to attach extra containers to the deployment	`[]`
`core.clusterSize`	defines the amount of brokers (=replicas), which are deployed via helm	`3`
`core.partitionCount`	defines how many partitions are set up in the cluster	`3`
`core.replicationFactor`	defines how each partition is replicated, the value defines the number of nodes	`3`
`core.env`	can be used to set extra environment variables in each broker container	`[]`
`core.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`core.configMap`	configuration which will be applied to the mounted config map.
`core.configMap.defaultMode`	can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. see https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623	`754`
`core.command`	can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`core.logLevel`	defines the log level which is used	`info`
`core.log4j2`	can be used to overwrite the log4j2 configuration	`""`
`core.javaOpts`	can be used to set java options	`-XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/usr/local/zeebe/data -XX:ErrorFile=/usr/local/zeebe/data/zeebe_error%p.log -XX:+ExitOnOutOfMemoryError`
`core.service`	configuration for the broker service
`core.service.annotations`	can be used to define annotations, which will be applied to the service	`{}`
`core.service.type`	defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`core.service.httpPort`	defines the port of the http endpoint, where for example metrics are provided	`8080`
`core.service.httpName`	defines the name of the http endpoint, where for example metrics are provided	`http`
`core.service.commandPort`	defines the port of the command api endpoint, where the broker commands are sent to	`26501`
`core.service.commandName`	defines the name of the command api endpoint, where the broker commands are sent to	`command`
`core.service.internalPort`	defines the port of the internal api endpoint, which is used for internal communication	`26502`
`core.service.internalName`	defines the name of the internal api endpoint, which is used for internal communication	`internal`
`core.service.extraPorts`	can be used to expose any other ports which are required. Can be useful for exporters	`[]`
`core.service.grpcPort`	defines the port of the gateway gRPC endpoint, where client commands (grpc) are sent to	`26500`
`core.service.grpcName`	defines the name of the gateway gRPC endpoint, where client commands (grpc) are sent to	`gateway`
`core.service.managementPort`		`9600`
`core.service.managementName`		`server`
`global.core.ServiceAccount`	configuration for the service account where the broker pods are assigned to
`core.serviceAccount.enabled`	if true, enables the broker service account	`true`
`core.serviceAccount.name`	can be used to set the name of the broker service account	`""`
`core.serviceAccount.annotations`	can be used to set the annotations of the broker service account	`{}`
`core.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`false`
`core.ingress.grpc.enabled`	if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.	`false`
`core.ingress.grpc.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`core.ingress.grpc.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`core.ingress.grpc.path`	defines the path which is associated with the Zeebe gateway's gRPC service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`core.ingress.grpc.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`core.ingress.grpc.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`core.ingress.grpc.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`core.ingress.grpc.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`core.ingress.grpc.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-core-grpc`
`core.ingress.http.enabled`	if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.	`false`
`core.ingress.http.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`core.ingress.http.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`core.ingress.http.path`	defines the path which is associated with the Core HTTP service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`core.ingress.http.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`core.ingress.http.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`core.ingress.http.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`core.ingress.http.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`core.ingress.http.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-core-http`
`core.contextPath`	can be used to make Core web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.	`""`
`core.cpuThreadCount`	defines how many threads can be used for the processing on each broker pod	`3`
`core.ioThreadCount`	defines how many threads can be used for the exporting on each broker pod	`3`
`core.resources`	configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`core.resources.requests`
`core.resources.requests.cpu`		`800m`
`core.resources.requests.memory`		`1200Mi`
`core.resources.limits.cpu`		`960m`
`core.resources.limits.memory`		`1920Mi`
`core.persistenceType`	defines the type of persistence which is used by core. Possible values are: disk, local and memory.	`disk`
`core.pvc.size`	defines the persistent volume claim size, which is used by each broker pod https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims	`32Gi`
`core.pvc.accessModes`	can be used to configure the persistent volume claim access mode https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes	`["ReadWriteOnce"]`
`core.pvc.storageClassName`	can be used to set the storage class name which should be used by the persistent volume claim.	`""`
`core.pvc.annotations`	can be used to specify custom annotations for persistent volume claims, enhancing storage configuration flexibility.	`{}`
`core.pvc.selector`	can be used to specify a label selector for persistent volume claims for further filtering of the set of persistent volumes to select.	`{}`
`core.extraVolumes`	can be used to define extra volumes for the broker pods, useful for additional exporters	`[]`
`core.extraVolumeMounts`	can be used to mount extra volumes for the broker pods, useful for additional exporters	`[]`
`core.extraInitContainers`	(Deprecated - use `initContainers` instead) ExtraInitContainers can be used to set up extra init containers for the broker pods, useful for additional exporters	`[]`
`core.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`core.podAnnotations`	can be used to define extra broker pod annotations	`{}`
`core.podLabels`	can be used to define extra broker pod labels	`{}`
`core.podDisruptionBudget`	configuration to configure a pod disruption budget for the broker pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
`core.podDisruptionBudget.enabled`	if true a pod disruption budget is defined for the brokers	`false`
`core.podDisruptionBudget.minAvailable`	can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).	`nil`
`core.podDisruptionBudget.maxUnavailable`	can be used to set how many pods should be at max. unavailable	`1`
`core.podSecurityContext`	defines the security options the pod should be run with
`core.podSecurityContext.runAsNonRoot`	run as non root	`true`
`core.podSecurityContext.fsGroup`		`1001`
`core.podSecurityContext.seccompProfile`
`core.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`core.containerSecurityContext`	defines the security options the container should be run with
`core.containerSecurityContext.allowPrivilegeEscalation`		`false`
`core.containerSecurityContext.privileged`		`false`
`core.containerSecurityContext.readOnlyRootFilesystem`		`true`
`core.containerSecurityContext.runAsNonRoot`		`true`
`core.containerSecurityContext.runAsUser`		`1001`
`core.containerSecurityContext.seccompProfile`
`core.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`core.startupProbe`	configuration
`core.startupProbe.enabled`	if true, the startup probe is enabled in app container	`false`
`core.startupProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`core.startupProbe.probePath`	defines the startup probe route used on the app	`/actuator/health/startup`
`core.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before the probe is initiated.	`30`
`core.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`core.startupProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`core.startupProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`core.startupProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`core.readinessProbe`	configuration
`core.readinessProbe.enabled`	if true, the readiness probe is enabled in app container	`true`
`core.readinessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`core.readinessProbe.probePath`	defines the readiness probe route used on the app	`/actuator/health/readiness`
`core.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`core.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`core.readinessProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`core.readinessProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`core.readinessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`core.livenessProbe`	configuration
`core.livenessProbe.enabled`	if true, the liveness probe is enabled in app container	`false`
`core.livenessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`core.livenessProbe.probePath`	defines the liveness probe route used on the app. The path is intended to be the same as the readinessProbe. Refer to this issue for more details: camunda#1849	`/actuator/health/readiness`
`core.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`core.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`core.livenessProbe.successThreshold`	defines how often it needs to be true to be considered successful after having failed	`1`
`core.livenessProbe.failureThreshold`	defines when the probe is considered as failed so the container will be restarted	`5`
`core.livenessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`core.metrics.prometheus`	Prometheus metrics endpoint	`/actuator/prometheus`
`core.nodeSelector`	can be used to define on which nodes the broker pods should run	`{}`
`core.tolerations`	can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`global.core.Affinity`	can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
`core.priorityClassName`	can be used to define the broker pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass	`""`
`core.retention.enabled`	if true, the ILM Policy is created and applied to the index templates.	`false`
`core.retention.minimumAge`	defines how old the data must be, before the data is deleted as a duration.	`30d`
`core.retention.policyName`	defines the name of the created and applied ILM policy.	`core-record-retention-policy`
`core.configuration`	if specified, contents will be used as the application.yaml	`""`
`core.extraConfiguration`	if specified, contents will be used for any extra configuration files such as log4j2.xml	`{}`
`core.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`core.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

Optimize Parameters

Name	Description	Value
`optimize.enabled`	if true, the Optimize deployment and its related resources are deployed via a helm release	`true`
`optimize.image`	configuration to configure the Optimize image specifics
`optimize.image.registry`	can be used to set container image registry	`""`
`optimize.image.repository`	defines which image repository to use	`camunda/optimize`
`optimize.image.tag`	can be set to overwrite the global tag, which should be used in that chart	`8.7.0-alpha1`
`optimize.image.pullSecrets`	can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod	`[]`
`optimize.migration`	configuration for Optimize migration
`optimize.migration.enabled`	if true, run Optimize migration script as an init container	`true`
`optimize.migration.env`	can be used to set environment variables for Optimize migration init container	`[]`
`optimize.migration.resources`	configuration to set request and limit configuration for the migration container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`optimize.migration.resources.requests.cpu`		`600m`
`optimize.migration.resources.requests.memory`		`1Gi`
`optimize.migration.resources.limits.cpu`		`2000m`
`optimize.migration.resources.limits.memory`		`2Gi`
`optimize.sidecars`	can be used to attach extra containers to the optimize deployment	`[]`
`optimize.contextPath`	can be used to make Optimize web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.	`""`
`optimize.configMap`	configuration which will be applied to the mounted config map.
`optimize.configMap.defaultMode`	can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.	`754`
`optimize.podAnnotations`	can be used to define extra Optimize pod annotations	`{}`
`optimize.podLabels`	can be used to define extra Optimize pod labels	`{}`
`optimize.logLevel`	configuration for the optimize runtime environment. https://docs.camunda.io/optimize/next/self-managed/optimize-deployment/configuration/logging/	`info`
`optimize.upgradeLogLevel`	sets the logging level for the Optimize update log. https://docs.camunda.io/optimize/next/self-managed/optimize-deployment/configuration/logging/	`info`
`optimize.esLogLevel`	sets the logging level for Elasticsearch. https://docs.camunda.io/optimize/next/self-managed/optimize-deployment/configuration/logging/	`warn`
`optimize.partitionCount`	defines how many Zeebe partitions are set up in the cluster and which should be imported by Optimize	`3`
`optimize.env`	can be used to set extra environment variables in each Optimize container	`[]`
`optimize.envFrom`	list of environment variables to import from configMapRef and secretRef	`[]`
`optimize.command`	can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/	`[]`
`optimize.extraVolumes`	can be used to define extra volumes for the Optimize pods, useful for tls and self-signed certificates	`[]`
`optimize.extraVolumeMounts`	can be used to mount extra volumes for the Optimize pods, useful for tls and self-signed certificates	`[]`
`optimize.initContainers`	can be used to set up extra init containers for the application Pod	`[]`
`optimize.serviceAccount`	configuration for the service account where the Optimize pods are assigned to
`optimize.serviceAccount.enabled`	if true, enables the Optimize service account	`true`
`optimize.serviceAccount.name`	can be used to set the name of the Optimize service account	`""`
`optimize.serviceAccount.annotations`	can be used to set the annotations of the Optimize service account	`{}`
`optimize.serviceAccount.automountServiceAccountToken`	can be used to control whether the service account token should be automatically mounted	`false`
`optimize.service`	configuration to configure the Optimize service.
`optimize.service.annotations`	can be used to define annotations, which will be applied to the Optimize service	`{}`
`optimize.service.type`	defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types	`ClusterIP`
`optimize.service.port`	defines the port of the service, where the Optimize web application will be available	`80`
`optimize.service.managementPort`	defines the port where actuator will be available. Also required to reach backup API	`8092`
`optimize.podSecurityContext`	defines the security options the Optimize pod should be run with
`optimize.podSecurityContext.runAsNonRoot`		`true`
`optimize.podSecurityContext.fsGroup`		`1001`
`optimize.podSecurityContext.seccompProfile`
`optimize.podSecurityContext.seccompProfile.type`		`RuntimeDefault`
`optimize.containerSecurityContext`	defines the security options the Optimize container should be run with
`optimize.containerSecurityContext.allowPrivilegeEscalation`		`false`
`optimize.containerSecurityContext.privileged`		`false`
`optimize.containerSecurityContext.readOnlyRootFilesystem`		`true`
`optimize.containerSecurityContext.runAsNonRoot`		`true`
`optimize.containerSecurityContext.runAsUser`		`1001`
`optimize.containerSecurityContext.seccompProfile`
`optimize.containerSecurityContext.seccompProfile.type`		`RuntimeDefault`
`optimize.startupProbe`	configuration
`optimize.startupProbe.enabled`	if true, the startup probe is enabled in app container	`false`
`optimize.startupProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`optimize.startupProbe.probePath`	defines the startup probe route used on the app	`/api/readyz`
`optimize.startupProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`optimize.startupProbe.periodSeconds`	defines how often the probe is executed	`30`
`optimize.startupProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`optimize.startupProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`optimize.startupProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`optimize.readinessProbe`	configuration
`optimize.readinessProbe.enabled`	if true, the readiness probe is enabled in app container	`true`
`optimize.readinessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`optimize.readinessProbe.probePath`	defines the readiness probe route used on the app	`/api/readyz`
`optimize.readinessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`optimize.readinessProbe.periodSeconds`	defines how often the probe is executed	`30`
`optimize.readinessProbe.successThreshold`	defines how often it needs to be true to be marked as ready, after failure	`1`
`optimize.readinessProbe.failureThreshold`	defines when the probe is considered as failed so the Pod will be marked Unready	`5`
`optimize.readinessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`optimize.livenessProbe`	configuration
`optimize.livenessProbe.enabled`	if true, the liveness probe is enabled in app container	`false`
`optimize.livenessProbe.scheme`	defines the startup probe schema used on calling the probePath	`HTTP`
`optimize.livenessProbe.probePath`	defines the liveness probe route used on the app	`/api/readyz`
`optimize.livenessProbe.initialDelaySeconds`	defines the number of seconds after the container has started before	`30`
`optimize.livenessProbe.periodSeconds`	defines how often the probe is executed	`30`
`optimize.livenessProbe.successThreshold`	defines how often it needs to be true to be considered successful after having failed	`1`
`optimize.livenessProbe.failureThreshold`	defines when the probe is considered as failed so the container will be restarted	`5`
`optimize.livenessProbe.timeoutSeconds`	defines the seconds after the probe times out	`1`
`optimize.metrics.prometheus`	Prometheus metrics endpoint	`/actuator/prometheus`
`optimize.nodeSelector`	can be used to define on which nodes the Optimize pods should run	`{}`
`optimize.tolerations`	can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/	`[]`
`optimize.affinity`	can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity	`{}`
`optimize.resources`	configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
`optimize.resources.requests.cpu`		`600m`
`optimize.resources.requests.memory`		`1Gi`
`optimize.resources.limits.cpu`		`2000m`
`optimize.resources.limits.memory`		`2Gi`
`optimize.ingress.enabled`	if true, an ingress resource is deployed with the Optimize deployment. Only useful if an ingress controller is available, like nginx. Warning, separated ingress is deprecated and will be removed in the next release, please use global.ingress instead.	`false`
`optimize.ingress.className`	defines the class or configuration of ingress which should be used by the controller	`nginx`
`optimize.ingress.annotations`	defines the ingress related annotations, consumed mostly by the ingress controller	`{}`
`optimize.ingress.path`	defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`/`
`optimize.ingress.pathType`	can be used to define the Ingress path type. https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types	`Prefix`
`optimize.ingress.host`	can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules	`""`
`optimize.ingress.tls`	configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
`optimize.ingress.tls.enabled`	if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.	`false`
`optimize.ingress.tls.secretName`	defines the secret name which contains the TLS private key and certificate	`camunda-platform-optimize`
`optimize.configuration`	if specified, contents will be used as the environment-config.yaml	`""`
`optimize.extraConfiguration`	if specified, contents will be used for any extra configuration files such as environment-logback.xml	`{}`
`optimize.dnsPolicy`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy	`""`
`optimize.dnsConfig`	https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config	`{}`

Elasticsearch Parameters

Name	Description	Value
`elasticsearch`
`elasticsearch.enabled`		`true`
`elasticsearch.global.compatibility`	Compatibility adaptations for Kubernetes platforms
`elasticsearch.global.compatibility.openshift.adaptSecurityContext`	Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: force (perform the adaptation always), disabled (do not perform adaptation)	`{{ .Values.global.compatibility.openshift.adaptSecurityContext
`elasticsearch.image.repository`		`bitnami/elasticsearch`
`elasticsearch.image.tag`		`8.16.0`
`elasticsearch.master.replicaCount`	defines number of master-elegible replicas to deploy	`3`
`elasticsearch.master.podAntiAffinityPreset`	defines Pod anti-affinity preset. Ignored if master.affinity is set	`hard`
`elasticsearch.master.containerSecurityContext.readOnlyRootFilesystem`		`true`
`elasticsearch.master.masterOnly`		`false`
`elasticsearch.master.heapSize`		`1024m`
`elasticsearch.master.persistence.size`		`64Gi`
`elasticsearch.master.resources.requests.cpu`	cpu request	`1`
`elasticsearch.master.resources.requests.memory`	request	`2Gi`
`elasticsearch.master.resources.limits.cpu`	cpu limit	`2`
`elasticsearch.master.resources.limits.memory`	memory limit	`2Gi`
`elasticsearch.master.extraEnvVars[0].name`	env	`ELASTICSEARCH_ENABLE_REST_TLS`
`elasticsearch.master.extraEnvVars[0].value`	env value	`false`
`elasticsearch.sysctlImage.enabled`		`true`
`elasticsearch.data.replicaCount`		`0`
`elasticsearch.coordinating.replicaCount`		`0`
`elasticsearch.ingest.enabled`		`false`

Prometheus Parameters

Name	Description	Value
`PrometheusServiceMonitor`	configuration to configure a prometheus service monitor
`prometheusServiceMonitor.enabled`	if true then a service monitor will be deployed, which allows an installed prometheus controller to scrape metrics from the deployed pods	`false`
`promotheuServiceMonitor.labels`	can be set to configure extra labels, which will be added to the servicemonitor and can be used on the prometheus controller for selecting the servicemonitors
`prometheusServiceMonitor.labels.release`		`metrics`
`prometheusServiceMonitor.scrapeInterval`	can be set to configure the interval at which metrics should be scraped	`10s`

Files

README.md

Latest commit

History

README.md

File metadata and controls

Camunda 8 Helm Chart

Architecture

Requirements

Dependencies

Versioning

Installation

Local Kubernetes

OpenShift

Backporting

Uninstalling Charts

Configuration

Notes on Configuration

Web Modeler

Database

SMTP server

Updating Environment Variables

Outbound Connectors

Inbound Connectors

Using Connector Secrets

Elasticsearch

Elasticsearch Retention

Keycloak

Keycloak Theme

Development

Releasing the Charts

Parameters

Global parameters

Identity Parameters

Identity - PostgreSQL Parameters

Identity - Keycloak Parameters

Console Parameters

WebModeler Parameters

WebModeler - RestAPI Parameters

WebModeler - WebApp Parameters

WebModeler - WebSockets Parameters

WebModeler - PostgreSQL Parameters

Connectors Parameters

Orchestration Core Parameters

Optimize Parameters

Elasticsearch Parameters

Prometheus Parameters