Skip to content

[ISSUE] Inconsistent Secret Configuration Documentation: Warning vs Official Chart Values #4148

New issue
New issue
Closed
#4182
Closed
[ISSUE] Inconsistent Secret Configuration Documentation: Warning vs Official Chart Values#4148
#4182
Assignees
bkenez
Labels
kind/issueUnidentified issue, it could be a bug, misconfig, or anything in betweenplatform/openshiftIssues related to OpenShifttarget:8.8Target release 8.8.0
@leiicamundi

Description

@leiicamundi
leiicamundi
opened on Sep 11, 2025

Describe the issue:

There is a discrepancy between the deprecation warnings shown by the Camunda Helm chart and the official documentation in the chart's values.yaml file regarding the correct syntax for Identity authentication secrets.

Seems to be related to #3478

Actual behavior:

When using the latest recommended secret syntax as documented in the official chart values file:

global:
  identity:
    auth:
      connectors:
        secret:
          existingSecret: camunda-credentials
          existingSecretKey: identity-connectors-client-token

The Helm chart still displays warnings indicating that the following values are missing:

The following values inside your values.yaml need to be set but were not:
       
 global.identity.auth.connectors.existingSecret.name 
 global.identity.auth.console.existingSecret.name 
 global.identity.auth.orchestration.existingSecret.name 

 Please be aware that each of the above parameters expect a string name of a Kubernetes Secret object.

Expected behavior:

The warnings should not appear when using the current recommended syntax, or the documentation should be updated to reflect the actual expected format.

Documentation Evidence:

  1. Current recommended syntax according to the official chart values.yaml:

    secret:
  existingSecret: ""
  existingSecretKey: ""

  2. Deprecated syntax mentioned in the same file:

    # DEPRECATED: Use secret.existingSecret and secret.existingSecretKey instead.
existingSecret:
  name: ""

The Problem:

The chart validation logic appears to still expect the deprecated existingSecret.name format, while the official documentation promotes the newer secret.existingSecret format. This creates confusion for users trying to follow the latest best practices.

Configuration Used:

global:
  identity:
    auth:
      connectors:
        secret:
          existingSecret: camunda-credentials
          existingSecretKey: identity-connectors-client-token
      console:
        secret:
          existingSecret: camunda-credentials
          existingSecretKey: identity-console-client-token
      orchestration:
        secret:
          existingSecret: camunda-credentials
          existingSecretKey: identity-orchestration-client-token

Environment:

  • Chart version: 0.0.0-snapshot-latest (development version)
  • Platform: OpenShift / Kubernetes (operator-based deployment)
  • Helm CLI version: 3.x.x

Requested Action:

Either:

  1. Update the chart validation logic to accept the current recommended syntax without warnings, OR
  2. Update the documentation to reflect the actual expected format that avoids warnings

Impact:

This inconsistency causes confusion for users implementing Camunda deployments and makes it unclear which syntax should be used for production deployments, especially when preparing for the upcoming Camunda 8.7 release where automatic password generation will be removed.

Metadata

Metadata

Assignees

Labels

kind/issueUnidentified issue, it could be a bug, misconfig, or anything in betweenplatform/openshiftIssues related to OpenShifttarget:8.8Target release 8.8.0

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions