Description
Describe the issue:
The Camunda Helm chart contains default values for deprecated identity.firstUser configuration fields, which causes warning messages to appear even when users correctly implement the new recommended secret configuration syntax.
Actual behavior:
When using the current recommended secret syntax for identity.firstUser:

```yaml
identity:
  firstUser:
    enabled: true
    username: admin
    email: [email protected]
    firstName: Admin
    lastName: User
    secret:
      existingSecret: camunda-credentials
      existingSecretKey: identity-firstuser-password
```

The following warnings still appear during Helm deployment:

```text
[camunda][warning] identity.firstUser has both legacy and new secret configuration defined at 'identity.firstUser'. The new configuration will take precedence and the legacy configuration will be ignored. Please remove the legacy configuration to avoid confusion.
[camunda][warning] SECURITY: identity.firstUser is using legacy plaintext field 'password' at 'identity.firstUser.password'. This stores secrets as plain-text in the Helm values and is NOT suitable for production use. For production environments, please use Kubernetes Secrets with 'identity.firstUser.secret.existingSecret' and 'identity.firstUser.secret.existingSecretKey'.
```
Expected behavior:
When users correctly use the new secret configuration syntax, no warnings should appear about legacy configuration or plaintext passwords.
Root Cause:
The chart's default values.yaml contains default values for the deprecated fields:

```yaml
identity:
  firstUser:
    ## @param identity.firstUser.password (DEPRECATED - use identity.firstUser.secret instead)
    password: demo
    ## @param identity.firstUser.existingSecret (DEPRECATED - use identity.firstUser.secret instead)
    existingSecret: camunda-credentials
    ## @param identity.firstUser.existingSecretKey (DEPRECATED - use identity.firstUser.secret instead)
    existingSecretKey: identity-firstuser-password
```

Even when users don't explicitly set these values, they are present in the merged configuration, triggering the warnings.
Impact:
- Confusing User Experience: Users following best practices still receive security warnings
- False Positives: Warnings appear even when using secure secret-based configuration
- Deployment Noise: Important warnings may be overlooked due to false alarms
- Documentation Confusion: Users may think they're doing something wrong
Proposed Solutions:
Option 1: Remove Default Values (Recommended)
Remove the default values for deprecated fields in the chart's values.yaml:

```yaml
identity:
  firstUser:
    # Remove these default values:
    # password: demo
    # existingSecret: camunda-credentials
    # existingSecretKey: identity-firstuser-password
```

Option 2: Fix Warning Logic
Modify the chart templates to only show warnings when deprecated fields are explicitly set by users, not when they come from default values.
Option 3: Conditional Warnings
Only show warnings when both legacy and new configurations are explicitly provided by the user, ignoring chart defaults.
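To make the root cause concrete, here is an added example (not the chart's own code) that models Helm's merge of chart defaults with user values and runs a simplified version of the warning check over the merged tree versus the user-supplied tree; the values and the check are constructed stand-ins for the chart's values.yaml and templates.

```python
import copy

# Constructed stand-in for the chart's default values.yaml (relevant keys only).
CHART_DEFAULTS = {
    "identity": {"firstUser": {
        "password": "demo",
        "existingSecret": "camunda-credentials",
        "existingSecretKey": "identity-firstuser-password",
    }}
}

# Constructed user values: only the recommended `secret` block is set.
USER_VALUES = {
    "identity": {"firstUser": {
        "username": "admin",
        "secret": {
            "existingSecret": "camunda-credentials",
            "existingSecretKey": "identity-firstuser-password",
        },
    }}
}

LEGACY_KEYS = ("password", "existingSecret", "existingSecretKey")

def deep_merge(defaults, overrides):
    """Helm-style merge: user values override chart defaults key by key."""
    result = copy.deepcopy(defaults)
    for key, value in overrides.items():
        both_maps = isinstance(value, dict) and isinstance(result.get(key), dict)
        result[key] = deep_merge(result[key], value) if both_maps else copy.deepcopy(value)
    return result

def first_user_warnings(values):
    """Simplified model of the chart's check, run over one values tree."""
    fu = values.get("identity", {}).get("firstUser", {})
    legacy_set = [k for k in LEGACY_KEYS if fu.get(k)]
    new_set = bool(fu.get("secret", {}).get("existingSecret"))
    warnings = []
    if legacy_set and new_set:
        warnings.append("both legacy and new secret configuration defined")
    if fu.get("password"):
        warnings.append("legacy plaintext field 'password'")
    return warnings

def strip_deprecated_defaults(defaults):
    """Option 1: ship the chart without the deprecated keys."""
    trimmed = copy.deepcopy(defaults)
    for key in LEGACY_KEYS:
        trimmed["identity"]["firstUser"].pop(key, None)
    return trimmed
```

Running the check over `deep_merge(CHART_DEFAULTS, USER_VALUES)` reproduces both warnings, while the same check over `USER_VALUES` alone (Options 2 and 3) or over a merge with the stripped defaults (Option 1) reports none. In a real Helm template `.Values` is already the merged tree, so a template cannot tell a user-supplied key from a chart default; that is why dropping the deprecated defaults is the cleanest fix.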
Configuration Used:
```yaml
identity:
  firstUser:
    enabled: true
    username: admin
    email: [email protected]
    firstName: Admin
    lastName: User
    secret:
      existingSecret: camunda-credentials
      existingSecretKey: identity-firstuser-password
```

Environment:
- Chart version: 0.0.0-snapshot-latest (development version)
- Platform: OpenShift / Kubernetes (operator-based deployment)
- Helm CLI version: 3.x.x
Additional Context:
This issue becomes particularly problematic when preparing for Camunda 8.7 where automatic password generation will be removed, as users trying to follow migration guidance are still seeing security warnings despite using the recommended approach.
Documentation Reference:
The chart's own documentation shows these deprecated fields have default values:
- https://github.com/camunda/camunda-platform-helm/blob/main/charts/camunda-platform-8.8/values.yaml (search for "identity.firstUser")
This creates a contradiction where the chart promotes new syntax but still includes deprecated defaults that trigger warnings.
PR: #4227