[ISSUE] Bring Managment Identity up to Standard for 8.8

[hamza-m-masood]

Describe the issue:

Overall, the 8.8 management Identity configuration needs to be reviewed on the Helm chart.

Below are areas that might need review, though this list is not exhaustive:

• Defining clients through env vars when the clients should be defined through the configmap.
  Currently there are 3 clients defined through env vars:
  1 connectors
  2 orchestration
  3 migration (optional)
  Why aren't web-modeler, console, and optimize also defined in this env var section with the other clients?
• Are the keycloak.presets still needed in the management identity configmap?
• Why does the management identity deployment require CAMUNDA_IDENTITY_AUDIENCE when optimize is disabled in an OIDC scenario? (create a POC for this to show when optimize is disabled the identity pod won't start)
• It is required to set IDENTITY_CLIENTID in order to get external keycloak working. Reference: https://camunda.slack.com/archives/C03UR0V2R2M/p1761661562981479
• It is required to set KEYCLOAK_REALM in order to get a custom real for external keycloak. Reference: https://camunda.slack.com/archives/C03UR0V2R2M/p1761662078802799

support: https://jira.camunda.com/browse/SUPPORT-29705
Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

• Platform:
• Helm CLI version:
• Chart version: 8.8
• Values file:

[hamza-m-masood]

@eamonnmoloney found an issue in the Helm chart where management identity would always create the camunda-realm even though a custom real was provided through the values.yaml.

[eamonnmoloney]

@hamza-m-masood I see that this is hardcoded in the codebase. It's set to only take the realm.json from the classpath.

Shouldn't be too hard to extend this to allow the user to pass this in so we can boot with and make any realm.

I'll make a PR in the Identity repo and see if it can get included.

The alternative is to create the realm ourselves but I'd really prefer not to do that as it means making all the supporting code too. Would be quite brittle as it needs to track changes identity would make.

Something like modding the code update the realm name after unmarshalling the realm.json should work.

https://github.com/camunda/identity/blob/b413ec189b9347ff6d37e6d241cf1148ace71942/management-api/src/main/resources/keycloak/realm.json

https://github.com/camunda/identity/blob/b413ec189b9347ff6d37e6d241cf1148ace71942/management-api/src/main/java/io/camunda/identity/impl/keycloak/initializer/service/RealmUploadInitializationService.java#L62

[eamonnmoloney]

https://github.com/camunda/identity/pull/3687

[hamza-m-masood]

@eamonnmoloney looks like the env var KEYCLOAK_REALM is needed. See slack thread: https://camunda.slack.com/archives/C03UR0V2R2M/p1761662078802799

[eamonnmoloney]

I've tried to set that but then I get a 409 error. After that I went digging and found the hardcoded json.

I don't think identity is intended to setup realms with names other than camunda-platform. Hopefully we can change that

[hamza-m-masood]

I scheduled a pairing session with @maryarm
We will go through these points.