8.10 Self-Managed: test & docs coverage gaps (docs ↔ chart ↔ E2E)

[eamonnmoloney]

Summary

Tracking issue for test and documentation coverage gaps in Camunda 8.10 Self-Managed, found by cross-referencing the 8.10 docs (camunda-docs/docs/self-managed/), the 8.10 Helm chart (charts/camunda-platform-8.10), and the Self-Managed E2E suite (c8-cross-component-e2e-tests/tests/SM-8.10/).

Two gap classes:

• Testing gaps — documented, user-facing behavior the SM-8.10 E2E matrix does not exercise.
• Docs gaps — chart capabilities shipped in 8.10 that the docs don't cover (or under-document).

Each subtask notes any in-flight PR. Several referenced PRs are drafts, ship disabled, or are manual-only — they are not counted as closing the gap until landed and green. Sub-checkboxes track the test side and the docs side separately where both apply.

---

Testing gaps (docs promise it; SM-8.10 E2E doesn't prove it)

• External OIDC providers (Entra/Okta/Auth0/generic), incl. the orchestration-cluster OIDC path — In flight: camunda-platform-helm#6015 + c8-cross-component-e2e-tests#2109 (Entra/TOTP, 8.7–8.10). ⚠️ Both draft; CI scenarios ship disabled until first green Entra run; live deploy unverified; Vault secrets pending. E2E file_pattern is smoke + identity specs only, so OC-API auth behavior is thin.
• JWT token claim mapping (jwt-token-claims.md) — no PR.
• Unprotected-API mode (orchestration.security.authentication.unprotectedApi) — no PR.
• RDBMS as secondary storage (orchestration.data.secondaryStorage.type: rdbms) — partial: test(8.10): honor RDBMS_POSTGRESQL_USERNAME for the role in postgresql-cluster fixture #6293 (postgresql-cluster fixture), fix: enable camunda backup webapps and remove other excludes when rdbms is enabled #5553 (backup webapps w/ rdbms). No end-to-end RDBMS E2E run.
• External Elasticsearch / external OpenSearch connection path — partial: fix: update existingSecretKey for Elasticsearch TLS #6204 (ES TLS secret key), fix(8.8): render es: connection in Optimize configmap for OpenSearch scenarios #5991 (Optimize OpenSearch), fix(ci): repair OpenSearch upgrade-minor scenarios for 8.9 and 8.10 #6107 (OpenSearch upgrade).
• External PostgreSQL for Identity / Keycloak / Web Modeler — in flight: test(8.10): add hub-external-db scenario for external PostgreSQL validation #6189 (hub-external-db scenario).
• Data retention & history archiving (ILM/ISM, orchestration.retention.* / orchestration.history.*) — no test PR.
• Ingress + TLS termination & Zeebe gRPC ingress — partial: fix: support Orchestration gRPC TLS endpoints #6280 (orchestration ingress over HTTPS), test(8.8): cover Zeebe TLS migration upgrade #6281 (Zeebe TLS migration), ci: remove dead env entries from playwright IT jobs and fix upgrade ingress host ref #5467 (ingress host ref).
• global.tls.caBundle "TLS everywhere" — in flight: feat(8.10): caBundle guardrails + cert-rotation auto-rollout #6295 (guardrails + cert rotation), fix(8.10): harden caBundle truststore init container for air-gapped & OpenShift #6292 (air-gapped/OpenShift init container).
• Kubernetes Gateway API — in flight: test(8.10): add CI integration test scenarios for gateway namespace feature #6243. ⚠️ Adds templates + unit tests but the scenarios are reference/manual-only ("never run automatically"); not wired into PR/merge-queue/nightly CI.
• Document store backends: Azure Blob & GCP Cloud Storage — no PR (only AWS/S3-compatible moving: feat(8.10): support S3-compatible endpoints in AWS document store #6254, c8-cross-component-e2e-tests#2502).
• Web Modeler SMTP / email-notification dependency — no PR.
• Custom connectors (init-container JAR to /opt/custom) — no PR.
• Multi-namespace production topology + cross-namespace Console config — partially related to test(8.10): add CI integration test scenarios for gateway namespace feature #6243 (gateway namespace).
• Cluster sizing / HA (clusterSize/partitionCount/replicationFactor, PDB, anti-affinity, Retain reclaim) — partial: ci: set Zeebe StatefulSet maxUnavailable to 100% on minor upgrades for 8.7-8.10 #5933, test(8.9,8.10): add component-persistence CI scenario for issue 4767 #6027.
• Licensing enforcement (Web Modeler 5-user limit, feature gating) — display-only tested; no gating test.
• Multi-tenancy × RBA combined + tenant-scoped cluster variables — partial: c8-cross-component-e2e-tests#1985 (tenant-scoped cluster variables, SM-8.9).
• extraConfiguration map→list migration (8.8→8.9) — no PR.
• noSecondaryStorage behavior — in flight: test: noSecondaryStorage should disable elasticsearch connection #5662 (unit + integration). ⚠️ Draft, bare description, no linked issue.

---

Docs gaps (chart can do it; 8.10 docs don't, or barely)

• Kubernetes Gateway API setup — in flight: camunda-docs#8860 (rewrite Gateway API setup guide). Chart support also in test(8.10): add CI integration test scenarios for gateway namespace feature #6243.
• global.tls.caBundle as the unified TLS-trust mechanism (per-component ...tls.secret now deprecated) — in flight: camunda-docs#8760 ([TLS E] TLS config guide), #8977.
• Service-mesh / external routing toggles (global.ingress.external, global.gateway.external) — no PR.
• OpenShift compatibility knob (global.compatibility.openshift.adaptSecurityContext) — no PR.
• noSecondaryStorage engine-only mode — no docs PR (test: noSecondaryStorage should disable elasticsearch connection #5662 is test-only).
• global.extraManifests — no PR.
• global.createReleaseInfo — no PR.
• requestBodySize / upload-size config — in flight: fix: align upload size with Zeebe message limits #6279 + camunda-docs#8975.
• Multi-region Zeebe (global.multiregion.*) — in flight: camunda-docs#8981.
• AWS-native auth via IRSA (secondary storage + document store + RDS IAM) — no PR.
• Declarative identity.users[] / identity.clients[] / firstUser.* — no PR.
• Orchestration profiles (orchestration.profiles.broker/admin/operate/tasklist) — no PR.
• Identity-as-code authorization bootstrap (orchestration.security.initialization.*) — partial: camunda-docs#8571 (API permissions for machine clients), #8737 (global.rba.enabled).
• Connector secrets via connectors.env[] + valueFrom.secretKeyRef — no PR.
• Zeebe primary-storage / disk tuning (persistenceType, pvc*, data.disk.freeSpace.*, thread counts) — no PR.
• Observability surface (prometheusServiceMonitor.*, per-component metrics ports/paths) — no PR.
• Probe configuration (startup/readiness/liveness per component) — in flight: camunda-docs#8655 (liveness endpoint change).
• Per-component image overrides / private-registry / air-gapped — no PR.
• Scheduling/extensibility primitives (sidecars, initContainers, extraVolumes, nodeSelector, tolerations, affinity, serviceAccount automount) — no PR.
• Connectors persistence (connectors.persistence.*) — no PR.
• Optimize import alignment (optimize.partitionCount, optimize.migration.*) — no PR.
• Bitnami/Keycloak removal → external-only — in flight: docs(8.10): document bitnami removal and add removal ADR #6278 (removal ADR), camunda-docs#8976 / #8873 (8.9→8.10 upgrade).

---

Cross-cutting

• Confirm no 8.10 doc snippet still relies on global.secrets.autoGenerated (removed in 8.9+).
• Bundled Keycloak removed in 8.10 → external-only, which raises the priority of the untested external-OIDC and external-PostgreSQL scenarios above.
• Highest-overlap area (both test and docs gaps): external OIDC + external PostgreSQL + Gateway/Ingress TLS — the now-near-mandatory production shape.

Source analysis: 8.10-docs-vs-helm-gap-analysis.md. PR↔gap mapping is title/body-derived from open PRs as of 2026-06-03; draft/disabled status noted inline.

---

Cross-minor-version upgrade coverage is tracked separately in #6309.

[distro-ci]

🧭 Triage Assessment

Field	Value
Work type	TASK
Kind	chore
Severity	🔴 High
Likelihood	🔥 High
Confidence	0.91

📝 Rationale

Issue #6308 is within SM Platform Distribution scope because the team-boundaries guidance assigns Helm Charts, the camunda/camunda-platform-helm repository, Self-Managed documentation, integration/deployment readiness for periphery such as OIDC providers and secondary storage, and automated scenario testing/deployments to this team. Under the Distro Task/Toil/Non-Feature Triage guide, this belongs on the non-feature path because kind/bug is reserved for incorrect existing behavior, while kind/chore is for maintenance, cleanup, tech debt, and housekeeping; this issue is an umbrella to close missing test and docs coverage for already-shipped 8.10 capabilities rather than a single broken runtime defect or a new capability request. It also meets the task-triage minimum bar because it clearly states the present limitation, who is affected, and what improves if the work is done. Severity is high by analogy to impact/high in the task guide because this is cross-component and delivery-critical work touching customer-facing docs plus release-readiness coverage for production-shape scenarios such as external OIDC, external PostgreSQL, Gateway/Ingress TLS, multi-namespace, and other 8.10 deployment paths. Likelihood is high because the gap is systematic and recurring across many scenarios and validation cycles, not a one-off case; the closest prior umbrella epic (#5300) was also assessed as a high/high coverage-gap task and explicitly cites related epics rather than treating them as duplicates. I do not see evidence that #6308 is a strict duplicate of those issues; it is best understood as a newer 8.10-specific umbrella extending the same family of work across docs, chart, and E2E alignment.

🔍 Similar Issues

#5300, #4518, #4320, #5599

---

🤖 This issue was automatically triaged by an AI-based system.
✋ If you believe this assessment is incorrect, update the labels or add the triage:manual label for human review.