camunda-platform-8.8-13.0.0

The changelog is automatically generated and it follows Conventional Commits format.

camunda-platform-13.0.0 (2025-10-13)

Refactor

• Upgrade keycloak image from 26.3.1 to 26.3.3 (#4386)
• Streamline OIDC and Microsoft Entra auth (#4416)
• Rename zeebe/orchestration labels (#4430)

Fixes

• No default backwardsCompatibleAudiences (#4421)
• Remove duplicate servicemonitor (#4428)
• Release-please should create a non-alpha release for 8.8.0 (#4439)
• Correct 13.0.0 version number
• Undo part of the release notes thats wrong version
• Fix doc links for 8.8 (#4453)

camunda-platform-8.5-10.11.3 (2025-10-08)

Features

• Support legacy retention age (#4179)
• Support issuer backend url in the orchestration config (#4265)

Refactor

• Differentiate between orchestration services (#4190)
• Move orchestration oidc from global to component (#4233)
• Move connectors oidc from global to component (#4234)
• Support auth values in components (#4279)
• Use the main config in migrations (#4235)
• Use postgresql 14 for web modeler (#4287)
• Use postgres 14 for web modeler (#4327)
• Add nodeSelector, affinity, and tolerations to orchestration extra resources (#4366)

Fixes

• NoSecondaryStorage constraint no longer breaks unit tests (#4223)
• Wrong openshift compatibilty helper elasticsearch commonLabels usage (#4180)
• Operate opensearch access in the unified config (#4224)
• 2 issues.. the configmap for optimize was using the elasticsearch prefix value for opensearch and the QA scenarios where reusing the global prefix to shared OS failed CI (#4238)
• Add the oidc group claim to opensearch (#4244)
• Simplify oidc mappings in 8.8 (#4229)
• Firstuser defaults should not fire constraint (#4227)
• Partition-count typo in 8.8 chart (#4245)
• Identity migration inital contactPoint port number (#4260)
• Revert orchestration service name for backward compatibility (#4264)
• Comment in values.yaml for enabling management identity auth (#4273)
• Comment for identity existing secret (#4275)
• Add conditional properties for management components in manageme… (#4276)
• Revert tls secret placeholders (#4239)
• Add missing opensearch fields in templates (#4280)
• Reintroduce capability to disable all exporters again (#4272)
• Add security config to webmodeler (#4285)
• Data migration and importer config (#4286)
• Opensearch config and index replica placement (#4297)
• Use correct upgrade strategy for importer deployment (#4310)
• Data and identity migraiton accept orchestration env (#4291)
• Es/os exporter inherit index replicas (#4309)
• Clean up redundant secret templates (#4328)
• This PR is enabling Entra for testing (#4294)
• Correctly configure data migration (#4343)
• Define importer node id based on regionId (#4349)
• Adjust autogenerated secret detection patterns (#4342)
• Fix configurations of identity migration (#4344)
• Remove importer affinity in 8.8 (#4357)
• Unique importer ids for swim (#4360)
• Add audiences for backward compatibility (#4351)
• Correct sysctlImage structure in values-enterprise.yaml (#4339)
• Web modeler extraConfiguration uses subcomponent subkey (#4097)
• Should be using 8.8 instead of 8.9 connectors (#4267)
• Couple importer deployment with migration (#4346)
• In optimize cm, set the zeebe name to be equal to prefix (#4382)
• Set correct value for identity migration configmap (#4387)
• Set client secret based on what it's bound to on identity-side (#4400)
• Update QA 8.8 opensearch values file (#4405)

Revert

• "refactor: set default value for contextPath in all component… (#4221)

camunda-platform-8.5-10.11.2 (2025-09-18)

Features

• Opensearch aws enabled config now affects usage of AWS credentials (#4163)
• Add the document store scenario to the qa scenario list (#4117)
• Introduce authenticationRefreshInterval config parameter (#3958)
• Add resource authorizations flag to identity migration (#4197)
• Add default roles for initial users (#4194)
• Add extra mapping for initial client for identity OIDC migration (#4202)

Refactor

• Set default replicas to 1 for secondary storage (#4150)
• Run orchestration cluster from unified config (#4138)

Fixes

• Update migration job labels so requests are not routed to them (#4143)
• Enable exporters when data migration is enabled (#4196)
• Add constraints for ES and Basic auth in noSecondaryStorage mode (#4170)
• Adjust secret constraint to reflect new secrets management (#4182)
• Add missing global.identity.auth.identity.secret configuration (#4222)

Release Info

Supported versions:

• Camunda applications: 8.8
• Camunda version matrix: 8.8
• Helm values: 13.0.0
• Helm CLI: 3.18.6

Camunda images:

• docker.io/camunda/camunda:8.8.0
• docker.io/camunda/connectors-bundle:8.8.0
• docker.io/camunda/console:8.8.3
• docker.io/camunda/identity:8.8.0
• docker.io/camunda/keycloak:26.3.3
• docker.io/camunda/optimize:8.8.0
• docker.io/camunda/web-modeler-restapi:8.8.0
• docker.io/camunda/web-modeler-webapp:8.8.0
• docker.io/camunda/web-modeler-websockets:8.8.0

Non-Camunda images:

• docker.io/bitnamilegacy/elasticsearch:8.18.0
• docker.io/bitnamilegacy/os-shell:12-debian-12-r43
• docker.io/bitnamilegacy/postgresql:14.18.0-debian-12-r0
• docker.io/bitnamilegacy/postgresql:15.10.0-debian-12-r2

Verification

For quick verification of the Helm chart integrity using Cosign:

cosign verify-blob camunda-platform-13.0.0.tgz \
  --bundle "camunda-platform-13.0.0-cosign-bundle.json" \
  --certificate-identity-regex "https://github.com/camunda/camunda-platform-helm" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

For detailed verification instructions, check the steps in the camunda-platform-13.0.0-cosign-verify.sh file.