The provided data is not valid.
diff --git a/docs/apis-tools/camunda-api-rest/specifications/update-user-task.api.mdx b/docs/apis-tools/camunda-api-rest/specifications/update-user-task.api.mdx
index 455e45a6940..f8240c2d514 100644
--- a/docs/apis-tools/camunda-api-rest/specifications/update-user-task.api.mdx
+++ b/docs/apis-tools/camunda-api-rest/specifications/update-user-task.api.mdx
@@ -5,7 +5,7 @@ description: "Update a user task with the given key."
sidebar_label: "Update user task"
hide_title: true
hide_table_of_contents: true
-api: eJztWW1v2zYQ/isHflm3ybKSOF2rb17abdlLFyTOBiwJUFo622wlUuNLHMPQfx+OlGz5JU3Wdd9cIKhj3hvv7nnIHJfM8qlh6Q27NqjBcvOR3UVMVai5FUqe5yxlrsq5RRIY0XrEcjSZFhUJsJRd+2Xg4FoTMBd2BnaGMBX3KOEjLmIWsYprXqJFTQ6XTPISyXpj9xdcsIgJslhxO2MR0/i3ExpzllrtcNvtaIZkGNTEe1o7twpCxOTTZDMsOUuXzC4qciekxSlqFrGJ0iW34auXA1bXd8ElGvu9yheks45gwguDEcuUtCgtrfGqKkTms9T/YCik5a43Nf6AmaW9a8qpFWhoNZtxOUWD3tDmtn6++v0dBLWQxiCbh71xa7UYO4twzwuHJr6Vt5IyMVFFoeZCTtciBjIuYYzA8w/OWMzbsggDKPNKCWkj4HkuyDUvOpq3ci6KgnTFVCqNeUp+voH3GZe5oNz+qJWrzHvogaZ9wHgBlVb3IvchSMCysgsohLGbetRFz1fLHb7hFp+Sv7JayKnXCHm4rv6lWqWF0sIuSKUUUpSuhCSCkj/4j0dJEkGOE+4KC6cJJeOiY69pQmWwm32fbQ7vpSuK96FeoDSoUlhLesJCReHpe0o49XCF2ghfqZWZr0zQXBWaGyOmEpGKK5V9sr7OoMfH0OuFLmpXYzLppY3T1C9Ka+o7vEdpAUthjFASJkp33IbWjW8li3a6nLbKxwW2iF0310Wn/8PaJiKaSnegY3x1ujil/ulZUeIOBVFicofgiaghBNppDJdP1j/eibsmn+s2+g8xBTM9V325yDaR1ImNa80Xe6MgOJHvlaonS/P8cMgABSMslmY3HfWnwgxE8ZlxTr3y/xpoi/wnj4iT471Bt/obQbKINSzC0oS0PHOw9DSJWMMpLCVS2Y6njpgVln5lZ6szoo4Yz4LL7dNiCJkzVpUQBBqWsTNOh0dgcJ5laIwYFwgTrcrOQelhbogiXeEZya9v8AcIea/CIRfD+QSIcULeMY+IwbyXlhmtgtvmtnDLNhhiBZzH99veL8J14jIcxKyuSUajqZQ0gSqOk8FuIkYbV4A5N80dIAfjfAImrigWMeVykCRP6u/cXzp02xiO4TelEXK0XBQGuMZVZkBIr92GDWOVL0I+HrlAVFqNCyy/3b1IbNf7Ikg2ftubAjcQBMfB+83lD2fwenD63d2LmbWVSfv9+Xwe60nWw1xYpWOlp309yeiH5L6OYTRDjVDyRThTVteCNVGDqTATE5FRpf2B1QRDVd5/ImyyfFj9BJ06LXZQNoTry3MQOUorJgvq0x3XrIMxxsfK2XRccPmRrftr1+m2F+PKkusVkDcd1BEzlltnPpcnfhqNLiCYgEzl6E9Vj7XG0QZpDJIuU7xMkppsUsWfsRMJ+FAVXPrW2t6OkFCu+9ZvTEhjucy+VGWUFlOx7TdmXaw3Tfwm7ChgfPAMWO/CkpBOuJwoJ/P4ALADwA4AexRgrz8DYMK0p9lcKzn1GUbInNYobbE4nIIHkB5A+uVAerrvcjqUQFnW1IeoNQ0RMo/AHOYzUXjz/pLf+G6mWAesHbB2wNpjWKsjVqKdqTwMnLOZn1DbGUtZn07EHp2Ipr/szKdrGijTvK6ZYDtdsJQtA3TqtN9fzpSxdbqslLZ1/57qcs+1oD94fRlpOUCsbZ1CZbzwX+8rIS3QmLzd2hkvncw5vILLt1cj+JFbnPPwVy253DT9KnmV7B9ZKG0fsTi8OIeww9CAHVJozRK695oNws8x7EftBjNHg5MrUgvpGSPXqIeOirBqjMaft06/ByEWNR9+aNvl5z9HvuJEaJfrMf7bB15WAY6bU/d24MiOk+NB7+i4d3QyOjpJj16ng+N4cHLyF9seA35Kcnssd9M29N2eWVh3cT1/Ok06g57OyErIifL5aAdDO5mlNqPRsVdM4qNd2Fyce/Rnqiyd9EeAnLYD6rW9rKA5siZeKESG0vi0Ne80rdivYQX+CB7hKKYuC1BomX8q7MyN40yV/Syorf4fF2rcL7mQ/caF6Z8Nf7t+92bY+/X87O27q7e9oziJ7YP11ayUsSWXnTia56bVpXV7s8v1iff8p6mm1yw+2H5VcCEp8X5Py4YUbtiaFFjE0u6z1V3UIPuGLZdjbvBaF3VNX//tUC9YenO3JgLPHLkw9Hn9sPToFl5cNm9QX8PzXrz2bqWdvcqFp6TC0W8sYh9xsfUEV9/VEZshz1H7SIPEWYinNyI7aws7b2B11GoMswwr+4jsxuWDyGDFxBfD0dlPBO7mBa5UOSlrPqcHQT5nKbtltxS68snyvOG/X7KCy6njU5IPhunfP2aHBSg=
+api: eJztWW1v2zYQ/isHftmbLCtZ0jb65qVdm67rgsTZgCUBSktnm61EqnyJYxj678ORki2/pMm67psLBHXMe+PdPQ+Z44JZPjEsvWZXBjVYbj6x24ipCjW3QsmznKXMVTm3SAJDWo9YjibToiIBlrIrvwwcXGsCZsJOwU4RJuIOJXzCecwiVnHNS7SoyeGCSV4iWW/s/oZzFjFBFitupyxiGj87oTFnqdUON90Op0iGQY29p5VzqyBETD5NNsWSs3TB7Lwid0JanKBmERsrXXIbvnp2xOr6NrhEY39R+Zx0VhGMeWEwYpmSFqWlNV5Vhch8lvofDYW02PamRh8xs7R3TTm1Ag2tZlMuJ2jQG1rf1tvLP95DUAtpDLJ52Bu3VouRswh3vHBo4ht5IykTY1UUaibkZCViIOMSRgg8/+iMxbwtizCAMq+UkDYCnueCXPOio3kjZ6IoSFdMpNKYp+TnR/iQcZkLyu1rrVxlPkAPNO0DRnOotLoTuQ9BApaVnUMhjF3Xoy56ulru8CW3+Jj8pdVCTrxGyMNV9S/VKi2UFnZOKqWQonQlJBGU/N5/PEiSCHIcc1dYOE4oGecde00TKoPd7Ptsc/ggXVF8CPUCpUGVwlrSExYqCk/fUcKphyvURvhKLc18Z4LmstDcGDGRiFRcqeyj9XUGPT4GXi90Ubsak0kvbZymflFaU9/hHUoLWApjhJIwVrrjNrRufCNZtNXltFU+KrBF7Kq5zjv9H9bWEdFUugMd46vTxSn1T8+KErcoiBKTOwRPRA0h0E5juHi0/vFW3DX5XLXRf4gpmOm56ttFto6kTmxcaz7fGQXBiXwvVT1ZmqeHQwYoGGGxNNvpqL8UZiCKr4xz4pX/10Bb5D96RPx8uDPoVn8tSBaxhkVYmpCWZw6WHicRaziFpUQqm/HUEbPC0q/sdHlG1BHjWXC5eVoMIHPGqhKCQMMydsrp8AgMzrMMjRGjAmGsVdk5KD3MDVGkKzwj+fU1/gAh71Q45GI4GwMxTsg75hExmPfSMqNVcNPcFm7YGkMsgfPwftv7RbhOXISDmNU1yWg0lZImUMVhcrSdiOHaFWDGTXMHyME4n4CxK4p5TLk8SpJH9bfuLx26bQzH8LvSCDlaLgoDXOMyMyCk127DhpHK5yEfD1wgKq1GBZY/bV8kNut9HiQbv+1NgRsIgqPg/fri11M4OTp+fvv91NrKpP3+bDaL9TjrYS6s0rHSk74eZ/RDcj/EMJyiRij5PJwpy2vBiqjBVJiJscio0v7AaoKhKu8+EdZZPqx+gU6dFlsoG8DVxRmIHKUV4zn16ZZr1sEY4yPlbDoquPzEVv217XTTi3FlyfUSyOsO6ogZy60zX8sTb4bDcwgmIFM5+lPVY61xtEYaR0mXKZ4lSU02qeJP2IkEvK8KLn1rbW5HSChXfes3JqSxXGbfqjJKi4nY9BuzLtabJn4ZdhQwfvQEWG/DkpBOuBwrJ/N4D7A9wPYAexBgJ18BMGHa02ymlZz4DCNkTmuUtpjvT8E9SPcg/XYgPd51OR1IoCxr6kPUmoYImUdgDrOpKLx5f8lvfDdTrD3W9ljbY+0hrNURK9FOVR4GztnUT6jtlKWsTydij05E01905tM1DZRpXtdMsJ0uWMoWATp12u8vpsrYOl1UStu6f0d1ueNa0B+8voy0HCDWtk6hMl74r3eVkBZoTN5u7ZSXTuYcXsDFq8shvOYWZzz8VUsu102/SF4ku0cWStsHLA7OzyDsMDRghxRas4TunWaD8FMM+1G7wczR4OSS1EJ6Rsg16oGjIiwbo/HnrdPvQYhFzYdf23Z5+9fQV5wI7WI1xn91z8sqwHF96t4OHNlhcnjUOzjsHZwMD47T5Hn680l88vzZ32xzDPglyc2x3HXb0Lc7ZmHdxdX86TjpDHo6Iyshx8rnox0MbWWW2oxGx14xiQ+2YXN+5tGfqbJ00h8BctIOqFf2soLmyJp4oRAZSuPT1rzTtGLvwgr8GTzCQUxdFqDQMv9E2KkbxZkq+1lQW/4/KtSoX3Ih+40L0z8d/H71/uWg9+7s9NX7y1e9gziJ7b311ayUsSWXnTia56blpXVzs4vViff0p6mm1yze235VcCEp8X5Pi4YUrtmKFFjE0u6z1W3UIPuaLRYjbvBKF3VNX392qOcsvb5dEYFnjlwY+rx6WHpwC99fNG9QP8DTXrx2bqWdvcq5p6TC0W8sYp9wvvEEV9/WEZsiz1H7SIPEaYinNyQ7Kwtbb2B11GoMsgwr+4Ds2uWDyGDJxOeD4ekbAnfzAleqnJQ1n9GDIJ+xlN2wGwpd+WR53vDfL1jB5cTxCckHw/TvHxGiBVY=
sidebar_class_name: "patch api-method"
info_path: docs/apis-tools/camunda-api-rest/specifications/camunda-8-rest-api
custom_edit_url: null
diff --git a/docs/apis-tools/node-js-sdk.md b/docs/apis-tools/node-js-sdk.md
index 583c837affb..b11e5f327d7 100644
--- a/docs/apis-tools/node-js-sdk.md
+++ b/docs/apis-tools/node-js-sdk.md
@@ -1,7 +1,7 @@
---
id: node-js-sdk
title: Node.js
-description: Get started with the official Camunda 8 JavaScript SDK for Node.js, available via npm.
+description: Get started with the official Camunda 8 JavaScript SDK for Node.js.
---
As of 8.5.0, the official [Camunda 8 JavaScript SDK for Node.js](https://github.com/camunda/camunda-8-js-sdk) is available via [npm](https://www.npmjs.com/package/@camunda8/sdk).
diff --git a/docs/apis-tools/spring-zeebe-sdk/configuration.md b/docs/apis-tools/spring-zeebe-sdk/configuration.md
index 6cff515bf51..5c644b42928 100644
--- a/docs/apis-tools/spring-zeebe-sdk/configuration.md
+++ b/docs/apis-tools/spring-zeebe-sdk/configuration.md
@@ -275,7 +275,7 @@ A custom maxMessageSize allows the client to receive larger or smaller responses
camunda:
client:
zeebe:
- max-message-size: 3
+ max-message-size: 4194304
```
### Request timeout
diff --git a/docs/apis-tools/working-with-apis-tools.md b/docs/apis-tools/working-with-apis-tools.md
index 10907399b5d..0f75b9bb805 100644
--- a/docs/apis-tools/working-with-apis-tools.md
+++ b/docs/apis-tools/working-with-apis-tools.md
@@ -72,6 +72,9 @@ Additionally, visit our documentation on [Operate](../self-managed/operate-deplo
### SDKs
### Postman
diff --git a/docs/components/modeler/bpmn/user-tasks/user-tasks.md b/docs/components/modeler/bpmn/user-tasks/user-tasks.md
index 90a64a6191c..b1a4919be5d 100644
--- a/docs/components/modeler/bpmn/user-tasks/user-tasks.md
+++ b/docs/components/modeler/bpmn/user-tasks/user-tasks.md
@@ -36,6 +36,11 @@ attributes can be specified simultaneously:
- `candidateUsers`: Specifies the users that the task can be assigned to.
- `candidateGroups`: Specifies the groups of users that the task can be assigned to.
+:::info
+The assignee attribute must adhere to the userId field’s case-sensitivity requirements.
+Note that in SaaS, all user IDs are converted to lowercase by default, as they are based on email addresses.
+:::
+
:::info
Assignment resources can also be used for set user task restrictions ([SaaS](/components/concepts/access-control/user-task-access-restrictions.md)/[Self-Managed](docs/self-managed/concepts/access-control/user-task-access-restrictions.md)), where users will see only the tasks they have authorization to work on.
:::
diff --git a/docs/components/modeler/desktop-modeler/use-connectors.md b/docs/components/modeler/desktop-modeler/use-connectors.md
index 921b5c0f693..6a0f28ee837 100644
--- a/docs/components/modeler/desktop-modeler/use-connectors.md
+++ b/docs/components/modeler/desktop-modeler/use-connectors.md
@@ -12,7 +12,7 @@ Desktop Modeler automatically fetches and updates [element templates](./element-
## Automatic Connector template fetching
-Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors.
+Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors. The fetch is triggered whenever you start the application, or every 24 hours if the application is not closed.
After an update check has concluded, a notification indicates if the templates are up to date or have been updated:
diff --git a/docs/self-managed/console-deployment/configuration/configuration.md b/docs/self-managed/console-deployment/configuration/configuration.md
index 1c09cea48e1..69365322378 100644
--- a/docs/self-managed/console-deployment/configuration/configuration.md
+++ b/docs/self-managed/console-deployment/configuration/configuration.md
@@ -41,6 +41,20 @@ Console environment variables could be set in Helm via the `console.env` key. Fo
Camunda 8 components without a valid license may display **Non-Production License** in the navigation bar and issue warnings in the logs. These warnings have no impact on Console startup or functionality. To obtain a license, visit the [Camunda Enterprise page](https://camunda.com/platform/camunda-platform-enterprise-contact/).
:::
+### Proxy
+
+These settings are useful when the application needs to make outgoing network requests in environments that require traffic to pass through a proxy server.
+
+| Environment variable | Description | Example value | Default value |
+| -------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------- | ------------- |
+| `http_proxy` | Specifies the proxy server to be used for outgoing HTTP requests. | `http://proxy.example.com:8080` | - |
+| `https_proxy` | Specifies the proxy server to be used for outgoing HTTPS requests. | `https://secureproxy.example.com:443` | - |
+| `no_proxy` | A comma-separated list of domain names or IP addresses for which the proxy should be bypassed. | `localhost,127.0.0.1,.example.com` | - |
+
+:::note
+The proxy-related environment variables are lowercase because they follow a widely accepted convention used in many system environments and tools.
+:::
+
## Telemetry
You can enable telemetry and usage collection to help us improve our product by sending several telemetry metrics to Camunda. The information we collect will contribute to continuous product enhancement and help us understand how Camunda is used. We do not collect sensitive information and limit data points to several metrics. For more information, you can download collected data set metrics from the telemetry page at anytime.
diff --git a/docs/self-managed/modeler/web-modeler/configuration/configuration.md b/docs/self-managed/modeler/web-modeler/configuration/configuration.md
index 0fa011b7f38..5585791bf52 100644
--- a/docs/self-managed/modeler/web-modeler/configuration/configuration.md
+++ b/docs/self-managed/modeler/web-modeler/configuration/configuration.md
@@ -20,7 +20,9 @@ import Licensing from '../../../../self-managed/react-components/licensing.md'
### Clusters
-Clusters configured using the following options can be selected when deploying from Web Modeler. If no clusters are configured, you will not be able to preform any actions that require a cluster (for example, deploy, start an instance, or Play a process). The Camunda 8 [Helm](/self-managed/setup/install.md) and [Docker Compose](/self-managed/setup/deploy/local/docker-compose.md) distributions provide a local Zeebe cluster configured by default.
+Clusters must be configured using the following options to access the cluster from within Web Modeler. If no clusters are configured, you will not be able to perform any actions that require a cluster (for example, deploy, start an instance, or Play a process).
+
+The Camunda 8 [Helm](/self-managed/setup/install.md) and [Docker Compose](/self-managed/setup/deploy/local/docker-compose.md) distributions provide a local Zeebe cluster configured by default.
To add additional clusters, increment the `0` value for each variable (`CAMUNDA_MODELER_CLUSTERS_1_NAME`).
diff --git a/docs/self-managed/operational-guides/update-guide/860-to-870.md b/docs/self-managed/operational-guides/update-guide/860-to-870.md
index 205beda3075..d8604906a77 100644
--- a/docs/self-managed/operational-guides/update-guide/860-to-870.md
+++ b/docs/self-managed/operational-guides/update-guide/860-to-870.md
@@ -12,3 +12,50 @@ The following sections explain which adjustments must be made to migrate from Ca
Configuring a non-existing bucket for backups will not prevent Zeebe to start up anymore and will only result
in logs (at WARN) in the startup phase.
+
+## Exported records
+
+### `USER_TASK` records
+
+To support User Task Listeners, some backward incompatible changes were necessary to the exported `USER_TASK` records.
+
+#### `assignee` no longer provided in `CREATING/CREATED` events
+
+Previously, when a user task was activating with a specified `assignee`,
+we appended the following events of the `USER_TASK` value type:
+
+- `CREATING` with `assignee` property as provided
+- `CREATED` with `assignee` property as provided
+
+The `ASSIGNING` and `ASSIGNED` events were not appended in this case.
+
+To support the new User Task Listeners feature, the `assignee` value will not be filled in the `CREATING` and `CREATED` events anymore.
+
+With 8.7, the following events are now appended:
+
+- `CREATING` with `assignee` always `""` (empty string)
+- `CREATED` with `assignee` always `""` (empty string)
+- `ASSIGNING` with `assignee` property as provided
+- `ASSIGNED` with `assignee` property as provided
+
+#### `ASSIGNING` has become `CLAIMING` for `CLAIM` operation
+
+When claiming a user task, we previously appended the following records of the `USER_TASK` value type:
+
+- `CLAIM`
+- `ASSIGNING`
+- `ASSIGNED`
+
+A new `CLAIMING` intent was introduced to distinquish between claiming and regular assigning.
+We now append the following records when claiming a user task:
+
+- `CLAIM`
+- `CLAIMING`
+- `ASSIGNED`
+
+The `ASSIGNING` event is still appended for assigning a user task.
+In that case, we append the following records:
+
+- `ASSIGN`
+- `ASSIGNING`
+- `ASSIGNED`
diff --git a/docs/self-managed/reference-architecture/img/management-cluster.jpg b/docs/self-managed/reference-architecture/img/management-cluster.jpg
new file mode 100644
index 00000000000..026ecfcdb9f
Binary files /dev/null and b/docs/self-managed/reference-architecture/img/management-cluster.jpg differ
diff --git a/docs/self-managed/reference-architecture/img/orchestration-cluster.jpg b/docs/self-managed/reference-architecture/img/orchestration-cluster.jpg
new file mode 100644
index 00000000000..276984d34ae
Binary files /dev/null and b/docs/self-managed/reference-architecture/img/orchestration-cluster.jpg differ
diff --git a/docs/self-managed/reference-architecture/manual/img/manual-ha.jpg b/docs/self-managed/reference-architecture/manual/img/manual-ha.jpg
new file mode 100644
index 00000000000..5d06e9a1146
Binary files /dev/null and b/docs/self-managed/reference-architecture/manual/img/manual-ha.jpg differ
diff --git a/docs/self-managed/reference-architecture/manual/img/manual-single.jpg b/docs/self-managed/reference-architecture/manual/img/manual-single.jpg
new file mode 100644
index 00000000000..2d54eb33b3f
Binary files /dev/null and b/docs/self-managed/reference-architecture/manual/img/manual-single.jpg differ
diff --git a/docs/self-managed/reference-architecture/manual/manual.md b/docs/self-managed/reference-architecture/manual/manual.md
new file mode 100644
index 00000000000..f82e348be42
--- /dev/null
+++ b/docs/self-managed/reference-architecture/manual/manual.md
@@ -0,0 +1,123 @@
+---
+id: manual
+title: "Manual JAR deployment overview"
+sidebar_label: Manual JAR
+description: "Camunda 8 Manual (Java) deployment Reference architecture home "
+---
+
+
+
+This reference architecture provides guidance on deploying Camunda 8 Self-Managed as a standalone Java application. This deployment method is ideal for users who prefer manual deployment on bare metal servers or virtual machines (VMs), offering full control over the environment and configuration. It is particularly suited for scenarios with specific infrastructure requirements or highly customized setups.
+
+:::note
+This method of deployment requires a solid understanding of infrastructure, networking, and application management. Consider evaluating your [deployment platform options](../reference-architecture.md) based on your familiarity and need. If you prefer a simpler and managed solution, [Camunda 8 SaaS](https://camunda.com/platform/) can significantly reduce maintenance efforts, allowing you to focus on your core business needs.
+:::
+
+## Key features
+
+- **Single application JAR**: Starting from Camunda 8.7, all core components (Zeebe, Tasklist, Operate, Optimize, and Identity) are bundled into a single JAR file. This simplifies deployment by reducing the number of artifacts to manage.
+- **Full control**: Users are responsible for all aspects of deployment, including installation, configuration, scaling, and maintenance. This offers maximum flexibility for custom environments.
+
+Other deployment options, such as containerized deployments or managed services, might offer more convenience and automation. However, VM based deployment gives you the flexibility to tailor the deployment to your exact needs, which can be beneficial for regulated or highly customized environments.
+
+For documentation on the orchestration cluster, Web Modeler and Console separation, refer to the [reference architecture overview](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console).
+
+## Reference implementations
+
+This section includes deployment reference architectures for manual setups:
+
+- [Amazon EC2 deployment](/self-managed/setup/deploy/amazon/aws-ec2.md) - a standard production setup with support for high availability.
+
+## Considerations
+
+- This overview page focuses on deploying the [orchestration cluster](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster), the single JAR compromised of Identity, Operate, Optimize, Tasklist, and Zeebe, as well as the Connectors runtime. Web Modeler and Console deployments are not included.
+- General guidance and examples focuses on **unix** users, but can be adapted by Windows users with options like [WSL](https://learn.microsoft.com/en-us/windows/wsl/install) or included `batch` files.
+- The Optimize importer is not highly available and must only run once within the whole setup.
+
+## Architecture
+
+
+
+This above diagram illustrates a single-machine deployment using the single JAR package. While simple and effective for lightweight setups, scaling to multiple machines requires careful planning.
+
+Compared to the generalized architecture depicted in the [reference architecture](/self-managed/reference-architecture/reference-architecture.md#architecture), the `Optimize importer` can be enabled as part of the single JAR.
+
+### High Availability (HA)
+
+:::caution Non-HA Optimize importer
+When scaling from a single machine to multiple machines, ensure that the `Optimize importer` is enabled on only one machine and disabled on the others. Enabling it on multiple machines will cause data inconsistencies. This limitation is known and will be addressed in future updates.
+:::
+
+
+
+For high availability, a minimum of three machines is recommended to ensure fault tolerance and enable master election in case of failures. Refer to the [clustering documentation](/components/zeebe/technical-concepts/clustering.md) to learn more about the raft protocol and clustering concepts.
+
+### Components
+
+The orchestration core is packaged as a single JAR file and includes the following components:
+
+- **Zeebe**
+- **Operate**
+- **Tasklist**
+- **Optimize**
+- **Identity**
+
+The core facilitates:
+
+1. **gRPC communication**: For client workers.
+2. **HTTP endpoints**: Used by the REST API and Web UI.
+
+Both types of endpoints can be routed through a load balancer to maintain availability, ensuring that the system remains accessible even if a machine becomes unavailable. While using a load balancer is optional, it is recommended for enhanced availability and security. Alternatively, you can expose static machines, ports, and IPs directly. However, direct exposure is generally discouraged due to security concerns.
+
+Connectors expose additional HTTP(s) endpoints for handling incoming webhooks, which can also be routed through the same http load balancer.
+
+The orchestration components rely on **Elasticsearch** or **OpenSearch** as their data store.
+
+Components within the orchestration core communicate seamlessly, particularly:
+
+- **Zeebe brokers** exchange data over gRPC endpoints for efficient inter-broker communication.
+
+## Requirements
+
+Before implementing a reference architecture, review the requirements and guidance outlined below. We are differentiating between `Infrastructure` and `Application` requirements.
+
+### Infrastructure
+
+Any of the following are just suggestions for the minimum viable setup, the sizing heavily depends on your use cases and usage. It is recommended to understand the documentation on [sizing your environment](/components/best-practices/architecture/sizing-your-environment.md) and run benchmarking to confirm your required needs.
+
+#### Minimum Requirements Per Host
+
+- Modern CPU: 4 cores
+- Memory: 8 GB RAM
+- Storage: 32 GB SSD (**1,000** IOPS recommended; avoid burstable disk types)
+
+Suggested instance types from cloud providers:
+
+- AWS: [m7i](https://aws.amazon.com/ec2/instance-types/m7i/) series
+- GCP: [n1](https://cloud.google.com/compute/docs/general-purpose-machines#n1_machines) series
+
+#### Networking
+
+- Stable and high-speed network connection
+- Configured firewall rules to allow necessary traffic:
+ - **8080**: Web UI / REST endpoint.
+ - **9090**: Connector port.
+ - **9600**: Metrics endpoint.
+ - **26500**: gRPC endpoint.
+ - **26501**: Gateway-to-broker communication.
+ - **26502**: Inter-broker communication.
+- Load balancer for distributing traffic (if required)
+
+:::info Customizing ports
+Some ports can be overwritten and are not definitive, you may conduct the documentation of each component to see how it can be done, in case you want to use a different port. Or in our example `Connectors` and `Web UIs` overlap on 8080 due to which we moved connectors to a different port.
+:::
+
+### Application
+
+- Java Virtual Machine, see [supported environments](/reference/supported-environments.md) for version details.
+
+### Database
+
+- Elasticsearch / OpenSearch, see [supported environments](/reference/supported-environments.md) for version details.
+
+Our recommendation is to use an external managed offer as we will not go into detail on how to manage and maintain your database.
diff --git a/docs/self-managed/reference-architecture/reference-architecture.md b/docs/self-managed/reference-architecture/reference-architecture.md
new file mode 100644
index 00000000000..da8b632d49c
--- /dev/null
+++ b/docs/self-managed/reference-architecture/reference-architecture.md
@@ -0,0 +1,144 @@
+---
+id: reference-architecture
+title: "Camunda 8 reference architectures"
+sidebar_label: "Overview"
+description: "Learn about the Self-Managed reference architectures and how they can help you get started."
+---
+
+Reference architectures provide a comprehensive blueprint for designing and implementing scalable, robust, and adaptable systems. The reference architectures published here offer guidance to help enterprise architects, developers, and IT managers streamline deployments and improve system reliability.
+
+## Overview
+
+Reference architectures are not a one-size-fits-all solution, and each organization has unique requirements and constraints that may necessitate modifications to the provided blueprints.
+
+While these reference architectures offer a solid foundation and best practices, they should be adapted to fit the specific needs of your project. Use them as a starting point to start your Camunda 8 implementation process, but be prepared to make adjustments to ensure they align with your goals and infrastructure.
+
+### Target users
+
+- **Enterprise architects**: To design and plan the overall system structure.
+- **Developers**: To understand the components and their interactions.
+- **IT managers**: To ensure the system meets business requirements and is maintainable.
+
+### Key benefits
+
+- **Accelerated deployment**: Predefined best practices and guidelines simplify the deployment process, reducing the time and effort required to set up a reliable workflow automation solution.
+- **Consistency**: Ensures consistency across deployments by standardizing system components and their configurations, which helps reduce the risk of errors and simplifies maintenance.
+- **Enhanced security**: Reference architectures incorporate best practices for securing Camunda 8 deployments, ensuring that sensitive data and processes are protected through standard security measures like encryption, authentication, and access controls.
+
+### Support considerations
+
+Deviations from the reference architecture are unavoidable. However, such changes will introduce additional complexity, making troubleshooting more difficult. When modifications are required, ensure they are well-documented to facilitate future maintenance and troubleshooting more quickly. Camunda publishes [supported environment](/reference/supported-environments.md) information to help you navigate supported configurations.
+
+## Architecture
+
+### Orchestration cluster vs Web Modeler and Console
+
+When designing a reference architecture, it's essential to understand the differences between an orchestration cluster and Web Modeler and Console Self-Managed. These components play crucial roles in the deployment and operation of processes, but they serve different purposes and include distinct components.
+
+#### Orchestration Cluster
+
+
+
+The orchestration cluster is the core of Camunda.
+
+The included components are:
+
+- [Zeebe](/components/zeebe/zeebe-overview.md): A workflow engine for orchestrating microservices and managing stateful, long-running business processes.
+- [Operate](/components/operate/operate-introduction.md): A monitoring tool for visualizing and troubleshooting workflows running in Zeebe.
+- [Tasklist](/components/tasklist/introduction-to-tasklist.md): A user interface for managing and completing human tasks within workflows.
+- [Optimize]($optimize$/components/what-is-optimize/): An analytics tool for generating reports and insights based on workflow data.
+- [Identity](/self-managed/identity/what-is-identity.md): A service for managing user authentication and authorization.
+- [Connectors](/components/connectors/introduction.md): Pre-built integrations for connecting Zeebe with external systems and services.
+
+Each component within the orchestration cluster is part of an integrated system that works together to provide end-to-end process orchestration. These components form a unified cluster that is tightly integrated to ensure seamless communication and data flow.
+
+This design ensures that all components are in sync, working collectively to maintain consistent state management, data integrity, and smooth process orchestration across the entire cluster. This architecture ensures reliable process execution with clear boundaries between each workflow engine's operation.
+
+#### Web Modeler and Console
+
+
+
+Web Modeler and Console are designed to interact with multiple orchestration clusters. Console offers tools and interfaces for administrators to monitor clusters, and Web Modeler allows developers to create and deploy BPMN models.
+
+- [Console](/components/console/introduction-to-console.md): A central management interface for monitoring and managing multiple orchestration clusters.
+- [Web Modeler](/self-managed/modeler/web-modeler/installation.md): A web-based tool for designing and deploying workflow models to any available orchestration cluster.
+
+Additionally, Web Modeler and Console require the following:
+
+- [Identity](/self-managed/identity/what-is-identity.md): A service for managing user authentication and authorization.
+
+Unlike the orchestration cluster, Web Modeler and Console run a separate and dedicated Identity deployment. For production environments, using an external [identity provider](/self-managed/setup/guides/connect-to-an-oidc-provider.md) is recommended.
+
+### Databases
+
+Databases can be deployed as part of the Camunda clusters, but using external databases or managed services offers several advantages:
+
+- **Flexibility**: Allows you to choose the database technology that best fits your needs and existing infrastructure while choosing one of the [supported environments](/reference/supported-environments.md#component-requirements).
+- **Scalability**: External databases can be scaled independently of the Camunda components, providing better performance and resource management.
+- **Maintenance**: Simplifies the maintenance and upgrade processes, as database management can be handled separately.
+- **Compliance**: Ensures that you can adhere to specific data governance and compliance requirements.
+
+While some guides go into detail on how to deploy databases together with Camunda, the recommendation is to maintain this outside of Camunda.
+
+By decoupling databases from Camunda, you gain greater control and customization over your data storage and management strategies.
+
+### High availability (HA)
+
+High availability (HA) ensures that a system remains operational and accessible even in the event of component failures. While all components are equipped to be run in a highly available manner, some components need extra considerations when run in HA mode.
+
+
+
+While high availability is one part of the increased fault tolerance and resilience, you should also consider regional or zonal placement of your workloads.
+
+If you run infrastructure on cloud providers, you are often met with different regions and zones. For ideal high availability you should consider a minimum setup of 3 zones within a region as this will guarantee that in case of a zonal failure that the remaining two workloads can still process data. For more information on how Zeebe handles fault tolerance, have a look at the [raft consensus chapter](/components/zeebe/technical-concepts/clustering.md#raft-consensus-and-replication-protocol).
+
+If running a single instance is preferred, make sure to implement [regular backups](/self-managed/operational-guides/backup-restore/backup-and-restore.md) since resilience will be limited.
+
+## Available reference architectures
+
+:::note Documentation Update in Progress
+This is a work in progress as the existing documentation is updated to provide better general guidance on the topic. The Kubernetes and Docker documentation may point to older guides.
+:::
+
+Choosing the right reference architecture depends on various factors such as the organization's goals, existing infrastructure, and specific requirements. The following guides are available to help choose and guide deployments:
+
+### Kubernetes
+
+Kubernetes is a powerful orchestration platform for containerized applications. Using a reference architecture for Kubernetes can help organizations deploy and manage their applications more effectively. It provides guidelines for setting up clusters, managing workloads, and ensuring high availability and scalability. This approach is ideal for organizations looking to leverage the benefits of containerization and self-healing capabilities.
+
+- Ideal for organizations adopting containerization and microservices (see [Cloud Native computing foundation](https://www.cncf.io/)).
+- Suitable for dynamic scaling and high availability.
+- Best for teams with experience in managing containerized environments.
+- A steeper learning curve but offers scalable and highly resilient platform.
+
+For more information and guides, see the reference for [Kubernetes](/self-managed/setup/install.md).
+
+
+
+### Containers
+
+Containers, such as Docker, offer a middle ground between the manual JAR and Kubernetes approaches. They provide a lightweight, portable, and consistent runtime environment, making it easier to develop, test, and deploy applications across different environments. Containers encapsulate an application and its dependencies, ensuring that it runs reliably regardless of where it is deployed.
+
+- Advisable as a middle ground between manual JAR and Kubernetes. Profit from containerization while not having the whole overhead of Kubernetes.
+- Containers can run on any system that supports the container runtime, ensuring consistency across development, testing, and production environments.
+- Each container runs in its own isolated environment, which helps prevent conflicts between applications and improves security.
+- Containers can be easily scaled up or down to handle varying workloads, providing flexibility in resource management.
+
+For more information and guides, see the reference for [containers](/self-managed/setup/deploy/other/docker.md).
+
+### Manual JAR (bare metal/virtual machines)
+
+For organizations that prefer traditional infrastructure, reference architectures for bare metal or virtual machines (VMs) offer a structured approach to system deployment. These architectures provide best practices for setting up physical servers or VMs, configuring networks, and managing storage using Infrastructure as Service cloud providers. They are suitable for environments where containerization or use of Kubernetes services may not be feasible.
+
+- Suitable for organizations requiring use of IaaS, bare metal, and other traditional infrastructures.
+- Ideal for traditional setups needing highly customized security, strict data residency, or industry-specific regulatory compliance.
+- Applicable for high availability but requires more detailed planning.
+- Best for teams with expertise in managing physical servers or virtual machines.
+
+For more information and guides, see the reference for [manual setups](./manual/manual.md).
+
+
+
+### Local development
+
+While the above options are suitable for trying out Camunda 8 locally, [Camunda 8 Run](/self-managed/setup/deploy/local/c8run.md) provides a simplified, developer-focused experience.
diff --git a/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md b/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
index d196001567e..bc70916d34f 100644
--- a/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
+++ b/docs/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
@@ -4,6 +4,8 @@ title: "Install Camunda 8 on an EKS cluster"
description: "Set up the Camunda 8 environment with Helm and an optional Ingress setup on Amazon EKS."
---
+
+
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
@@ -30,6 +32,7 @@ Multi-tenancy is disabled by default and is not covered further in this guide. I
:::caution Optimize compatibility with OpenSearch
**Migration:** The migration step will be disabled during the installation. For more information, refer to [using Amazon OpenSearch Service](/self-managed/setup/guides/using-existing-opensearch.md).
+
:::
## Architecture
@@ -427,7 +430,6 @@ https://github.com/camunda/camunda-tf-eks-module/blob/main/examples/camunda-8.7/
Use these environment variables in the `kubectl` command to create the secret.
-- The values for `postgres-password` and `password` are not required if you are using an external database. If you choose not to use an external database, you must provide those values.
- The `smtp-password` should be replaced with the appropriate external value ([see how it's used by Web Modeler](/self-managed/modeler/web-modeler/configuration/configuration.md#smtp--email)).
```bash reference
@@ -569,7 +571,7 @@ Below is a summary of the necessary instructions:
1. Open Identity in your browser at `https://${DOMAIN_NAME}/identity`. You will be redirected to Keycloak and prompted to log in with a username and password.
2. Use `demo` as both the username and password.
3. Select **Add application** and select **M2M** as the type. Assign a name like "test."
-4. Select the newly created application. Then, select **Access to APIs > Assign permissions**, and select the **Zeebe API** with "write" permission.
+4. Select the newly created application. Then, select **Access to APIs > Assign permissions**, and select the **Core API** with "read" and "write" permission.
5. Retrieve the `client-id` and `client-secret` values from the application details
```shell
@@ -591,7 +593,7 @@ kubectl port-forward services/camunda-keycloak 18080:80 --namespace camunda
1. Open Identity in your browser at `http://localhost:8080`. You will be redirected to Keycloak and prompted to log in with a username and password.
2. Use `demo` as both the username and password.
3. Select **Add application** and select **M2M** as the type. Assign a name like "test."
-4. Select the newly created application. Then, select **Access to APIs > Assign permissions**, and select the **Zeebe API** with "write" permission.
+4. Select the newly created application. Then, select **Access to APIs > Assign permissions**, and select the **Core API** with "read" and "write" permission.
5. Retrieve the `client-id` and `client-secret` values from the application details
```shell
diff --git a/docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md b/docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
index 7a440c0e3b0..cad212c143a 100644
--- a/docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
+++ b/docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
@@ -96,25 +96,25 @@ Advanced users may want to handle this part differently and use a different back
#### Set up AWS authentication
The [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) is required to create resources in AWS. Before you can use the provider, you must authenticate it using your AWS credentials.
-You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods.
-We recommend using the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+:::caution Ownership of the created resources
-To configure the AWS CLI:
+A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
-```bash
-aws configure
-```
+:::
-Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods:
-:::caution Ownership of the created resources
+- For development or testing purposes you can use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+ To configure the AWS CLI:
-A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
+ ```bash
+ aws configure
+ ```
-[Create access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` variables to use with the AWS CLI and `eksctl`
+ Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
-:::
+- For production environments, we recommend the use of a dedicated IAM user. Create [access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console, and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
#### Create an S3 bucket for Terraform state management
diff --git a/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.jpg b/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.jpg
new file mode 100644
index 00000000000..0ef72f02ab6
Binary files /dev/null and b/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.jpg differ
diff --git a/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.pdf b/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.pdf
new file mode 100644
index 00000000000..f53db5315da
Binary files /dev/null and b/docs/self-managed/setup/deploy/amazon/assets/aws-ec2-arch.pdf differ
diff --git a/docs/self-managed/setup/deploy/amazon/aws-ec2.md b/docs/self-managed/setup/deploy/amazon/aws-ec2.md
new file mode 100644
index 00000000000..8ffb1beba7c
--- /dev/null
+++ b/docs/self-managed/setup/deploy/amazon/aws-ec2.md
@@ -0,0 +1,344 @@
+---
+id: aws-ec2
+title: "Amazon EC2"
+description: "Learn how to install Camunda 8 on AWS EC2 instances."
+---
+
+This guide provides a detailed walkthrough for installing the Camunda 8 single JAR on AWS EC2 instances. It focuses on managed services by AWS and their cloud offering. Finally, you will verify that the connection to your Self-Managed Camunda 8 environment is working.
+
+This guide focuses on setting up the [orchestration cluster](/self-managed/reference-architecture/reference-architecture.md#orchestration-cluster-vs-web-modeler-and-console) for Camunda 8. The Web Modeler and Console are not covered in this manual deployment approach. These components are supported on Kubernetes and should be [deployed using Kubernetes](/self-managed/setup/install.md/#install-web-modeler).
+
+:::note Using other Cloud providers
+This guide is built around the available tools and services that AWS offers, but is not limited to AWS. The scripts and ideas included can be adjusted for any other cloud provider and use case.
+
+When using this guide with a different cloud provider, note that you will be responsible for configuring and maintaining the resulting infrastructure. Our support is limited to questions related to the guide itself, not to the specific tools and services of the chosen cloud provider.
+:::
+
+:::warning Cost management
+Following this guide will incur costs on your Cloud provider account, namely for the EC2 instances, and OpenSearch. More information can be found on AWS and their [pricing calculator](https://calculator.aws/#/) as the total cost varies per region.
+
+To get an estimate, you can refer to this [example calculation](https://calculator.aws/#/estimate?id=8ce855e2d02d182c4910ec8b4ea2dbf42ea5fd1d), which can be further optimized to suit your specific use cases.
+:::
+
+## Architecture
+
+The architecture as depicted focuses on a standard deployment consisting of a three-node setup distributed over 3 [availability zones](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html) within an AWS region, as well as an OpenSearch domain with the same conditions. The focus is on a highly available setup and redundancy in case a zone should fail.
+
+
+
+
+_Infrastructure diagram for a 3 node EC2 architecture (click on the image to open the PDF version)_
+[](./assets/aws-ec2-arch.pdf)
+
+The setup consists of:
+
+- [Virtual Private Cloud](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) (VPC) is a logically isolated virtual network.
+ - a [Private Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html), which does not have direct access to the internet and cannot be easily reached.
+ - three [EC2](https://aws.amazon.com/ec2/) instances using Ubuntu, one within each availability zone, which will run Camunda 8.
+ - a [managed OpenSearch](https://aws.amazon.com/what-is/opensearch/) cluster stretched over the three availability zones.
+ - a [Public Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html), which allows direct access to the Internet via an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html).
+ - (optional) an [Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html) (ALB) is used to expose the WebUIs like Operate, Tasklist, and Connectors, as well as the REST API to the outside world. This is done using sticky sessions, as generally requests are distributed round-robin across all EC2 instances.
+ - (optional) a [Network Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) (NLB) is used to expose the gRPC endpoint of the Zeebe Gateway, in case external applications require it.
+ - (optional) a [Bastion Host](https://en.wikipedia.org/wiki/Bastion_host) to allow access to the private EC2 instances since they're not publicly exposed.
+ - Alternatively, utilize the [AWS Client VPN](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) instead to reach the private subnet within the VPC. The setup requires extra work and certificates, but can be set up by following the [getting started tutorial by AWS](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html).
+ - a NAT Gateway that allows the private EC2 instances to reach the internet to download and update software packages. This cannot be used to access the EC2 instances.
+- [Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) to handle traffic flow to the VMs.
+- an [Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html) to allow traffic between the VPC and the Internet.
+
+Both types of subnets are distributed over three availability zones of a single AWS region, allowing for a highly available setup.
+
+:::note Single Deployment
+Alternatively, the same setup can run with a single AWS EC2 instance, but be aware that in case of a zone failure, the whole setup would be unreachable.
+:::
+
+## Requirements
+
+- An AWS account to create any resources within AWS.
+ - On a high level, permissions are required on the **ec2**, **iam**, **elasticloadbalancing**, **kms**, **logs**, and **es** level.
+ - For a more fine-grained view of the permissions, check this [example policy](https://github.com/camunda/camunda-deployment-references/blob/main/aws/ec2/example/policy.json).
+- Terraform (1.7+)
+- Unix based Operating System (OS) with ssh and sftp
+ - Windows may be used with [Cygwin](https://www.cygwin.com/) or [Windows WSL](https://learn.microsoft.com/en-us/windows/wsl/install) but has not been tested
+
+### Considerations
+
+- The Optimize importer is not highly available and must only run once within the whole setup.
+
+### Outcome
+
+The outcome is a fully working Camunda orchestration cluster running in a high availability setup using AWS EC2 and utilizing a managed OpenSearch domain.
+The EC2 instances come with an extra disk meant for Camunda to ensure that the content is separated from the operating system.
+
+## 1. Create the required infrastructure
+
+:::note Terraform infrastructure example
+We do not recommend using the below Terraform related infrastructure as module as we do not guarantee compatibility.
+Therefore, we recommend extending or reusing some elements of the Terraform example to ensure compatibility with your environments.
+:::
+
+### Download the reference architecture GitHub repository
+
+The provided reference architecture repository allows you to directly reuse and extend the existing Terraform example base. This sample implementation is flexible to extend to your own needs without the potential limitations of a Terraform module.
+
+```sh
+wget https://github.com/camunda/camunda-deployment-references/archive/refs/heads/main.zip
+```
+
+### Update the configuration files
+
+1. Navigate to the new directory:
+
+```sh
+cd camunda-deployment-references-main/aws/ec2/terraform
+```
+
+2. Edit the `variables.tf` file to customize the settings, such as the prefix for resource names and CIDR blocks:
+
+```hcl
+variable "prefix" {
+ default = "example"
+}
+
+variable "cidr_blocks" {
+ default = "10.0.1.0/24"
+}
+```
+
+3. In `config.tf`, configure a new Terraform backend by updating `backend "local"` to [AWS 3](https://developer.hashicorp.com/terraform/language/backend/s3) (or any other non-`local` backend that fits your organization).
+
+:::note
+`local` is meant for testing and development purposes. The state is saved locally, and does not allow to easily share it with colleagues. More information on alternatives can be found in the [Terraform documentation](https://developer.hashicorp.com/terraform/language/backend).
+:::
+
+### Configure the Terraform AWS provider
+
+1. Add the [Terraform AWS provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) in the `config.tf`:
+
+```hcl
+provider "aws" {}
+```
+
+This can be done via a simple script or manually:
+
+```sh
+echo 'provider "aws" {}' >> config.tf
+```
+
+:::note
+This is a current technical limitation, as the same files are used for testing. Terraform does not allow defining the provider twice.
+:::
+
+1. Configure authentication to allow the [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) to create resources in AWS. You must configure the provider with the proper credentials before using it. You can further change the region and other preferences and explore different authentication methods.
+
+There are several ways to authenticate the AWS provider:
+
+ - **Testing/development**: Use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html) to configure access. Terraform will automatically default to AWS CLI configuration when present.
+ - **CI/CD**: Set the environment variables `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, which can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+ - **Enterprise grade security**: Use an [AWS IAM role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assuming-an-iam-role).
+
+Ensure you have set the `AWS_REGION` either as environment variable or in the Terraform AWS provider to deploy the infrastructure in your desired region. AWS resources are region bound on creation.
+
+:::note Secret management
+We strongly recommend managing sensitive information using a secure secrets management solution like HashiCorp Vault. For details on how to inject secrets directly into Terraform via Vault, see the [Terraform Vault secrets injection guide](https://developer.hashicorp.com/terraform/tutorials/secrets/secrets-vault).
+:::
+
+### Initialize and deploy Terraform
+
+1. Initialize the Terraform working directory. This step downloads the necessary provider plugins:
+
+```sh
+terraform init
+```
+
+1. Plan the configuration files:
+
+```sh
+terraform plan -out infrastructure.plan # describe what will be created
+```
+
+1. After reviewing the plan, confirm and apply the changes:
+
+```sh
+terraform apply infrastructure.plan # apply the creation
+```
+
+The execution takes roughly 30 minutes. Around 25 minutes is solely for the creation of a managed highly available OpenSearch cluster.
+
+1. After the infrastructure is created, access the outputs defined in `outputs.tf` using `terraform output`.
+
+For example, to retrieve the OpenSearch endpoint:
+
+```sh
+terraform output aws_opensearch_domain
+```
+
+### Connect to remote machines via Bastion host (optional)
+
+The EC2 instances are not public and have to be reached via a Bastion host. Alternatively, utilize the [AWS VPN Client](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) to connect securely to a private VPC. This step is not described, as setup requires specific manual user interaction.
+
+```sh
+export BASTION_HOST=$(terraform output -raw bastion_ip)
+# retrieves the first IP from the camunda_ips array
+export CAMUNDA_IP=$(tf output -json camunda_ips | jq -r '.[0]')
+
+ssh -J admin@${BASTION_HOST} admin@${CAMUNDA_IP}
+```
+
+## 2. Deploy Camunda 8
+
+### Configure and run the installation script
+
+1. Navigate to the script directory:
+
+```sh
+cd camunda-deployment-references-main/aws/ec2/scripts
+```
+
+The script directory contains bash scripts that can be used to install and configure Camunda 8.
+
+2. Configure any script features using the following environment variables:
+
+ - `CLOUDWATCH_ENABLED`: The default is false. If set to true will install the CloudWatch agent on each EC2 instance and export Camunda logs and Prometheus metrics to AWS CloudWatch.
+ - `SECURITY`: The default is false. If set to true will use self-signed certificates to secure cluster communication, based on the procedure described in the [documentation](/self-managed/zeebe-deployment/security/secure-cluster-communication.md). This requires a manual step as a prerequisite as described below in step 3.
+
+3. Configure any variables in the `camunda-install.sh` script to overwrite the default for Camunda and Java versions:
+
+ - `OPENJDK_VERSION`: The Temurin Java version.
+ - `CAMUNDA_VERSION`: The Camunda 8 version.
+ - `CAMUNDA_CONNECTORS_VERSION`: The Camunda 8 connectors version.
+
+ :::note
+ The above variables must be set in `camunda-install.sh` . They cannot be set as environment variables.
+ :::
+
+4. Execute the `SECURITY` script (optional):
+
+If `SECURITY` was enabled in step 2, execute the `generate-self-signed-cert-authority.sh` script to create a certificate authority.
+
+This certificate should be saved somewhere securely, as it will be required to upgrade or change configuations in an automated way. If the certificate is lost, recreate the certificate authority via the script and all manually created client certificates.
+
+:::note Self-signed certificates for testing
+Self-signed certificates are advocated for development and testing purposes. Check the [documentation](/self-managed/zeebe-deployment/security/secure-cluster-communication.md) on secure cluster communication to learn more about PEM certificates.
+:::
+
+1. Execute the `all-in-one-install.sh` script.
+
+This script installs all required dependencies. Additionally, it configures Camunda 8 to run in a highly available setup by using a managed OpenSearch instance.
+
+The script will pull all required IPs and other information from the Terraform state via Terraform outputs.
+
+During the first installation, you will be asked to confirm the connection to each EC2 instance by typing `yes`.
+
+### Connect and use Camunda 8
+
+The Application Load Balancer (ALB) and the Network Load Balancer (NLB) can be accessed via the following Terraform outputs:
+
+- `terraform output alb_endpoint`: Access Operate (or the Connectors instance on port `9090`). The ALB is designed for handling Web UIs, such as Operate, Tasklist, Optimize, and Connectors.
+- `terraform output nlb_endpoint`: Access the gRPC endpoint of the Zeebe gateway. The NLB is intended for managing the gRPC endpoint of the Zeebe Gateway. This is due to the difference of protocols with ALB focusing on HTTP and NLB on TCP.
+
+The two endpoints above use the publicly assigned hostname of AWS. Add your domain via CNAME records or use [Route53](https://aws.amazon.com/route53/) to map to the load balancers, allowing them to easily enable SSL. This will require extra work in the Terraform blueprint as it listens to HTTP by default.
+
+Alternatively, if you have decided not to expose your environment, you can use the jump host to access relevant services on your local machine via port-forwarding.
+
+For an enterprise grade solution, you can utilize the [AWS Client VPN](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) instead to reach the private subnet within the VPC. The setup requires extra work and certificates, described in the [getting started tutorial by AWS](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html).
+
+The following can be executed from within the Terraform folder to bind the remote ports to your local machine:
+
+```sh
+export BASTION_HOST=$(terraform output -raw bastion_ip)
+# retrieves the first IP from the camunda_ips array
+export CAMUNDA_IP=$(tf output -json camunda_ips | jq -r '.[0]')
+
+# 26500 - gRPC; 8080 - WebUI; 9090 - Connectors
+ssh -L 26500:${CAMUNDA_IP}:26500 -L 8080:${CAMUNDA_IP}:8080 -L 9090:${CAMUNDA_IP}:9090 admin@${BASTION_HOST}
+```
+
+### Turn off bastion host (optional)
+
+If you used the [bastion host](#turn-off-bastion-host-optional) for access, it can be turned off when longer needed for direct access to the EC2 instances.
+
+To turn off the bastion host, set the `enable_jump_host` variable to `false` in the `variables.tf` file, and reapply Terraform.
+
+## 3. Verify connectivity to Camunda 8
+
+Using Terraform, you can obtain the HTTP endpoint of the Application Load Balancer and interact with Camunda through the [REST API](/apis-tools/camunda-api-rest/camunda-api-rest-overview.md).
+
+1. Navigate to the Terraform folder:
+
+```sh
+cd camunda-deployment-references-main/aws/ec2/terraform
+```
+
+2. Retrieve the Application Load Balancer output:
+
+```sh
+terraform output -raw alb_endpoint
+```
+
+3. Use the REST API to communicate with Camunda:
+
+Follow the example in the [REST API documentation](/apis-tools/camunda-api-rest/camunda-api-rest-authentication.md) to authenticate and retrieve the cluster topology.
+
+## Manage Camunda 8
+
+### Upgrade Camunda 8
+
+:::info Direct upgrade not supported
+Upgrading directly from a Camunda 8.6 release to 8.7 is not supported and cannot be performed.
+:::
+
+To update to a new patch release, the recommended approach is as follows:
+
+1. Remove the `jars` folder: This step ensures that outdated dependencies from previous versions are completely removed.
+2. Overwrite remaining files: Replace the existing files with those from the downloaded patch release package.
+3. Restart Camunda 8.
+
+The update process can be automated using the `all-in-one-install.sh` script, which performs the following steps:
+
+- Detects an existing Camunda 8 installation.
+- Deletes the jars folder to clear outdated dependencies.
+- Overwrites the remaining files with the updated version.
+- Regenerates configuration files.
+- Restarts the application to apply the updates.
+
+### Monitoring
+
+Our default way of exposing metrics is in the Prometheus format, please conduct the general [metrisc related documentation](/self-managed/zeebe-deployment/operations/metrics.md) to learn more how to scrape Camunda 8.
+
+In an AWS environment, you can leverage CloudWatch not only for log collection but also for gathering [Prometheus metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights-Prometheus-metrics.html). It's important to note that while Camunda natively supports Grafana and Prometheus, integrating CloudWatch for metric visualization is possible but requires additional configuration.
+
+### Backups
+
+Please conduct the general topic of backups in the [documentation](/self-managed/operational-guides/backup-restore/backup-and-restore.md).
+
+With AWS as chosen platform you can utilize [S3](https://aws.amazon.com/s3/) for the backups both for Zeebe and Elasticsearch.
+
+If you are using a managed OpenSearch domain instead, you should check out the [official documentation](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/managedomains-snapshots.html) on creating backups and snapshots in OpenSearch.
+
+## Troubleshooting
+
+Please conduct the general topic of troubleshooting in the [documentation](/self-managed/operational-guides/troubleshooting/troubleshooting.md).
+
+
+
+
diff --git a/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg b/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg
new file mode 100644
index 00000000000..862eacd4fe0
Binary files /dev/null and b/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg differ
diff --git a/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf b/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf
new file mode 100644
index 00000000000..5506e354c8c
Binary files /dev/null and b/docs/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf differ
diff --git a/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup.md b/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup.md
new file mode 100644
index 00000000000..150827308ef
--- /dev/null
+++ b/docs/self-managed/setup/deploy/amazon/openshift/terraform-setup.md
@@ -0,0 +1,384 @@
+---
+id: terraform-setup
+title: "Deploy a ROSA HCP Cluster with Terraform"
+description: "Deploy Red Hat OpenShift on AWS using a Terraform module for a quick Camunda 8 setup."
+---
+
+
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+This guide provides a detailed tutorial for deploying a [Red Hat OpenShift on AWS (ROSA) cluster with Hosted Control Plane (HCP)](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html-single/architecture/index#architecture-overview) capabilities. It is specifically tailored for deploying Camunda 8 using Terraform, a widely-used Infrastructure as Code (IaC) tool.
+
+We recommend this guide for building a robust and sustainable infrastructure. However, if you are looking for a quicker trial or proof of concept, or if your needs aren't fully met by our module, consider following the official [ROSA Quickstart Guide](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/getting_started/rosa-quickstart-guide-ui#rosa-quickstart-guide-ui).
+
+This guide aims to help you leverage IaC to streamline and reproduce your cloud infrastructure setup. While it covers the essentials for deploying an ROSA HCP cluster, for more advanced use cases, please refer to the official [Red Hat OpenShift on AWS Documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4).
+
+:::tip
+
+If you are completely new to Terraform and the idea of IaC, read through the [Terraform IaC documentation](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code) and give their [interactive quick start](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code#quick-start) a try for a basic understanding.
+
+:::
+
+## Requirements
+
+- A [Red Hat Account](https://www.redhat.com/) to create the Red Hat OpenShift cluster.
+- An [AWS account](https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html) to create any resources within AWS.
+- [AWS CLI (2.17+)](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html), a CLI tool for creating AWS resources.
+- [Terraform (1.9+)](https://developer.hashicorp.com/terraform/downloads)
+- [kubectl (1.30+)](https://kubernetes.io/docs/tasks/tools/#kubectl) to interact with the cluster.
+- [ROSA CLI](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/getting_started/rosa-quickstart-guide-ui#rosa-getting-started-environment-setup_rosa-quickstart-guide-ui) to interact with the cluster.
+- [jq (1.7+)](https://jqlang.github.io/jq/download/) to interact with some Terraform variables.
+- This guide uses GNU/Bash for all the shell commands listed.
+
+### Considerations
+
+This setup provides a foundational starting point for working with Camunda 8, though it is not optimized for peak performance. It serves as a solid initial step in preparing a production environment by leveraging [Infrastructure as Code (IaC) tools](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code).
+
+Terraform can seem complex at first. If you're interested in understanding what each component does, consider trying out the [Red Hat OpenShift on AWS UI-based tutorial](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/getting-started-with-rosa#creating-account-wide-roles). This guide will show you what resources are created and how they interact with each other.
+
+If you require managed services for PostgreSQL Aurora or OpenSearch, you can refer to the definitions provided in the [EKS setup with Terraform](../amazon-eks/terraform-setup.md) guide. However, please note that these configurations may need adjustments to fit your specific requirements and have not been tested. By default, this guide assumes that the database services (PostgreSQL and Elasticsearch) integrated into the default chart will be used.
+
+For testing Camunda 8 or developing against it, you might consider signing up for our [SaaS offering](https://camunda.com/platform/). If you already have a Red Hat OpenShift cluster on AWS, you can skip ahead to the [Helm setup guide](/self-managed/setup/deploy/openshift/redhat-openshift.md).
+
+To keep this guide concise, we provide links to additional documentation covering best practices, allowing you to explore each topic in greater depth.
+
+:::warning Cost management
+
+Following this guide will incur costs on your cloud provider account and your Red Hat account, specifically for the managed OpenShift service, OpenShift worker nodes running in EC2, the hosted control plane, Elastic Block Storage (EBS), and Route 53. For more details, refer to [ROSA AWS pricing](https://aws.amazon.com/rosa/pricing/) and the [AWS Pricing Calculator](https://calculator.aws/#/) as total costs vary by region.
+
+:::
+
+### Variants
+
+Unlike the [EKS Terraform setup](../amazon-eks/terraform-setup.md), we currently support only one main variant of this setup:
+
+- The **standard installation** uses a username and password connection for Camunda components (or relies solely on network isolation for certain components). This option is straightforward and easier to implement, making it ideal for environments where simplicity and rapid deployment are priorities, or where network isolation provides adequate security.
+
+- The second variant, **IRSA** (IAM Roles for Service Accounts), may work but has not been tested. If you’re interested in setting it up, please refer to the EKS guide as a foundational resource.
+
+### Outcome
+
+
+
+
+_Infrastructure diagram for a single region ROSA setup (click on the image to open the PDF version)_
+[](./assets/rosa-single-region.pdf)
+
+Following this tutorial and steps will result in:
+
+- A [Red Hat OpenShift with Hosted Control Plane](https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes#rosa-with-hcp) cluster running the latest ROSA version with six nodes ready for Camunda 8 installation.
+- The [EBS CSI driver](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html) is installed and configured, which is used by the Camunda 8 Helm chart to create [persistent volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/).
+
+## 1. Configure AWS and initialize Terraform
+
+### Terraform prerequisites
+
+To manage the infrastructure for Camunda 8 on AWS using Terraform, we need to set up Terraform's backend to store the state file remotely in an S3 bucket. This ensures secure and persistent storage of the state file.
+
+:::note
+Advanced users may want to handle this part differently and use a different backend. The backend setup provided is an example for new users.
+:::
+
+#### Set up AWS authentication
+
+The [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) is required to create resources in AWS. Before you can use the provider, you must authenticate it using your AWS credentials.
+
+:::caution Ownership of the created resources
+
+A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
+
+:::
+
+You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods:
+
+- For development or testing purposes you can use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+ To configure the AWS CLI:
+
+ ```bash
+ aws configure
+ ```
+
+ Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+
+- For production environments, we recommend the use of a dedicated IAM user. Create [access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console, and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+
+#### Create an S3 bucket for Terraform state management
+
+Before setting up Terraform, you need to create an S3 bucket that will store the state file. This is important for collaboration and to prevent issues like state file corruption.
+
+To start, set the region as an environment variable upfront to avoid repeating it in each command:
+
+```bash
+export AWS_REGION=
+```
+
+Replace `` with your chosen AWS region (for example, `eu-central-1`).
+
+Now, follow these steps to create the S3 bucket with versioning enabled:
+
+1. Open your terminal and ensure the AWS CLI is installed and configured.
+
+1. Run the following command to create an S3 bucket for storing your Terraform state. Make sure to use a unique bucket name and set the `AWS_REGION` environment variable beforehand:
+
+ ```bash
+ # Replace "my-rosa-tf-state" with your unique bucket name
+ export S3_TF_BUCKET_NAME="my-rosa-tf-state"
+
+ aws s3api create-bucket --bucket "$S3_TF_BUCKET_NAME" --region "$AWS_REGION" \
+ --create-bucket-configuration LocationConstraint="$AWS_REGION"
+ ```
+
+1. Enable versioning on the S3 bucket to track changes and protect the state file from accidental deletions or overwrites:
+
+ ```bash
+ aws s3api put-bucket-versioning --bucket "$S3_TF_BUCKET_NAME" --versioning-configuration Status=Enabled --region "$AWS_REGION"
+ ```
+
+1. Secure the bucket by blocking public access:
+
+ ```bash
+ aws s3api put-public-access-block --bucket "$S3_TF_BUCKET_NAME" --public-access-block-configuration \
+ "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" --region "$AWS_REGION"
+ ```
+
+1. Verify versioning is enabled on the bucket:
+
+ ```bash
+ aws s3api get-bucket-versioning --bucket "$S3_TF_BUCKET_NAME" --region "$AWS_REGION"
+ ```
+
+This S3 bucket will now securely store your Terraform state files with versioning enabled.
+
+#### Create a `config.tf` with the following setup
+
+Once the S3 bucket is created, configure your `config.tf` file to use the S3 backend for managing the Terraform state:
+
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/config.tf
+```
+
+#### Initialize Terraform
+
+Once your `config.tf` and authentication are set up, you can initialize your Terraform project. The previous steps configured a dedicated S3 Bucket (`S3_TF_BUCKET_NAME`) to store your state, and the following creates a bucket key that will be used by your configuration.
+
+Configure the backend and download the necessary provider plugins:
+
+```bash
+export S3_TF_BUCKET_KEY="camunda-terraform/terraform.tfstate"
+
+echo "Storing terraform state in s3://$S3_TF_BUCKET_NAME/$S3_TF_BUCKET_KEY"
+
+terraform init -backend-config="bucket=$S3_TF_BUCKET_NAME" -backend-config="key=$S3_TF_BUCKET_KEY"
+```
+
+Terraform will connect to the S3 bucket to manage the state file, ensuring remote and persistent storage.
+
+### OpenShift cluster module setup
+
+This module sets up the foundational configuration for ROSA HCP and Terraform usage.
+
+We will leverage [Terraform modules](https://developer.hashicorp.com/terraform/language/modules), which allow us to abstract resources into reusable components, simplifying infrastructure management.
+
+The [Camunda-provided module](https://github.com/camunda/camunda-tf-rosa) is publicly available and serves as a robust starting point for deploying a Red Hat OpenShift cluster on AWS using a Hosted Control Plane. It is highly recommended to review this module before implementation to understand its structure and capabilities.
+
+Please note that this module is based on the official [ROSA HCP Terraform module documentation](https://docs.openshift.com/rosa/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.html). It is presented as an example for running Camunda 8 in ROSA. For advanced use cases or custom setups, we encourage you to use the official module, which includes vendor-supported features.
+
+#### Set up ROSA authentication
+
+To set up a ROSA cluster, certain prerequisites must be configured on your AWS account. Below is an excerpt from the [official ROSA planning prerequisites checklist](https://docs.openshift.com/rosa/rosa_planning/rosa-cloud-expert-prereq-checklist.html):
+
+1. Verify that your AWS account is correctly configured:
+
+ ```bash
+ aws sts get-caller-identity
+ ```
+
+1. Check if the ELB service role exists, as if you have never created a load balancer in your AWS account, the role for Elastic Load Balancing (ELB) might not exist yet:
+
+ ```bash
+ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
+ ```
+
+ If it doesn't exist, create it:
+
+ ```bash
+ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
+ ```
+
+1. Create a Red Hat Hybrid Cloud Console account if you don’t already have one: [Red Hat Hybrid Cloud Console](https://console.redhat.com/).
+
+1. Enable ROSA on your AWS account via the [AWS Console](https://console.aws.amazon.com/rosa/).
+
+1. Enable HCP ROSA on [AWS Marketplace](https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.html):
+
+ - Navigate to the ROSA console: [AWS ROSA Console](https://console.aws.amazon.com/rosa).
+ - Choose **Get started**.
+ - On the **Verify ROSA prerequisites** page, select **I agree to share my contact information with Red Hat**.
+ - Choose **Enable ROSA**.
+
+ **Note**: Only a single AWS account can be associated with a Red Hat account for service billing.
+
+1. Install the ROSA CLI from the [OpenShift AWS Console](https://console.redhat.com/openshift/downloads#tool-rosa).
+
+1. Get an API token, go to the [OpenShift Cluster Management API Token](https://console.redhat.com/openshift/token/rosa), click **Load token**, and save it. Use the token to log in with ROSA CLI:
+
+ ```bash
+ export RHCS_TOKEN=""
+ rosa login --token="$RHCS_TOKEN"
+
+ # Verify the login
+ rosa whoami
+ ```
+
+1. Verify your AWS quotas:
+
+ ```bash
+ rosa verify quota --region="$AWS_REGION"
+ ```
+
+ **Note**: This may fail due to organizational policies.
+
+1. Create the required account roles:
+
+ ```bash
+ rosa create account-roles --mode auto
+ ```
+
+1. Verify your AWS quotas, and if quotas are insufficient, consult the following:
+
+ - [Provisioned AWS Infrastructure](https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs)
+ - [Required AWS Service Quotas](https://docs.openshift.com/rosa/rosa_planning/rosa-sts-required-aws-service-quotas.html#rosa-sts-required-aws-service-quotas)
+
+1. Ensure the `oc` CLI is installed. If it’s not already installed, follow the [official ROSA oc installation guide](https://docs.openshift.com/rosa/cli_reference/openshift_cli/getting-started-cli.html#cli-getting-started):
+
+ ```bash
+ rosa verify openshift-client
+ ```
+
+#### Set up the ROSA cluster module
+
+1. Create a `cluster.tf` file in the same directory as your `config.tf` file.
+2. Add the following content to your newly created `cluster.tf` file to utilize the provided module:
+
+ :::note Configure your cluster
+
+ Customize the cluster name, availability zones, with the values you previously retrieved from the Red Hat Console.
+ Additionally, provide a secure username and password for the cluster administrator.
+
+ Ensure that you have set the environment `RHCS_TOKEN` is set with your [OpenShift Cluster Management API Token](https://console.redhat.com/openshift/token/rosa).
+
+ By default, this cluster will be accessible from the internet. If you prefer to restrict access, please refer to the official documentation of the module.
+
+ :::
+
+ ```hcl reference
+ https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/cluster.tf
+ ```
+
+ :::caution Camunda Terraform module
+
+ This ROSA module is based on the [official Red Hat Terraform module for ROSA HCP](https://registry.terraform.io/modules/terraform-redhat/rosa-hcp/rhcs/latest). Please be aware of potential differences and choices in implementation between this module and the official one.
+
+ We invite you to consult the [Camunda ROSA module documentation](https://github.com/camunda/camunda-tf-rosa/blob/v2.0.0/modules/rosa-hcp/README.md) for more information.
+
+ :::
+
+3. [Initialize](#initialize-terraform) Terraform for this module using the following Terraform command:
+
+ ```bash
+ terraform init -backend-config="bucket=$S3_TF_BUCKET_NAME" -backend-config="key=$S3_TF_BUCKET_KEY"
+ ```
+
+4. Configure user access to the cluster. By default, the user who creates the OpenShift cluster has administrative access. If you want to grant access to other users, follow the [Red Hat documentation for granting admin rights to users](https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.html) when the cluster is created.
+
+5. Customize the cluster setup. The module offers various input options that allow you to further customize the cluster configuration. For a comprehensive list of available options and detailed usage instructions, refer to the [ROSA module documentation](https://github.com/camunda/camunda-tf-rosa/blob/v2.0.0/modules/rosa-hcp/README.md).
+
+### Define outputs
+
+**Terraform** allows you to define outputs, which make it easier to retrieve important values generated during execution, such as cluster endpoints and other necessary configurations for Helm setup.
+
+Each module that you have previously set up contains an output definition at the end of the file. You can adjust them to your needs.
+
+### Execution
+
+:::note Secret management
+
+We strongly recommend managing sensitive information (for example, the OpenSearch or Aurora username and password) using a secure secrets management solution like HashiCorp Vault. For details on how to inject secrets directly into Terraform via Vault, see the [Terraform Vault Secrets Injection Guide](https://developer.hashicorp.com/terraform/tutorials/secrets/secrets-vault).
+
+:::
+
+1. Open a terminal in the created Terraform folder where `config.tf` and other `.tf` files are.
+
+2. Plan the configuration files:
+
+ ```bash
+ terraform plan -out cluster.plan # describe what will be created
+ ```
+
+3. After reviewing the plan, you can confirm and apply the changes.
+
+ ```bash
+ terraform apply cluster.plan # apply the creation
+ ```
+
+Terraform will now create the OpenShift cluster with all the necessary configurations. The completion of this process may require approximately 20-30 minutes for each component.
+
+### Reference files
+
+Depending on the installation path you have chosen, you can find the reference files used on this page:
+
+- **Standard installation:** [Reference Files](https://github.com/camunda/camunda-deployment-references/tree/feature/openshift-ra-standard/aws/rosa-hcp/camunda-versions/8.7)
+
+## 2. Preparation for Camunda 8 installation
+
+### Access the created OpenShift cluster
+
+You can access the created OpenShift cluster using the following steps:
+
+Set up the required environment variables:
+
+```shell
+export CLUSTER_NAME="$(terraform console <<
+
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
Red Hat OpenShift, a Kubernetes distribution maintained by [Red Hat](https://www.redhat.com/en/technologies/cloud-computing/openshift), provides options for both managed and on-premises hosting.
-:::note
-Deploying Camunda 8 on Red Hat OpenShift is achievable using Helm, given the appropriate configurations. However, it's important to note that the [Security Context Constraints (SCCs)](#security-context-constraints-sccs) and [Routes](./redhat-openshift.md?current-ingress=openshift-routes#using-openshift-routes) configurations might require slight deviations from the guidelines provided in the [general Helm deployment guide](/self-managed/setup/install.md).
-:::
+Deploying Camunda 8 on Red Hat OpenShift is supported using Helm, given the appropriate configurations.
+
+However, it's important to note that the [Security Context Constraints (SCCs)](#security-context-constraints-sccs) and [Routes](./redhat-openshift.md?current-ingress=openshift-routes#using-openshift-routes) configurations might require slight deviations from the guidelines provided in the [general Helm deployment guide](/self-managed/setup/install.md).
## Cluster Specification
When deploying Camunda 8 on an OpenShift cluster, the cluster specification should align with your specific requirements and workload characteristics. Here's a suggested configuration to begin with:
-- **Instance type:** 4 vCPUs (x86_64, >3.1 GHz), 16 GiB Memory (for example, [m5.xlarge on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
+- **Instance type:** 4 vCPUs (x86_64, >3.1 GHz), 16 GiB Memory (for example, [mi7.xlarge on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
- **Number of dedicated nodes:** 4
- **Volume type:** SSD volumes (with between 1000 and 3000 IOPS per volume, and a throughput of 1,000 MB/s per volume, for instance, [gp3 on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
+If you need to set up an OpenShift cluster on a cloud provider, we recommend our [guide to deploying a ROSA cluster](/self-managed/setup/deploy/amazon/openshift/terraform-setup.md).
+
### Supported Versions
We conduct testing and ensure compatibility against the following OpenShift versions:
| OpenShift Version | [End of Support Date](https://access.redhat.com/support/policy/updates/openshift) |
| ----------------- | --------------------------------------------------------------------------------- |
+| 4.17.x | June 27, 2025 |
| 4.16.x | December 27, 2025 |
| 4.15.x | August 27, 2025 |
| 4.14.x | May 1, 2025 |
-| 4.13.x | November 17, 2024 |
-:::caution
+:::caution Versions compatibility
+
Camunda 8 supports OpenShift versions in the Red Hat General Availability, Full Support, and Maintenance Support life cycle phases. For more information, refer to the [Red Hat OpenShift Container Platform Life Cycle Policy](https://access.redhat.com/support/policy/updates/openshift).
+
:::
-## Deploying Camunda 8 in OpenShift
+## Requirements
-Depending on your OpenShift cluster's Security Context Constraints (SCCs) configuration, the deployment process may vary.
+- [Helm (3.16+)](https://helm.sh/docs/intro/install/)
+- [kubectl (1.30+)](https://kubernetes.io/docs/tasks/tools/#kubectl) to interact with the cluster.
+- [jq (1.7+)](https://jqlang.github.io/jq/download/) to interact with some variables.
+- [GNU envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) to generate manifests.
+- [oc (version supported by your OpenShift)](https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/getting-started-cli.html) to interact with OpenShift.
+- A namespace to host the Camunda Platform, in this guide we will reference `camunda` as the target namespace.
-
-
+## Deploy Camunda 8 via Helm charts
+
+### Configure your deployment
+
+Start by creating a `values.yml` file to store the configuration for your environment.
+This file will contain key-value pairs that will be substituted using `envsubst`.
+Over this guide, you will add and merge values in this file to configure your deployment to fit your needs.
+
+You can find a reference example of this file here:
+
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/base.yml
+```
+
+:::warning Merging YAML files
+
+This guide references multiple configuration files that need to be merged into a single YAML file. Be cautious to avoid duplicate keys when merging the files. Additionally, pay close attention when copying and pasting YAML content. Ensure that the separator notation `---` does not inadvertently split the configuration into multiple documents.
+
+We strongly recommend double-checking your YAML file before applying it. You can use tools like [yamllint.com](https://www.yamllint.com/) or the [YAML Lint CLI](https://github.com/adrienverge/yamllint) if you prefer not to share your information online.
+
+:::
+
+#### Configuring the Ingress
+
+Before exposing services outside the cluster, we need an Ingress component. Here's how you can configure it:
+
+
+
+
+
+[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) expose services externally by linking a URL to a service within the cluster. OpenShift supports both the [standard Kubernetes Ingress and routes](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html), giving cluster users the flexibility to choose.
+
+The presence of routes is rooted in their specification predating Ingress. The functionality of routes differs from Ingress; for example, unlike Ingress, routes don't allow multiple services to be linked to a single route or the use of paths.
+
+To use these routes for the Zeebe Gateway, configure this through Ingress as well.
+
+#### Setting Up the application domain for Camunda 8
+
+The route created by OpenShift will use a domain to provide access to the platform. By default, you can use the OpenShift applications domain, but any other domain supported by the router can also be used.
+
+To retrieve the OpenShift applications domain (used as an example here), run the following command:
+
+```bash
+export OPENSHIFT_APPS_DOMAIN=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')
+```
+
+Next, define the route domain that will be used for the Camunda 8 deployment. For example:
+
+```bash
+export DOMAIN_NAME="camunda.$OPENSHIFT_APPS_DOMAIN"
+
+echo "Camunda 8 will be reachable from $DOMAIN_NAME"
+```
+
+If you choose to use a custom domain instead, ensure it is supported by your router configuration and replace the example domain with your desired domain. For more details on configuring custom domains in OpenShift, refer to the official [custom domain OpenShift documentation](https://docs.openshift.com/dedicated/applications/deployments/osd-config-custom-domains-applications.html).
+
+#### Checking if HTTP/2 is enabled
+
+As the Zeebe Gateway also uses `gRPC` (which relies on `HTTP/2`), [HTTP/2 Ingress Connectivity must be enabled](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress).
+
+To check if HTTP/2 is already enabled on your OpenShift cluster, run the following command:
+
+```bash
+oc get ingresses.config/cluster -o json | jq '.metadata.annotations."ingress.operator.openshift.io/default-enable-http2"'
+```
+
+Alternatively, if you use a dedicated IngressController for the deployment:
+
+```bash
+# List your IngressControllers
+oc -n openshift-ingress-operator get ingresscontrollers
+
+# Replace with your IngressController name
+oc -n openshift-ingress-operator get ingresscontrollers/ -o json | jq '.metadata.annotations."ingress.operator.openshift.io/default-enable-http2"'
+```
+
+- If the output is `"true"`, it means HTTP/2 is enabled.
+- If the output is `null` or empty, HTTP/2 is not enabled.
+
+
+ Enable HTTP/2
+
+If HTTP/2 is not enabled, you can enable it by running the following command:
+
+**IngressController configuration:**
+
+```bash
+oc -n openshift-ingress-operator annotate ingresscontrollers/ ingress.operator.openshift.io/default-enable-http2=true
+```
+
+**Global cluster configuration:**
+
+```bash
+oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true
+```
+
+This will add the necessary annotation to [enable HTTP/2 for Ingress in your OpenShift cluster](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress) globally on the cluster.
+
+
+
+#### Configure Route TLS
+
+Additionally, the Zeebe Gateway should be configured to use an encrypted connection with TLS. In OpenShift, the connection from HAProxy to the Zeebe Gateway service can use HTTP/2 only for re-encryption or pass-through routes, and not for edge-terminated or insecure routes.
-### With restrictive SCCs
+1. **Core Pod:** two [TLS secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for the Zeebe Gateway are required, one for the **service** and the other one for the **route**:
+ - The first TLS secret is issued to the Zeebe Gateway Service Name. This must use the [PKCS #8 syntax](https://en.wikipedia.org/wiki/PKCS_8) or [PKCS #1 syntax](https://en.wikipedia.org/wiki/PKCS_1) as Zeebe only supports these, referenced as `camunda-platform-internal-service-certificate`. This certificate is also use in the other components such as Operate, Tasklist.
+
+ In the example below, a TLS certificate is generated for the Zeebe Gateway service with an [annotation](https://docs.openshift.com/container-platform/latest/security/certificates/service-serving-certificate.html). The generated certificate will be in the form of a secret.
+
+ Another option is [Cert Manager](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html). For more details, review the [OpenShift documentation](https://docs.openshift.com/container-platform/latest/networking/routes/secured-routes.html#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes).
+
+
+ PKCS #8, PKCS #1 syntax
+
+ > PKCS #1 private key encoding. PKCS #1 produces a PEM block that contains the private key algorithm in the header and the private key in the body. A key that uses this can be recognised by its BEGIN RSA PRIVATE KEY or BEGIN EC PRIVATE KEY header. NOTE: This encoding is not supported for Ed25519 keys. Attempting to use this encoding with an Ed25519 key will be ignored and default to PKCS #8.
+
+ > PKCS #8 private key encoding. PKCS #8 produces a PEM block with a static header and both the private key algorithm and the private key in the body. A key that uses this encoding can be recognised by its BEGIN PRIVATE KEY header.
+
+ [PKCS #1, PKCS #8 syntax definitionfrom cert-manager](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.PrivateKeyEncoding)
+
+
+
+ - The second TLS secret is used on the exposed route, referenced as `camunda-platform-external-certificate`. For example, this would be the same TLS secret used for Ingress. We also configure the Zeebe Gateway Ingress to create a [Re-encrypt Route](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration).
+
+ To configure a Zeebe cluster securely, it's essential to set up a secure communication configuration between pods:
+
+ - We enable gRPC ingress for the Core pod, which sets up a secure proxy that we'll use to communicate with the Zeebe cluster. To avoid conflicts with other services, we use a specific domain (`zeebe-$DOMAIN_NAME`) for the gRPC proxy, different from the one used by other services (`$DOMAIN_NAME`). We also note that the port used for gRPC is `443`.
+
+ - We mount the **Service Certificate Secret** (`camunda-platform-internal-service-certificate`) to the Core pod and configure a secure TLS connection.
+
+ Update your `values.yml` file with the following:
+
+ ```yaml reference
+ https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/core-route.yml
+ ```
+
+ The actual configuration properties can be reviewed:
+
+ - [in the Operate configuration documentation](/self-managed/operate-deployment/operate-configuration.md#zeebe-broker-connection),
+ - [in the Tasklist configuration documentation](/self-managed/tasklist-deployment/tasklist-configuration.md#zeebe-broker-connection),
+ - [in the Zeebe Gateway configuration documentation](/self-managed/zeebe-deployment/configuration/gateway.md).
+
+2. **Connectors:** update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/connectors-route.yml
+```
+
+The actual configuration properties can be reviewed [in the Connectors configuration documentation](/self-managed/connectors-deployment/connectors-configuration.md#zeebe-broker-connection).
+
+1. Configure all other applications running inside the cluster and connecting to the Zeebe Gateway to also use TLS.
+
+1. Set up the global configuration to enable the single Ingress definition with the host. Update your configuration file as shown below:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/domain.yml
+```
+
+
+
+
+
+
+
+
+[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) serve as OpenShift's default Ingress implementation.
+
+If you find that its features aren't suitable for your needs, or if you prefer to use a Kubernetes-native Ingress controller, such as the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx), [you have that option](https://www.redhat.com/en/blog/a-guide-to-using-routes-ingress-and-gateway-apis-in-kubernetes-without-vendor-lock-in).
+
+For guidance on installing an Ingress controller, you can refer to the [Ingress Setup documentation](/self-managed/setup/guides/ingress-setup.md).
+
+:::note Difference between ingress-nginx and NGINX Ingress
+
+Do not confuse the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx) with the [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift) that is endorsed by Red Hat for usage with OpenShift. Despite very similar names, they are two different products.
+
+If you should decide to use the Red Hat endorsed [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift), you would require additional adjustments done to the Camunda 8 Ingress objects and the NGINX Ingress Controller itself to make `gRPC` and `HTTP/2` connections work. In that case, please refer to the [example and the prerequisites](https://github.com/nginxinc/kubernetes-ingress/blob/main/examples/ingress-resources/grpc-services/README.md).
+
+:::
+
+
+
+If you do not have a domain name or do not intend to use one for your Camunda 8 deployment, external access to Camunda 8 web endpoints from outside the OpenShift cluster will not be possible.
+
+However, you can use `kubectl port-forward` to access the Camunda platform without a domain name or Ingress configuration. For more information, refer to the [kubectl port-forward documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_port-forward/).
+
+To make this work, you will need to configure the deployment to reference `localhost` with the forwarded port. Update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-domain.yml
+```
+
+
+
+
+#### Configuring the Security Context Constraints
+
+Depending on your OpenShift cluster's Security Context Constraints (SCCs) configuration, the deployment process may vary.
By default, OpenShift employs more restrictive SCCs. The Helm chart must assign `null` to the user running all components and dependencies.
+
+
+
+
The `global.compatibility.openshift.adaptSecurityContext` variable in your values.yaml can be used to set the following possible values:
- `force`: The `runAsUser` and `fsGroup` values will be null in all components.
- `disabled`: The `runAsUser` and `fsGroup` values will not be modified (default).
-To deploy Camunda 8 on OpenShift:
-
-1. Install [Helm and other CLI tools](/self-managed/setup/install.md#prerequisites).
-2. Install the [Camunda Helm chart repository](/self-managed/setup/install.md#helm-repository).
-3. Set `global.compatibility.openshift.adaptSecurityContext` to `force`
-
-```shell
-helm install camunda camunda/camunda-platform --skip-crds \
- --set global.compatibility.openshift.adaptSecurityContext=force
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/scc.yml
```
-### With permissive SCCs
-
To use permissive SCCs, simply install the charts as they are. Follow the [general Helm deployment guide](/self-managed/setup/install.md).
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/helm-values/no-scc.yml
+```
+
-## Available Configurations of OpenShift Components
+#### Enable Enterprise components
+
+Some components are not enabled by default in this deployment. For more information on how to configure and enable these components, refer to [configuring Enterprise components and Connectors](/self-managed/setup/install.md#configuring-enterprise-components-and-connectors).
+
+#### Fill your deployment with actual values
+
+Once you've prepared the `values.yml` file, run the following `envsubst` command to substitute the environment variables with their actual values:
+
+```bash
+# generate the final values
+envsubst < values.yml > generated-values.yml
+
+# print the result
+cat generated-values.yml
+```
+
+:::info Camunda Helm chart no longer automatically generates passwords
+
+Starting from **Camunda 8.6**, the Helm chart deprecated the automatic generation of secrets, and this feature has been fully removed in **Camunda 8.7**.
+
+:::
+
+Next, store various passwords in a Kubernetes secret, which will be used by the Helm chart. Below is an example of how to set up the required secret. You can use `openssl` to generate random secrets and store them in environment variables:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/generate-passwords.sh
+```
+
+Use these environment variables in the `kubectl` command to create the secret.
+
+- The `smtp-password` should be replaced with the appropriate external value ([see how it's used by Web Modeler](/self-managed/modeler/web-modeler/configuration/configuration.md#smtp--email)).
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/create-identity-secret.sh
+```
+
+### Install Camunda 8 using Helm
+
+Now that the `generated-values.yml` is ready, you can install Camunda 8 using Helm.
+
+The following are the required environment variables with some example values:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/chart-env.sh
+```
+
+Then run the following command:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.7/procedure/install/install-chart.sh
+```
+
+This command:
+
+- Installs (or upgrades) the Camunda platform using the Helm chart.
+- Substitutes the appropriate version using the `$CAMUNDA_HELM_CHART_VERSION` environment variable.
+- Applies the configuration from `generated-values.yml`.
+
+:::note
+
+This guide uses `helm upgrade --install` as it runs install on initial deployment and upgrades future usage. This may make it easier for future [Camunda 8 Helm upgrades](/self-managed/setup/upgrade.md) or any other component upgrades.
+
+:::
+
+You can track the progress of the installation using the following command:
+
+```bash
+watch -n 5 '
+ kubectl get pods -n camunda --output=wide;
+ if [ $(kubectl get pods -n camunda --field-selector=status.phase!=Running -o name | wc -l) -eq 0 ] &&
+ [ $(kubectl get pods -n camunda -o json | jq -r ".items[] | select(.status.containerStatuses[]?.ready == false)" | wc -l) -eq 0 ];
+ then
+ echo "All pods are Running and Healthy - Installation completed!";
+ else
+ echo "Some pods are not Running or Healthy";
+ fi
+'
+```
+
+## Verify connectivity to Camunda 8
+
+Please follow our [guide to verify connectivity to Camunda 8](/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md#verify-connectivity-to-camunda-8).
+
+The username of the first user is `demo`, the password is the one generated previously and stored in the environment variable `FIRST_USER_PASSWORD`.
+
+:::caution Domain name for gRPC Zeebe
+
+In this setup, the domain used for gRPC communication with Zeebe is slightly different from the one in the guide. Instead of using `zeebe.$DOMAIN_NAME`, you need to use `zeebe-$DOMAIN_NAME`.
+
+:::
+
+## Pitfalls to avoid
+
+For general deployment pitfalls, visit the [deployment troubleshooting guide](/self-managed/operational-guides/troubleshooting/troubleshooting.md).
### Security Context Constraints (SCCs)
@@ -144,220 +440,3 @@ If you deploy Camunda 8 (and related infrastructure) with permissive SCCs out of
-
-## Ingress Configuration
-
-Before exposing services outside the cluster, we need an Ingress component. Here's how you can configure it:
-
-
-
-
-### Using Kubernetes Ingress
-
-[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) serve as OpenShift's default Ingress implementation.
-
-If you find that its features aren't suitable for your needs, or if you prefer to use a Kubernetes-native Ingress controller, such as the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx), [you have that option](https://www.redhat.com/en/blog/a-guide-to-using-routes-ingress-and-gateway-apis-in-kubernetes-without-vendor-lock-in).
-
-For guidance on installing an Ingress controller, you can refer to the [Ingress Setup documentation](/self-managed/setup/guides/ingress-setup.md).
-
-:::note Difference between ingress-nginx and NGINX Ingress
-
-Do not confuse the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx) with the [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift) that is endorsed by Red Hat for usage with OpenShift. Despite very similar names, they are two different products.
-
-If you should decide to use the Red Hat endorsed [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift), you would require additional adjustments done to the Camunda 8 Ingress objects and the NGINX Ingress Controller itself to make `gRPC` and `HTTP/2` connections work. In that case, please refer to the [example and the prerequisites](https://github.com/nginxinc/kubernetes-ingress/blob/main/examples/ingress-resources/grpc-services/README.md).
-
-:::
-
-
-
-
-### Using OpenShift Routes
-
-[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) expose services externally by linking a URL to a service within the cluster. [OpenShift supports both the standard Kubernetes Ingress and routes](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html), giving cluster users the flexibility to choose.
-
-The presence of routes is rooted in their specification predating Ingress. It's worth noting that the functionality of routes differs from Ingress; for example, unlike Ingress, routes don't allow multiple services to be linked to a single route or the use of paths.
-
-To use these routes for the Zeebe Gateway, configure this through Ingress as well.
-
-#### Prerequisite
-
-As the Zeebe Gateway also uses `gRPC` (which relies on `HTTP/2`), [HTTP/2 Ingress Connectivity has to be enabled](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress).
-
-Additionally, the Zeebe Gateway should be configured to use an encrypted connection with TLS. In OpenShift, the connection from HAProxy to the Zeebe Gateway service can use HTTP/2 only for re-encryption or pass-through routes, and not for edge-terminated or insecure routes.
-
-#### Required Steps
-
-1. Provide two [TLS secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for the Zeebe Gateway.
-
- - The first TLS secret is issued to the Zeebe Gateway Service Name. This must use the [PKCS #8 syntax](https://en.wikipedia.org/wiki/PKCS_8) or [PKCS #1 syntax](https://en.wikipedia.org/wiki/PKCS_1) as Zeebe only supports these, referenced as `camunda-platform-internal-service-certificate`.
-
- In the example below, a TLS certificate is generated for the Zeebe Gateway service with an [annotation](https://docs.openshift.com/container-platform/latest/security/certificates/service-serving-certificate.html). The generated certificate will be in the form of a secret.
-
- ```yaml
- zeebeGateway:
- service:
- annotations:
- service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate
- ```
-
- Another option is [Cert Manager](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html). For more details, review the [OpenShift documentation](https://docs.openshift.com/container-platform/latest/networking/routes/secured-routes.html#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes).
-
-
- PKCS #8, PKCS #1 syntax
-
- > PKCS #1 private key encoding. PKCS #1 produces a PEM block that contains the private key algorithm in the header and the private key in the body. A key that uses this can be recognised by its BEGIN RSA PRIVATE KEY or BEGIN EC PRIVATE KEY header. NOTE: This encoding is not supported for Ed25519 keys. Attempting to use this encoding with an Ed25519 key will be ignored and default to PKCS #8.
-
- > PKCS #8 private key encoding. PKCS #8 produces a PEM block with a static header and both the private key algorithm and the private key in the body. A key that uses this encoding can be recognised by its BEGIN PRIVATE KEY header.
-
- [PKCS #1, PKCS #8 syntax definitionfrom cert-manager](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.PrivateKeyEncoding)
-
-
-
- - The second TLS secret is used on the exposed route, referenced as `camunda-platform-external-certificate`. For example, this would be the same TLS secret used for Ingress.
-
-1. Configure your Zeebe Gateway Ingress to create a [Re-encrypt Route](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration):
-
- ```yaml
- zeebeGateway:
- ingress:
- grpc:
- annotations:
- route.openshift.io/termination: reencrypt
- route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate
- className: openshift-default
- tls:
- enabled: true
- secretName: camunda-platform-external-certificate
- ```
-
-1. Mount the **Service Certificate Secret** to the Zeebe Gateway Pod:
-
- ```yaml
- zeebeGateway:
- env:
- - name: ZEEBE_GATEWAY_SECURITY_ENABLED
- value: "true"
- - name: ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH
- value: /usr/local/zeebe/config/tls.crt
- - name: ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH
- value: /usr/local/zeebe/config/tls.key
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/zeebe/config/tls.crt
- subPath: tls.crt
- - name: key
- mountPath: /usr/local/zeebe/config/tls.key
- subPath: tls.key
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- - name: key
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.key
- path: tls.key
- defaultMode: 420
- ```
-
-1. Mount the **Service Certificate Secret** to the Operate and Tasklist pods and configure the secure TLS connection. Here, only the `tls.crt` file is required.
-
- For Operate:
-
- ```yaml
- operate:
- env:
- - name: CAMUNDA_OPERATE_ZEEBE_SECURE
- value: "true"
- - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH
- value: /usr/local/operate/config/tls.crt
- - name: CAMUNDA_OPERATE_ZEEBE_BROKERCONTACTPOINT
- value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/operate/config/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Operate configuration documentation](/self-managed/operate-deployment/operate-configuration.md#zeebe-broker-connection).
-
- For Tasklist:
-
- ```yaml
- tasklist:
- env:
- - name: CAMUNDA_TASKLIST_ZEEBE_SECURE
- value: "true"
- - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH
- value: /usr/local/tasklist/config/tls.crt
- - name: CAMUNDA_TASKLIST_ZEEBE_BROKERCONTACTPOINT
- value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/tasklist/config/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Tasklist configuration documentation](/self-managed/tasklist-deployment/tasklist-configuration.md#zeebe-broker-connection).
-
-1. Configure Connectors:
-
- ```yaml
- connectors:
- inbound:
- mode: oauth
- env:
- - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS
- value: "camunda-zeebe-gateway.camunda.svc.cluster.local:26500"
- - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT
- value: "false"
- - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH
- value: /usr/local/certificates/tls.crt
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/certificates/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Connectors configuration documentation](/self-managed/connectors-deployment/connectors-configuration.md#zeebe-broker-connection).
-
-1. Configure all other applications running inside the cluster and connecting to the Zeebe Gateway to also use TLS.
-
-
-
-
-
-
-
-## Pitfalls to avoid
-
-For general deployment pitfalls, visit the [deployment troubleshooting guide](/self-managed/operational-guides/troubleshooting/troubleshooting.md).
diff --git a/docusaurus.config.js b/docusaurus.config.js
index a90cf5de490..1280a40afbf 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -101,15 +101,15 @@ module.exports = {
},
],
[
- // Zeebe REST API docs generation
+ // Administration Self-Managed REST API docs generation
"docusaurus-plugin-openapi-docs",
{
- id: "api-consolesm-openapi",
+ id: "api-adminsm-openapi",
docsPluginId: "default",
config: {
- consolesm: {
- specPath: "api/console-sm/console-sm-openapi.yaml",
- outputDir: "docs/apis-tools/console-sm-api/specifications",
+ adminsm: {
+ specPath: "api/administration-sm/administration-sm-openapi.yaml",
+ outputDir: "docs/apis-tools/administration-sm-api/specifications",
sidebarOptions: {
groupPathsBy: "tag",
},
diff --git a/optimize_sidebars.js b/optimize_sidebars.js
index ab7552d80e3..a423fa57aa2 100644
--- a/optimize_sidebars.js
+++ b/optimize_sidebars.js
@@ -2075,12 +2075,1053 @@ function docsLink(label, href) {
),
],
},
+ {
+ "Clients & SDKs": [
+ {
+ SDKs: [
+ docsLink("Node.js", "apis-tools/node-js-sdk/"),
+
+ {
+ "Spring Zeebe": [
+ docsLink(
+ "Getting started",
+ "apis-tools/spring-zeebe-sdk/getting-started/"
+ ),
+ docsLink(
+ "Configuration",
+ "apis-tools/spring-zeebe-sdk/configuration/"
+ ),
+ ],
+ },
+ ],
+ },
+ {
+ Clients: [
+ {
+ "Java client": [
+ docsLink("Quick reference", "apis-tools/java-client/"),
+ docsLink("Job worker", "apis-tools/java-client/job-worker/"),
+ docsLink("Logging", "apis-tools/java-client/logging/"),
+ docsLink(
+ "Zeebe Process Test",
+ "apis-tools/java-client/zeebe-process-test/"
+ ),
+
+ {
+ Examples: [
+ docsLink("Overview", "apis-tools/java-client-examples/"),
+ docsLink(
+ "Deploy a process",
+ "apis-tools/java-client-examples/process-deploy/"
+ ),
+ docsLink(
+ "Create a process instance",
+ "apis-tools/java-client-examples/process-instance-create/"
+ ),
+ docsLink(
+ "Create non-blocking process instances",
+ "apis-tools/java-client-examples/process-instance-create-nonblocking/"
+ ),
+ docsLink(
+ "Create a process instance with results",
+ "apis-tools/java-client-examples/process-instance-create-with-result/"
+ ),
+ docsLink(
+ "Evaluate a decision",
+ "apis-tools/java-client-examples/decision-evaluate/"
+ ),
+ docsLink(
+ "Open a job worker",
+ "apis-tools/java-client-examples/job-worker-open/"
+ ),
+ docsLink(
+ "Handle variables as POJO",
+ "apis-tools/java-client-examples/data-pojo/"
+ ),
+ docsLink(
+ "Request cluster topology",
+ "apis-tools/java-client-examples/cluster-topology-request/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ {
+ "Community clients": [
+ docsLink("Component clients", "apis-tools/community-clients/"),
+
+ {
+ "Zeebe clients": [
+ docsLink(
+ "JavaScript/Node.js",
+ "apis-tools/community-clients/javascript/"
+ ),
+ docsLink("Spring", "apis-tools/community-clients/spring/"),
+ {
+ "CLI client": [
+ docsLink("Quick reference", "apis-tools/cli-client/"),
+ docsLink(
+ "Getting started with the CLI client",
+ "apis-tools/cli-client/cli-get-started/"
+ ),
+ ],
+ },
+
+ {
+ "Go client": [
+ docsLink("Quick reference", "apis-tools/go-client/"),
+ docsLink(
+ "Getting started with the Go client",
+ "apis-tools/go-client/go-get-started/"
+ ),
+ docsLink(
+ "Job worker",
+ "apis-tools/go-client/job-worker/"
+ ),
+ ],
+ },
+ ],
+ },
+ docsLink(
+ "Build your own client",
+ "apis-tools/build-your-own-client/"
+ ),
+ ],
+ },
+ ],
+ },
+ ],
+ },
+
+ {
+ "Frontend development": [
+ {
+ "Task applications": [
+ docsLink(
+ "Introduction to task applications",
+ "apis-tools/frontend-development/task-applications/introduction-to-task-applications/"
+ ),
+ docsLink(
+ "User task life cycle",
+ "apis-tools/frontend-development/task-applications/user-task-lifecycle/"
+ ),
+ docsLink(
+ "Task application architecture",
+ "apis-tools/frontend-development/task-applications/task-application-architecture/"
+ ),
+ ],
+ },
+
+ {
+ Forms: [
+ docsLink(
+ "Introduction to forms",
+ "apis-tools/frontend-development/forms/introduction-to-forms/"
+ ),
+
+ {
+ "Embed forms": [
+ docsLink(
+ "Concepts",
+ "apis-tools/frontend-development/forms/embed-forms/form-js-concepts/"
+ ),
+ docsLink(
+ "Embed forms in JavaScript",
+ "apis-tools/frontend-development/forms/embed-forms/embed-forms-in-javascript/"
+ ),
+ ],
+ },
+
+ {
+ "Customize & extend": [
+ docsLink(
+ "Styling",
+ "apis-tools/frontend-development/forms/customize-and-extend/form-styling/"
+ ),
+ docsLink(
+ "Custom components",
+ "apis-tools/frontend-development/forms/customize-and-extend/custom-components/"
+ ),
+ docsLink(
+ "Integrate API data",
+ "apis-tools/frontend-development/forms/customize-and-extend/integrate-api-data/"
+ ),
+ ],
+ },
+ ],
+ },
+ ],
+ },
+ ],
+
+ "Self-Managed": [
+ docsLink("Camunda 8 Self-Managed", "self-managed/about-self-managed/"),
+
+ {
+ Setup: [
+ docsLink("Overview", "self-managed/setup/overview/"),
+ docsLink("Install", "self-managed/setup/install/"),
+ docsLink("Upgrade", "self-managed/setup/upgrade/"),
+
+ {
+ Deploy: [
+ {
+ Local: [
+ docsLink(
+ "Camunda 8 Run",
+ "self-managed/setup/deploy/local/c8run/"
+ ),
+ docsLink(
+ "Local Kubernetes cluster",
+ "self-managed/setup/deploy/local/local-kubernetes-cluster/"
+ ),
+ docsLink(
+ "Docker Compose",
+ "self-managed/setup/deploy/local/docker-compose/"
+ ),
+ docsLink("Manual", "self-managed/setup/deploy/local/manual/"),
+ ],
+ },
+
+ {
+ "Amazon (AWS)": [
+ {
+ "Amazon EKS": [
+ docsLink(
+ "Deploy an EKS cluster with eksctl",
+ "self-managed/setup/deploy/amazon/amazon-eks/eks-eksctl/"
+ ),
+ docsLink(
+ "Deploy an EKS cluster with Terraform",
+ "self-managed/setup/deploy/amazon/amazon-eks/eks-terraform/"
+ ),
+ docsLink(
+ "Install Camunda 8 on an EKS cluster",
+ "self-managed/setup/deploy/amazon/amazon-eks/eks-helm/"
+ ),
+ docsLink(
+ "Dual-region setup (EKS)",
+ "self-managed/setup/deploy/amazon/amazon-eks/dual-region/"
+ ),
+ docsLink(
+ "IAM roles for service accounts",
+ "self-managed/setup/deploy/amazon/amazon-eks/irsa/"
+ ),
+ ],
+ ROSA: [
+ docsLink(
+ "Deploy a ROSA cluster with Terraform",
+ "self-managed/setup/deploy/amazon/openshift/terraform/"
+ ),
+ ],
+ },
+
+ docsLink(
+ "Install AWS Marketplace",
+ "self-managed/setup/deploy/amazon/aws-marketplace/"
+ ),
+ docsLink(
+ "Amazon EC2",
+ "self-managed/setup/deploy/amazon/aws-ec2/"
+ ),
+ ],
+ },
+
+ {
+ "Microsoft (Azure)": [
+ docsLink(
+ "Microsoft AKS",
+ "self-managed/setup/deploy/azure/microsoft-aks/"
+ ),
+ ],
+ },
+
+ {
+ "Google (GCP)": [
+ docsLink(
+ "Google GKE",
+ "self-managed/setup/deploy/gcp/google-gke/"
+ ),
+ ],
+ },
+
+ {
+ "Red Hat (OpenShift)": [
+ docsLink(
+ "Red Hat OpenShift",
+ "self-managed/setup/deploy/openshift/redhat-openshift/"
+ ),
+ ],
+ },
+
+ {
+ Other: [
+ docsLink("Docker", "self-managed/setup/deploy/other/docker/"),
+ docsLink("Manual", "self-managed/setup/deploy/local/manual/"),
+ ],
+ },
+ ],
+ },
+
+ {
+ Guides: [
+ docsLink(
+ "Accessing components without Ingress",
+ "self-managed/setup/guides/accessing-components-without-ingress/"
+ ),
+ docsLink(
+ "Ingress setup",
+ "self-managed/setup/guides/ingress-setup/"
+ ),
+ docsLink(
+ "Using existing Keycloak",
+ "self-managed/setup/guides/using-existing-keycloak/"
+ ),
+ docsLink(
+ "Using existing Elasticsearch",
+ "self-managed/setup/guides/using-existing-elasticsearch/"
+ ),
+ docsLink(
+ "Using Amazon OpenSearch Service",
+ "self-managed/setup/guides/using-existing-opensearch/"
+ ),
+ docsLink(
+ "Configure custom headers",
+ "self-managed/setup/guides/configure-db-custom-headers/"
+ ),
+ docsLink(
+ "Connect to an OpenID Connect provider",
+ "self-managed/setup/guides/connect-to-an-oidc-provider/"
+ ),
+ docsLink(
+ "Installing in an air-gapped environment",
+ "self-managed/setup/guides/air-gapped-installation/"
+ ),
+ docsLink(
+ "Running custom Connectors",
+ "self-managed/setup/guides/running-custom-connectors/"
+ ),
+ docsLink(
+ "Multi-namespace deployment",
+ "self-managed/setup/guides/multi-namespace-deployment/"
+ ),
+ docsLink(
+ "Verifying Camunda 8 installation with a demo app",
+ "self-managed/setup/guides/installing-payment-app-example/"
+ ),
+ ],
+ },
+ ],
+ },
+ {
+ "Reference Architecture": [
+ docsLink("Overview", "self-managed/reference-architecture/"),
+ docsLink("Manual JAR", "self-managed/reference-architecture/manual/"),
+ ],
+ },
+ {
+ "Operational guides": [
+ {
+ "Update guide": [
+ docsLink(
+ "Update 8.5 to 8.6",
+ "self-managed/operational-guides/update-guide/850-to-860/"
+ ),
+ docsLink(
+ "Update 8.4 to 8.5",
+ "self-managed/operational-guides/update-guide/840-to-850/"
+ ),
+ docsLink(
+ "Update 8.3 to 8.4",
+ "self-managed/operational-guides/update-guide/830-to-840/"
+ ),
+ docsLink(
+ "Update 8.2 to 8.3",
+ "self-managed/operational-guides/update-guide/820-to-830/"
+ ),
+
+ {
+ Elasticsearch: [
+ docsLink(
+ "Update 7 to 8",
+ "self-managed/operational-guides/update-guide/elasticsearch/7-to-8/"
+ ),
+ ],
+ },
+
+ {
+ Keycloak: [
+ docsLink(
+ "Update Keycloak",
+ "self-managed/operational-guides/update-guide/keycloak/keycloak-update/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ docsLink(
+ "Configure multi-tenancy",
+ "self-managed/operational-guides/configure-multi-tenancy/"
+ ),
+
+ {
+ "Backup and restore": [
+ docsLink(
+ "Backup and restore Optimize data",
+ "self-managed/operational-guides/backup-restore/optimize-backup/"
+ ),
+ docsLink(
+ "Backup and restore Operate and Tasklist data",
+ "self-managed/operational-guides/backup-restore/operate-tasklist-backup/"
+ ),
+ docsLink(
+ "Backup and restore Zeebe data",
+ "self-managed/operational-guides/backup-restore/zeebe-backup-and-restore/"
+ ),
+ docsLink(
+ "Backup and restore Web Modeler data",
+ "self-managed/operational-guides/backup-restore/modeler-backup-and-restore/"
+ ),
+ ],
+ },
+
+ docsLink(
+ "Configure components",
+ "self-managed/operational-guides/application-configs/"
+ ),
+ docsLink(
+ "Configure flow control",
+ "self-managed/operational-guides/configure-flow-control/"
+ ),
+
+ {
+ "Multi-region": [
+ docsLink(
+ "Dual-region operational procedure",
+ "self-managed/operational-guides/multi-region/dual-region-operational-procedure/"
+ ),
+ ],
+ },
+
+ {
+ Troubleshooting: [
+ docsLink(
+ "Troubleshooting",
+ "self-managed/operational-guides/troubleshooting/"
+ ),
+ docsLink(
+ "Log levels",
+ "self-managed/operational-guides/troubleshooting/log-levels/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ {
+ Concepts: [
+ {
+ "Access control": [
+ docsLink(
+ "Applications",
+ "self-managed/concepts/access-control/applications/"
+ ),
+ docsLink(
+ "Resource authorizations",
+ "self-managed/concepts/access-control/resource-authorizations/"
+ ),
+ docsLink(
+ "User task access restrictions",
+ "self-managed/concepts/access-control/user-task-access-restrictions/"
+ ),
+ ],
+ },
+
+ docsLink("Exporters", "self-managed/concepts/exporters/"),
+
+ {
+ "Multi-region": [
+ docsLink(
+ "Dual-region",
+ "self-managed/concepts/multi-region/dual-region/"
+ ),
+ ],
+ },
+
+ docsLink("Multi-tenancy", "self-managed/concepts/multi-tenancy/"),
+ docsLink("Mapping rules", "self-managed/concepts/mapping-rules/"),
+ docsLink(
+ "Elasticsearch privileges",
+ "self-managed/concepts/elasticsearch-privileges/"
+ ),
+ docsLink(
+ "OpenSearch privileges",
+ "self-managed/concepts/opensearch-privileges/"
+ ),
+ ],
+ },
+
+ {
+ Components: [
+ {
+ Console: [
+ docsLink("Overview", "self-managed/console-deployment/overview/"),
+ docsLink(
+ "Installation",
+ "self-managed/console-deployment/installation/"
+ ),
+ docsLink(
+ "Configuration",
+ "self-managed/console-deployment/configuration/"
+ ),
+ docsLink("Telemetry", "self-managed/console-deployment/telemetry/"),
+ ],
+ },
+
+ {
+ Zeebe: [
+ docsLink(
+ "Overview",
+ "self-managed/zeebe-deployment/zeebe-installation/"
+ ),
+
+ {
+ "Zeebe Gateway": [
+ docsLink(
+ "Overview",
+ "self-managed/zeebe-deployment/zeebe-gateway/overview/"
+ ),
+ docsLink(
+ "Interceptors",
+ "self-managed/zeebe-deployment/zeebe-gateway/interceptors/"
+ ),
+ docsLink(
+ "Filters",
+ "self-managed/zeebe-deployment/zeebe-gateway/filters/"
+ ),
+ docsLink(
+ "Job streaming",
+ "self-managed/zeebe-deployment/zeebe-gateway/job-streaming/"
+ ),
+ ],
+ },
+
+ {
+ Configuration: [
+ docsLink(
+ "Overview",
+ "self-managed/zeebe-deployment/configuration/"
+ ),
+ docsLink(
+ "Logging",
+ "self-managed/zeebe-deployment/configuration/logging/"
+ ),
+ docsLink(
+ "Gateway health probes",
+ "self-managed/zeebe-deployment/configuration/gateway-health-probes/"
+ ),
+ docsLink(
+ "Environment variables",
+ "self-managed/zeebe-deployment/configuration/environment-variables/"
+ ),
+ docsLink(
+ "Fixed partitioning",
+ "self-managed/zeebe-deployment/configuration/fixed-partitioning/"
+ ),
+ docsLink(
+ "Priority election",
+ "self-managed/zeebe-deployment/configuration/priority-election/"
+ ),
+ docsLink(
+ "Broker configuration",
+ "self-managed/zeebe-deployment/configuration/broker-config/"
+ ),
+ docsLink(
+ "Gateway configuration",
+ "self-managed/zeebe-deployment/configuration/gateway-config/"
+ ),
+ ],
+ },
+
+ {
+ Security: [
+ docsLink("Overview", "self-managed/zeebe-deployment/security/"),
+ docsLink(
+ "Client authorization",
+ "self-managed/zeebe-deployment/security/client-authorization/"
+ ),
+ docsLink(
+ "Secure client communication",
+ "self-managed/zeebe-deployment/security/secure-client-communication/"
+ ),
+ docsLink(
+ "Secure cluster communication",
+ "self-managed/zeebe-deployment/security/secure-cluster-communication/"
+ ),
+ ],
+ },
+
+ {
+ Operation: [
+ docsLink(
+ "Overview",
+ "self-managed/zeebe-deployment/operations/zeebe-in-production/"
+ ),
+ docsLink(
+ "Resource planning",
+ "self-managed/zeebe-deployment/operations/resource-planning/"
+ ),
+ docsLink(
+ "Network ports",
+ "self-managed/zeebe-deployment/operations/network-ports/"
+ ),
+ docsLink(
+ "Setting up a Zeebe cluster",
+ "self-managed/zeebe-deployment/operations/setting-up-a-cluster/"
+ ),
+ docsLink(
+ "Metrics",
+ "self-managed/zeebe-deployment/operations/metrics/"
+ ),
+ docsLink(
+ "Health status",
+ "self-managed/zeebe-deployment/operations/health/"
+ ),
+ docsLink(
+ "Backpressure",
+ "self-managed/zeebe-deployment/operations/backpressure/"
+ ),
+ docsLink(
+ "Disk space",
+ "self-managed/zeebe-deployment/operations/disk-space/"
+ ),
+ docsLink(
+ "Update Zeebe",
+ "self-managed/zeebe-deployment/operations/update-zeebe/"
+ ),
+ docsLink(
+ "Rebalancing",
+ "self-managed/zeebe-deployment/operations/rebalancing/"
+ ),
+ docsLink(
+ "Management API",
+ "self-managed/zeebe-deployment/operations/management-api/"
+ ),
+ docsLink(
+ "Backups",
+ "self-managed/zeebe-deployment/operations/backups/"
+ ),
+ docsLink(
+ "Cluster scaling",
+ "self-managed/zeebe-deployment/operations/cluster-scaling/"
+ ),
+ ],
+ },
+
+ {
+ Exporters: [
+ docsLink(
+ "Install Zeebe exporters",
+ "self-managed/zeebe-deployment/exporters/install-zeebe-exporters/"
+ ),
+ docsLink(
+ "Elasticsearch",
+ "self-managed/zeebe-deployment/exporters/elasticsearch-exporter/"
+ ),
+ docsLink(
+ "OpenSearch",
+ "self-managed/zeebe-deployment/exporters/opensearch-exporter/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ {
+ Operate: [
+ docsLink(
+ "Installation",
+ "self-managed/operate-deployment/install-and-start/"
+ ),
+ docsLink(
+ "Configuration",
+ "self-managed/operate-deployment/operate-configuration/"
+ ),
+ docsLink(
+ "Data retention",
+ "self-managed/operate-deployment/data-retention/"
+ ),
+ docsLink(
+ "Schema and migration",
+ "self-managed/operate-deployment/schema-and-migration/"
+ ),
+ docsLink(
+ "Importer and archiver",
+ "self-managed/operate-deployment/importer-and-archiver/"
+ ),
+ docsLink(
+ "Authentication and authorization",
+ "self-managed/operate-deployment/operate-authentication/"
+ ),
+ docsLink(
+ "Usage metrics",
+ "self-managed/operate-deployment/usage-metrics/"
+ ),
+ ],
+ },
+
+ {
+ Tasklist: [
+ docsLink(
+ "Installation",
+ "self-managed/tasklist-deployment/install-and-start/"
+ ),
+ docsLink(
+ "Configuration",
+ "self-managed/tasklist-deployment/tasklist-configuration/"
+ ),
+ docsLink(
+ "Custom styling",
+ "self-managed/tasklist-deployment/tasklist-custom-styling/"
+ ),
+ docsLink(
+ "Data retention",
+ "self-managed/tasklist-deployment/data-retention/"
+ ),
+ docsLink(
+ "Importer and archiver",
+ "self-managed/tasklist-deployment/importer-and-archiver/"
+ ),
+ docsLink(
+ "Authentication",
+ "self-managed/tasklist-deployment/tasklist-authentication/"
+ ),
+ docsLink(
+ "Usage metrics",
+ "self-managed/tasklist-deployment/usage-metrics/"
+ ),
+ ],
+ },
+
+ {
+ Connectors: [
+ docsLink(
+ "Installation",
+ "self-managed/connectors-deployment/install-and-start/"
+ ),
+ docsLink(
+ "Configuration",
+ "self-managed/connectors-deployment/connectors-configuration/"
+ ),
+ ],
+ },
+
+ {
+ Optimize: [
+ "self-managed/optimize-deployment/install-and-start",
+ "self-managed/optimize-deployment/version-policy",
+ {
+ Configuration: [
+ "self-managed/optimize-deployment/configuration/getting-started",
+ {
+ "System configuration": [
+ "self-managed/optimize-deployment/configuration/system-configuration",
+ "self-managed/optimize-deployment/configuration/system-configuration-platform-8",
+ "self-managed/optimize-deployment/configuration/system-configuration-platform-7",
+ "self-managed/optimize-deployment/configuration/event-based-process-configuration",
+ ],
+ },
+ "self-managed/optimize-deployment/configuration/logging",
+ "self-managed/optimize-deployment/configuration/optimize-license",
+ "self-managed/optimize-deployment/configuration/security-instructions",
+ "self-managed/optimize-deployment/configuration/shared-elasticsearch-cluster",
+ "self-managed/optimize-deployment/configuration/history-cleanup",
+ "self-managed/optimize-deployment/configuration/localization",
+ "self-managed/optimize-deployment/configuration/object-variables",
+ "self-managed/optimize-deployment/configuration/clustering",
+ "self-managed/optimize-deployment/configuration/webhooks",
+ "self-managed/optimize-deployment/configuration/authorization-management",
+ "self-managed/optimize-deployment/configuration/user-management",
+ "self-managed/optimize-deployment/configuration/multi-tenancy",
+ "self-managed/optimize-deployment/configuration/multiple-engines",
+ "self-managed/optimize-deployment/configuration/setup-event-based-processes",
+ "self-managed/optimize-deployment/configuration/common-problems",
+ ],
+ },
+
+ {
+ Plugins: [
+ "self-managed/optimize-deployment/plugins/plugin-system",
+ "self-managed/optimize-deployment/plugins/businesskey-import-plugin",
+ "self-managed/optimize-deployment/plugins/decision-import-plugin",
+ "self-managed/optimize-deployment/plugins/elasticsearch-header",
+ "self-managed/optimize-deployment/plugins/engine-rest-filter-plugin",
+ "self-managed/optimize-deployment/plugins/single-sign-on",
+ "self-managed/optimize-deployment/plugins/variable-import-plugin",
+ ],
+ },
+ "self-managed/optimize-deployment/reimport",
+ {
+ "Migration & update": [
+ {
+ "Camunda 8": [
+ "self-managed/optimize-deployment/migration-update/camunda-8/instructions",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.13_8.5-to-8.6",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.12_8.4-to-3.13_8.5",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.11_8.3-to-3.12_8.4",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.10-to-3.11_8.3",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.9-to-3.10",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.9-preview-1-to-3.9",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.8-to-3.9-preview-1",
+ "self-managed/optimize-deployment/migration-update/camunda-8/3.7-to-3.8",
+ ],
+ "Camunda 7": [
+ "self-managed/optimize-deployment/migration-update/camunda-7/instructions",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.13-to-3.14",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.12-to-3.13",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.11-to-3.12",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.10-to-3.11",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.9-to-3.10",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.9-preview-1-to-3.9",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.8-to-3.9-preview-1",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.7-to-3.8",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.6-to-3.7",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.5-to-3.6",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.4-to-3.5",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.3-to-3.4",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.2-to-3.3",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.1-to-3.2",
+ "self-managed/optimize-deployment/migration-update/camunda-7/3.0-to-3.1",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.7-to-3.0",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.6-to-2.7",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.5-to-2.6",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.4-to-2.5",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.3-to-2.4",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.2-to-2.3",
+ "self-managed/optimize-deployment/migration-update/camunda-7/2.1-to-2.2",
+ ],
+ },
+ ],
+ },
+
+ {
+ "Advanced features": [
+ "self-managed/optimize-deployment/advanced-features/engine-data-deletion",
+ "self-managed/optimize-deployment/advanced-features/import-guide",
+ ],
+ },
+ ],
+ },
+
+ {
+ Identity: [
+ docsLink(
+ "What is Identity?",
+ "self-managed/identity/what-is-identity/"
+ ),
+ docsLink(
+ "Installation and first steps",
+ "self-managed/identity/getting-started/install-identity/"
+ ),
+
+ {
+ "User guide": [
+ {
+ Configuration: [
+ docsLink(
+ "Making Identity production ready",
+ "self-managed/identity/user-guide/configuration/making-identity-production-ready/"
+ ),
+ docsLink(
+ "Configuring an external identity provider",
+ "self-managed/identity/user-guide/configuration/configure-external-identity-provider/"
+ ),
+ docsLink(
+ "Configure logging",
+ "self-managed/identity/user-guide/configuration/configure-logging/"
+ ),
+ docsLink(
+ "Connect to an existing Keycloak instance",
+ "self-managed/identity/user-guide/configuration/connect-to-an-existing-keycloak/"
+ ),
+ ],
+ },
+
+ {
+ Roles: [
+ docsLink(
+ "Add and assign a role",
+ "self-managed/identity/user-guide/roles/add-assign-role/"
+ ),
+ docsLink(
+ "Add and assign a permission",
+ "self-managed/identity/user-guide/roles/add-assign-permission/"
+ ),
+ ],
+ },
+
+ {
+ Groups: [
+ docsLink(
+ "Create a group",
+ "self-managed/identity/user-guide/groups/create-group/"
+ ),
+ docsLink(
+ "Assign users and roles to a group",
+ "self-managed/identity/user-guide/groups/assign-users-roles-to-group/"
+ ),
+ ],
+ },
+
+ {
+ Authorizations: [
+ docsLink(
+ "Managing resource authorizations",
+ "self-managed/identity/user-guide/authorizations/managing-resource-authorizations/"
+ ),
+ docsLink(
+ "Managing user access",
+ "self-managed/identity/user-guide/authorizations/managing-user-access/"
+ ),
+ docsLink(
+ "Generating machine-to-machine (M2M) tokens",
+ "self-managed/identity/user-guide/authorizations/generating-m2m-tokens/"
+ ),
+ ],
+ },
+
+ {
+ Tenants: [
+ docsLink(
+ "Managing tenants",
+ "self-managed/identity/user-guide/tenants/managing-tenants/"
+ ),
+ ],
+ },
+
+ {
+ "Mapping rules": [
+ docsLink(
+ "Managing mapping rules",
+ "self-managed/identity/user-guide/mapping-rules/managing-mapping-rules/"
+ ),
+ ],
+ },
+
+ {
+ "Additional features": [
+ docsLink(
+ "Adding an API",
+ "self-managed/identity/user-guide/additional-features/adding-an-api/"
+ ),
+ docsLink(
+ "Incorporate applications",
+ "self-managed/identity/user-guide/additional-features/incorporate-applications/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ {
+ Deployment: [
+ docsLink(
+ "Configuration variables",
+ "self-managed/identity/deployment/configuration-variables/"
+ ),
+ docsLink(
+ "Application monitoring",
+ "self-managed/identity/deployment/application-monitoring/"
+ ),
+ docsLink(
+ "Starting configuration",
+ "self-managed/identity/deployment/starting-configuration-for-identity/"
+ ),
+ docsLink(
+ "Resource management",
+ "self-managed/identity/deployment/resource-management/"
+ ),
+ ],
+ },
+
+ docsLink(
+ "Troubleshoot Identity",
+ "self-managed/identity/troubleshooting/troubleshoot-identity/"
+ ),
+ ],
+ },
+
+ {
+ Modeler: [
+ {
+ "Web Modeler": [
+ docsLink(
+ "Installation",
+ "self-managed/modeler/web-modeler/installation/"
+ ),
+
+ {
+ Configuration: [
+ docsLink(
+ "Overview",
+ "self-managed/modeler/web-modeler/configuration/"
+ ),
+ docsLink(
+ "Database",
+ "self-managed/modeler/web-modeler/configuration/database/"
+ ),
+ docsLink(
+ "Identity",
+ "self-managed/modeler/web-modeler/configuration/identity/"
+ ),
+ docsLink(
+ "Logging",
+ "self-managed/modeler/web-modeler/configuration/logging/"
+ ),
+ docsLink(
+ "SSL",
+ "self-managed/modeler/web-modeler/configuration/ssl/"
+ ),
+ ],
+ },
+
+ {
+ Troubleshooting: [
+ docsLink(
+ "Database connection",
+ "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-database-connection/"
+ ),
+ docsLink(
+ "Zeebe connection",
+ "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-zeebe-connection/"
+ ),
+ docsLink(
+ "Missing data",
+ "self-managed/modeler/web-modeler/troubleshooting/troubleshoot-missing-data/"
+ ),
+ ],
+ },
+ ],
+ },
+
+ {
+ "Desktop Modeler": [
+ docsLink(
+ "Deploy diagram",
+ "self-managed/modeler/desktop-modeler/deploy-to-self-managed/"
+ ),
+ ],
+ },
+ ],
+ },
],
},
],
}),
{
- "Clients & SDKs": [
+ 7& SDKs": [
{
SDKs: [
docsLink("Node.js", "apis-tools/node-js-sdk/"),
diff --git a/package.json b/package.json
index 0bc82be266a..1c85373daab 100644
--- a/package.json
+++ b/package.json
@@ -28,7 +28,7 @@
"api:generate:operate": "npm run api:generate operate",
"api:generate:tasklist": "npm run api:generate tasklist",
"api:generate:zeebe": "npm run api:generate zeebe",
- "api:generate:consolesm": "npm run api:generate consolesm",
+ "api:generate:adminsm": "npm run api:generate adminsm",
"api:generate:camunda": "npm run api:generate camunda"
},
"dependencies": {
diff --git a/sidebars.js b/sidebars.js
index 4add84d1d97..9b598667a66 100644
--- a/sidebars.js
+++ b/sidebars.js
@@ -965,7 +965,27 @@ module.exports = {
"self-managed/setup/deploy/amazon/amazon-eks/irsa",
],
},
- "self-managed/setup/deploy/amazon/aws-marketplace",
+ {
+ type: "category",
+ label: "ROSA",
+ link: {
+ type: "doc",
+ id: "self-managed/setup/deploy/amazon/openshift/terraform-setup",
+ },
+ items: [
+ "self-managed/setup/deploy/amazon/openshift/terraform-setup",
+ ],
+ },
+ {
+ type: "category",
+ label: "Amazon MarketPlace",
+ link: {
+ type: "doc",
+ id: "self-managed/setup/deploy/amazon/aws-marketplace",
+ },
+ items: [],
+ },
+ "self-managed/setup/deploy/amazon/aws-ec2",
],
"Microsoft (Azure)": [
"self-managed/setup/deploy/azure/microsoft-aks",
@@ -1003,6 +1023,14 @@ module.exports = {
],
},
],
+ },
+ {
+ "Reference architecture": [
+ "self-managed/reference-architecture/reference-architecture",
+ "self-managed/reference-architecture/manual/manual",
+ ],
+ },
+ {
"Operational guides": [
{
type: "category",
diff --git a/static/.htaccess b/static/.htaccess
index 99205f43616..20496bb89ff 100644
--- a/static/.htaccess
+++ b/static/.htaccess
@@ -98,6 +98,9 @@ RewriteRule ^docs/reference/bpmn-processes/?(.*)$ /docs/components/modeler/bpmn/
# Remove Tasklist GraphQL API
RewriteRule ^docs/next/apis-tools/tasklist-api/(.*)$ /docs/next/apis-tools/camunda-api-rest/camunda-api-rest-overview/ [R=301,L]
+# Finalize the renaming of Console SM API to Administration API (Self-Managed)
+RewriteRule ^docs/next/apis-tools/administration-sm-api/specifications/sm-administration-api/?$ /docs/next/apis-tools/administration-sm-api/specifications/administration-api-self-managed/ [R=301,L]
+
# Remove Zeebe REST API
RewriteRule ^docs/next/apis-tools/zeebe-api-rest/specifications/?$ /docs/next/apis-tools/camunda-api-rest/specifications/$1 [R=301,L]
RewriteRule ^docs/next/apis-tools/zeebe-api-rest/zeebe-api-rest-overview/?$ /docs/next/apis-tools/camunda-api-rest/camunda-api-rest-overview/$1 [R=301,L]
diff --git a/versioned_docs/version-8.4/components/modeler/bpmn/user-tasks/user-tasks.md b/versioned_docs/version-8.4/components/modeler/bpmn/user-tasks/user-tasks.md
index b475a31143c..6141163fc38 100644
--- a/versioned_docs/version-8.4/components/modeler/bpmn/user-tasks/user-tasks.md
+++ b/versioned_docs/version-8.4/components/modeler/bpmn/user-tasks/user-tasks.md
@@ -56,6 +56,11 @@ attributes can be specified simultaneously:
- `candidateUsers`: Specifies the users that the task can be assigned to.
- `candidateGroups`: Specifies the groups of users that the task can be assigned to.
+:::info
+The assignee attribute must adhere to the userId field’s case-sensitivity requirements.
+Note that in SaaS, all user IDs are converted to lowercase by default, as they are based on email addresses.
+:::
+
Typically, the assignee, candidate users, and candidate groups are defined as [static values](/docs/components/concepts/expressions.md#expressions-vs-static-values) (e.g. `some_username`, `some_username, another_username` and
`sales, operations`), but they can also be defined as
[expressions](/components/concepts/expressions.md) (e.g. `= book.author` and `= remove(reviewers, book.author)` and `= reviewer_roles`). The expressions are evaluated on activating the user task and must result in a
diff --git a/versioned_docs/version-8.5/apis-tools/node-js-sdk.md b/versioned_docs/version-8.5/apis-tools/node-js-sdk.md
index 3186f048f21..ffe800bbc5f 100644
--- a/versioned_docs/version-8.5/apis-tools/node-js-sdk.md
+++ b/versioned_docs/version-8.5/apis-tools/node-js-sdk.md
@@ -1,7 +1,7 @@
---
id: node-js-sdk
title: Node.js
-description: Get started with the official Camunda 8 JavaScript SDK for Node.js, available via npm.
+description: Get started with the official Camunda 8 JavaScript SDK for Node.js.
---
As of 8.5.0, the official [Camunda 8 JavaScript SDK for Node.js](https://github.com/camunda/camunda-8-js-sdk) is available via [npm](https://www.npmjs.com/package/@camunda8/sdk).
diff --git a/versioned_docs/version-8.5/apis-tools/working-with-apis-tools.md b/versioned_docs/version-8.5/apis-tools/working-with-apis-tools.md
index 9ee4f2daecb..57e5bbf0d50 100644
--- a/versioned_docs/version-8.5/apis-tools/working-with-apis-tools.md
+++ b/versioned_docs/version-8.5/apis-tools/working-with-apis-tools.md
@@ -84,6 +84,9 @@ Additionally, visit our documentation on [Operate](../self-managed/operate-deplo
### SDKs
### Postman
diff --git a/versioned_docs/version-8.5/components/modeler/bpmn/user-tasks/user-tasks.md b/versioned_docs/version-8.5/components/modeler/bpmn/user-tasks/user-tasks.md
index 7f7d2d48815..b00e97e7c75 100644
--- a/versioned_docs/version-8.5/components/modeler/bpmn/user-tasks/user-tasks.md
+++ b/versioned_docs/version-8.5/components/modeler/bpmn/user-tasks/user-tasks.md
@@ -35,6 +35,11 @@ attributes can be specified simultaneously:
- `candidateUsers`: Specifies the users that the task can be assigned to.
- `candidateGroups`: Specifies the groups of users that the task can be assigned to.
+:::info
+The assignee attribute must adhere to the userId field’s case-sensitivity requirements.
+Note that in SaaS, all user IDs are converted to lowercase by default, as they are based on email addresses.
+:::
+
:::info
Assignment resources can also be used for set user task restrictions ([SaaS](/components/concepts/access-control/user-task-access-restrictions.md)/[Self-Managed](docs/self-managed/concepts/access-control/user-task-access-restrictions.md)), where users will see only the tasks they have authorization to work on.
:::
diff --git a/versioned_docs/version-8.5/components/modeler/desktop-modeler/use-connectors.md b/versioned_docs/version-8.5/components/modeler/desktop-modeler/use-connectors.md
index 921b5c0f693..6a0f28ee837 100644
--- a/versioned_docs/version-8.5/components/modeler/desktop-modeler/use-connectors.md
+++ b/versioned_docs/version-8.5/components/modeler/desktop-modeler/use-connectors.md
@@ -12,7 +12,7 @@ Desktop Modeler automatically fetches and updates [element templates](./element-
## Automatic Connector template fetching
-Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors.
+Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors. The fetch is triggered whenever you start the application, or every 24 hours if the application is not closed.
After an update check has concluded, a notification indicates if the templates are up to date or have been updated:
diff --git a/versioned_docs/version-8.6/apis-tools/node-js-sdk.md b/versioned_docs/version-8.6/apis-tools/node-js-sdk.md
index 583c837affb..b11e5f327d7 100644
--- a/versioned_docs/version-8.6/apis-tools/node-js-sdk.md
+++ b/versioned_docs/version-8.6/apis-tools/node-js-sdk.md
@@ -1,7 +1,7 @@
---
id: node-js-sdk
title: Node.js
-description: Get started with the official Camunda 8 JavaScript SDK for Node.js, available via npm.
+description: Get started with the official Camunda 8 JavaScript SDK for Node.js.
---
As of 8.5.0, the official [Camunda 8 JavaScript SDK for Node.js](https://github.com/camunda/camunda-8-js-sdk) is available via [npm](https://www.npmjs.com/package/@camunda8/sdk).
diff --git a/versioned_docs/version-8.6/apis-tools/spring-zeebe-sdk/configuration.md b/versioned_docs/version-8.6/apis-tools/spring-zeebe-sdk/configuration.md
index 6cff515bf51..5c644b42928 100644
--- a/versioned_docs/version-8.6/apis-tools/spring-zeebe-sdk/configuration.md
+++ b/versioned_docs/version-8.6/apis-tools/spring-zeebe-sdk/configuration.md
@@ -275,7 +275,7 @@ A custom maxMessageSize allows the client to receive larger or smaller responses
camunda:
client:
zeebe:
- max-message-size: 3
+ max-message-size: 4194304
```
### Request timeout
diff --git a/versioned_docs/version-8.6/apis-tools/working-with-apis-tools.md b/versioned_docs/version-8.6/apis-tools/working-with-apis-tools.md
index 766d9a434e5..37a4f546afe 100644
--- a/versioned_docs/version-8.6/apis-tools/working-with-apis-tools.md
+++ b/versioned_docs/version-8.6/apis-tools/working-with-apis-tools.md
@@ -72,6 +72,9 @@ Additionally, visit our documentation on [Operate](../self-managed/operate-deplo
### SDKs
### Postman
diff --git a/versioned_docs/version-8.6/components/modeler/bpmn/user-tasks/user-tasks.md b/versioned_docs/version-8.6/components/modeler/bpmn/user-tasks/user-tasks.md
index 90a64a6191c..b1a4919be5d 100644
--- a/versioned_docs/version-8.6/components/modeler/bpmn/user-tasks/user-tasks.md
+++ b/versioned_docs/version-8.6/components/modeler/bpmn/user-tasks/user-tasks.md
@@ -36,6 +36,11 @@ attributes can be specified simultaneously:
- `candidateUsers`: Specifies the users that the task can be assigned to.
- `candidateGroups`: Specifies the groups of users that the task can be assigned to.
+:::info
+The assignee attribute must adhere to the userId field’s case-sensitivity requirements.
+Note that in SaaS, all user IDs are converted to lowercase by default, as they are based on email addresses.
+:::
+
:::info
Assignment resources can also be used for set user task restrictions ([SaaS](/components/concepts/access-control/user-task-access-restrictions.md)/[Self-Managed](docs/self-managed/concepts/access-control/user-task-access-restrictions.md)), where users will see only the tasks they have authorization to work on.
:::
diff --git a/versioned_docs/version-8.6/components/modeler/desktop-modeler/use-connectors.md b/versioned_docs/version-8.6/components/modeler/desktop-modeler/use-connectors.md
index 921b5c0f693..6a0f28ee837 100644
--- a/versioned_docs/version-8.6/components/modeler/desktop-modeler/use-connectors.md
+++ b/versioned_docs/version-8.6/components/modeler/desktop-modeler/use-connectors.md
@@ -12,7 +12,7 @@ Desktop Modeler automatically fetches and updates [element templates](./element-
## Automatic Connector template fetching
-Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors.
+Automatic Connector template fetching is enabled by default, and notifies you of any updates or errors. The fetch is triggered whenever you start the application, or every 24 hours if the application is not closed.
After an update check has concluded, a notification indicates if the templates are up to date or have been updated:
diff --git a/versioned_docs/version-8.6/self-managed/console-deployment/configuration.md b/versioned_docs/version-8.6/self-managed/console-deployment/configuration.md
index 8bfa775bf15..9da243ab378 100644
--- a/versioned_docs/version-8.6/self-managed/console-deployment/configuration.md
+++ b/versioned_docs/version-8.6/self-managed/console-deployment/configuration.md
@@ -33,6 +33,20 @@ Console environment variables could be set in Helm via the `console.env` key. Fo
Camunda 8 components without a valid license may display **Non-Production License** in the navigation bar and issue warnings in the logs. These warnings have no impact on Console startup or functionality. To obtain a license, visit the [Camunda Enterprise page](https://camunda.com/platform/camunda-platform-enterprise-contact/).
:::
+### Proxy
+
+These settings are useful when the application needs to make outgoing network requests in environments that require traffic to pass through a proxy server.
+
+| Environment variable | Description | Example value | Default value |
+| -------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------- | ------------- |
+| `http_proxy` | Specifies the proxy server to be used for outgoing HTTP requests. | `http://proxy.example.com:8080` | - |
+| `https_proxy` | Specifies the proxy server to be used for outgoing HTTPS requests. | `https://secureproxy.example.com:443` | - |
+| `no_proxy` | A comma-separated list of domain names or IP addresses for which the proxy should be bypassed. | `localhost,127.0.0.1,.example.com` | - |
+
+:::note
+The proxy-related environment variables are lowercase because they follow a widely accepted convention used in many system environments and tools.
+:::
+
## Telemetry
You can enable telemetry and usage collection to help us improve our product by sending several telemetry metrics to Camunda. The information we collect will contribute to continuous product enhancement and help us understand how Camunda is used. We do not collect sensitive information and limit data points to several metrics. For more information, you can download collected data set metrics from the telemetry page at anytime.
diff --git a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
index 1a46c925e7b..328387b3915 100644
--- a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
+++ b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md
@@ -4,6 +4,8 @@ title: "Install Camunda 8 on an EKS cluster"
description: "Set up the Camunda 8 environment with Helm and an optional Ingress setup on Amazon EKS."
---
+
+
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
@@ -427,7 +429,6 @@ https://github.com/camunda/camunda-tf-eks-module/blob/main/examples/camunda-8.6/
Use these environment variables in the `kubectl` command to create the secret.
-- The values for `postgres-password` and `password` are not required if you are using an external database. If you choose not to use an external database, you must provide those values.
- The `smtp-password` should be replaced with the appropriate external value ([see how it's used by Web Modeler](/self-managed/modeler/web-modeler/configuration/configuration.md#smtp--email)).
```bash reference
diff --git a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
index 40fe91e4dc8..73c9e6c48ce 100644
--- a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
+++ b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md
@@ -4,6 +4,8 @@ title: "Deploy an EKS cluster with Terraform (advanced)"
description: "Deploy an Amazon Kubernetes Cluster (EKS) with a Terraform module for a quick Camunda 8 setup."
---
+
+
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
@@ -96,25 +98,25 @@ Advanced users may want to handle this part differently and use a different back
#### Set up AWS authentication
The [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) is required to create resources in AWS. Before you can use the provider, you must authenticate it using your AWS credentials.
-You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods.
-We recommend using the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+:::caution Ownership of the created resources
-To configure the AWS CLI:
+A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
-```bash
-aws configure
-```
+:::
-Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods:
-:::caution Ownership of the created resources
+- For development or testing purposes you can use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+ To configure the AWS CLI:
-A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
+ ```bash
+ aws configure
+ ```
-[Create access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` variables to use with the AWS CLI and `eksctl`
+ Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
-:::
+- For production environments, we recommend the use of a dedicated IAM user and [create access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
#### Create an S3 bucket for Terraform state management
diff --git a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg
new file mode 100644
index 00000000000..862eacd4fe0
Binary files /dev/null and b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.jpg differ
diff --git a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf
new file mode 100644
index 00000000000..5506e354c8c
Binary files /dev/null and b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/assets/rosa-single-region.pdf differ
diff --git a/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/terraform-setup.md b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/terraform-setup.md
new file mode 100644
index 00000000000..eca6ea8c5eb
--- /dev/null
+++ b/versioned_docs/version-8.6/self-managed/setup/deploy/amazon/openshift/terraform-setup.md
@@ -0,0 +1,384 @@
+---
+id: terraform-setup
+title: "Deploy a ROSA HCP Cluster with Terraform"
+description: "Deploy Red Hat OpenShift on AWS using a Terraform module for a quick Camunda 8 setup."
+---
+
+
+
+import Tabs from "@theme/Tabs";
+import TabItem from "@theme/TabItem";
+
+This guide provides a detailed tutorial for deploying a [Red Hat OpenShift on AWS (ROSA) cluster with Hosted Control Plane (HCP)](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html-single/architecture/index#architecture-overview) capabilities. It is specifically tailored for deploying Camunda 8 using Terraform, a widely-used Infrastructure as Code (IaC) tool.
+
+We recommend this guide for building a robust and sustainable infrastructure. However, if you are looking for a quicker trial or proof of concept, or if your needs aren't fully met by our module, consider following the official [ROSA Quickstart Guide](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/getting_started/rosa-quickstart-guide-ui#rosa-quickstart-guide-ui).
+
+This guide aims to help you leverage IaC to streamline and reproduce your cloud infrastructure setup. While it covers the essentials for deploying an ROSA HCP cluster, for more advanced use cases, please refer to the official [Red Hat OpenShift on AWS Documentation](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4).
+
+:::tip
+
+If you are completely new to Terraform and the idea of IaC, read through the [Terraform IaC documentation](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code) and give their [interactive quick start](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code#quick-start) a try for a basic understanding.
+
+:::
+
+## Requirements
+
+- A [Red Hat Account](https://www.redhat.com/) to create the Red Hat OpenShift cluster.
+- An [AWS account](https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html) to create any resources within AWS.
+- [AWS CLI (2.17+)](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html), a CLI tool for creating AWS resources.
+- [Terraform (1.9+)](https://developer.hashicorp.com/terraform/downloads)
+- [kubectl (1.30+)](https://kubernetes.io/docs/tasks/tools/#kubectl) to interact with the cluster.
+- [ROSA CLI](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/getting_started/rosa-quickstart-guide-ui#rosa-getting-started-environment-setup_rosa-quickstart-guide-ui) to interact with the cluster.
+- [jq (1.7+)](https://jqlang.github.io/jq/download/) to interact with some Terraform variables.
+- This guide uses GNU/Bash for all the shell commands listed.
+
+### Considerations
+
+This setup provides a foundational starting point for working with Camunda 8, though it is not optimized for peak performance. It serves as a solid initial step in preparing a production environment by leveraging [Infrastructure as Code (IaC) tools](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/infrastructure-as-code).
+
+Terraform can seem complex at first. If you're interested in understanding what each component does, consider trying out the [Red Hat OpenShift on AWS UI-based tutorial](https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/getting-started-with-rosa#creating-account-wide-roles). This guide will show you what resources are created and how they interact with each other.
+
+If you require managed services for PostgreSQL Aurora or OpenSearch, you can refer to the definitions provided in the [EKS setup with Terraform](../amazon-eks/terraform-setup.md) guide. However, please note that these configurations may need adjustments to fit your specific requirements and have not been tested. By default, this guide assumes that the database services (PostgreSQL and Elasticsearch) integrated into the default chart will be used.
+
+For testing Camunda 8 or developing against it, you might consider signing up for our [SaaS offering](https://camunda.com/platform/). If you already have a Red Hat OpenShift cluster on AWS, you can skip ahead to the [Helm setup guide](/self-managed/setup/deploy/openshift/redhat-openshift.md).
+
+To keep this guide concise, we provide links to additional documentation covering best practices, allowing you to explore each topic in greater depth.
+
+:::warning Cost management
+
+Following this guide will incur costs on your cloud provider account and your Red Hat account, specifically for the managed OpenShift service, OpenShift worker nodes running in EC2, the hosted control plane, Elastic Block Storage (EBS), and Route 53. For more details, refer to [ROSA AWS pricing](https://aws.amazon.com/rosa/pricing/) and the [AWS Pricing Calculator](https://calculator.aws/#/) as total costs vary by region.
+
+:::
+
+### Variants
+
+Unlike the [EKS Terraform setup](../amazon-eks/terraform-setup.md), we currently support only one main variant of this setup:
+
+- The **standard installation** uses a username and password connection for Camunda components (or relies solely on network isolation for certain components). This option is straightforward and easier to implement, making it ideal for environments where simplicity and rapid deployment are priorities, or where network isolation provides adequate security.
+
+- The second variant, **IRSA** (IAM Roles for Service Accounts), may work but has not been tested. If you’re interested in setting it up, please refer to the EKS guide as a foundational resource.
+
+### Outcome
+
+
+
+
+_Infrastructure diagram for a single region ROSA setup (click on the image to open the PDF version)_
+[](./assets/rosa-single-region.pdf)
+
+Following this tutorial and steps will result in:
+
+- A [Red Hat OpenShift with Hosted Control Plane](https://www.redhat.com/en/topics/containers/what-are-hosted-control-planes#rosa-with-hcp) cluster running the latest ROSA version with six nodes ready for Camunda 8 installation.
+- The [EBS CSI driver](https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html) is installed and configured, which is used by the Camunda 8 Helm chart to create [persistent volumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/).
+
+## 1. Configure AWS and initialize Terraform
+
+### Terraform prerequisites
+
+To manage the infrastructure for Camunda 8 on AWS using Terraform, we need to set up Terraform's backend to store the state file remotely in an S3 bucket. This ensures secure and persistent storage of the state file.
+
+:::note
+Advanced users may want to handle this part differently and use a different backend. The backend setup provided is an example for new users.
+:::
+
+#### Set up AWS authentication
+
+The [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) is required to create resources in AWS. Before you can use the provider, you must authenticate it using your AWS credentials.
+
+:::caution Ownership of the created resources
+
+A user who creates resources in AWS will always retain administrative access to those resources, including any Kubernetes clusters created. It is recommended to create a dedicated [AWS IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html) for Terraform purposes, ensuring that the resources are managed and owned by that user.
+
+:::
+
+You can further change the region and other preferences and explore different [authentication](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) methods:
+
+- For development or testing purposes you can use the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html). If you have configured your AWS CLI, Terraform will automatically detect and use those credentials.
+ To configure the AWS CLI:
+
+ ```bash
+ aws configure
+ ```
+
+ Enter your `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, region, and output format. These can be retrieved from the [AWS Console](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html).
+
+- For production environments, we recommend the use of a dedicated IAM user. Create [access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for the new IAM user via the console, and export them as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+
+#### Create an S3 bucket for Terraform state management
+
+Before setting up Terraform, you need to create an S3 bucket that will store the state file. This is important for collaboration and to prevent issues like state file corruption.
+
+To start, set the region as an environment variable upfront to avoid repeating it in each command:
+
+```bash
+export AWS_REGION=
+```
+
+Replace `` with your chosen AWS region (for example, `eu-central-1`).
+
+Now, follow these steps to create the S3 bucket with versioning enabled:
+
+1. Open your terminal and ensure the AWS CLI is installed and configured.
+
+1. Run the following command to create an S3 bucket for storing your Terraform state. Make sure to use a unique bucket name and set the `AWS_REGION` environment variable beforehand:
+
+ ```bash
+ # Replace "my-rosa-tf-state" with your unique bucket name
+ export S3_TF_BUCKET_NAME="my-rosa-tf-state"
+
+ aws s3api create-bucket --bucket "$S3_TF_BUCKET_NAME" --region "$AWS_REGION" \
+ --create-bucket-configuration LocationConstraint="$AWS_REGION"
+ ```
+
+1. Enable versioning on the S3 bucket to track changes and protect the state file from accidental deletions or overwrites:
+
+ ```bash
+ aws s3api put-bucket-versioning --bucket "$S3_TF_BUCKET_NAME" --versioning-configuration Status=Enabled --region "$AWS_REGION"
+ ```
+
+1. Secure the bucket by blocking public access:
+
+ ```bash
+ aws s3api put-public-access-block --bucket "$S3_TF_BUCKET_NAME" --public-access-block-configuration \
+ "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true" --region "$AWS_REGION"
+ ```
+
+1. Verify versioning is enabled on the bucket:
+
+ ```bash
+ aws s3api get-bucket-versioning --bucket "$S3_TF_BUCKET_NAME" --region "$AWS_REGION"
+ ```
+
+This S3 bucket will now securely store your Terraform state files with versioning enabled.
+
+#### Create a `config.tf` with the following setup
+
+Once the S3 bucket is created, configure your `config.tf` file to use the S3 backend for managing the Terraform state:
+
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/config.tf
+```
+
+#### Initialize Terraform
+
+Once your `config.tf` and authentication are set up, you can initialize your Terraform project. The previous steps configured a dedicated S3 Bucket (`S3_TF_BUCKET_NAME`) to store your state, and the following creates a bucket key that will be used by your configuration.
+
+Configure the backend and download the necessary provider plugins:
+
+```bash
+export S3_TF_BUCKET_KEY="camunda-terraform/terraform.tfstate"
+
+echo "Storing terraform state in s3://$S3_TF_BUCKET_NAME/$S3_TF_BUCKET_KEY"
+
+terraform init -backend-config="bucket=$S3_TF_BUCKET_NAME" -backend-config="key=$S3_TF_BUCKET_KEY"
+```
+
+Terraform will connect to the S3 bucket to manage the state file, ensuring remote and persistent storage.
+
+### OpenShift cluster module setup
+
+This module sets up the foundational configuration for ROSA HCP and Terraform usage.
+
+We will leverage [Terraform modules](https://developer.hashicorp.com/terraform/language/modules), which allow us to abstract resources into reusable components, simplifying infrastructure management.
+
+The [Camunda-provided module](https://github.com/camunda/camunda-tf-rosa) is publicly available and serves as a robust starting point for deploying a Red Hat OpenShift cluster on AWS using a Hosted Control Plane. It is highly recommended to review this module before implementation to understand its structure and capabilities.
+
+Please note that this module is based on the official [ROSA HCP Terraform module documentation](https://docs.openshift.com/rosa/rosa_hcp/terraform/rosa-hcp-creating-a-cluster-quickly-terraform.html). It is presented as an example for running Camunda 8 in ROSA. For advanced use cases or custom setups, we encourage you to use the official module, which includes vendor-supported features.
+
+#### Set up ROSA authentication
+
+To set up a ROSA cluster, certain prerequisites must be configured on your AWS account. Below is an excerpt from the [official ROSA planning prerequisites checklist](https://docs.openshift.com/rosa/rosa_planning/rosa-cloud-expert-prereq-checklist.html):
+
+1. Verify that your AWS account is correctly configured:
+
+ ```bash
+ aws sts get-caller-identity
+ ```
+
+1. Check if the ELB service role exists, as if you have never created a load balancer in your AWS account, the role for Elastic Load Balancing (ELB) might not exist yet:
+
+ ```bash
+ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
+ ```
+
+ If it doesn't exist, create it:
+
+ ```bash
+ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
+ ```
+
+1. Create a Red Hat Hybrid Cloud Console account if you don’t already have one: [Red Hat Hybrid Cloud Console](https://console.redhat.com/).
+
+1. Enable ROSA on your AWS account via the [AWS Console](https://console.aws.amazon.com/rosa/).
+
+1. Enable HCP ROSA on [AWS Marketplace](https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-rosa-hcp-activation-and-account-linking-tutorial.html):
+
+ - Navigate to the ROSA console: [AWS ROSA Console](https://console.aws.amazon.com/rosa).
+ - Choose **Get started**.
+ - On the **Verify ROSA prerequisites** page, select **I agree to share my contact information with Red Hat**.
+ - Choose **Enable ROSA**.
+
+ **Note**: Only a single AWS account can be associated with a Red Hat account for service billing.
+
+1. Install the ROSA CLI from the [OpenShift AWS Console](https://console.redhat.com/openshift/downloads#tool-rosa).
+
+1. Get an API token, go to the [OpenShift Cluster Management API Token](https://console.redhat.com/openshift/token/rosa), click **Load token**, and save it. Use the token to log in with ROSA CLI:
+
+ ```bash
+ export RHCS_TOKEN=""
+ rosa login --token="$RHCS_TOKEN"
+
+ # Verify the login
+ rosa whoami
+ ```
+
+1. Verify your AWS quotas:
+
+ ```bash
+ rosa verify quota --region="$AWS_REGION"
+ ```
+
+ **Note**: This may fail due to organizational policies.
+
+1. Create the required account roles:
+
+ ```bash
+ rosa create account-roles --mode auto
+ ```
+
+1. Verify your AWS quotas, and if quotas are insufficient, consult the following:
+
+ - [Provisioned AWS Infrastructure](https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs)
+ - [Required AWS Service Quotas](https://docs.openshift.com/rosa/rosa_planning/rosa-sts-required-aws-service-quotas.html#rosa-sts-required-aws-service-quotas)
+
+1. Ensure the `oc` CLI is installed. If it’s not already installed, follow the [official ROSA oc installation guide](https://docs.openshift.com/rosa/cli_reference/openshift_cli/getting-started-cli.html#cli-getting-started):
+
+ ```bash
+ rosa verify openshift-client
+ ```
+
+#### Set up the ROSA cluster module
+
+1. Create a `cluster.tf` file in the same directory as your `config.tf` file.
+2. Add the following content to your newly created `cluster.tf` file to utilize the provided module:
+
+ :::note Configure your cluster
+
+ Please customize the cluster name, availability zones, with the values you previously retrieved from the Red Hat Console.
+ Additionally, provide a secure username and password for the cluster administrator.
+
+ Ensure that you have set the environment `RHCS_TOKEN` is set with your [OpenShift Cluster Management API Token](https://console.redhat.com/openshift/token/rosa).
+
+ By default, this cluster will be accessible from the internet. If you prefer to restrict access, please refer to the official documentation of the module.
+
+ :::
+
+ ```hcl reference
+ https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/cluster.tf
+ ```
+
+ :::caution Camunda Terraform module
+
+ This ROSA module is based on the [official Red Hat Terraform module for ROSA HCP](https://registry.terraform.io/modules/terraform-redhat/rosa-hcp/rhcs/latest). Please be aware of potential differences and choices in implementation between this module and the official one.
+
+ We invite you to consult the [Camunda ROSA module documentation](https://github.com/camunda/camunda-tf-rosa/blob/v2.0.0/modules/rosa-hcp/README.md) for more information.
+
+ :::
+
+3. [Initialize](#initialize-terraform) Terraform for this module using the following Terraform command:
+
+ ```bash
+ terraform init -backend-config="bucket=$S3_TF_BUCKET_NAME" -backend-config="key=$S3_TF_BUCKET_KEY"
+ ```
+
+4. Configure user access to the cluster. By default, the user who creates the OpenShift cluster has administrative access, if you want to grant access to other users, please follow the [Red Hat documentation for granting admin rights to users](https://docs.openshift.com/rosa/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-admin-rights.html) when the cluster is created.
+
+5. Customize the cluster setup. The module offers various input options that allow you to further customize the cluster configuration. For a comprehensive list of available options and detailed usage instructions, refer to the [ROSA module documentation](https://github.com/camunda/camunda-tf-rosa/blob/v2.0.0/modules/rosa-hcp/README.md).
+
+### Define outputs
+
+**Terraform** allows you to define outputs, which make it easier to retrieve important values generated during execution, such as cluster endpoints and other necessary configurations for Helm setup.
+
+Each module that you have previously set up contains an output definition at the end of the file. You can adjust them to your needs.
+
+### Execution
+
+:::note Secret management
+
+We strongly recommend managing sensitive information such as the OpenSearch, Aurora username and password using a secure secrets management solution like HashiCorp Vault. For details on how to inject secrets directly into Terraform via Vault, see the [Terraform Vault Secrets Injection Guide](https://developer.hashicorp.com/terraform/tutorials/secrets/secrets-vault).
+
+:::
+
+1. Open a terminal in the created Terraform folder where `config.tf` and other `.tf` files are.
+
+2. Plan the configuration files:
+
+ ```bash
+ terraform plan -out cluster.plan # describe what will be created
+ ```
+
+3. After reviewing the plan, you can confirm and apply the changes.
+
+ ```bash
+ terraform apply cluster.plan # apply the creation
+ ```
+
+Terraform will now create the OpenShift cluster with all the necessary configurations. The completion of this process may require approximately 20-30 minutes for each component.
+
+### Reference files
+
+Depending on the installation path you have chosen, you can find the reference files used on this page:
+
+- **Standard installation:** [Reference Files](https://github.com/camunda/camunda-deployment-references/tree/feature/openshift-ra-standard/aws/rosa-hcp/camunda-versions/8.6)
+
+## 2. Preparation for Camunda 8 installation
+
+### Access the created OpenShift cluster
+
+You can access the created OpenShift cluster using the following steps:
+
+Set up the required environment variables:
+
+```shell
+export CLUSTER_NAME="$(terraform console <<
+
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
Red Hat OpenShift, a Kubernetes distribution maintained by [Red Hat](https://www.redhat.com/en/technologies/cloud-computing/openshift), provides options for both managed and on-premises hosting.
-:::note
-Deploying Camunda 8 on Red Hat OpenShift is achievable using Helm, given the appropriate configurations. However, it's important to note that the [Security Context Constraints (SCCs)](#security-context-constraints-sccs) and [Routes](./redhat-openshift.md?current-ingress=openshift-routes#using-openshift-routes) configurations might require slight deviations from the guidelines provided in the [general Helm deployment guide](/self-managed/setup/install.md).
-:::
+Deploying Camunda 8 on Red Hat OpenShift is supported using Helm, given the appropriate configurations.
+
+However, it's important to note that the [Security Context Constraints (SCCs)](#security-context-constraints-sccs) and [Routes](./redhat-openshift.md?current-ingress=openshift-routes#using-openshift-routes) configurations might require slight deviations from the guidelines provided in the [general Helm deployment guide](/self-managed/setup/install.md).
## Cluster Specification
When deploying Camunda 8 on an OpenShift cluster, the cluster specification should align with your specific requirements and workload characteristics. Here's a suggested configuration to begin with:
-- **Instance type:** 4 vCPUs (x86_64, >3.1 GHz), 16 GiB Memory (for example, [m5.xlarge on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
+- **Instance type:** 4 vCPUs (x86_64, >3.1 GHz), 16 GiB Memory (for example, [mi7.xlarge on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
- **Number of dedicated nodes:** 4
- **Volume type:** SSD volumes (with between 1000 and 3000 IOPS per volume, and a throughput of 1,000 MB/s per volume, for instance, [gp3 on AWS](https://aws.amazon.com/en/ebs/general-purpose/))
+If you need to set up an OpenShift cluster on a cloud provider, we recommend our [guide to deploying a ROSA cluster](/self-managed/setup/deploy/amazon/openshift/terraform-setup.md).
+
### Supported Versions
We conduct testing and ensure compatibility against the following OpenShift versions:
| OpenShift Version | [End of Support Date](https://access.redhat.com/support/policy/updates/openshift) |
| ----------------- | --------------------------------------------------------------------------------- |
+| 4.17.x | June 27, 2025 |
| 4.16.x | December 27, 2025 |
| 4.15.x | August 27, 2025 |
| 4.14.x | May 1, 2025 |
-| 4.13.x | November 17, 2024 |
-:::caution
+:::caution Version compatibility
+
Camunda 8 supports OpenShift versions in the Red Hat General Availability, Full Support, and Maintenance Support life cycle phases. For more information, refer to the [Red Hat OpenShift Container Platform Life Cycle Policy](https://access.redhat.com/support/policy/updates/openshift).
+
:::
-## Deploying Camunda 8 in OpenShift
+## Requirements
-Depending on your OpenShift cluster's Security Context Constraints (SCCs) configuration, the deployment process may vary.
+- [Helm (3.16+)](https://helm.sh/docs/intro/install/)
+- [kubectl (1.30+)](https://kubernetes.io/docs/tasks/tools/#kubectl) to interact with the cluster.
+- [jq (1.7+)](https://jqlang.github.io/jq/download/) to interact with some variables.
+- [GNU envsubst](https://www.gnu.org/software/gettext/manual/html_node/envsubst-Invocation.html) to generate manifests.
+- [oc (version supported by your OpenShift)](https://docs.openshift.com/container-platform/4.17/cli_reference/openshift_cli/getting-started-cli.html) to interact with OpenShift.
+- A namespace to host the Camunda Platform, in this guide we will reference `camunda` as the target namespace.
-
-
+## Deploy Camunda 8 via Helm charts
+
+### Configure your deployment
+
+Start by creating a `values.yml` file to store the configuration for your environment.
+This file will contain key-value pairs that will be substituted using `envsubst`.
+Over this guide, you will add and merge values in this file to configure your deployment to fit your needs.
+
+You can find a reference example of this file here:
+
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/base.yml
+```
+
+:::warning Merging YAML files
+
+This guide references multiple configuration files that need to be merged into a single YAML file. Be cautious to avoid duplicate keys when merging the files. Additionally, pay close attention when copying and pasting YAML content. Ensure that the separator notation `---` does not inadvertently split the configuration into multiple documents.
+
+We strongly recommend double-checking your YAML file before applying it. You can use tools like [yamllint.com](https://www.yamllint.com/) or the [YAML Lint CLI](https://github.com/adrienverge/yamllint) if you prefer not to share your information online.
+
+:::
+
+#### Configuring the Ingress
+
+Before exposing services outside the cluster, we need an Ingress component. Here's how you can configure it:
+
+
+
+
+
+[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) expose services externally by linking a URL to a service within the cluster. OpenShift supports both the [standard Kubernetes Ingress and routes](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html), giving cluster users the flexibility to choose.
+
+The presence of routes is rooted in their specification predating Ingress. The functionality of routes differs from Ingress; for example, unlike Ingress, routes don't allow multiple services to be linked to a single route or the use of paths.
+
+To use these routes for the Zeebe Gateway, configure this through Ingress as well.
+
+#### Setting Up the application domain for Camunda 8
+
+The route created by OpenShift will use a domain to provide access to the platform. By default, you can use the OpenShift applications domain, but any other domain supported by the router can also be used.
+
+To retrieve the OpenShift applications domain (used as an example here), run the following command:
-### With restrictive SCCs
+```bash
+export OPENSHIFT_APPS_DOMAIN=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')
+```
+
+Next, define the route domain that will be used for the Camunda 8 deployment. For example:
+
+```bash
+export DOMAIN_NAME="camunda.$OPENSHIFT_APPS_DOMAIN"
+
+echo "Camunda 8 will be reachable from $DOMAIN_NAME"
+```
+
+If you choose to use a custom domain instead, ensure it is supported by your router configuration and replace the example domain with your desired domain. For more details on configuring custom domains in OpenShift, refer to the official [custom domain OpenShift documentation](https://docs.openshift.com/dedicated/applications/deployments/osd-config-custom-domains-applications.html).
+
+#### Checking if HTTP/2 is enabled
+
+As the Zeebe Gateway also uses `gRPC` (which relies on `HTTP/2`), [HTTP/2 Ingress Connectivity must be enabled](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress).
+
+To check if HTTP/2 is already enabled on your OpenShift cluster, run the following command:
+
+```bash
+oc get ingresses.config/cluster -o json | jq '.metadata.annotations."ingress.operator.openshift.io/default-enable-http2"'
+```
+
+Alternatively, if you use a dedicated IngressController for the deployment:
+
+```bash
+# List your IngressControllers
+oc -n openshift-ingress-operator get ingresscontrollers
+
+# Replace with your IngressController name
+oc -n openshift-ingress-operator get ingresscontrollers/ -o json | jq '.metadata.annotations."ingress.operator.openshift.io/default-enable-http2"'
+```
+
+- If the output is `"true"`, it means HTTP/2 is enabled.
+- If the output is `null` or empty, HTTP/2 is not enabled.
+
+
+ Enable HTTP/2
+
+If HTTP/2 is not enabled, you can enable it by running the following command:
+
+**IngressController configuration:**
+
+```bash
+oc -n openshift-ingress-operator annotate ingresscontrollers/ ingress.operator.openshift.io/default-enable-http2=true
+```
+
+**Global cluster configuration:**
+
+```bash
+oc annotate ingresses.config/cluster ingress.operator.openshift.io/default-enable-http2=true
+```
+
+This will add the necessary annotation to [enable HTTP/2 for Ingress in your OpenShift cluster](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress) globally on the cluster.
+
+
+
+#### Configure Route TLS
+
+Additionally, the Zeebe Gateway should be configured to use an encrypted connection with TLS. In OpenShift, the connection from HAProxy to the Zeebe Gateway service can use HTTP/2 only for re-encryption or pass-through routes, and not for edge-terminated or insecure routes.
+
+1. **Zeebe Gateway:** two [TLS secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for the Zeebe Gateway are required, one for the **service** and the other one for the **route**:
+
+ - The first TLS secret is issued to the Zeebe Gateway Service Name. This must use the [PKCS #8 syntax](https://en.wikipedia.org/wiki/PKCS_8) or [PKCS #1 syntax](https://en.wikipedia.org/wiki/PKCS_1) as Zeebe only supports these, referenced as `camunda-platform-internal-service-certificate`.
+
+ In the example below, a TLS certificate is generated for the Zeebe Gateway service with an [annotation](https://docs.openshift.com/container-platform/latest/security/certificates/service-serving-certificate.html). The generated certificate will be in the form of a secret.
+
+ Another option is [Cert Manager](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html). For more details, review the [OpenShift documentation](https://docs.openshift.com/container-platform/latest/networking/routes/secured-routes.html#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes).
+
+
+ PKCS #8, PKCS #1 syntax
+
+ > PKCS #1 private key encoding. PKCS #1 produces a PEM block that contains the private key algorithm in the header and the private key in the body. A key that uses this can be recognised by its BEGIN RSA PRIVATE KEY or BEGIN EC PRIVATE KEY header. NOTE: This encoding is not supported for Ed25519 keys. Attempting to use this encoding with an Ed25519 key will be ignored and default to PKCS #8.
+
+ > PKCS #8 private key encoding. PKCS #8 produces a PEM block with a static header and both the private key algorithm and the private key in the body. A key that uses this encoding can be recognised by its BEGIN PRIVATE KEY header.
+
+ [PKCS #1, PKCS #8 syntax definitionfrom cert-manager](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.PrivateKeyEncoding)
+
+
+
+ - The second TLS secret is used on the exposed route, referenced as `camunda-platform-external-certificate`. For example, this would be the same TLS secret used for Ingress. We also configure the Zeebe Gateway Ingress to create a [Re-encrypt Route](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration).
+
+ Finally, we mount the **Service Certificate Secret** (`camunda-platform-internal-service-certificate`) to the Zeebe Gateway Pod.
+ Update your `values.yml` file with the following:
+
+ ```yaml reference
+ https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/zeebe-gateway-route.yml
+ ```
+
+ The domain used by the Zeebe Gateway for gRPC is `zeebe-$DOMAIN_NAME` which different from the one used for the rest, namely `$DOMAIN_NAME`, to avoid any conflicts. It is also important to note that the port used for gRPC is `443`.
+
+2. **Operate:** mount the **Service Certificate Secret** to the Operate pod and configure the secure TLS connection. Here, only the `tls.crt` file is required.
+
+Update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/operate-route.yml
+```
+
+The actual configuration properties can be reviewed [in the Operate configuration documentation](/self-managed/operate-deployment/operate-configuration.md#zeebe-broker-connection).
+
+1. **Tasklist:** mount the **Service Certificate Secret** to the Tasklist pod and configure the secure TLS connection. Here, only the `tls.crt` file is required.
+
+ Update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/tasklist-route.yml
+```
+
+The actual configuration properties can be reviewed [in the Tasklist configuration documentation](/self-managed/tasklist-deployment/tasklist-configuration.md#zeebe-broker-connection).
+
+1. **Connectors:** update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/connectors-route.yml
+```
+
+The actual configuration properties can be reviewed [in the Connectors configuration documentation](/self-managed/connectors-deployment/connectors-configuration.md#zeebe-broker-connection).
+
+1. Configure all other applications running inside the cluster and connecting to the Zeebe Gateway to also use TLS.
+
+1. Set up the global configuration to enable the single Ingress definition with the host. Update your configuration file as shown below:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/domain.yml
+```
+
+
+
+
+
+
+
+
+[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) serve as OpenShift's default Ingress implementation.
+
+If you find that its features aren't suitable for your needs, or if you prefer to use a Kubernetes-native Ingress controller, such as the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx), [you have that option](https://www.redhat.com/en/blog/a-guide-to-using-routes-ingress-and-gateway-apis-in-kubernetes-without-vendor-lock-in).
+
+For guidance on installing an Ingress controller, you can refer to the [Ingress Setup documentation](/self-managed/setup/guides/ingress-setup.md).
+
+:::note Difference between ingress-nginx and NGINX Ingress
+
+Do not confuse the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx) with the [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift) that is endorsed by Red Hat for usage with OpenShift. Despite very similar names, they are two different products.
+
+If you should decide to use the Red Hat endorsed [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift), you would require additional adjustments done to the Camunda 8 Ingress objects and the NGINX Ingress Controller itself to make `gRPC` and `HTTP/2` connections work. In that case, please refer to the [example and the prerequisites](https://github.com/nginxinc/kubernetes-ingress/blob/main/examples/ingress-resources/grpc-services/README.md).
+
+:::
+
+
+
+If you do not have a domain name or do not intend to use one for your Camunda 8 deployment, external access to Camunda 8 web endpoints from outside the OpenShift cluster will not be possible.
+
+However, you can use `kubectl port-forward` to access the Camunda platform without a domain name or Ingress configuration. For more information, refer to the [kubectl port-forward documentation](https://kubernetes.io/docs/reference/kubectl/generated/kubectl_port-forward/).
+
+To make this work, you will need to configure the deployment to reference `localhost` with the forwarded port. Update your `values.yml` file with the following:
+
+```yaml reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-domain.yml
+```
+
+
+
+#### Configuring the Security Context Constraints
+
+Depending on your OpenShift cluster's Security Context Constraints (SCCs) configuration, the deployment process may vary.
By default, OpenShift employs more restrictive SCCs. The Helm chart must assign `null` to the user running all components and dependencies.
+
+
+
+
The `global.compatibility.openshift.adaptSecurityContext` variable in your values.yaml can be used to set the following possible values:
- `force`: The `runAsUser` and `fsGroup` values will be null in all components.
- `disabled`: The `runAsUser` and `fsGroup` values will not be modified (default).
-To deploy Camunda 8 on OpenShift:
-
-1. Install [Helm and other CLI tools](/self-managed/setup/install.md#prerequisites).
-2. Install the [Camunda Helm chart repository](/self-managed/setup/install.md#helm-repository).
-3. Set `global.compatibility.openshift.adaptSecurityContext` to `force`
-
-```shell
-helm install camunda camunda/camunda-platform --skip-crds \
- --set global.compatibility.openshift.adaptSecurityContext=force
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/scc.yml
```
-### With permissive SCCs
-
To use permissive SCCs, simply install the charts as they are. Follow the [general Helm deployment guide](/self-managed/setup/install.md).
+```hcl reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/helm-values/no-scc.yml
+```
+
-## Available Configurations of OpenShift Components
+#### Enable Enterprise components
+
+Some components are not enabled by default in this deployment. For more information on how to configure and enable these components, refer to [configuring Enterprise components and Connectors](/self-managed/setup/install.md#configuring-enterprise-components-and-connectors).
+
+#### Fill your deployment with actual values
+
+Once you've prepared the `values.yml` file, run the following `envsubst` command to substitute the environment variables with their actual values:
+
+```bash
+# generate the final values
+envsubst < values.yml > generated-values.yml
+
+# print the result
+cat generated-values.yml
+```
+
+:::info Camunda Helm chart no longer automatically generates passwords
+
+Starting from **Camunda 8.6**, the Helm chart deprecated the automatic generation of secrets, and this feature has been fully removed in **Camunda 8.7**.
+
+:::
+
+Next, store various passwords in a Kubernetes secret, which will be used by the Helm chart. Below is an example of how to set up the required secret. You can use `openssl` to generate random secrets and store them in environment variables:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/generate-passwords.sh
+```
+
+Use these environment variables in the `kubectl` command to create the secret.
+
+- The `smtp-password` should be replaced with the appropriate external value ([see how it's used by Web Modeler](/self-managed/modeler/web-modeler/configuration/configuration.md#smtp--email)).
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/create-identity-secret.sh
+```
+
+### Install Camunda 8 using Helm
+
+Now that the `generated-values.yml` is ready, you can install Camunda 8 using Helm.
+
+The following are the required environment variables with some example values:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/chart-env.sh
+```
+
+Then run the following command:
+
+```bash reference
+https://github.com/camunda/camunda-deployment-references/blob/main/aws/rosa-hcp/camunda-versions/8.6/procedure/install/install-chart.sh
+```
+
+This command:
+
+- Installs (or upgrades) the Camunda platform using the Helm chart.
+- Substitutes the appropriate version using the `$CAMUNDA_HELM_CHART_VERSION` environment variable.
+- Applies the configuration from `generated-values.yml`.
+
+:::note
+
+This guide uses `helm upgrade --install` as it runs install on initial deployment and upgrades future usage. This may make it easier for future [Camunda 8 Helm upgrades](/self-managed/setup/upgrade.md) or any other component upgrades.
+
+:::
+
+You can track the progress of the installation using the following command:
+
+```bash
+watch -n 5 '
+ kubectl get pods -n camunda --output=wide;
+ if [ $(kubectl get pods -n camunda --field-selector=status.phase!=Running -o name | wc -l) -eq 0 ] &&
+ [ $(kubectl get pods -n camunda -o json | jq -r ".items[] | select(.status.containerStatuses[]?.ready == false)" | wc -l) -eq 0 ];
+ then
+ echo "All pods are Running and Healthy - Installation completed!";
+ else
+ echo "Some pods are not Running or Healthy";
+ fi
+'
+```
+
+## Verify connectivity to Camunda 8
+
+Please follow our [guide to verify connectivity to Camunda 8](/self-managed/setup/deploy/amazon/amazon-eks/eks-helm.md#verify-connectivity-to-camunda-8)
+
+:::caution Domain name for gRPC Zeebe
+
+In this setup, the domain used for gRPC communication with Zeebe is slightly different from the one in the guide. Instead of using `zeebe.$DOMAIN_NAME`, you need to use `zeebe-$DOMAIN_NAME`.
+
+:::
+
+## Pitfalls to avoid
+
+For general deployment pitfalls, visit the [deployment troubleshooting guide](/self-managed/operational-guides/troubleshooting/troubleshooting.md).
### Security Context Constraints (SCCs)
@@ -144,220 +449,3 @@ If you deploy Camunda 8 (and related infrastructure) with permissive SCCs out of
-
-## Ingress Configuration
-
-Before exposing services outside the cluster, we need an Ingress component. Here's how you can configure it:
-
-
-
-
-### Using Kubernetes Ingress
-
-[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) serve as OpenShift's default Ingress implementation.
-
-If you find that its features aren't suitable for your needs, or if you prefer to use a Kubernetes-native Ingress controller, such as the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx), [you have that option](https://www.redhat.com/en/blog/a-guide-to-using-routes-ingress-and-gateway-apis-in-kubernetes-without-vendor-lock-in).
-
-For guidance on installing an Ingress controller, you can refer to the [Ingress Setup documentation](/self-managed/setup/guides/ingress-setup.md).
-
-:::note Difference between ingress-nginx and NGINX Ingress
-
-Do not confuse the [ingress-nginx controller](https://github.com/kubernetes/ingress-nginx) with the [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift) that is endorsed by Red Hat for usage with OpenShift. Despite very similar names, they are two different products.
-
-If you should decide to use the Red Hat endorsed [NGINX Ingress Controller](https://www.redhat.com/en/blog/using-nginx-ingress-controller-red-hat-openshift), you would require additional adjustments done to the Camunda 8 Ingress objects and the NGINX Ingress Controller itself to make `gRPC` and `HTTP/2` connections work. In that case, please refer to the [example and the prerequisites](https://github.com/nginxinc/kubernetes-ingress/blob/main/examples/ingress-resources/grpc-services/README.md).
-
-:::
-
-
-
-
-### Using OpenShift Routes
-
-[Routes](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html) expose services externally by linking a URL to a service within the cluster. [OpenShift supports both the standard Kubernetes Ingress and routes](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html), giving cluster users the flexibility to choose.
-
-The presence of routes is rooted in their specification predating Ingress. It's worth noting that the functionality of routes differs from Ingress; for example, unlike Ingress, routes don't allow multiple services to be linked to a single route or the use of paths.
-
-To use these routes for the Zeebe Gateway, configure this through Ingress as well.
-
-#### Prerequisite
-
-As the Zeebe Gateway also uses `gRPC` (which relies on `HTTP/2`), [HTTP/2 Ingress Connectivity has to be enabled](https://docs.openshift.com/container-platform/latest/networking/ingress-operator.html#nw-http2-haproxy_configuring-ingress).
-
-Additionally, the Zeebe Gateway should be configured to use an encrypted connection with TLS. In OpenShift, the connection from HAProxy to the Zeebe Gateway service can use HTTP/2 only for re-encryption or pass-through routes, and not for edge-terminated or insecure routes.
-
-#### Required Steps
-
-1. Provide two [TLS secrets](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for the Zeebe Gateway.
-
- - The first TLS secret is issued to the Zeebe Gateway Service Name. This must use the [PKCS #8 syntax](https://en.wikipedia.org/wiki/PKCS_8) or [PKCS #1 syntax](https://en.wikipedia.org/wiki/PKCS_1) as Zeebe only supports these, referenced as `camunda-platform-internal-service-certificate`.
-
- In the example below, a TLS certificate is generated for the Zeebe Gateway service with an [annotation](https://docs.openshift.com/container-platform/latest/security/certificates/service-serving-certificate.html). The generated certificate will be in the form of a secret.
-
- ```yaml
- zeebeGateway:
- service:
- annotations:
- service.beta.openshift.io/serving-cert-secret-name: camunda-platform-internal-service-certificate
- ```
-
- Another option is [Cert Manager](https://docs.openshift.com/container-platform/latest/security/cert_manager_operator/index.html). For more details, review the [OpenShift documentation](https://docs.openshift.com/container-platform/latest/networking/routes/secured-routes.html#nw-ingress-creating-a-reencrypt-route-with-a-custom-certificate_secured-routes).
-
-
- PKCS #8, PKCS #1 syntax
-
- > PKCS #1 private key encoding. PKCS #1 produces a PEM block that contains the private key algorithm in the header and the private key in the body. A key that uses this can be recognised by its BEGIN RSA PRIVATE KEY or BEGIN EC PRIVATE KEY header. NOTE: This encoding is not supported for Ed25519 keys. Attempting to use this encoding with an Ed25519 key will be ignored and default to PKCS #8.
-
- > PKCS #8 private key encoding. PKCS #8 produces a PEM block with a static header and both the private key algorithm and the private key in the body. A key that uses this encoding can be recognised by its BEGIN PRIVATE KEY header.
-
- [PKCS #1, PKCS #8 syntax definitionfrom cert-manager](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.PrivateKeyEncoding)
-
-
-
- - The second TLS secret is used on the exposed route, referenced as `camunda-platform-external-certificate`. For example, this would be the same TLS secret used for Ingress.
-
-1. Configure your Zeebe Gateway Ingress to create a [Re-encrypt Route](https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-ingress-creating-a-route-via-an-ingress_route-configuration):
-
- ```yaml
- zeebeGateway:
- ingress:
- grpc:
- annotations:
- route.openshift.io/termination: reencrypt
- route.openshift.io/destination-ca-certificate-secret: camunda-platform-internal-service-certificate
- className: openshift-default
- tls:
- enabled: true
- secretName: camunda-platform-external-certificate
- ```
-
-1. Mount the **Service Certificate Secret** to the Zeebe Gateway Pod:
-
- ```yaml
- zeebeGateway:
- env:
- - name: ZEEBE_GATEWAY_SECURITY_ENABLED
- value: "true"
- - name: ZEEBE_GATEWAY_SECURITY_CERTIFICATECHAINPATH
- value: /usr/local/zeebe/config/tls.crt
- - name: ZEEBE_GATEWAY_SECURITY_PRIVATEKEYPATH
- value: /usr/local/zeebe/config/tls.key
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/zeebe/config/tls.crt
- subPath: tls.crt
- - name: key
- mountPath: /usr/local/zeebe/config/tls.key
- subPath: tls.key
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- - name: key
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.key
- path: tls.key
- defaultMode: 420
- ```
-
-1. Mount the **Service Certificate Secret** to the Operate and Tasklist pods and configure the secure TLS connection. Here, only the `tls.crt` file is required.
-
- For Operate:
-
- ```yaml
- operate:
- env:
- - name: CAMUNDA_OPERATE_ZEEBE_SECURE
- value: "true"
- - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH
- value: /usr/local/operate/config/tls.crt
- - name: CAMUNDA_OPERATE_ZEEBE_BROKERCONTACTPOINT
- value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/operate/config/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Operate configuration documentation](/self-managed/operate-deployment/operate-configuration.md#zeebe-broker-connection).
-
- For Tasklist:
-
- ```yaml
- tasklist:
- env:
- - name: CAMUNDA_TASKLIST_ZEEBE_SECURE
- value: "true"
- - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH
- value: /usr/local/tasklist/config/tls.crt
- - name: CAMUNDA_TASKLIST_ZEEBE_BROKERCONTACTPOINT
- value: camunda-zeebe-gateway.camunda.svc.cluster.local:26500
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/tasklist/config/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Tasklist configuration documentation](/self-managed/tasklist-deployment/tasklist-configuration.md#zeebe-broker-connection).
-
-1. Configure Connectors:
-
- ```yaml
- connectors:
- inbound:
- mode: oauth
- env:
- - name: ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS
- value: "camunda-zeebe-gateway.camunda.svc.cluster.local:26500"
- - name: ZEEBE_CLIENT_SECURITY_PLAINTEXT
- value: "false"
- - name: CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH
- value: /usr/local/certificates/tls.crt
- extraVolumeMounts:
- - name: certificate
- mountPath: /usr/local/certificates/tls.crt
- subPath: tls.crt
- extraVolumes:
- - name: certificate
- secret:
- secretName: camunda-platform-internal-service-certificate
- items:
- - key: tls.crt
- path: tls.crt
- defaultMode: 420
- ```
-
- The actual configuration properties can be reviewed [in the Connectors configuration documentation](/self-managed/connectors-deployment/connectors-configuration.md#zeebe-broker-connection).
-
-1. Configure all other applications running inside the cluster and connecting to the Zeebe Gateway to also use TLS.
-
-
-
-
-
-
-
-## Pitfalls to avoid
-
-For general deployment pitfalls, visit the [deployment troubleshooting guide](/self-managed/operational-guides/troubleshooting/troubleshooting.md).
diff --git a/versioned_sidebars/version-8.6-sidebars.json b/versioned_sidebars/version-8.6-sidebars.json
index 66f10535b88..cff47e1dc55 100644
--- a/versioned_sidebars/version-8.6-sidebars.json
+++ b/versioned_sidebars/version-8.6-sidebars.json
@@ -1834,6 +1834,17 @@
"self-managed/setup/deploy/amazon/amazon-eks/irsa"
]
},
+ {
+ "type": "category",
+ "label": "ROSA",
+ "link": {
+ "type": "doc",
+ "id": "self-managed/setup/deploy/amazon/openshift/terraform-setup"
+ },
+ "items": [
+ "self-managed/setup/deploy/amazon/openshift/terraform-setup"
+ ]
+ },
"self-managed/setup/deploy/amazon/aws-marketplace"
],
"Microsoft (Azure)": [