Use existing PostgreSQL
This guide steps through using an existing PostgreSQL instance. By default, Helm chart deployment creates a new PostgreSQL instance, but it's possible to use an existing, external PostgreSQL Service instead.
Three Camunda 8 Self-Managed components use PostgreSQL:
- Identity
- Keycloak
- Web Modeler
For more details, review the architecture documentation.
Prerequisites
Supported version
To confirm the supported version of PostgreSQL, check the supported environments page.
Authentication
Make sure you have the following information for your existing PostgreSQL instance. For the sake of this guide, sample values will be used:
- host:
db.example.com
- port:
5432
- username:
postgres
- password:
examplePassword
Database setup
Ensure you have created the relevant databases in your PostgreSQL instance. For this guide, we will create the following databases:
CREATE DATABASE "web-modeler";
CREATE DATABASE "keycloak";
CREATE DATABASE "identity";
Creating Kubernetes secrets
Once you have confirmed the above, create a Kubernetes secret for the database password so you do not have to refer to sensitive information in plain text within your values.yaml
.
A secret for the existing PostgreSQL instance can be created like this:
kubectl create secret generic camunda-psql-db --from-literal=password=examplePassword -n camunda
This secret will exist outside the Helm chart and will not be affected on subsequent helm upgrade
commands.
Values file
webModeler:
enabled: true
restapi:
mail:
fromAddress: noreply@camunda.mycompany.com
fromName: Camunda 8 WebModeler
externalDatabase:
url: "jdbc:postgresql://db.example.com:5432/modeler"
user: "postgres"
existingSecret: "camunda-psql-db"
existingSecretKey: "password"
identity:
externalDatabase:
enabled: true
host: "db.example.com"
port: 5432
username: "postgres"
existingSecret: "camunda-psql-db"
existingSecretKey: "password"
database: "identity"
identityKeycloak:
externalDatabase:
host: "db.example.com"
port: 5432
user: "postgres"
existingSecret: "camunda-psql-db"
existingSecretKey: "password"
database: "keycloak"
auth:
adminUser: postgres
existingSecret: "camunda-psql-db"
existingSecretPasswordKey: "password"
# disable internal psql for keycloak
postgresql:
enabled: false
Common pitfalls
- If the database for Keycloak is misconfigured, other applications will output a
401
error code in the logs as they are not able to correctly authenticate against Keycloak. - If you have not created the databases in your external PostgreSQL instance, a
database missing
error will output in the logs of the respective component.