Skip to main content
Version: 8.6

Use existing PostgreSQL

This guide steps through using an existing PostgreSQL instance. By default, Helm chart deployment creates a new PostgreSQL instance, but it's possible to use an existing, external PostgreSQL Service instead.

Three Camunda 8 Self-Managed components use PostgreSQL:

  • Identity
  • Keycloak
  • Web Modeler

For more details, review the architecture documentation.

Prerequisites

Supported version

To confirm the supported version of PostgreSQL, check the supported environments page.

Authentication

Make sure you have the following information for your existing PostgreSQL instance. For the sake of this guide, sample values will be used:

  • host: db.example.com
  • port: 5432
  • username: postgres
  • password: examplePassword

Database setup

Ensure you have created the relevant databases in your PostgreSQL instance. For this guide, we will create the following databases:

CREATE DATABASE "web-modeler";
CREATE DATABASE "keycloak";
CREATE DATABASE "identity";

Creating Kubernetes secrets

Once you have confirmed the above, create a Kubernetes secret for the database password so you do not have to refer to sensitive information in plain text within your values.yaml.

A secret for the existing PostgreSQL instance can be created like this:

kubectl create secret generic camunda-psql-db --from-literal=password=examplePassword -n camunda

This secret will exist outside the Helm chart and will not be affected on subsequent helm upgrade commands.

Values file

webModeler:
  enabled: true
  restapi:
    mail:
      fromAddress: noreply@camunda.mycompany.com
      fromName: Camunda 8 WebModeler
    externalDatabase:
      url: "jdbc:postgresql://db.example.com:5432/modeler"
      user: "postgres"
      existingSecret: "camunda-psql-db"
      existingSecretKey: "password"

identity:
  externalDatabase:
    enabled: true
    host: "db.example.com"
    port: 5432
    username: "postgres"
    existingSecret: "camunda-psql-db"
    existingSecretKey: "password"
    database: "identity"

identityKeycloak:
  externalDatabase:
    host: "db.example.com"
    port: 5432
    user: "postgres"
    existingSecret: "camunda-psql-db"
    existingSecretKey: "password"
    database: "keycloak"
  auth:
    adminUser: postgres
    existingSecret: "camunda-psql-db"
    existingSecretPasswordKey: "password"
  # disable internal psql for keycloak
  postgresql:
    enabled: false

Common pitfalls

  • If the database for Keycloak is misconfigured, other applications will output a 401 error code in the logs as they are not able to correctly authenticate against Keycloak.
  • If you have not created the databases in your external PostgreSQL instance, a database missing error will output in the logs of the respective component.