Helm chart multi-tenancy configuration
Multi-tenancy is currently only available for Camunda 8 Self-Managed with authentication enabled through Identity.
To configure multi-tenancy you must enable the multi-tenancy flag either in the Helm charts or via environment variables.
- Helm Charts
- Environment Variables
When using Helm charts, you can enable multi-tenancy globally with the flag global.multitenancy.enabled.
Visit the Helm chart configuration for additional details.
When using environment variables, you can enable multi-tenancy by setting the following variables:
export CAMUNDA_SECURITY_MULTITENANCY_ENABLED=true
export CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI=false
Disabling multi-tenancy can lead to unexpected behavior if it was previously enabled with active tenants.
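As an added example (not part of the Camunda documentation or tooling), the following preflight check verifies that the two variables above are set consistently before a deployment starts. It assumes both variables must be set explicitly when multi-tenancy is on; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not Camunda's own tooling: preflight check for the two
# environment variables shown above. Assumption: both must be set explicitly.
# Return codes (hypothetical convention): 0 = consistent, 1 = multi-tenancy
# on without a protected API, 2 = value is not a boolean.

_lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

check_multitenancy_env() {
  _mt=$(_lower "${CAMUNDA_SECURITY_MULTITENANCY_ENABLED:-}")
  _unprot=$(_lower "${CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI:-}")

  case "$_mt" in
    true) ;;
    ''|false) echo "multi-tenancy not enabled; nothing to check"; return 0 ;;
    *) echo "MULTITENANCY_ENABLED is not a boolean: $_mt" >&2; return 2 ;;
  esac

  case "$_unprot" in
    false) echo "OK: multi-tenancy enabled, API protected"; return 0 ;;
    true)  echo "FAIL: multi-tenancy enabled but UNPROTECTEDAPI=true" >&2; return 1 ;;
    '')    echo "FAIL: UNPROTECTEDAPI not set; set it to false explicitly" >&2; return 1 ;;
    *)     echo "UNPROTECTEDAPI is not a boolean: $_unprot" >&2; return 2 ;;
  esac
}

# Constructed sample combinations, each run in a subshell so the caller's
# environment is untouched.
for _pair in "true false" "true true" "false true" "true "; do
  (
    set -- $_pair
    export CAMUNDA_SECURITY_MULTITENANCY_ENABLED="${1:-}"
    export CAMUNDA_SECURITY_AUTHENTICATION_UNPROTECTEDAPI="${2:-}"
    check_multitenancy_env
  ) || echo "  -> rc=$?"
done
```

Calling check_multitenancy_env from a container entrypoint or CI step and aborting on a non-zero return stops a tenant-enabled deployment from starting with an unprotected API.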
Troubleshooting
Zeebe is unable to retrieve jobs for a tenant, unable to assign a task to yourself, or Operate retry is not functioning
If multi-tenancy is enabled, you may encounter the following issues:
- Zeebe is unable to retrieve jobs for a tenant when canceling or retrying via Operate or Tasklist.
- You see the error "Task could not be assigned - Service is not reachable" when attempting to assign a task to yourself in Tasklist.
- Retry operations in Operate do not function as expected.
These issues typically occur because the Zeebe client used by Operate and Tasklist does not have access to the required tenant(s). This access must be explicitly granted.
How to fix it
You can resolve these issues by ensuring the Zeebe application is assigned to the tenant where the task or job resides. To do this:
- Log in to Camunda Identity.
- In the left-hand menu, go to Tenants.
- Click on the tenant that is experiencing the issue.
- Navigate to the Applications tab.
- Ensure that the checkbox for Zeebe is selected.
- Click Save if any changes were made.
Once the Zeebe application is assigned to the tenant, you should be able to:
- Assign tasks to yourself in Tasklist.
- Successfully retry jobs in Operate.
- Retrieve jobs from the correct tenant context.
For additional details, refer to the documentation on assigning applications to a tenant.
Tenant requirement for job actions
In single-tenant deployments, Operate and Tasklist can cancel or retry jobs without requiring tenant specification. However, in multi-tenant mode, this behavior changes: a tenant must always be explicitly provided.
This is a known limitation based on how the applications are built—there is no current workaround.
Identity usage for Zeebe client connections
Although Operate and Tasklist each have their own Keycloak identities (operate, tasklist), both internally use a Zeebe client to connect to Zeebe (particularly relevant for versions before 8.8).
This client must be configured with its own credentials (commonly labeled zeebe) and should not reuse the application's identity. While it may appear that credentials are shared, the Zeebe client is meant to use a separate, purpose-specific identity.