Upgrade Camunda 8.8 to 8.9 using Helm
This page is a work in progress for Camunda 8.9 and will be updated as upgrade requirements are finalized.
Upgrade a Helm-managed Camunda 8 Self-Managed deployment from version 8.8 to 8.9.
Prerequisites
Before upgrading:
- Confirm your deployment is running the latest
8.8.xpatch. If you are upgrading from a version earlier than 8.8, see Upgrading from an earlier version. - Review Prepare for upgrade to confirm upgrade eligibility and complete any required pre-upgrade actions for 8.9.
- Review the Camunda Helm chart version matrix and confirm:
- the Helm chart version that deploys Camunda 8.9 is supported for your Kubernetes version, and
- your Helm client version is supported for that chart.
- Create and verify backups for your Camunda data. See Backup and restore.
- Review your existing
values.yamlfor custom configuration that must be updated for 8.9 (for example, Ingress rules, authentication, exporters, Elasticsearch/OpenSearch settings, index prefixes, and component overrides). - Test the upgrade in a non-production environment using a copy of your production configuration.
- If your
values.yamlcontains plaintext secrets, migrate them to Kubernetes secrets before upgrading. See Extract plaintext values and reference them as Kubernetes secrets.
Create your 8.9 values file
Use your existing 8.8 configuration as the starting point for the upgrade.
-
Copy your current
values.yamland name the filevalues-8.9.yaml. -
Download the default values for the Camunda 8.9 Helm chart:
helm repo update
helm show values camunda/camunda-platform --version <CHART_VERSION> > values-8.9-default.yamlTo identify the latest available chart version, run:
helm search repo camunda/camunda-platform --versions -
Compare
values-8.9.yamlwithvalues-8.9-default.yamlto identify:- new configuration options,
- changed defaults, and
- deprecated or removed settings.
-
Update
values-8.9.yamlusing the configuration tables below before runninghelm upgrade.
Update your values file to 8.9
Use the following sections to update values-8.9.yaml for the 8.8 to 8.9 upgrade.
Configuration changes
| 13.x/8.8 values | 14.x/8.9 values |
|---|---|
TBD | |
Elasticsearch is now disabled by default
If you are currently using elasticsearch, you must explicitly enable it in your values.yaml:
global:
elasticsearch:
enabled: true
elasticsearch:
enabled: true
Example: upgrade values.yaml from 8.8 to 8.9
This section shows a complete before-and-after example of a Helm values.yaml migrated from Camunda 8.8 to 8.9.
View example values files
- 8.8 values.yaml (before)
- 8.9 values-8.9.yaml (after)
# =========================
# Camunda 8.8 values.yaml
# =========================
# TODO (8.9): Add a representative 8.8 configuration example.
# =========================
# Camunda 8.9 values-8.9.yaml
# =========================
# TODO (8.9): Add the migrated 8.9 configuration example.
Prepare and run the upgrade
Add any upgrade-specific configuration required for the 8.9 upgrade.
Run the Helm upgrade
After preparing secrets and applying any required 8.9 configuration changes, run the Helm upgrade:
helm repo update
helm upgrade camunda camunda/camunda-platform \
--namespace <NAMESPACE> \
-f values-8.9.yaml
Monitor and validate the upgrade
After triggering the Helm upgrade, monitor the rollout to ensure all pods return to a healthy state and any migration jobs complete.
Watch pod rollout progress
Watch the pods being upgraded via:
kubectl -n <NAMESPACE> get pods -w
You should see pods terminating and restarting with updated images.
Inspect logs (if required)
# TODO (8.9): Add log commands for any 8.9-specific jobs or components that require verification.
Validate the upgrade
-
Confirm all pods are healthy:
kubectl -n <namespace> get pods -
Confirm all pods are running
8.9.ximages:kubectl -n <namespace> get pods -o jsonpath="{range .items[*]}{.metadata.name}{':\t'}{range .spec.containers[*]}{.image}{'\n'}{end}{end}" -
Verify access to Camunda components.
For example:
https://<your-domain>/<contextPath>/operate
https://<your-domain>/<contextPath>/tasklist
https://<your-domain>/<contextPath>/identity -
Verify authentication and authorization behavior, based on your configuration.
-
Verify workers.
Confirm your workers can still poll and complete jobs (for example, by running a known process end-to-end and checking worker logs/metrics).
Troubleshooting
Upgrade failed due to missing secrets
If your upgrade fails due to missing credentials (often when migrating from chart-managed secret generation to Kubernetes secrets), see Extract plaintext values and reference them as Kubernetes Secrets.
The Bitnami library chart used by Camunda can block upgrades when credentials were previously generated and persisted (for example, in PVCs). This is expected behavior to prevent secret regeneration.
For additional context, see Helm chart Bitnami legacy values file.
The following is an example of the error you might see:
Error: UPGRADE FAILED: execution error at (camunda-platform/charts/identity/templates/tasklist-secret.yaml:10:22):
PASSWORDS ERROR: You must provide your current passwords when upgrading the release.
Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims.
Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases
'global.identity.auth.tasklist.existingSecret' must not be empty, please add '--set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET' to the command. To get the current value:
export TASKLIST_SECRET=$(kubectl get secret --namespace "camunda" "camunda-platform-test-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
To complete the upgrade, migrate plaintext values to Kubernetes secrets and reference them from your values file as described in the secret management guide.