Reference configurations and examples for deploying Camunda 8 on STACKIT. This repository builds on the official Camunda Deployment References with specific instructions, infrastructure templates, and best practices for STACKIT.
- Local requirements
- STACKIT Access & Project Configuration
- Terraform Backend (STACKIT Object Storage / S3)
- Terraform Infrastructure Deployment
- Kubernetes Access
Documentation: Install Terraform
Required version: "1.14.7"
Documentation: STACKIT CLI
# Login to STACKIT
stackit auth login
# Select project
stackit project list
stackit config set --project-id <PROJECT-ID>
Documentation: Create a Service Account
Warning
If a service account already exists in the team, no new service account needs to be created.
In this case, the existing sa_key.json is used.
Requirements:
- Access to the existing sa_key.json
- File is available locally
- File is entered in .gitignore
Create a new Service Account:
stackit service-account create --name <SERVICE_ACCOUNT_NAME>
Add service account to the project:
stackit project member add <SERVICE_ACCOUNT_NAME>@sa.stackit.cloud --role editor
Warning
If the object storage, bucket, and credentials group already exist for this project, these steps do not need to be performed again.
In this case, the existing configuration can be used directly for the Terraform backend.
Prerequisites:
- Access to existing bucket and credential data
- Local file config.s3.tfbackend exists or can be created using existing keys
- All sensitive data is entered in .gitignore
# Enable object storage
stackit object-storage enable
# Create Bucket for Terraform State
stackit object-storage bucket create tfstate-bucket-camunda-ske-deployment
stackit object-storage credentials-group create --name terraform-state
Result:
- Credentials Group ID
- URN
Use the CREDENTIAL_GROUP_ID generated in the previous step.
stackit object-storage credentials create --credentials-group-id <CREDENTIAL_GROUP_ID>
Generates:
- Access Key
- Secret Access Key
- Expiration Date: Never
Note
Replace <environment> with the target environment directory (e.g. single-region).
Configure S3 Bucket
cp environments/<environment>/config.s3.example.tfbackend environments/<environment>/config.s3.tfbackend
Adjust secret_key and access_key:
access_key = "<S3_ACCESS_KEY>"
secret_key = "<S3_SECRET_KEY>"
bucket = "tfstate-bucket-camunda-ske-deployment"
key = "camunda_ske_deployment.tfstate"
Configure remaining terraform variables by copying terraform.example.tfvars to terraform.tfvars (cp environments/<environment>/terraform.example.tfvars environments/<environment>/terraform.tfvars) and replacing the placeholders.
Create Service Account Key or reference:
cd environments/<environment>/
stackit service-account key create --email <SERVICE_ACCOUNT_NAME>@sa.stackit.cloud > sa_key.json
If you already have one, you can copy it and, if necessary, adapt the file name in variables.tf (sa_key_file_name).
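A check that can be run before terraform init to confirm that the two secret files named above, sa_key.json and config.s3.tfbackend, are covered by .gitignore and not already tracked by git. This is an added example, not part of the repository; the function name check_secret_files and its directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the repository): verify that the secret files this
# guide creates are ignored by git and have not been committed or staged.
# File names come from the guide; the function name is an assumption.
# Usage: check_secret_files environments/single-region

SECRET_FILES="sa_key.json config.s3.tfbackend"

# check_secret_files <environment-dir>
# Prints one line per problem.
# Returns 0 when clean, 1 when a file is exposed, 2 when not inside a git repo.
check_secret_files() {
    env_dir=$1
    rc=0

    git -C "$env_dir" rev-parse --git-dir >/dev/null 2>&1 || {
        echo "ERROR: $env_dir is not inside a git repository"
        return 2
    }

    for name in $SECRET_FILES; do
        path="$env_dir/$name"
        # In the index already: .gitignore no longer protects a tracked file.
        if git -C "$env_dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            echo "TRACKED: $path (untrack it and rotate the credential)"
            rc=1
        # No ignore rule matches: the next 'git add .' would stage the file.
        # check-ignore evaluates the path even if the file does not exist yet.
        elif ! git -C "$env_dir" check-ignore -q -- "$name"; then
            echo "NOT IGNORED: $path"
            rc=1
        fi
    done
    return $rc
}
```

A TRACKED result means the credential is already in the repository history, so adding it to .gitignore afterwards is not sufficient on its own.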
cd environments/<environment>/
terraform init --backend-config=./config.s3.tfbackend
terraform plan
terraform apply
Result:
Running instances of:
- SKE Cluster
- Postgres
- OpenSearch
- Secrets Manager
- Keycloak
- Camunda 8
terraform destroy
Important
terraform destroy deletes all instances listed above and cannot be undone.
# View Cluster
stackit ske cluster list
# Create kubeconfig
stackit ske kubeconfig create <environment> --login
Currently only the Orchestration Cluster is supported. The Web Modeler and Console will follow. For the distinction, see Camunda docs.
- Identity Secret: https://github.com/camunda/camunda-deployment-references/blob/stable/8.8/generic/openshift/single-region/procedure/create-identity-secret.sh
- Docs: https://docs.camunda.io/docs/self-managed/deployment/helm/configure/authentication-and-authorization/internal-keycloak/