fix: remove mention of creating a Console client secret

docs/self-managed/deployment/helm/configure/authentication-and-authorization/external-keycloak.md

@@ -182,10 +182,6 @@ global:
       jwksUrl: <KEYCLOAK_URL>/realms/<realm>/protocol/openid-connect/certs
       identity:
         clientId: <identity_client_id>
-      console:
-        secret:
-          existingSecret: "camunda-credentials"
-          existingSecretKey: "identity-console-client-token"
       optimize:
         secret:
           existingSecret: "camunda-credentials"

docs/self-managed/deployment/helm/configure/authentication-and-authorization/internal-keycloak.md

@@ -187,19 +187,11 @@ For more details on configuring email delivery, see the [Web Modeler section in
 Console component configuration:
 
 ```yaml
-global:
-  identity:
-    auth:
-      console:
-        secret:
-          existingSecret: "camunda-credentials"
-          existingSecretKey: "identity-console-client-token"
-
 console:
   enabled: true
 ```
 
-Add the section under `global.identity.auth` to the existing section you created when configuring Management Identity.
+Since Console is a public client, it does not need to be defined under `global.identity.auth`.
 
 ### Full configuration example
 
@@ -210,10 +202,6 @@ global:
   identity:
     auth:
       enabled: true
-      console:
-        secret:
-          existingSecret: "camunda-credentials"
-          existingSecretKey: "identity-console-client-token"
       optimize:
         secret:
           existingSecret: "camunda-credentials"

docs/self-managed/deployment/helm/configure/secret-management.md

@@ -56,7 +56,6 @@ These secrets are used by Camunda applications and must be configured manually w
 | **Enterprise License Key**              | `global.license.secret`                             | Camunda Enterprise license key                          |
 | **Identity First User Password**        | `identity.firstUser.secret`                         | Default user password (`demo/demo`)                     |
 | **OAuth Client Secret (Admin)**         | `global.identity.auth.admin.secret`                 | OAuth admin client secret for administrative operations |
-| **OAuth Client Secret (Console)**       | `global.identity.auth.console.secret`               | OAuth client secret for Console                         |
 | **OAuth Client Secret (Connectors)**    | `connectors.security.authentication.oidc.secret`    | OAuth client secret for connectors                      |
 | **OAuth Client Secret (Orchestration)** | `orchestration.security.authentication.oidc.secret` | OAuth client secret for Orchestration Cluster           |
 | **OAuth Client Secret (Optimize)**      | `global.identity.auth.optimize.secret`              | OAuth client secret for Optimize                        |
@@ -121,7 +120,7 @@ For production environments, create a Kubernetes Secret and reference it from yo
 Create a secret using `kubectl` or a YAML manifest:
 
 ```sh
-kubectl create secret generic console-secret \
+kubectl create secret generic optimize-secret \
   --from-literal=client-secret=camundapassword \
   --namespace camunda
 ```
@@ -132,7 +131,7 @@ Or using YAML:
 apiVersion: v1
 kind: Secret
 metadata:
-  name: console-secret
+  name: optimize-secret
   namespace: camunda
 type: Opaque
 stringData:
@@ -147,9 +146,9 @@ stringData:
 global:
   identity:
     auth:
-      console:
+      optimize:
         secret:
-          existingSecret: "console-secret"
+          existingSecret: "optimize-secret"
           existingSecretKey: "client-secret"
 ```
 
@@ -261,9 +260,9 @@ This scenario applies when your legacy configuration references a Kubernetes sec
 global:
   identity:
     auth:
-      console:
+      optimize:
         existingSecret:
-          name: console-secret
+          name: optimize-secret
         existingSecretKey: client-secret
 ```
 
@@ -273,9 +272,9 @@ global:
 global:
   identity:
     auth:
-      console:
+      optimize:
         secret:
-          existingSecret: console-secret
+          existingSecret: optimize-secret
           existingSecretKey: client-secret
 ```
 
@@ -289,7 +288,7 @@ This scenario applies when your legacy configuration provided a plaintext string
 global:
   identity:
     auth:
-      console:
+      optimize:
         existingSecret: "my-plaintext-secret"
 ```
 
@@ -299,7 +298,7 @@ global:
 global:
   identity:
     auth:
-      console:
+      optimize:
         secret:
           inlineSecret: "my-plaintext-secret"
 ```
@@ -494,9 +493,6 @@ RELEASE_NAMESPACE=camunda-dev
 # Only if "connectors.enabled: true".
 export IDENTITY_CONNECTORS_CLIENT_SECRET=$(kubectl get secret "${RELEASE_NAME}-connectors-identity-secret" -o jsonpath="{.data.connectors-secret}" | base64 --decode)
 
-# Only if "console.enabled: true".
-export IDENTITY_CONSOLE_CLIENT_SECRET=$(kubectl get secret "${RELEASE_NAME}-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
-
 # Only if "optimize.enabled: true".
 export IDENTITY_OPTIMIZE_CLIENT_SECRET=$(kubectl get secret "${RELEASE_NAME}-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 
@@ -534,9 +530,6 @@ stringData:
   # Only if "connectors.enabled: true".
   identity-connectors-client-token: "${IDENTITY_CONNECTORS_CLIENT_SECRET}"
 
-  # Only if "console.enabled: true".
-  identity-console-client-token: "${IDENTITY_CONSOLE_CLIENT_SECRET}"
-
   # Only if "optimize.enabled: true".
   identity-optimize-client-token: "${IDENTITY_OPTIMIZE_CLIENT_SECRET}"
 
@@ -576,10 +569,6 @@ If a component already uses its own existing secret, make sure to remove that se
 global:
   identity:
     auth:
-      console:
-        secret:
-          existingSecret: "camunda-credentials"
-          existingSecretKey: "identity-console-client-token"
       optimize:
         secret:
           existingSecret: "camunda-credentials"

docs/self-managed/deployment/helm/install/production/index.md

@@ -169,9 +169,6 @@ identity:
       clientId: "00000000-0000-0000-0000-000000000000"
       wellKnown: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
       audience: "00000000-0000-0000-0000-000000000000"
-      secret:
-        existingSecret: oidc-certificate-console
-        existingSecretKey: certificate-secret-data
       redirectUrl: https://management-and-modeling-host.com
     webModeler:
       clientId: "00000000-0000-0000-0000-000000000000"
@@ -541,9 +538,6 @@ global:
         clientId: "00000000-0000-0000-0000-000000000000"
         wellKnown: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
         audience: "00000000-0000-0000-0000-000000000000"
-        secret:
-          existingSecret: oidc-certificate-console
-          existingSecretKey: certificate-secret-data
         redirectUrl: https://management-and-modeling-host.com
       webModeler:
         clientId: "00000000-0000-0000-0000-000000000000"

docs/self-managed/deployment/helm/install/quick-install.md

@@ -135,9 +135,6 @@ global:
         redirectUrl: "http://localhost:8070"
       console:
         redirectUrl: "http://localhost:8087"
-        secret:
-          existingSecret: "camunda-credentials"
-          existingSecretKey: "identity-console-client-token"
       optimize:
         redirectUrl: "http://localhost:8083"
         secret:

docs/self-managed/deployment/helm/upgrade/helm-820-830.md

@@ -313,8 +313,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -332,8 +330,6 @@ After exporting all secrets into environment variables, run the following upgrad
 ```shell
 helm repo update
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

docs/self-managed/deployment/helm/upgrade/helm-830-840.md

@@ -104,8 +104,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -123,8 +121,6 @@ After exporting all secrets into environment variables, run the following upgrad
 ```shell
 helm repo update
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

docs/self-managed/deployment/helm/upgrade/helm-840-850.md

@@ -180,8 +180,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -199,8 +197,6 @@ After exporting all secrets into environment variables, run the following upgrad
 ```shell
 helm repo update
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

docs/self-managed/deployment/helm/upgrade/helm-850-860.md

@@ -100,8 +100,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -119,8 +117,6 @@ After exporting all secrets into environment variables, run the following upgrad
 ```shell
 helm repo update
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

docs/self-managed/deployment/helm/upgrade/helm-860-870.md

@@ -72,8 +72,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -91,8 +89,6 @@ After exporting all secrets into environment variables, run the following upgrad
 ```shell
 helm repo update
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

versioned_docs/version-8.6/self-managed/setup/guides/secret-management.md

@@ -19,7 +19,6 @@ These secrets are used by Camunda applications. They are created and managed by
 | **OAuth Client Secret (Tasklist)**   | `global.identity.auth.tasklist.existingSecret.name`                                                                           | OAuth client secret for Tasklist                                  | Generated by default if not set |
 | **OAuth Client Secret (Optimize)**   | `global.identity.auth.optimize.existingSecret.name`                                                                           | OAuth client secret for Optimize                                  | Generated by default if not set |
 | **OAuth Client Secret (Connectors)** | `global.identity.auth.connectors.existingSecret.name`                                                                         | OAuth client secret for Connectors                                | Generated by default if not set |
-| **OAuth Client Secret (Console)**    | `global.identity.auth.console.existingSecret.name`                                                                            | OAuth client secret for Console                                   | Generated by default if not set |
 | **OAuth Client Secret (Zeebe)**      | `global.identity.auth.zeebe.existingSecret.name`                                                                              | OAuth client secret for Zeebe                                     | Generated by default if not set |
 | **Identity PostgreSQL Password**     | `identityPostgresql.auth.existingSecret`                                                                                      | Password for embedded PostgreSQL used by Identity                 | Generated by default if not set |
 | **Keycloak PostgreSQL Password**     | `identityKeycloak.auth.existingSecret`                                                                                        | Password for embedded PostgreSQL used by Keycloak                 | Generated by default if not set |

versioned_docs/version-8.6/self-managed/setup/install.md

@@ -107,7 +107,6 @@ data:
   tasklist-secret: VmVyeUxvbmdTdHJpbmc=
   optimize-secret: VmVyeUxvbmdTdHJpbmc=
   connectors-secret: VmVyeUxvbmdTdHJpbmc=
-  console-secret: VmVyeUxvbmdTdHJpbmc=
   keycloak-secret: VmVyeUxvbmdTdHJpbmc=
   zeebe-secret: VmVyeUxvbmdTdHJpbmc=
 ```
@@ -133,9 +132,6 @@ global:
       connectors:
         existingSecret:
           name: identity-secret-for-components
-      console:
-        existingSecret:
-          name: identity-secret-for-components
       zeebe:
         existingSecret:
           name: identity-secret-for-components

versioned_docs/version-8.6/self-managed/setup/upgrade.md

@@ -575,8 +575,6 @@ If not specified on installation, the Helm chart generates random secrets for al
 To extract the secrets, use the following code snippet, replacing `camunda` with your actual Helm release name:
 
 ```shell
-# Uncomment if Console is enabled.
-# export CONSOLE_SECRET=$(kubectl get secret "camunda-console-identity-secret" -o jsonpath="{.data.console-secret}" | base64 --decode)
 export TASKLIST_SECRET=$(kubectl get secret "camunda-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)
 export OPTIMIZE_SECRET=$(kubectl get secret "camunda-optimize-identity-secret" -o jsonpath="{.data.optimize-secret}" | base64 --decode)
 export OPERATE_SECRET=$(kubectl get secret "camunda-operate-identity-secret" -o jsonpath="{.data.operate-secret}" | base64 --decode)
@@ -593,8 +591,6 @@ After exporting all secrets into environment variables, run the following upgrad
 
 ```shell
 helm upgrade camunda camunda/camunda-platform \
-  # Uncomment if Console is enabled.
-  # --set global.identity.auth.console.existingSecret=$CONSOLE_SECRET \
   --set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET \
   --set global.identity.auth.optimize.existingSecret=$OPTIMIZE_SECRET \
   --set global.identity.auth.operate.existingSecret=$OPERATE_SECRET \

versioned_docs/version-8.7/self-managed/operational-guides/production-guide/helm-chart-production-guide.md

@@ -184,9 +184,6 @@ global:
         clientId: "00000000-0000-0000-0000-000000000000"
         wellKnown: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
         audience: "00000000-0000-0000-0000-000000000000"
-        existingSecret:
-          name: oidc-certificate-console
-        existingSecretKey: certificate-secret-data
         redirectUrl: https://management-host.com
       webModeler:
         clientId: "00000000-0000-0000-0000-000000000000"
@@ -567,13 +564,7 @@ global:
         clientId: "00000000-0000-0000-0000-000000000000"
         wellKnown: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/.well-known/openid-configuration
         audience: "00000000-0000-0000-0000-000000000000"
-        existingSecret:
-          name: oidc-certificate-console
-        existingSecretKey: certificate-secret-data
         redirectUrl: https://management-host.com
-        existingSecret:
-          name: camunda-credentials
-        existingSecretKey: identity-console-client-password
       webModeler:
         clientId: "00000000-0000-0000-0000-000000000000"
         audience: "00000000-0000-0000-0000-000000000000"
@@ -594,7 +585,6 @@ identity:
     existingSecret: identity-db-secret
     existingSecretPasswordKey: database-password
 
-
 webModeler:
   enabled: true
   contextPath: /modeler
@@ -691,7 +681,6 @@ console:
                   version: 8.7.x
                   readiness: http://camunda-zeebe.orchestration:9600/actuator/health/readiness
                   metrics: http://camunda-zeebe.orchestration:9600/actuator/prometheus
-
 ```
 
 ### Example orchestration configuration