diff --git a/docs/self-managed/deployment/helm/configure/secret-management.md b/docs/self-managed/deployment/helm/configure/secret-management.md index cbf79619e3f..be4530bffb1 100644 --- a/docs/self-managed/deployment/helm/configure/secret-management.md +++ b/docs/self-managed/deployment/helm/configure/secret-management.md 
@@ -339,62 +339,59 @@ global: ## TLS certificates -For TLS-enabled services, you'll need to configure certificate secrets. +TLS certificate secrets for Camunda components and external services. -### Secrets using the legacy pattern (all versions) +### Secrets using the new pattern (Camunda 8.9+) -| **Secret** | **Chart values key** | **Purpose** | -| ----------------------------------- | ----------------------------------------- | --------------------------------------------------- | -| **Console TLS Certificate** | `console.tls.existingSecret` | TLS certificate for Console web application | -| **External Elasticsearch TLS Cert** | `global.elasticsearch.tls.existingSecret` | TLS certificate for external Elasticsearch over SSL | -| **External OpenSearch TLS Cert** | `global.opensearch.tls.existingSecret` | TLS certificate for external OpenSearch over SSL | +| **Secret** | **Chart values key** | **Purpose** | +| ----------------------------------- | --------------------------------- | --------------------------------------------------- | +| **Console TLS Certificate** | `console.tls.secret` | TLS certificate for Console web application | +| **External Elasticsearch TLS Cert** | `global.elasticsearch.tls.secret` | TLS certificate for external Elasticsearch over SSL | +| **External OpenSearch TLS Cert** | `global.opensearch.tls.secret` | TLS certificate for external OpenSearch over SSL | -### Ingress TLS +**TLS Certificate Configuration**: Unlike password-based secrets, TLS certificates do not support `inlineSecret` (certificates are binary files unsuitable for inline configuration). -Configure TLS for Camunda services exposed via Ingress: +For Elasticsearch and OpenSearch, both `existingSecret` and `existingSecretKey` are required to specify which key in the secret contains the certificate file. For Console, only `existingSecret` is required as the entire secret is mounted as a directory. 
-```yaml -global: - ingress: - tls: - enabled: true - secretName: camunda-platform -``` +Create the secrets with your certificate files using `kubectl create secret generic`: -### External service TLS +```sh +kubectl create secret generic \ + --from-file== \ + --namespace camunda +``` -For external Elasticsearch or OpenSearch with TLS, configure the TLS certificate using the legacy pattern: +Reference them in your values: ```yaml +# Elasticsearch/OpenSearch global: elasticsearch: tls: enabled: true - existingSecret: elasticsearch-tls-secret -``` - -### Console TLS (legacy pattern) + secret: + existingSecret: elasticsearch-tls-secret + existingSecretKey: externaldb.jks -```yaml +# Console console: tls: enabled: true - existingSecret: console-tls-secret - certKeyFilename: tls.key + secret: + existingSecret: console-tls-secret + certKeyFilename: ca.crt ``` -Create TLS secrets using the standard Kubernetes TLS secret type: +### Ingress TLS + +Configure TLS for Camunda services exposed via Ingress: ```yaml -apiVersion: v1 -kind: Secret -metadata: - name: camunda-platform - namespace: camunda -type: kubernetes.io/tls -data: - tls.crt: - tls.key: +global: + ingress: + tls: + enabled: true + secretName: camunda-platform ``` ## Extract plaintext values and reference them as Kubernetes Secrets
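Review bot: the Console example contradicts the prose directly above it: the text says "For Console, only `existingSecret` is required as the entire secret is mounted as a directory", yet the `console.tls.secret` block also sets `certKeyFilename: ca.crt`, and that value is changed from the previous `tls.key` without explanation. Either the sentence should say that `certKeyFilename` is also needed, or the key should be dropped from the example; and if the field names the private-key file (as `tls.key` implied), `ca.crt` looks like the wrong value, so please confirm against the chart. Two further points in the same hunk: the `kubectl create secret generic \ --from-file== \ --namespace camunda` command has no secret name and an empty key/path in `--from-file==`, which suggests angle-bracket placeholders were swallowed by the markdown renderer; write a concrete invocation instead, e.g. `kubectl create secret generic elasticsearch-tls-secret --from-file=externaldb.jks=./externaldb.jks --namespace camunda`. And the deleted `type: kubernetes.io/tls` manifest was the only guidance for the `global.ingress.tls.secretName: camunda-platform` secret, which ingress controllers expect to carry `tls.crt`/`tls.key` in that secret type, not `generic`; keep a line such as `kubectl create secret tls camunda-platform --cert=tls.crt --key=tls.key --namespace camunda` under the Ingress TLS heading. Minor: "certificates are binary files" is only true for the JKS case shown; PEM certificates are text, so the stated reason for not supporting `inlineSecret` should be reworded (or simply say the chart does not support it). Finally, since the heading is now "new pattern (Camunda 8.9+)" and the "legacy pattern (all versions)" table is removed, make sure the older `*.tls.existingSecret` keys are still documented somewhere for pre-8.9 charts, or state that they are no longer supported.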