Changes to Camunda Helm Sub-Charts: What You Need to Know

As part of our ongoing commitment to secure, production-grade deployments, we’re making essential changes to how Camunda Helm charts handle infrastructure services like Elasticsearch, PostgreSQL, and Keycloak. These updates are driven by a recent shift in Bitnami’s container image distribution model and reflect our long-term strategy to decouple Camunda from third-party infrastructure bundles.

Why this matters

Earlier this year, Bitnami (now part of Broadcom) announced a significant change to its container image distribution. Many of the images used in Camunda’s default sub-charts will no longer be maintained in the public registry, and updates will be limited to customers of VMware’s Tanzu Application Catalog.

This shift affects:

• PostgreSQL
• Elasticsearch
• Keycloak

Camunda’s Helm charts currently use Bitnami-maintained sub-charts as the default dependency for backend services. While convenient for development, these dependencies are no longer a viable option for secure, long-term production use.

What’s changing in Camunda Helm charts

Here’s what you can expect across upcoming releases:

For Camunda 8.7.x and older

• The default sub-charts will still function in Camunda 8.7.x, but they will rely on Bitnami’s legacy image registry, which is no longer actively maintained or patched.
• Enterprise customers can use Camunda-provided hardened Bitnami Secure Images from our private registry (https://registry.camunda.cloud). Bitnami maintains these images, including patches for known vulnerabilities (CVEs). Camunda synchronizes them with our private repository for our enterprise customers to use for secure production.
• We’re publishing updated documentation and values files to help configure secure deployments.

For Camunda 8.8 and future releases

• Sub-charts for infrastructure components will be disabled by default. Existing users can continue using them by explicitly enabling and configuring the required values.
• From Camunda 8.8, new installations must install these infrastructure dependencies before Camunda Helm deployment, using managed services (e.g., AWS RDS, AWS OpenSearch) or independent self-hosted deployments.
• Migration guides and examples for alternative setups will be published with the Camunda 8.8 release.

What you should do now

Depending on how you currently deploy Camunda, we recommend the following:

If you use Camunda Helm sub-charts in production:

• Switch to Camunda-maintained enterprise images via our private registry. See our guide for instructions.
• Evaluate alternative deployment strategies using vendor-native services or community Helm charts. For example, deploy an Elasticsearch cluster.

If you’re planning a new production setup:

• We recommend separating infrastructure deployment from Camunda services and managing PostgreSQL, Elasticsearch, and Keycloak independently. This will allow you to operate these services independently, make updates and modifications, and use the full power of your preferred deployment methodologies.

Enterprise-grade Bitnami Secure Images from Camunda

We now offer Bitnami Secure Images for PostgreSQL, Keycloak, and Elasticsearch to our enterprise customers to deploy Camunda Orchestration clusters on Web Modeler. These are:

• Licensed Bitnami Secure Images
• Patched against CVEs and security-hardened
• Offered via Camunda private container repository with an enterprise subscription.

You can install them by adding a registry secret and using a dedicated values-enterprise.yaml file in your Helm deployment.

kubectl create secret docker-registry camunda-registry-secret \
  --docker-server=registry.camunda.cloud \
  --docker-username=<your-username> \
  --docker-password=<your-password> \
  --docker-email=unused@example.com

helm install camunda camunda/camunda-platform --version 8.7.x \
  --values values.yaml \
  --values values-enterprise.yaml

Timeline

For more information, please refer to the documentation or contact us.