Merge branch 'main' into context-pad-non-alpha

docs/components/connectors/custom-built-connectors/connector-sdk.md

@@ -344,7 +344,7 @@ The JSON deserialization depends on the Connector runtime environment your Conne
 Thus, use this deserialization approach with caution.
 While it works reliably for many input data types like string, boolean, integer, and nested
 objects, you might want to consider deserializing your Connector's input data in a custom fashion
-using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson)or
+using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson) or
 [Gson](https://github.com/google/gson).
 
 The `bindVariables` method and tools like Jackson or Gson can properly reflect nested data

docs/self-managed/connectors-deployment/connectors-configuration.md

@@ -50,6 +50,13 @@ If you are connecting a local Connector runtime to a SaaS cluster, you may want
 
 Zeebe:
 
+### Secure connection
+
+| Environment variable                                | Purpose                                                                        |
+| :-------------------------------------------------- | :----------------------------------------------------------------------------- |
+| `CAMUNDA_CLIENT_ZEEBE_BASEURL` (required)           | The base URL of the Zeebe broker (HTTPS)                                       |
+| `CAMUNDA_CLIENT_ZEEBE_CACERTIFICATEPATH` (optional) | The file location of the certificate to be used to connect to the Zeebe broker |
+
 ```bash
 ZEEBE_CLIENT_BROKER_GATEWAY-ADDRESS=127.0.0.1:26500
 ZEEBE_CLIENT_SECURITY_PLAINTEXT=true

docs/self-managed/operational-guides/update-guide/840-to-850.md

@@ -21,6 +21,12 @@ Follow the [upgrade instructions](/self-managed/setup/upgrade.md#helm-chart-1002
 
 ## Zeebe
 
+:::caution
+There is a [bug](https://github.com/camunda/camunda/issues/19984) in Zeebe 8.5.4 which incorrectly flags snapshots as corrupted even when they're not. This can cause reduced availability as nodes fail to start correctly. As such, **you should skip 8.5.4 and update directly from 8.5.3 to 8.5.5, or immediately to 8.5.5 if you're already on 8.5.4.**
+
+Note that there is **no** actual corruption or data loss, however.
+:::
+
 ### Deprecated broker health checks
 
 The broker health check routes have moved, and the old routes are now deprecated. Specifically, the following routes will return [a status code of 301](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301) and redirect you. See the table below about the new mappings:

docs/self-managed/setup/deploy/amazon/amazon-eks/terraform-setup.md

@@ -117,7 +117,7 @@ The [Camunda provided module](https://github.com/camunda/camunda-tf-eks-module)
 
 ```hcl
 module "eks_cluster" {
-  source = "github.com/camunda/camunda-tf-eks-module/modules/eks-cluster"
+  source = "git::https://github.com/camunda/camunda-tf-eks-module//modules/eks-cluster?ref=2.1.0"
 
   region  = "eu-central-1" # change to your AWS region
   name    = "cluster-name" # change to name of your choosing
@@ -142,7 +142,7 @@ We separated the cluster and PostgreSQL modules from each other to allow more cu
 
 ```hcl
 module "postgresql" {
-  source                     = "github.com/camunda/camunda-tf-eks-module/modules/aurora"
+  source                     = "git::https://github.com/camunda/camunda-tf-eks-module//modules/aurora?ref=2.1.0"
   engine_version             = "15.4"
   auto_minor_version_upgrade = false
   cluster_name               = "cluster-name-postgresql" # change "cluster-name" to your name
@@ -228,27 +228,41 @@ aws eks --region <region> update-kubeconfig --name <clusterName>
 
 ### Terraform AWS IAM permissions
 
-The user creating the Amazon EKS cluster has admin access. To allow other users to access this cluster as well, adjust the `aws-auth` configmap.
-
-With Terraform, you can create an AWS IAM user to Kubernetes role mapping via the following variable:
+The user creating the Amazon EKS cluster has admin access by default.
+To manage user access use the `access_entries` configuration introduced in module version [2.0.0](https://github.com/camunda/camunda-tf-eks-module/releases/tag/2.0.0):
 
 ```hcl
-# AWS IAM roles mapping
-aws_auth_roles = [{
-    rolearn  = "<arn>"
-    username = "<username>"
-    groups   = ["system:masters"]
-  }]
-
-# AWS IAM users mapping
-aws_auth_users = [{
-    userarn  = "<arn>"
-    username = "<username>"
-    groups   = ["system:masters"]
-  }]
+access_entries = {
+  example = {
+    kubernetes_groups = []
+    principal_arn     = "<arn>"
+
+    policy_associations = {
+      example = {
+        policy_arn   = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
+        access_scope = {
+          namespaces = ["default"]
+          type       = "namespace"
+        }
+      }
+    }
+  }
+}
 ```
 
-Where `arn` is the `arn` of your user or the role. The `group` is the Kubernetes rule, where `system:masters` is equivalent to an admin role. Lastly, `username` is either the username itself or the role name, which is used for logs.
+In this updated configuration:
+
+- `principal_arn` should be replaced with the ARN of the IAM user or role.
+- `policy_associations` allow you to associate policies for fine-grained access control.
+
+For a list of policies, please visit the [AWS EKS Access Policies documentation](https://docs.aws.amazon.com/eks/latest/userguide/access-policies.html).
+
+:::info
+
+Please note that the version 2.x.x of this module no longer supports direct mappings via `aws_auth_roles` and `aws_auth_users`. If you are upgrading from version [1.x.x](https://github.com/camunda/camunda-tf-eks-module/releases/tag/1.0.3), fork the module repository and follow the official AWS instructions for managing the `aws-auth` ConfigMap.
+For more details, refer to the [official upgrade guide](https://github.com/terraform-aws-modules/terraform-aws-eks/blob/master/docs/UPGRADE-20.0.md).
+
+:::
 
 ## Outputs
 

docs/self-managed/setup/install.md

@@ -31,10 +31,10 @@ The following charts will be installed as part of Camunda 8 Self-Managed:
 - **Identity**: Deploys the Identity component responsible for authentication and authorization.
 - **Connectors**: Deploys the Connectors component responsible for inbound and outbound integration with external systems.
 - **Elasticsearch**: Deploys an Elasticsearch cluster with two nodes.
+- **Web Modeler**: Deploys the Web Modeler component that allows you to model BPMN processes in a collaborative way.
+  - _Note_: The chart is disabled by default and needs to be [enabled explicitly](#install-web-modeler).
 - **Console**: Deploys Camunda Console Self-Managed.
   - _Note_: The chart is disabled by default and needs to be [enabled explicitly](#install-console) as the Console is only available to enterprise customers.
-- **Web Modeler**: Deploys the Web Modeler component that allows you to model BPMN processes in a collaborative way.
-  - _Note_: The chart is disabled by default and needs to be [enabled explicitly](#install-web-modeler) as Web Modeler is only available to enterprise customers.
 
 :::note Amazon OpenSearch Helm support
 The existing Helm charts use the Elasticsearch configurations by default. The Helm charts can still be used to connect to Amazon OpenSearch Service. Refer to [using Amazon OpenSearch Service](/self-managed/setup/guides/using-existing-opensearch.md).
@@ -227,7 +227,7 @@ By default, Camunda services deployed in a cluster are not accessible from outsi
 
 ### Enterprise components secret
 
-Enterprise components such as Console and Web Modeler are published in Camunda's private Docker registry (registry.camunda.cloud) and are exclusive to enterprise customers. These components are not available in public repositories.
+Enterprise components such as Console are published in Camunda's private Docker registry (registry.camunda.cloud) and are exclusive to enterprise customers. These components are not available in public repositories.
 
 To enable Kubernetes to pull the images from this registry, first [create an image pull secret](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) using the credentials you received from Camunda:
 
@@ -277,7 +277,6 @@ Follow the steps below to install the Camunda Helm chart with Web Modeler enable
 To set up Web Modeler, you need to provide the following required configuration values (all available configuration options are described in more detail in the Helm chart's [values docs](https://artifacthub.io/packages/helm/camunda/camunda-platform#webmodeler-parameters)):
 
 - Enable Web Modeler with `webModeler.enabled: true` (it is disabled by default).
-- Configure the previously created [image pull secret](#create-image-pull-secret) in `webModeler.image.pullSecrets`.
 - Configure your SMTP server by providing the values under `webModeler.restapi.mail`.
   - Web Modeler requires an SMTP server to send notification emails to users.
 - Configure the database connection
@@ -290,10 +289,6 @@ We recommend specifying these values in a YAML file that you pass to the `helm i
 ```yaml
 webModeler:
   enabled: true
-  image:
-    pullSecrets:
-      # Create the secret as mentioned according to the instructions.
-      - name: registry-camunda-cloud
   restapi:
     mail:
       smtpHost: smtp.example.com

sidebars.js

@@ -46,7 +46,6 @@ module.exports = {
         },
       ],
     },
-    "guides/migrating-from-cawemo",
     {
       "Migrate from Camunda 7": [
         "guides/migrating-from-camunda-7/index",

src/css/custom.css

@@ -301,8 +301,6 @@ navbar .navbar .navbar__link[href*="self-managed"] {
 
 .component-block {
   transition: all 0.3s ease;
-  background-color: #000;
-  color: white;
   border-radius: 25px;
   box-shadow: 4px 4px 4px 1px lightgray;
   margin: 2px;
@@ -313,6 +311,15 @@ navbar .navbar .navbar__link[href*="self-managed"] {
   transition: all 0.3s ease;
 }
 
+.component-block a {
+  color: var(--ifm-color-black);
+}
+
+.component-block a:hover {
+  color: var(--ifm-color-primary);
+  text-decoration: none;
+}
+
 div[class^="announcementBar_"] {
   font-size: 120%;
   padding: 1em 0;

src/pages/index.js

@@ -55,15 +55,15 @@ function Feature({ imageUrl, url, title, description }) {
   const imgUrl = useBaseUrl(imageUrl);
   return (
     <div className={clsx("col component-block", styles.feature)}>
-      {imgUrl && (
-        <div className="text--center">
-          <Link to={useBaseUrl(url)}>
+      <Link to={useBaseUrl(url)}>
+        {imgUrl && (
+          <div className="text--center">
             <img className={styles.featureImage} src={imgUrl} alt={title} />
-          </Link>
-        </div>
-      )}
-      <h3>{title}</h3>
-      <p>{description}</p>
+          </div>
+        )}
+        <h3>{title}</h3>
+        <p>{description}</p>
+      </Link>
     </div>
   );
 }

static/.htaccess

@@ -9,6 +9,12 @@ Options -Indexes -MultiViews
 # redirect new-context-pad to context-pad
 RewriteRule ^docs/components/modeler/web-modeler/new-context-pad/?$ /docs/components/modeler/web-modeler/context-pad/$1 [R=301,L]
 
+# Remove Cawemo
+RewriteRule ^docs/guides/migrating-from-cawemo/?$ https://docs.camunda.org/enterprise/announcement/#cawemo-saas-announcements [R=301,L]
+RewriteRule ^docs/8.4/guides/migrating-from-cawemo/?$ https://docs.camunda.org/enterprise/announcement/#cawemo-saas-announcements [R=301,L]
+RewriteRule ^docs/8.3/guides/migrating-from-cawemo/?$ https://docs.camunda.org/enterprise/announcement/#cawemo-saas-announcements [R=301,L]
+RewriteRule ^docs/8.2/guides/migrating-from-cawemo/?$ https://docs.camunda.org/enterprise/announcement/#cawemo-saas-announcements [R=301,L]
+
 # Move Help Center
 RewriteRule ^docs/guides/camunda-help-center/(.*)$ /docs/reference/camunda-help-center/$1 [R=301,L]
 RewriteRule ^docs/8.5/guides/camunda-help-center/(.*)$ /docs/8.5/reference/camunda-help-center/$1 [R=301,L]

versioned_docs/version-8.2/components/connectors/custom-built-connectors/connector-sdk.md

@@ -323,7 +323,7 @@ The JSON deserialization depends on the Connector runtime environment your Conne
 Thus, use this deserialization approach with caution.
 While it works reliably for many input data types like string, boolean, integer, and nested
 objects, you might want to consider deserializing your Connector's input data in a custom fashion
-using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson)or
+using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson) or
 [Gson](https://github.com/google/gson).
 
 The `bindVariables` method and tools like Jackson or Gson can properly reflect nested data

versioned_docs/version-8.3/components/connectors/custom-built-connectors/connector-sdk.md

@@ -319,7 +319,7 @@ The JSON deserialization depends on the Connector runtime environment your Conne
 Thus, use this deserialization approach with caution.
 While it works reliably for many input data types like string, boolean, integer, and nested
 objects, you might want to consider deserializing your Connector's input data in a custom fashion
-using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson)or
+using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson) or
 [Gson](https://github.com/google/gson).
 
 The `bindVariables` method and tools like Jackson or Gson can properly reflect nested data

versioned_docs/version-8.4/components/connectors/custom-built-connectors/connector-sdk.md

@@ -316,7 +316,7 @@ The JSON deserialization depends on the Connector runtime environment your Conne
 Thus, use this deserialization approach with caution.
 While it works reliably for many input data types like string, boolean, integer, and nested
 objects, you might want to consider deserializing your Connector's input data in a custom fashion
-using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson)or
+using `getVariables` and a library like [Jackson](https://github.com/FasterXML/jackson) or
 [Gson](https://github.com/google/gson).
 
 The `bindVariables` method and tools like Jackson or Gson can properly reflect nested data