fix(broker): add multitenancy configuration

docs/self-managed/zeebe-deployment/configuration/broker.md

@@ -51,6 +51,75 @@ broker:
     enable: false
 ```
 
+### zeebe.broker.gateway.multitenancy
+
+Multi-tenancy in Zeebe can be configured with the following configuration properties.
+Multi-tenancy is disabled by default.
+Read more [in the multi-tenancy documentation](../../../self-managed/concepts/multi-tenancy.md).
+
+:::note
+For now, multi-tenancy is only supported in combination with Identity.
+To use multi-tenancy, you must set [`authentication.mode`](#zeebebrokergatewaysecurityauthentication) to `'identity'` and specify the
+`camunda.identity.baseUrl` property or the [corresponding Camunda Identity environment variable](../../identity/deployment/configuration-variables.md#core-configuration)
+as well.
+:::
+
+:::note
+If you are using a standalone gateway, refer to the [gateway configuration guide](./gateway.md/#zeebegatewaymultitenancy).
+:::
+
+| Field   | Description                                                                                                                                                  | Example value |
+| ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------- |
+| enabled | Enable multitenancy in the embedded gateway. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_MULTITENANCY_ENABLED`. | False         |
+
+#### YAML snippet
+
+```yaml
+broker:
+  gateway:
+    multitenancy:
+      enable: false
+```
+
+### zeebe.broker.gateway.security.authentication
+
+| Field | Description                                                                                                                                                                                                                                                                                                                                                                                           | Example value |
+| ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
+| mode  | Controls which authentication mode is active; supported modes are `none` and `identity`. If `identity` is set, authentication will be done using [camunda-identity](/self-managed/identity/what-is-identity.md), which needs to be configured in the corresponding subsection. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_MODE`. | none          |
+
+#### YAML snippet
+
+```yaml
+security:
+  authentication:
+    mode: none
+```
+
+### zeebe.broker.gateway.security.authentication.identity
+
+:::note
+The Zeebe configuration properties for Camunda Identity are deprecated as of version `8.4.0`. Use the dedicated
+Camunda Identity properties or the [corresponding environment variables](../../identity/deployment/configuration-variables.md#core-configuration).
+:::
+
+| Field            | Description                                                                                                                                                                                                 | Example value                                     |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------- |
+| issuerBackendUrl | The URL to the auth provider backend, used to validate tokens. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_ISSUERBACKENDURL`. | http://keycloak:8080/auth/realms/camunda-platform |
+| audience         | The required audience of the auth token. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_AUDIENCE`.                               | zeebe-api                                         |
+| baseUrl          | The URL to the Identity instance. This setting can also be overridden using the environment variable `ZEEBE_BROKER_GATEWAY_SECURITY_AUTHENTICATION_IDENTITY_BASEURL`.                                       | http://identity:8084                              |
+
+#### YAML snippet
+
+```yaml
+security:
+  authentication:
+    mode: identity
+    identity:
+      issuerBackendUrl: http://keycloak:8080/auth/realms/camunda-platform
+      audience: zeebe-api
+      type: keycloak
+```
+
 ### zeebe.broker.network
 
 This section contains the network configuration. Particularly, it allows to configure the hosts and ports the broker should bind to. The broker exposes two sockets:

docs/self-managed/zeebe-deployment/configuration/gateway.md

@@ -340,6 +340,10 @@ To use multi-tenancy, you must set [`authentication.mode`](#zeebegatewayclusters
 as well.
 :::
 
+:::note
+If you are using an embedded gateway, refer to the [broker configuration guide](./broker.md/#zeebebrokergatewaymultitenancy).
+:::
+
 | Field   | Description                                                                                                                                     | Example value |
 | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- |
 | enabled | Enables multi-tenancy for the cluster. This setting can also be overridden using the environment variable `ZEEBE_GATEWAY_MULTITENANCY_ENABLED`. | true          |