In PoC scenarios all secrets are generated from the data in the values file. In production environments this is not recommended: the values file should not contain any confidential data, since it is usually kept in version control and Helm stores the supplied values in its release history. Any secret data should instead be kept in Kubernetes secrets. Therefore the Kubernetes secrets have to be created beforehand, manually or ideally from a vault. The Smartfacts and OSLC Adapter charts support the use of such pre-installed Kubernetes secrets.

Secret Templates

Most secrets are of type Opaque; the exceptions are the TLS secret for the ingresses and the image pull secret for the Docker registry. You can use the following templates to construct the secrets. Keep in mind that base64 is an encoding, not encryption: a finished manifest contains the credentials in the clear and must be stored and transported with the same care as the secret itself (do not commit it to version control).

Opaque secrets

Code Block
apiVersion: v1
data:
  <Secret Field Name 1>: <base64 encoded secret data 1>
  <Secret Field Name 2>: <base64 encoded secret data 2>
  ...
kind: Secret
metadata:
  name: <Name of the secret in Kubernets>
type: Opaque

TLS Secrets

Code Block
apiVersion: v1
data:
  tls.crt: <Complete certificate chain in PEM format, encoded as base64>
  tls.key: <certificate key in PEM format, encoded as base64>
kind: Secret
metadata:
  name: <Name of the secret in Kubernets>
type: kubernetes.io/tls

Docker config json Secrets

To generate the value to insert in the secret, fill in the "..." placeholders with your username and password for the Docker image registry, and replace the registry name "repo.mid.de" with your own registry if needed:

Code Block
{
  "auths":
  {
    "repo.mid.de" :
    {
      "username":"...",
      "password":"..."
    }
  }
}

Encode the whole JSON document as base64 with padding and insert the resulting base64 string as the value of .dockerconfigjson in the secret template:

Code Block
apiVersion: v1
data:
  .dockerconfigjson: ...
kind: Secret
metadata:
  name: <Name of the secret in Kubernets>
type: kubernetes.io/dockerconfigjson
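The three templates above can be filled in by a small script instead of by hand, which avoids the usual mistakes (line-wrapped base64, a stray trailing newline in a value, unbalanced quotes in the JSON). The following is an added example and not part of the Smartfacts or OSLC Adapter charts; the secret names, the registry "repo.mid.de" and all credentials in it are constructed placeholders, and it assumes the base64 command line tool is available.

```shell
#!/bin/sh
# Added example, not part of the Smartfacts or OSLC Adapter charts: build the
# three kinds of secret manifest from the templates above with plain shell, so
# they can be reviewed before "kubectl apply". Secret names, the registry
# "repo.mid.de" and all credentials below are constructed placeholders.
set -eu

# base64 without line wrapping; works with GNU, BSD and busybox base64
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64file() { base64 < "$1" | tr -d '\n'; }

# Opaque secret: first argument is the secret name, the rest are key=value pairs.
# Values are base64 encoded here, so pass them in the clear.
opaque_secret() {
  name=$1; shift
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\ndata:\n' "$name"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# TLS secret from PEM files: the certificate file must contain the full chain
# (server certificate first, then the intermediates).
tls_secret() {
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/tls\nmetadata:\n  name: %s\ndata:\n' "$1"
  printf '  tls.crt: %s\n' "$(b64file "$2")"
  printf '  tls.key: %s\n' "$(b64file "$3")"
}

# The JSON document for a docker-registry secret: registry, username, password.
# Quotes and backslashes are not escaped here, so refuse credentials containing them.
dockerconfig_json() {
  case "$2$3" in *'"'*|*\\*) echo 'dockerconfig_json: quote or backslash in credentials' >&2; return 1;; esac
  printf '{"auths":{"%s":{"username":"%s","password":"%s"}}}' "$1" "$2" "$3"
}

dockerconfig_secret() {
  json=$(dockerconfig_json "$2" "$3" "$4")
  printf 'apiVersion: v1\nkind: Secret\ntype: kubernetes.io/dockerconfigjson\nmetadata:\n  name: %s\ndata:\n' "$1"
  printf '  .dockerconfigjson: %s\n' "$(b64 "$json")"
}

# Demo output, enabled with DEMO=1 so that sourcing the file stays side-effect free:
#   DEMO=1 sh make-secrets.sh | kubectl apply -n smartfacts -f -
if [ "${DEMO:-0}" = 1 ]; then
  opaque_secret smartfacts-truststore-password password=changeit
  echo ---
  dockerconfig_secret regcred repo.mid.de alice 'p@ssw0rd'
fi
```

Because the functions only print YAML, the output can be piped into kubectl, diffed against the running secret with kubectl diff, or handed to a vault integration; nothing is applied as a side effect of sourcing the file.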

List of Secrets

For every secret the entries below give the purpose, the default secret name, the secret type, the values-file property that overrides the default secret name (where the charts provide one), the data keys with their meaning, and the condition under which the secret is necessary. All contents have to be base64 encoded!

smartfacts-certs
  Purpose: TLS certificates for the ingresses
  Type: kubernetes.io/tls
  Data keys:
    tls.crt (property global.cert.crtFullChain): the server certificate, as the complete chain in PEM format (server certificate first, then the intermediates)
    tls.key (property global.cert.key): the key for the server certificate
  Necessary when: the ingress is terminating TLS

smartfacts-keycloak-admin-secret
  Purpose: username and password of the administration user in Keycloak
  Type: Opaque
  Data keys:
    KEYCLOAK_USER: the username of the Keycloak administrator. By default this is "keycloak-admin".
    KEYCLOAK_PASSWORD: the password of the Keycloak administrator
  Necessary when: Keycloak.enabled is set to true in the values file

smartfacts-oidc-secrets
  Purpose: data for connecting to the OIDC provider
  Type: Opaque
  Override property: global.secrets.oidcSecretName
  Data keys:
    campId: ID of the camp client in the OIDC issuer
    camSecret: secret of the camp client in the OIDC issuer
    smartfactsId: ID of the smartfacts client in the OIDC issuer
    smartfactsSecret: secret of the smartfacts client in the OIDC issuer
  Necessary when: connecting to an OIDC provider

smartfacts-postgresql
  Purpose: username and password of the PostgreSQL database used for Keycloak
  Type: Opaque
  Data keys:
    password
    postgres-password
  Necessary when: Keycloak.enabled is set to true in the values file

smartfacts-truststore
  Purpose: the Java truststore used by the Smartfacts platform and the genoslc toolservice
  Type: Opaque
  Data keys:
    truststore.jks
  Necessary when: the property truststoreEnabled: true is set in the values file, or the property is not present (the default is "true")

smartfacts-truststore-password
  Purpose: the password of the truststore above
  Type: Opaque
  Data keys:
    password: the password of the truststore
  Necessary when: under the same condition as smartfacts-truststore

regcred
  Purpose: image pull secret for the Docker image registry
  Type: kubernetes.io/dockerconfigjson
  Override property: global.imagePullSecrets[]
  Data keys:
    .dockerconfigjson
  Necessary when: the Docker image registry needs a login

smartfacts-mongodb-connection-secret
  Purpose: connection to the MongoDB
  Type: Opaque
  Data keys:
    connection-string: the connection string to the MongoDB in the format for Java drivers. The connection string contains the username and password of the MongoDB user.
  Necessary when: always

smartfacts-oauth10a-encryption-key-secret
  Purpose: key for the OAuth 1.0a configuration data
  Type: Opaque
  Data keys:
    ENCRYPTION_KEY: a random string that must never change again. It is used as the secret to encrypt and decrypt the OAuth 1.0a configuration data in the MongoDB; if it is lost or changed, the configuration already stored there can no longer be decrypted, so keep a backup of it in your vault.
  Necessary when: always

smartfacts-oslc-technical-user-secret
  Purpose: credentials of the technical user in the adapted tool
  Type: Opaque
  Override property: env.tool.adaptedToolTechnicalUserAuthorizationHeader
  Data keys:
    adaptedToolTechnicalUserAuthorizationHeader: "Basic <credentials as base64>", with the placeholder <credentials as base64> replaced by the base64 encoding of "username:password" of the technical user. As with every data field, this complete header value is then base64 encoded once more when it is placed in the secret, so username:password ends up encoded twice.
  Necessary when: OSLC connectors are used
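Two values in this list are regularly produced incorrectly: the Authorization header for smartfacts-oslc-technical-user-secret, which must be base64 encoded twice, and the ENCRYPTION_KEY, which must be random and must never be regenerated. The following added example (not part of the Smartfacts or OSLC Adapter charts) builds both secrets and includes a check that tells a once-encoded header value apart from a correctly twice-encoded one. The user "svc-oslc" and its password are constructed placeholders; the script assumes the base64 tool and /dev/urandom are available.

```shell
#!/bin/sh
# Added example, not part of the Smartfacts or OSLC Adapter charts: produce the
# twice-encoded Authorization header for smartfacts-oslc-technical-user-secret
# and a fresh ENCRYPTION_KEY for smartfacts-oauth10a-encryption-key-secret, and
# check a header value before it is applied. "svc-oslc" and its password are
# constructed placeholders.
set -eu

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# First encoding: the HTTP Basic credentials, i.e. what the adapter sends to the tool.
basic_auth_header() { printf 'Basic %s' "$(b64 "$1:$2")"; }

# Second encoding: the complete header becomes the base64 content of the data field.
oslc_secret_value() { b64 "$(basic_auth_header "$1" "$2")"; }

oslc_technical_user_secret() {
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: smartfacts-oslc-technical-user-secret\ndata:\n'
  printf '  adaptedToolTechnicalUserAuthorizationHeader: %s\n' "$(oslc_secret_value "$1" "$2")"
}

# Returns 0 when a data value decodes to "Basic <base64 of user:password>",
# 1 when it was only encoded once (or is not a Basic auth header at all).
check_oslc_value() {
  outer=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$outer" in "Basic "*) ;; *) return 1;; esac
  inner=$(printf '%s' "${outer#Basic }" | base64 -d 2>/dev/null) || return 1
  case "$inner" in *:*) return 0;; *) return 1;; esac
}

# 32 random bytes from the kernel CSPRNG as a base64 string (44 characters).
# Generate it once, store it in a vault, and never rotate it: the OAuth 1.0a
# configuration already in MongoDB cannot be decrypted with a different key.
encryption_key() { head -c 32 /dev/urandom | base64 | tr -d '\n'; }

# The key string itself is base64 encoded again for the data field, like any other value.
oauth10a_encryption_key_secret() {
  printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: smartfacts-oauth10a-encryption-key-secret\ndata:\n'
  printf '  ENCRYPTION_KEY: %s\n' "$(b64 "$1")"
}

# Demo output, enabled with DEMO=1:
#   DEMO=1 sh oslc-secrets.sh | kubectl apply -n smartfacts -f -
if [ "${DEMO:-0}" = 1 ]; then
  oslc_technical_user_secret svc-oslc 'p@ssw0rd'
  echo ---
  oauth10a_encryption_key_secret "$(encryption_key)"
fi
```

Running check_oslc_value against the data field of an existing secret (for example the output of kubectl get secret ... -o jsonpath) is a quick way to find an adapter deployment whose technical user is failing authentication because the header was only encoded once.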