Managing Secrets
- Rene Beckert
- Cornelius Wachinger
In PoC secenarios all secrets are generated from the data of the values file. In production environments, this is not recommended, since ther should not be any confidential data in the values file. Therefore the Kubernetes secrets have to be created beforhand, manually or ideally from a vault. The Smartfacts and OSLC Adapter charts support the use of pre-installed Kubernetes secrets.
Secret Templates
Most secrets, except the tls secret, are opaque secets. You can use the following template to construct the secrets:
Opaque secrets
apiVersion: v1
data:
<Secret Field Name 1>: <base64 encoded secret data 1>
<Secret Field Name 2>: <base64 encoded secret data 2>
...
kind: Secret
metadata:
name: <Name of the secret in Kubernets>
type: OpaqueTLS Secrets
apiVersion: v1
data:
tls.crt: <Complete certificate chain in PEM format, encoded as base64>
tls.key: <certificate key in PEM format, encoded as base64>
kind: Secret
metadata:
name: <Name of the secret in Kubernets>
type: kubernetes.io/tlsDocker config json Secrets
To generate the value to insert in the secret, fill in the "..." placeholder with your username and password for the docker image registry, replace the retistry name “repo.mid.de” with your own registry if needed.
{
"auths":
{
"repo.mid.de" :
{
"username":"...",
"password":"..."
}
}
}Encode the whole json as base64 with padding and insert the base64 string in the secret template:
List of Secrets
Secret purpose | default secret name | Secret type | name of property to override default secret name | secret data property name | content (All contens have to be base64 encoded!) | Secret necessary when … |
|---|---|---|---|---|---|---|
TLS certificates for ingresses | smartfacts-certs | kubernets.io/tls | global.cert.crtFullChain | tls.crt | The Server cetificate | Ingress is terminating tls |
global.cert.key | tls.key | The key for the server certificate | ||||
Username and Password of the Administration user in Keycloak | smartfacts-keycloak-admin-secret | Opaque |
| KEYCLOAK_PASSWORD | The password for the keycloak administrator | Keycloak.enabled is set to true in values file |
| KEYCLOAK_USER | The username of the keycloak administrator. By default this is “keycloak-admin”. | ||||
Data for connecting to the OIDC provider | smartfacts-oidc-secrets | Opaque | global.secrets.oidcSecretName | campId | ID of camp client in OIDC issuer | Connecting to an OIDC provider |
camSecret | Secret of camp client in OIDC issuer | |||||
smartfactsId | ID of smartfacts client in OIDC issuer | |||||
smartfactsSecret | Secret of smartfacts client in OIDC issuer | |||||
Username and password of the postgresql database used for Keycloak | smartfacts-postgresql | Opaque |
| password |
| Keycloak.enabled is set to true in values file |
| postgres-password |
| ||||
The Java truststore used by the Smartfacts platform and genoslc toolservice | smartfacts-truststore | Opaque |
| truststore.jks |
| property is set in values file or if the property is not present (default is “true”) |
| smartfacts-truststore-password | Opaque |
| password | The password of the truststore. | |
| regcred | kubernetes.io/dockerconfigjson | global.imagePullSecrets[] | .dockerconfigjson |
| Docker Image Registry needs a login |
| smartfacts-mongodb-connection-secret | Opaque |
| connection-string | The Connection string to the mongodb in the format for Java drivers. The Connection string will contain the username and password of the mongodb user. | Always |
| smartfacts-oauth10a-encryption-key-secret | Opaque |
| ENCRYPTION_KEY | A random string, that should never change again. It is used as secret to encrypt and decrypt the oauth10a configuration data in the mongodb. | Always |
| smartfacts-oslc-technical-user-secret | Opaque | env.tool. | adaptedToolTechnicalUserAuthorizationHeader | “Basic <credentials as base64>”, with the placeholder <credentials as base64> replaced with the base64 encoded string of “username:password” of the user. (Yes, at the end username:password is twice encoded with base64) | OSLC Connectors are used |