Notes on Kubernetes secrets
Overview#
This page contains a series of notes about Kubernetes secrets that you may find useful during the installation of the self-hosted Digital Twin Platform.
External secrets#
The secrets listed on this page hold credentials and keys for systems outside the chart (databases, message brokers, licence servers, cloud services), so whoever performs the installation must create them before installing the chart. We suggest storing them in a cloud-native secrets manager (such as AWS Secrets Manager) and using a tool such as the External Secrets Operator to materialize the Kubernetes Secret objects from it, so that the cluster never holds the only copy.
Note: Several of these secrets are encryption keys used to store encrypted data in external datasources. Losing one of these keys after the system is initialized results in loss of the data encrypted under it, and rotating a key is not a simple value change either: data already encrypted under the old key stays unreadable until it is re-encrypted. This is why storing external secrets in a durable, versioned solution like AWS Secrets Manager is suggested.
If you would prefer to manage external secrets directly in Kubernetes, set the chart value createPlaceholderSecrets to true. The chart then creates the Kubernetes Secret resources with placeholder values, which you must replace with the real values from the external systems before the services start for the first time (see the note above on encryption keys). Keep in mind that a Kubernetes Secret is only base64-encoded: if you take this route, restrict read access with RBAC and enable encryption at rest for etcd.
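The following script is an added example, not code from the chart or the platform. It generates External Secrets Operator manifests for a few of the `*-external` Secrets listed further down this page and audits a rendered Secret for leftover placeholder values. Everything about the secret store is an assumption: a ClusterSecretStore named `aws-secrets-manager`, one AWS Secrets Manager entry per environment variable named `dtp/<VARIABLE>`, and `CHANGEME` as the placeholder the chart writes.

```python
"""Generate External Secrets Operator manifests for the platform's
*-external Secrets, and audit a rendered Secret for leftover placeholders.

Added example; not part of the chart or the platform. Assumed, not from this
page: a ClusterSecretStore named `aws-secrets-manager`, one AWS Secrets
Manager entry per environment variable named `dtp/<VARIABLE>` (so a variable
shared by several Kubernetes Secrets is stored exactly once), and `CHANGEME`
as the placeholder value written by createPlaceholderSecrets.
"""
import base64
import json

# Subset of the grouping from "Environment variables by secret" on this page.
SECRET_KEYS = {
    "aisvc-external": [
        "KAFKA_ADMINISTRATOR_PASSWORD",
        "KAFKA_AISVC_PASSWORD",
        "POSTGRES_AISVC_PASSWORD",
        "REDIS_AISVC_PASSWORD",
    ],
    "postgres-root-external": ["POSTGRES_ADMINISTRATOR_PASSWORD"],
    "workflowsvc-conductor-external": ["POSTGRES_WORKFLOWSVC_CONDUCTOR_PASSWORD"],
}

SECRET_STORE = "aws-secrets-manager"  # assumed ClusterSecretStore name
REMOTE_PREFIX = "dtp/"                # assumed Secrets Manager naming scheme
PLACEHOLDER = "CHANGEME"              # assumed placeholder marker


def external_secret(name, namespace, keys):
    """Return an ExternalSecret that materialises Secret `name` in `namespace`.

    Every Kubernetes key is pulled from the remote entry of the same name, so
    KAFKA_ADMINISTRATOR_PASSWORD resolves to the same value in each Secret
    that lists it. creationPolicy=Owner lets the operator create and own the
    Secret; refreshInterval re-syncs it if the remote value is rotated.
    """
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "refreshInterval": "1h",
            "secretStoreRef": {"kind": "ClusterSecretStore", "name": SECRET_STORE},
            "target": {"name": name, "creationPolicy": "Owner"},
            "data": [
                {"secretKey": key, "remoteRef": {"key": REMOTE_PREFIX + key}}
                for key in keys
            ],
        },
    }


def render_all(namespace):
    """Multi-document YAML for every Secret in SECRET_KEYS (JSON is valid YAML)."""
    docs = [json.dumps(external_secret(n, namespace, k), indent=2)
            for n, k in SECRET_KEYS.items()]
    return "\n---\n".join(docs) + "\n"


def audit_secret(secret, expected_keys):
    """List problems in a rendered Secret manifest; an empty list means OK.

    Covers the two ways the createPlaceholderSecrets path goes wrong: a key
    that was never filled in, and a key still carrying the placeholder.
    `.data` values are base64; `.stringData` values are plain text.
    """
    data = dict(secret.get("stringData", {}))
    for key, b64 in secret.get("data", {}).items():
        data[key] = base64.b64decode(b64).decode()
    problems = []
    for key in expected_keys:
        if key not in data:
            problems.append(f"missing key {key}")
        elif not data[key] or data[key] == PLACEHOLDER:
            problems.append(f"placeholder value in {key}")
    return problems


if __name__ == "__main__":
    print(render_all("dtp"))
```

Storing one remote entry per variable rather than one per Kubernetes Secret is deliberate: several variables appear under more than one Secret on this page, and a single source of truth keeps them consistent. To audit a live cluster, feed `audit_secret` the output of `kubectl get secret <name> -o json` together with the key list from the corresponding section below.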
Environment Variable Definition#
| Variable | Description |
|---|---|
| ACTIVEMQ_ADMINISTRATOR_PASSWORD | Password for administrator user in activemq service |
| ANALYTICS_DEFAULT_PASSWORD | Password for analytics user in postgres analytics service |
| ANALYTICS_ROOT_PASSWORD | Password for root user in postgres analytics service |
| DATASOURCESVC_ENCRYPTION_KEY | Key for encrypting certain datasourcesvc data |
| DATASOURCESVC_ENCRYPTION_SALT | Salt for encrypting certain datasourcesvc data |
| FILESVC_AWS_CLOUDFRONT_KEYFILE | URL-encoded version of the private key used for CloudFront |
| FILESVC_AWS_CLOUDFRONT_KEYID | AWS CloudFront public key ID |
| HOOPS_LICENSE_KEY | Hoops license key for the graphicssvc |
| ITEMSVC_ENCRYPTION_KEY | Key for encrypting certain itemsvc data |
| KAFKA_ADMINISTRATOR_PASSWORD | Password for administrator user in Kafka service |
| KAFKA_AISVC_PASSWORD | Password for aisvc user in Kafka service |
| KAFKA_DATASOURCESVC_PASSWORD | Password for datasourcesvc user in Kafka service |
| KAFKA_EVENTSTRANSFORMSVC_PASSWORD | Password for eventstransformsvc user in Kafka service |
| KAFKA_FILESVC_PASSWORD | Password for filesvc user in Kafka service |
| KAFKA_ITEMSVC_PASSWORD | Password for itemsvc user in Kafka service |
| KAFKA_ITEMSVC_TELEMETRY_WORKER_PASSWORD | Password for itemsvc-telemetry-worker user in Kafka service |
| KAFKA_ITEMSVC_WORKER_PASSWORD | Password for itemsvc-worker user in Kafka service |
| KAFKA_METRIC_PERSISTER_SERVICE_PASSWORD | Password for metrics-persister-service user in Kafka service |
| KAFKA_OBJECTMODELSVC_PASSWORD | Password for objectmodelsvc user in Kafka service |
| KAFKA_PASSPORTSVC_PASSWORD | Password for passportsvc user in Kafka service |
| KAFKA_PASSPORTSVC_METRICS_PASSWORD | Password for passportsvc-metrics user in Kafka service |
| KAFKA_PLATFORM_NOTIFICATIONSVC_API_PASSWORD | Password for platform-notificationsvc-api user in Kafka service |
| KAFKA_PLATFORM_NOTIFICATIONSVC_WORKER_PASSWORD | Password for platform-notificationsvc-worker user in Kafka service |
| KAFKA_SCRIPTMANAGER_PASSWORD | Password for scriptmanager user in Kafka service |
| KAFKA_WORKFLOWSVC_API_PASSWORD | Password for workflowsvc-api user in Kafka service |
| KAFKA_WORKFLOWSVC_BACKEND_PASSWORD | Password for workflowsvc-backend user in Kafka service |
| KAFKA_WORKFLOWWKR_BACKEND_PASSWORD | Password for workflowwkr-backend user in Kafka service |
| MAPBOX_LICENSE_KEY | Mapbox license key for the graphicssvc |
| MONGODB_GRAPHICSSVC_PASSWORD | Password for graphicssvc user in MongoDB service |
| MONGODB_ITEMSVC_PASSWORD | Password for itemsvc user in MongoDB service |
| MONGODB_METRICSSVC_PASSWORD | Password for metricssvc user in MongoDB service |
| NEO4J1_ADMINISTRATOR_PASSWORD | Password for administrator user in neo4j primary service |
| NEO4J2_ADMINISTRATOR_PASSWORD | Password for administrator user in neo4j secondary service |
| PASSPORTSVC_ENCRYPTION_KEY | Key for encrypting certain passportsvc data |
| PASSPORTSVC_JWT_PRIVATE_KEY | URL-encoded RSA private key in PEM format, used to sign JWTs |
| PASSPORTSVC_JWT_PUBLIC_KEY | URL-encoded RSA public key in PEM format matching PASSPORTSVC_JWT_PRIVATE_KEY |
| PASSPORTSVC_SAML_CERT | URL-encoded X.509 certificate in PEM format |
| PASSPORTSVC_SAML_PRIVATE_KEY | URL-encoded private key in PEM format matching the public key in PASSPORTSVC_SAML_CERT |
| PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD | Password for admin cli in Keycloak/platformiamsvc |
| PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD | Password for admin user in Keycloak/platformiamsvc |
| PLATFORMIAMSVC_ENCRYPTION_KEY | Key for encrypting certain platformiamsvc data |
| PLATFORM_NOTIFICATIONSVC_ENCRYPTION_KEY | Key for encrypting certain platform-notificationsvc data |
| PLATFORM_NOTIFICATIONSVC_ENCRYPTION_SALT | Salt for encrypting certain platform-notificationsvc data |
| POSTGRES_ADMINISTRATOR_PASSWORD | Password for root/administrator user in postgres service |
| POSTGRES_AISVC_PASSWORD | Password for ai service api user in postgres service |
| POSTGRES_DATASOURCESVC_PASSWORD | Password for datasourcesvc user in postgres service |
| POSTGRES_FILESVC_PASSWORD | Password for filesvc user in postgres service |
| POSTGRES_ITEMSVC_PASSWORD | Password for itemsvc user in postgres service |
| POSTGRES_NOTIFICATIONSVC_PASSWORD | Password for notificationsvc user in postgres service |
| POSTGRES_OBJECTMODELSVC_PASSWORD | Password for objectmodelsvc user in postgres service |
| POSTGRES_PASSPORTSVC_PASSWORD | Password for passportsvc user in postgres service |
| POSTGRES_PLATFORM_NOTIFICATIONSVC_PASSWORD | Password for platformnotificationsvc user in postgres service |
| POSTGRES_PLATFORMIAMSVC_PASSWORD | Password for platformiamsvc user in postgres service |
| POSTGRES_SCRIPTMANAGER_PASSWORD | Password for scriptmanager user in postgres service |
| POSTGRES_WORKFLOWSVC_API_PASSWORD | Password for workflow api user in postgres service |
| POSTGRES_WORKFLOWSVC_CONDUCTOR_PASSWORD | Password for workflow conductor user in postgres service |
| REDIS_AISVC_PASSWORD | Password for aisvc user in redis service |
| REDIS_EVENTSTRANSFORMSVC_PASSWORD | Password for eventstransformsvc user in redis service |
| REDIS_ITEMSVC_PASSWORD | Password for itemsvc user in redis service |
| REDIS_NOTIFICATIONSVC_PASSWORD | Password for notificationsvc user in redis service |
| REDIS_OBJECTMODELSVC_PASSWORD | Password for objectmodelsvc user in redis service |
| REDIS_PASSPORTSVC_PASSWORD | Password for passportsvc user in redis service |
| REDIS_PLATFORM_NOTIFICATIONSVC_PASSWORD | Password for platformnotificationsvc user in redis service |
| SCRIPTMANAGER_ENCRYPTION_KEY | Key for encrypting certain scriptmanager data |
| SCRIPTMANAGER_ENCRYPTION_SALT | Salt for encrypting certain scriptmanager data |
| SISENSE_SHARED_KEY | (optional) Sisense shared JWT key for SSO |
| SMTP_DEFAULT_PASSWORD | Password for default user in smtp service |
| WORKFLOWSVC_ENCRYPTION_KEY | Encryption key used when storing parameters in the workflowsvc database |
| WORKFLOWSVC_ENCRYPTION_SALT | Encryption salt used when storing parameters in the workflowsvc database |
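Several rows in the table are keys rather than passwords: the `*_ENCRYPTION_KEY` / `*_ENCRYPTION_SALT` pairs and the URL-encoded PEM values for `PASSPORTSVC_JWT_*` and `PASSPORTSVC_SAML_*`. The script below, an added example that is not part of the platform, generates fresh key/salt pairs, URL-encodes PEM material, and checks an encoded value before it goes into the secret store. The key and salt lengths, and the assumption that the services accept the percent-encoding produced by `urllib.parse.quote`, are not stated on this page; the PEM used is a constructed stand-in.

```python
"""Prepare and sanity-check the key-shaped values in the table above:
encryption key/salt pairs, and the URL-encoded PEM material expected by
PASSPORTSVC_JWT_* and PASSPORTSVC_SAML_*.

Added example; not part of the platform. Assumed, not stated on this page:
the key and salt lengths used here, and that the services accept the
percent-encoding produced by urllib.parse.quote. Real PEM input comes from
openssl (commands below); the PEM used here is a constructed stand-in.
"""
import secrets
from urllib.parse import quote, unquote

KEY_BYTES = 32    # assumed; the page does not state a required length
SALT_BYTES = 16   # assumed


def new_key_and_salt():
    """Fresh hex key and salt from the OS CSPRNG; generate a new pair per installation."""
    return secrets.token_hex(KEY_BYTES), secrets.token_hex(SALT_BYTES)


def encode_pem(pem):
    """Percent-encode a PEM blob so newlines, '+', '/' and '=' survive as an env var."""
    return quote(pem, safe="")


def check_encoded_pem(value, label):
    """Decode `value` and verify it is one PEM block of type `label`; return the PEM.

    Raises ValueError for the usual mistakes: the value was stored raw instead of
    URL-encoded, the wrong block type was supplied (a certificate where a private
    key is expected, or vice versa), or the paste was truncated.
    """
    if "\n" in value:
        raise ValueError("value is not URL-encoded (raw newlines present)")
    pem = unquote(value)
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if not lines or lines[0] != begin:
        raise ValueError(f"expected header {begin!r}, got {lines[:1]}")
    if lines[-1] != end:
        raise ValueError(f"expected footer {end!r}; value may be truncated")
    if len(lines) < 3:
        raise ValueError("PEM block has no body")
    return pem


def encoded_pem_value(pem, label):
    """Validate `pem` as a `label` block and return the value to store in the secret."""
    encoded = encode_pem(pem)
    check_encoded_pem(encoded, label)
    return encoded


# Constructed stand-in (the body is not real key material). Real files come from:
#   openssl genrsa -out jwt.key 2048 && openssl rsa -in jwt.key -pubout -out jwt.pub
#   openssl req -x509 -newkey rsa:2048 -nodes -keyout saml.key -out saml.crt -days 365
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBexampleBody==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    key, salt = new_key_and_salt()
    print("DATASOURCESVC_ENCRYPTION_KEY=", key)
    print("DATASOURCESVC_ENCRYPTION_SALT=", salt)
    print("PASSPORTSVC_SAML_CERT=", encoded_pem_value(SAMPLE_CERT, "CERTIFICATE"))
```

The PEM label to check for depends on how the private key was written: OpenSSL 3 emits PKCS#8 (`PRIVATE KEY`) from `genrsa` and `req`, while OpenSSL 1.1 emits `RSA PRIVATE KEY`, so pass whichever header your file actually carries. The public-key file from `openssl rsa -pubout` uses `PUBLIC KEY`.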
Environment variables by secret#
This section lists the same environment variables grouped by the Kubernetes Secret that carries them; each heading is the name of that Secret. Two things to check when populating them: a variable that appears under several Secrets (KAFKA_ADMINISTRATOR_PASSWORD, POSTGRES_DATASOURCESVC_PASSWORD and PASSPORTSVC_JWT_PUBLIC_KEY, among others) must hold the same value in every Secret that lists it, and because KAFKA_ADMINISTRATOR_PASSWORD is distributed to nearly every service, read access to each of these Secrets should be limited to the service account of the workload that consumes it.
aisvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_AISVC_PASSWORD
- POSTGRES_AISVC_PASSWORD
- REDIS_AISVC_PASSWORD
datasourcesvc-external#
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- ANALYTICS_DEFAULT_PASSWORD
- ANALYTICS_ROOT_PASSWORD
- DATASOURCESVC_ENCRYPTION_KEY
- DATASOURCESVC_ENCRYPTION_SALT
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_DATASOURCESVC_PASSWORD
- POSTGRES_DATASOURCESVC_PASSWORD
- SISENSE_SHARED_KEY
eventstransformsvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_EVENTSTRANSFORMSVC_PASSWORD
- REDIS_EVENTSTRANSFORMSVC_PASSWORD
filesvc-external#
- FILESVC_AWS_CLOUDFRONT_KEYFILE
- FILESVC_AWS_CLOUDFRONT_KEYID
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_FILESVC_PASSWORD
- POSTGRES_FILESVC_PASSWORD
graphicssvc-external#
- HOOPS_LICENSE_KEY
- MAPBOX_LICENSE_KEY
- MONGODB_GRAPHICSSVC_PASSWORD
itemsvc-external#
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- ITEMSVC_ENCRYPTION_KEY
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_ITEMSVC_PASSWORD
- KAFKA_ITEMSVC_TELEMETRY_WORKER_PASSWORD
- KAFKA_ITEMSVC_WORKER_PASSWORD
- MONGODB_ITEMSVC_PASSWORD
- NEO4J1_ADMINISTRATOR_PASSWORD
- NEO4J2_ADMINISTRATOR_PASSWORD
- POSTGRES_ITEMSVC_PASSWORD
- REDIS_ITEMSVC_PASSWORD
metricssvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_METRIC_PERSISTER_SERVICE_PASSWORD
- MONGODB_METRICSSVC_PASSWORD
notificationsvc-external#
- POSTGRES_NOTIFICATIONSVC_PASSWORD
- REDIS_NOTIFICATIONSVC_PASSWORD
- SMTP_DEFAULT_PASSWORD
objectmodelsvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_OBJECTMODELSVC_PASSWORD
- PASSPORTSVC_JWT_PUBLIC_KEY
- POSTGRES_OBJECTMODELSVC_PASSWORD
- REDIS_OBJECTMODELSVC_PASSWORD
passportsvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_PASSPORTSVC_PASSWORD
- KAFKA_PASSPORTSVC_METRICS_PASSWORD
- PASSPORTSVC_ENCRYPTION_KEY
- PASSPORTSVC_JWT_PRIVATE_KEY
- PASSPORTSVC_JWT_PUBLIC_KEY
- PASSPORTSVC_SAML_CERT
- PASSPORTSVC_SAML_PRIVATE_KEY
- PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
- PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
- POSTGRES_PASSPORTSVC_PASSWORD
- REDIS_PASSPORTSVC_PASSWORD
platform-kafka-connect-external#
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- KAFKA_ADMINISTRATOR_PASSWORD
- MONGODB_ITEMSVC_PASSWORD
- NEO4J1_ADMINISTRATOR_PASSWORD
- NEO4J2_ADMINISTRATOR_PASSWORD
- POSTGRES_DATASOURCESVC_PASSWORD
- POSTGRES_FILESVC_PASSWORD
- POSTGRES_OBJECTMODELSVC_PASSWORD
- POSTGRES_PASSPORTSVC_PASSWORD
- POSTGRES_PLATFORM_NOTIFICATIONSVC_PASSWORD
platform-notificationsvc-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_PLATFORM_NOTIFICATIONSVC_API_PASSWORD
- KAFKA_PLATFORM_NOTIFICATIONSVC_WORKER_PASSWORD
- PLATFORM_NOTIFICATIONSVC_ENCRYPTION_KEY
- PLATFORM_NOTIFICATIONSVC_ENCRYPTION_SALT
- POSTGRES_PLATFORM_NOTIFICATIONSVC_PASSWORD
- REDIS_PLATFORM_NOTIFICATIONSVC_PASSWORD
- SMTP_DEFAULT_PASSWORD
platformiamsvc-external#
- PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
- PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
- PLATFORMIAMSVC_ENCRYPTION_KEY
- POSTGRES_PLATFORMIAMSVC_PASSWORD
- SMTP_DEFAULT_PASSWORD
postgres-root-external#
- POSTGRES_ADMINISTRATOR_PASSWORD
scriptmanager-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_SCRIPTMANAGER_PASSWORD
- POSTGRES_SCRIPTMANAGER_PASSWORD
- SCRIPTMANAGER_ENCRYPTION_KEY
- SCRIPTMANAGER_ENCRYPTION_SALT
workflowsvc-api-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_WORKFLOWSVC_API_PASSWORD
- POSTGRES_WORKFLOWSVC_API_PASSWORD
- WORKFLOWSVC_ENCRYPTION_KEY
- WORKFLOWSVC_ENCRYPTION_SALT
workflowsvc-backend-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_WORKFLOWSVC_BACKEND_PASSWORD
- WORKFLOWSVC_ENCRYPTION_KEY
- WORKFLOWSVC_ENCRYPTION_SALT
workflowsvc-conductor-external#
- POSTGRES_WORKFLOWSVC_CONDUCTOR_PASSWORD
workflowwkr-backend-external#
- KAFKA_ADMINISTRATOR_PASSWORD
- KAFKA_WORKFLOWWKR_BACKEND_PASSWORD
Other notes#
Services do not hard-code configuration: every environment variable is referenced from a ConfigMap, and every credential from one of the Secrets above. This allows values to be changed without modifying the application or service code, and it keeps them easy to look up from a single location.
Each file is mounted as a whole-volume directory rather than with subPath, so that updates made through the Kubernetes API are propagated by the kubelet. A ConfigMap or Secret volume mounted with subPath is bound to the file that existed at pod start and never receives updates, and values injected as environment variables are likewise fixed until the pod restarts. Updates to directory mounts arrive after the kubelet sync period plus its cache propagation delay, and the service must re-read the file to pick them up. For more information, refer to the Kubernetes documentation.
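To make the mount behaviour concrete, the following added example (not code from the platform) simulates what the kubelet does for a Secret or ConfigMap volume: the files live in a generation directory, a `..data` symlink points at the current one, and an update swaps the symlink atomically. A reader that opens `<mount>/<key>` each time sees the new value, while a reader that resolved the real file once at startup, which is what a subPath mount amounts to, keeps reading the old one. The `..data` name mirrors the kubelet's convention; the generation directory names and the secret key used are constructed for the simulation.

```python
"""Directory mount versus subPath: why only one of them sees updates.

Added example; not code from the platform. Simulates the kubelet's atomic
projected-volume writer (`..data` symlink swapped over a generation directory)
and compares a per-read lookup through the mount directory with a handle that
resolved the real file path once, as a subPath bind mount does.
"""
import os
import tempfile


class FakeVolume:
    """Mimics the kubelet's atomic writer for a single key in a volume."""

    def __init__(self, root, key):
        self.root, self.key, self.gen = root, key, 0

    def write(self, value):
        # 1. write the new generation into its own directory
        self.gen += 1
        newdir = os.path.join(self.root, f"..gen{self.gen}")
        os.mkdir(newdir)
        with open(os.path.join(newdir, self.key), "w") as fh:
            fh.write(value)
        # 2. atomically repoint ..data at it (rename over the old symlink)
        tmp = os.path.join(self.root, "..data_tmp")
        os.symlink(os.path.basename(newdir), tmp)
        os.rename(tmp, os.path.join(self.root, "..data"))
        # 3. the user-visible entry is a stable symlink into ..data
        link = os.path.join(self.root, self.key)
        if not os.path.lexists(link):
            os.symlink(os.path.join("..data", self.key), link)


def read_via_directory(mount, key):
    """Directory mount: resolve through the symlink chain on every read."""
    with open(os.path.join(mount, key)) as fh:
        return fh.read()


class SubPathMount:
    """subPath mount: the bind mount targets the file resolved at pod start."""

    def __init__(self, mount, key):
        self.real = os.path.realpath(os.path.join(mount, key))

    def read(self):
        with open(self.real) as fh:
            return fh.read()


def demo():
    """Rotate a value once; return (directory-mount read, subPath read)."""
    with tempfile.TemporaryDirectory() as root:
        key = "KAFKA_AISVC_PASSWORD"          # constructed for the simulation
        vol = FakeVolume(root, key)
        vol.write("old-password")
        sub = SubPathMount(root, key)         # pod starts, subPath is bound
        vol.write("new-password")             # kubelet syncs the updated Secret
        return read_via_directory(root, key), sub.read()


if __name__ == "__main__":
    print(demo())
```

The directory reader returns `new-password` and the subPath reader still returns `old-password`; the same split applies to environment variables, which are captured once at process start. A service that is meant to pick up rotated credentials therefore needs both a directory mount and code that re-reads the file instead of caching it.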