Version: v5.0

Notes on Kubernetes secrets

Overview

This page contains a series of notes about Kubernetes secrets that you may find useful during the installation of the SMI.

External secrets

The secrets listed on this page come from external systems, so the installer needs to ensure they are created before installation. We suggest storing them in a cloud-native secrets manager (such as AWS Secrets Manager) and using a tool such as the External Secrets Operator to generate the Kubernetes secrets from it.

Note: several of these secrets are encryption keys used to encrypt data stored in external datasources. Losing these keys after the system is initialized results in loss of that data, which is why a durable, versioned store such as AWS Secrets Manager is suggested for external secrets.

If you would prefer to manage external secrets directly in Kubernetes instead, set the chart value createPlaceholderSecrets to true. The chart will then generate the Kubernetes Secret resources with placeholder values for you to edit and replace with the values from the external systems.

Environment Variable Definition

Variable / Description
ACTIVEMQ_ADMINISTRATOR_PASSWORD: Password for the administrator user in the activemq service
ANALYTICS_DEFAULT_PASSWORD: Password for the analytics user in the postgres analytics service
ANALYTICS_ROOT_PASSWORD: Password for the root user in the postgres analytics service
DATASOURCESVC_ENCRYPTION_KEY: Key for encrypting certain datasourcesvc data
DATASOURCESVC_ENCRYPTION_SALT: Salt for encrypting certain datasourcesvc data
FILESVC_AWS_CLOUDFRONT_KEYFILE: URL-encoded version of the private key used for CloudFront
FILESVC_AWS_CLOUDFRONT_KEYID: AWS CloudFront public key id
HOOPS_LICENSE_KEY: Hoops license key for the graphicssvc
ITEMSVC_ENCRYPTION_KEY: Key for encrypting certain itemsvc data
KAFKA_ADMINISTRATOR_PASSWORD: Password for the administrator user in the Kafka service
MAPBOX_LICENSE_KEY: Mapbox license key for the graphicssvc
MONGODB_GRAPHICSSVC_PASSWORD: Password for the graphicssvc user in the MongoDB service
MONGODB_ITEMSVC_PASSWORD: Password for the itemsvc user in the MongoDB service
MONGODB_METRICSSVC_PASSWORD: Password for the metricssvc user in the MongoDB service
NEO4J1_ADMINISTRATOR_PASSWORD: Password for the administrator user in the neo4j primary service
NEO4J2_ADMINISTRATOR_PASSWORD: Password for the administrator user in the neo4j secondary service
PASSPORTSVC_ENCRYPTION_KEY: Key for encrypting certain passportsvc data
PASSPORTSVC_JWT_PRIVATE_KEY: Private RSA key, PEM formatted and URL-encoded
PASSPORTSVC_JWT_PUBLIC_KEY: Public RSA key, PEM formatted and URL-encoded
PASSPORTSVC_SAML_CERT: Public X.509 certificate, PEM formatted and URL-encoded
PASSPORTSVC_SAML_PRIVATE_KEY: Private key used to create PASSPORTSVC_SAML_CERT, PEM formatted and URL-encoded
PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD: Password for the admin CLI in Keycloak/platformiamsvc
PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD: Password for the admin user in Keycloak/platformiamsvc
PLATFORMIAMSVC_ENCRYPTION_KEY: Key for encrypting certain platformiamsvc data
POSTGRES_ADMINISTRATOR_PASSWORD: Password for the root/administrator user in the postgres service
POSTGRES_AISVC_PASSWORD: Password for the ai service api user in the postgres service
POSTGRES_DATASOURCESVC_PASSWORD: Password for the datasourcesvc user in the postgres service
POSTGRES_FILESVC_PASSWORD: Password for the filesvc user in the postgres service
POSTGRES_ITEMSVC_PASSWORD: Password for the itemsvc user in the postgres service
POSTGRES_NOTIFICATIONSVC_PASSWORD: Password for the notificationsvc user in the postgres service
POSTGRES_OBJECTMODELSVC_PASSWORD: Password for the objectmodelsvc user in the postgres service
POSTGRES_PASSPORTSVC_PASSWORD: Password for the passportsvc user in the postgres service
POSTGRES_PLATFORMIAMSVC_PASSWORD: Password for the platformiamsvc user in the postgres service
POSTGRES_SCRIPTMANAGER_PASSWORD: Password for the scriptmanager user in the postgres service
POSTGRES_WORKFLOWSVC_API_PASSWORD: Password for the workflow api user in the postgres service
POSTGRES_WORKFLOWSVC_CONDUCTOR_PASSWORD: Password for the workflow conductor user in the postgres service
REDIS_AISVC_PASSWORD: Password for the aisvc user in the redis service
REDIS_APIGATEWAY_PASSWORD: Password for the api-gateway user in the redis service
REDIS_EVENTSTRANSFORMSVC_PASSWORD: Password for the eventstransformsvc user in the redis service
REDIS_ITEMSVC_PASSWORD: Password for the itemsvc user in the redis service
REDIS_NOTIFICATIONSVC_PASSWORD: Password for the notificationsvc user in the redis service
REDIS_PASSPORTSVC_PASSWORD: Password for the passportsvc user in the redis service
REDIS_PLATFORM_NOTIFICATIONSVC_PASSWORD: Password for the notificationsvc user in the redis service
SCRIPTMANAGER_ENCRYPTION_KEY: Key for encrypting certain scriptmanager data
SCRIPTMANAGER_ENCRYPTION_SALT: Salt for encrypting certain scriptmanager data
SISENSE_SECRET_KEY: (optional) Sisense shared JWT key for SSO
SMTP_DEFAULT_PASSWORD: Password for the default user in the smtp service
WORKFLOWSVC_ENCRYPTION_KEY: Encryption key used when storing parameters in the database
WORKFLOWSVC_ENCRYPTION_SALT: Encryption salt used when storing parameters in the database

Environment variables by secret

This section lists the environment variables you should be aware of, grouped by the Kubernetes secret that carries them.

aisvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • POSTGRES_AISVC_PASSWORD
  • REDIS_AISVC_PASSWORD
api-gateway-external
  • REDIS_APIGATEWAY_PASSWORD
datasourcesvc-external
  • ACTIVEMQ_ADMINISTRATOR_PASSWORD
  • ANALYTICS_DEFAULT_PASSWORD
  • ANALYTICS_ROOT_PASSWORD
  • DATASOURCESVC_ENCRYPTION_KEY
  • DATASOURCESVC_ENCRYPTION_SALT
  • KAFKA_ADMINISTRATOR_PASSWORD
  • POSTGRES_DATASOURCESVC_PASSWORD
  • SISENSE_SECRET_KEY
eventstransformsvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • REDIS_EVENTSTRANSFORMSVC_PASSWORD
filesvc-external
  • FILESVC_AWS_CLOUDFRONT_KEYFILE
  • FILESVC_AWS_CLOUDFRONT_KEYID
  • KAFKA_ADMINISTRATOR_PASSWORD
  • POSTGRES_FILESVC_PASSWORD
graphicssvc-external
  • HOOPS_LICENSE_KEY
  • MAPBOX_LICENSE_KEY
  • MONGODB_GRAPHICSSVC_PASSWORD
itemsvc-external
  • ACTIVEMQ_ADMINISTRATOR_PASSWORD
  • ITEMSVC_ENCRYPTION_KEY
  • KAFKA_ADMINISTRATOR_PASSWORD
  • MONGODB_ITEMSVC_PASSWORD
  • NEO4J1_ADMINISTRATOR_PASSWORD
  • NEO4J2_ADMINISTRATOR_PASSWORD
  • POSTGRES_ITEMSVC_PASSWORD
  • REDIS_ITEMSVC_PASSWORD
metricssvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • MONGODB_METRICSSVC_PASSWORD
notificationsvc-external
  • POSTGRES_NOTIFICATIONSVC_PASSWORD
  • REDIS_NOTIFICATIONSVC_PASSWORD
objectmodelsvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • PASSPORTSVC_JWT_PUBLIC_KEY
  • POSTGRES_OBJECTMODELSVC_PASSWORD
passportsvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • PASSPORTSVC_ENCRYPTION_KEY
  • PASSPORTSVC_JWT_PRIVATE_KEY
  • PASSPORTSVC_JWT_PUBLIC_KEY
  • PASSPORTSVC_SAML_CERT
  • PASSPORTSVC_SAML_PRIVATE_KEY
  • PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
  • PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
  • POSTGRES_PASSPORTSVC_PASSWORD
  • REDIS_PASSPORTSVC_PASSWORD
platform-kafka-connect-external
  • ACTIVEMQ_ADMINISTRATOR_PASSWORD
  • KAFKA_ADMINISTRATOR_PASSWORD
  • MONGODB_ITEMSVC_PASSWORD
  • NEO4J1_ADMINISTRATOR_PASSWORD
  • NEO4J2_ADMINISTRATOR_PASSWORD
  • POSTGRES_DATASOURCESVC_PASSWORD
  • POSTGRES_FILESVC_PASSWORD
  • POSTGRES_OBJECTMODELSVC_PASSWORD
  • POSTGRES_PASSPORTSVC_PASSWORD
platform-notificationsvc-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • REDIS_PLATFORM_NOTIFICATIONSVC_PASSWORD
platformiamsvc-external
  • PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
  • PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
  • PLATFORMIAMSVC_ENCRYPTION_KEY
  • POSTGRES_PLATFORMIAMSVC_PASSWORD
  • SMTP_DEFAULT_PASSWORD
postgres-root-external
  • POSTGRES_ADMINISTRATOR_PASSWORD
scriptmanager-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • POSTGRES_SCRIPTMANAGER_PASSWORD
  • SCRIPTMANAGER_ENCRYPTION_KEY
  • SCRIPTMANAGER_ENCRYPTION_SALT
workflowsvc-api-external
  • KAFKA_ADMINISTRATOR_PASSWORD
  • POSTGRES_WORKFLOWSVC_API_PASSWORD
  • WORKFLOWSVC_ENCRYPTION_KEY
  • WORKFLOWSVC_ENCRYPTION_SALT
workflowsvc-backend-external
  • KAFKA_ADMINISTRATOR_PASSWORD
workflowsvc-conductor-external
  • POSTGRES_WORKFLOWSVC_CONDUCTOR_PASSWORD
workflowwkr-backend-external
  • KAFKA_ADMINISTRATOR_PASSWORD
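Two things commonly go wrong when filling these secrets by hand: a placeholder value generated by createPlaceholderSecrets is left in place, or a PEM key is stored raw instead of URL-encoded as the PASSPORTSVC_* and FILESVC_AWS_CLOUDFRONT_KEYFILE entries require. The following is an added pre-install check, not part of the SMI chart; it assumes the placeholder strings are empty or "changeme"-style (the chart's real placeholder text is not documented above), and the REQUIRED map carries only two of the secrets listed above to stay short.

```python
import base64
import re
import urllib.parse

# A PEM block: matching BEGIN/END labels around base64 lines.
PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----\n?$")
# Assumed placeholder forms; adjust to whatever the chart actually writes.
PLACEHOLDER_RE = re.compile(r"^(?:|changeme|change_me|placeholder|todo)$", re.I)
# Keys the table above says must hold a URL-encoded PEM block.
PEM_KEYS = ("PASSPORTSVC_JWT_PRIVATE_KEY", "PASSPORTSVC_JWT_PUBLIC_KEY",
            "PASSPORTSVC_SAML_CERT", "PASSPORTSVC_SAML_PRIVATE_KEY",
            "FILESVC_AWS_CLOUDFRONT_KEYFILE")
# Required keys per secret, copied from the list above (subset).
REQUIRED = {
    "passportsvc-external": [
        "KAFKA_ADMINISTRATOR_PASSWORD", "PASSPORTSVC_ENCRYPTION_KEY",
        "PASSPORTSVC_JWT_PRIVATE_KEY", "PASSPORTSVC_JWT_PUBLIC_KEY",
        "PASSPORTSVC_SAML_CERT", "PASSPORTSVC_SAML_PRIVATE_KEY",
        "PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD", "PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD",
        "POSTGRES_PASSPORTSVC_PASSWORD", "REDIS_PASSPORTSVC_PASSWORD"],
    "postgres-root-external": ["POSTGRES_ADMINISTRATOR_PASSWORD"],
}

def url_encode_pem(pem: str) -> str:
    """Validate a PEM block and URL-encode it, escaping newlines, spaces and '/' too."""
    if not PEM_RE.match(pem):
        raise ValueError("not a PEM block")
    return urllib.parse.quote(pem, safe="")

def secret_data(values: dict) -> dict:
    """Build the base64 'data' map of a Kubernetes Secret from plain string values."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in values.items()}

def audit_secret(name: str, data: dict) -> list:
    """Report keys that are missing, still placeholders, or raw PEM instead of URL-encoded PEM."""
    problems = []
    for key in REQUIRED[name]:
        if key not in data:
            problems.append(f"{key}: missing")
            continue
        raw = base64.b64decode(data[key]).decode()
        if PLACEHOLDER_RE.match(raw.strip()):
            problems.append(f"{key}: placeholder value")
        elif key in PEM_KEYS and ("\n" in raw or not PEM_RE.match(urllib.parse.unquote(raw))):
            problems.append(f"{key}: not a URL-encoded PEM block")
    return problems

# Constructed fixture: PEM-shaped dummy text, not a real key.
FAKE_PEM = "-----BEGIN PRIVATE KEY-----\nMIIBVgIBADANBgkq\nAAAA\n-----END PRIVATE KEY-----\n"
```

Run audit_secret over the decoded output of `kubectl get secret <name> -o json` (the `.data` map) before installing; an empty list means the secret is complete.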

Other notes

All environment variables and secrets are referenced in the config map. This allows them to be modified without needing to update the default application/service code, and it keeps them easy to find in a single location.

All files are mounted in their own directory so that they receive automatic updates through the Kubernetes API. ConfigMaps mounted by sub-key (a subPath volume mount) do not receive updates. For more information, refer to the Kubernetes documentation.