Notes on Kubernetes secrets
Overview
This page contains a series of notes about Kubernetes secrets that you may find useful during the installation of the SMI.
External secrets
The secrets listed on this page come from external systems, so whoever runs the installer must make sure they exist in the cluster before installation. We suggest keeping the values in a cloud native secrets manager (such as AWS Secrets Manager) and using a tool such as the External Secrets Operator to generate the Kubernetes Secret objects from them.
Note: Several of these secrets (the *_ENCRYPTION_KEY and *_ENCRYPTION_SALT values) are encryption keys used to encrypt data stored in external datasources. Losing them after the system is initialized makes that data unrecoverable, which is why a durable, versioned store such as AWS Secrets Manager is recommended over keeping the only copy in the cluster.
However, if you would rather manage external secrets directly in Kubernetes, set the chart value createPlaceholderSecrets to true. The chart then generates the Kubernetes Secret resources with placeholder values, which you edit and replace with the values from the external systems. Secrets created this way exist only in the cluster, so back them up; the encryption keys noted above cannot be recovered from anywhere else.
Environment Variable Definition
| Variable | Description |
|---|---|
| ACTIVEMQ_ADMINISTRATOR_PASSWORD | Password for administrator user in activemq service |
| ANALYTICS_DEFAULT_PASSWORD | Password for analytics user in postgres analytics service |
| ANALYTICS_ROOT_PASSWORD | Password for root user in postgres analytics service |
| DATASOURCESVC_ENCRYPTION_KEY | Key for encrypting certain datasourcesvc data |
| DATASOURCESVC_ENCRYPTION_SALT | Salt for encrypting certain datasourcesvc data |
| FILESVC_AWS_CLOUDFRONT_KEYFILE | URL encoded private key used for CloudFront |
| FILESVC_AWS_CLOUDFRONT_KEYID | AWS CloudFront public key ID |
| HOOPS_LICENSE_KEY | Hoops license key for the graphicssvc |
| ITEMSVC_ENCRYPTION_KEY | Key for encrypting certain itemsvc data |
| KAFKA_ADMINISTRATOR_PASSWORD | Password for administrator user in Kafka service |
| MONGODB_GRAPHICSSVC_PASSWORD | Password for graphicssvc user in MongoDB service |
| MONGODB_ITEMSVC_PASSWORD | Password for itemsvc user in MongoDB service |
| MONGODB_METRICSSVC_PASSWORD | Password for metricssvc user in MongoDB service |
| NEO4J1_ADMINISTRATOR_PASSWORD | Password for administrator user in neo4j primary service |
| NEO4J2_ADMINISTRATOR_PASSWORD | Password for administrator user in neo4j secondary service |
| PASSPORTSVC_ENCRYPTION_KEY | Key for encrypting certain passportsvc data |
| PASSPORTSVC_JWT_PRIVATE_KEY | RSA private key, PEM formatted and URL encoded |
| PASSPORTSVC_JWT_PUBLIC_KEY | RSA public key, PEM formatted and URL encoded |
| PASSPORTSVC_SAML_CERT | X.509 certificate, PEM formatted and URL encoded |
| PASSPORTSVC_SAML_PRIVATE_KEY | Private key matching PASSPORTSVC_SAML_CERT, PEM formatted and URL encoded |
| PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD | Password for admin user in Keycloak/platformiamsvc |
| PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD | Password for admin cli in Keycloak/platformiamsvc |
| PLATFORMIAMSVC_ENCRYPTION_KEY | Key for encrypting certain platformiamsvc data |
| POSTGRES_ADMINISTRATOR_PASSWORD | Password for root/administrator user in postgres service |
| POSTGRES_DATASOURCESVC_PASSWORD | Password for datasourcesvc user in postgres service |
| POSTGRES_FILESVC_PASSWORD | Password for filesvc user in postgres service |
| POSTGRES_ITEMSVC_PASSWORD | Password for itemsvc user in postgres service |
| POSTGRES_NOTIFICATIONSVC_PASSWORD | Password for notificationsvc user in postgres service |
| POSTGRES_OBJECTMODELSVC_PASSWORD | Password for objectmodelsvc user in postgres service |
| POSTGRES_PASSPORTSVC_PASSWORD | Password for passportsvc user in postgres service |
| POSTGRES_PLATFORMIAMSVC_PASSWORD | Password for platformiamsvc user in postgres service |
| POSTGRES_SCRIPTMANAGER_PASSWORD | Password for scriptmanager user in postgres service |
| REDIS_APIGATEWAY_PASSWORD | Password for api-gateway user in redis service |
| REDIS_EVENTSTRANSFORMSVC_PASSWORD | Password for eventstransformsvc user in redis service |
| REDIS_ITEMSVC_PASSWORD | Password for itemsvc user in redis service |
| REDIS_NOTIFICATIONSVC_PASSWORD | Password for notificationsvc user in redis service |
| REDIS_PASSPORTSVC_PASSWORD | Password for passportsvc user in redis service |
| SCRIPTMANAGER_ENCRYPTION_KEY | Key for encrypting certain scriptmanager data |
| SCRIPTMANAGER_ENCRYPTION_SALT | Salt for encrypting certain scriptmanager data |
| SISENSE_SECRET_KEY | (optional) Sisense shared JWT key for SSO |
| SMTP_DEFAULT_PASSWORD | Password for default user in smtp service |
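Four of the values above (the PASSPORTSVC JWT keys and the SAML certificate and key) are PEM blocks that must be URL encoded before they go into the secret, and a value that was pasted raw or encoded twice is a common cause of a passportsvc that fails to start. The following added example (not code from the SMI chart or its documentation) encodes a PEM block with standard percent-encoding, which is assumed to be what the chart decodes, and checks an encoded value by decoding it and verifying it is a single well-formed PEM block of the type expected for that variable. The accepted PEM labels and the SAMPLE_PEM (a dummy body, not a real key) are assumptions constructed for the example.

```python
"""Encode and sanity-check the URL-encoded PEM values in the table above.

Added example, not part of the SMI chart or its documentation.  encode_pem()
URL encodes a PEM block; check_encoded_pem() reverses that and verifies the
result is one well-formed PEM block of the type expected for the variable,
catching unencoded and double-encoded values before the chart is installed.
SAMPLE_PEM is constructed for this example with a dummy body; it is not a key.
"""
import base64
import re
import urllib.parse

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(
    r"\A-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n"
    r"(?P<body>[A-Za-z0-9+/=\n]+)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----\n?\Z"
)

# PEM labels accepted per variable.  Assumption: both PKCS#1 ("RSA ...") and
# PKCS#8 / SubjectPublicKeyInfo labels are acceptable to the service.
EXPECTED_LABELS = {
    "PASSPORTSVC_JWT_PRIVATE_KEY": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "PASSPORTSVC_JWT_PUBLIC_KEY": {"PUBLIC KEY", "RSA PUBLIC KEY"},
    "PASSPORTSVC_SAML_CERT": {"CERTIFICATE"},
    "PASSPORTSVC_SAML_PRIVATE_KEY": {"RSA PRIVATE KEY", "PRIVATE KEY"},
}


def encode_pem(pem: str) -> str:
    """URL encode a PEM block; safe="" so newlines, spaces, '+', '/' and '=' are all escaped."""
    return urllib.parse.quote(pem, safe="")


def check_encoded_pem(var: str, value: str) -> list[str]:
    """Return problems with a URL-encoded PEM value; an empty list means it looks right."""
    if "\n" in value:
        return [f"{var}: value contains raw newlines, so it was not URL encoded"]
    pem = urllib.parse.unquote(value)
    match = PEM_RE.match(pem)
    if not match:
        if "%" in pem:
            return [f"{var}: value appears to have been URL encoded twice"]
        return [f"{var}: decoded value is not a single PEM block"]
    problems = []
    label, end = match.group("label"), match.group("end")
    if label != end:
        problems.append(f"{var}: BEGIN label {label!r} does not match END label {end!r}")
    if label not in EXPECTED_LABELS.get(var, {label}):
        problems.append(f"{var}: PEM type {label!r} not expected for this variable")
    try:
        # validate=True rejects characters outside the base64 alphabet; bad padding also raises.
        base64.b64decode(match.group("body").replace("\n", ""), validate=True)
    except ValueError:
        problems.append(f"{var}: PEM body is not valid base64")
    return problems


# Constructed sample: dummy PEM whose body is the base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ".
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFS\n"
    "U1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    encoded = encode_pem(SAMPLE_PEM)
    print(encoded)
    print(check_encoded_pem("PASSPORTSVC_JWT_PRIVATE_KEY", encoded))              # []
    print(check_encoded_pem("PASSPORTSVC_JWT_PRIVATE_KEY", SAMPLE_PEM))           # not encoded
    print(check_encoded_pem("PASSPORTSVC_JWT_PRIVATE_KEY", encode_pem(encoded)))  # encoded twice
    print(check_encoded_pem("PASSPORTSVC_SAML_CERT", encoded))                    # wrong PEM type
```

The encoded string is what you would pass to `kubectl create secret generic ... --from-literal=PASSPORTSVC_JWT_PRIVATE_KEY=<value>` or store in the secrets manager for the External Secrets Operator to copy across. Run the check against the value as it is actually stored in the cluster (after base64-decoding the Secret data), not against the file on disk, since that is where encoding mistakes end up.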
Environment variables by secret
This section lists each external secret and the environment variables (secret keys) it must contain.
api-gateway-external
- REDIS_APIGATEWAY_PASSWORD
datasourcesvc-external
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- ANALYTICS_DEFAULT_PASSWORD
- ANALYTICS_ROOT_PASSWORD
- DATASOURCESVC_ENCRYPTION_KEY
- DATASOURCESVC_ENCRYPTION_SALT
- KAFKA_ADMINISTRATOR_PASSWORD
- POSTGRES_DATASOURCESVC_PASSWORD
- SISENSE_SECRET_KEY
eventstransformsvc-external
- KAFKA_ADMINISTRATOR_PASSWORD
- REDIS_EVENTSTRANSFORMSVC_PASSWORD
filesvc-external
- FILESVC_AWS_CLOUDFRONT_KEYFILE
- FILESVC_AWS_CLOUDFRONT_KEYID
- KAFKA_ADMINISTRATOR_PASSWORD
- POSTGRES_FILESVC_PASSWORD
graphicssvc-external
- HOOPS_LICENSE_KEY
- MONGODB_GRAPHICSSVC_PASSWORD
itemsvc-external
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- ITEMSVC_ENCRYPTION_KEY
- KAFKA_ADMINISTRATOR_PASSWORD
- MONGODB_ITEMSVC_PASSWORD
- NEO4J1_ADMINISTRATOR_PASSWORD
- NEO4J2_ADMINISTRATOR_PASSWORD
- POSTGRES_ITEMSVC_PASSWORD
- REDIS_ITEMSVC_PASSWORD
metricssvc-external
- KAFKA_ADMINISTRATOR_PASSWORD
- MONGODB_METRICSSVC_PASSWORD
notificationsvc-external
- POSTGRES_NOTIFICATIONSVC_PASSWORD
- REDIS_NOTIFICATIONSVC_PASSWORD
objectmodelsvc-external
- KAFKA_ADMINISTRATOR_PASSWORD
- PASSPORTSVC_JWT_PUBLIC_KEY
- POSTGRES_OBJECTMODELSVC_PASSWORD
passportsvc-external
- KAFKA_ADMINISTRATOR_PASSWORD
- PASSPORTSVC_ENCRYPTION_KEY
- PASSPORTSVC_JWT_PRIVATE_KEY
- PASSPORTSVC_JWT_PUBLIC_KEY
- PASSPORTSVC_SAML_CERT
- PASSPORTSVC_SAML_PRIVATE_KEY
- PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
- PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
- POSTGRES_PASSPORTSVC_PASSWORD
- REDIS_PASSPORTSVC_PASSWORD
platform-kafka-connect-external
- ACTIVEMQ_ADMINISTRATOR_PASSWORD
- KAFKA_ADMINISTRATOR_PASSWORD
- MONGODB_ITEMSVC_PASSWORD
- NEO4J1_ADMINISTRATOR_PASSWORD
- NEO4J2_ADMINISTRATOR_PASSWORD
- POSTGRES_DATASOURCESVC_PASSWORD
- POSTGRES_FILESVC_PASSWORD
- POSTGRES_OBJECTMODELSVC_PASSWORD
- POSTGRES_PASSPORTSVC_PASSWORD
platformiamsvc-external
- PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD
- PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD
- PLATFORMIAMSVC_ENCRYPTION_KEY
- POSTGRES_PLATFORMIAMSVC_PASSWORD
- SMTP_DEFAULT_PASSWORD
postgres-root-external
- POSTGRES_ADMINISTRATOR_PASSWORD
scriptmanager-external
- KAFKA_ADMINISTRATOR_PASSWORD
- POSTGRES_SCRIPTMANAGER_PASSWORD
- SCRIPTMANAGER_ENCRYPTION_KEY
- SCRIPTMANAGER_ENCRYPTION_SALT
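Because the installer must confirm all of the above exist before installing the chart (see External secrets), a pre-flight check is worth running against the target namespace. The following added example (not code from the SMI chart or its documentation) reads the JSON that `kubectl get secrets -n <namespace> -o json` prints and reports secrets that are missing, required keys that are missing, and keys whose value still looks like an untouched placeholder. SISENSE_SECRET_KEY is treated as optional, as the table marks it. The placeholder markers are an assumption about what the chart's placeholder text looks like, and SAMPLE_KUBECTL_JSON is constructed for the example.

```python
"""Pre-install check that every *-external secret carries the keys listed above.

Added example, not part of the SMI chart or its documentation.  check_secrets()
takes the output of `kubectl get secrets -n <namespace> -o json` and returns a
list of problems; an empty list means the cluster is ready for the chart.
PLACEHOLDER_MARKERS is an assumption; SAMPLE_KUBECTL_JSON is constructed.
"""
import base64
import json

# Secret name -> space-separated required keys, from the list above.
REQUIRED = {
    "api-gateway-external": "REDIS_APIGATEWAY_PASSWORD",
    "datasourcesvc-external": "ACTIVEMQ_ADMINISTRATOR_PASSWORD ANALYTICS_DEFAULT_PASSWORD "
        "ANALYTICS_ROOT_PASSWORD DATASOURCESVC_ENCRYPTION_KEY DATASOURCESVC_ENCRYPTION_SALT "
        "KAFKA_ADMINISTRATOR_PASSWORD POSTGRES_DATASOURCESVC_PASSWORD SISENSE_SECRET_KEY",
    "eventstransformsvc-external": "KAFKA_ADMINISTRATOR_PASSWORD REDIS_EVENTSTRANSFORMSVC_PASSWORD",
    "filesvc-external": "FILESVC_AWS_CLOUDFRONT_KEYFILE FILESVC_AWS_CLOUDFRONT_KEYID "
        "KAFKA_ADMINISTRATOR_PASSWORD POSTGRES_FILESVC_PASSWORD",
    "graphicssvc-external": "HOOPS_LICENSE_KEY MONGODB_GRAPHICSSVC_PASSWORD",
    "itemsvc-external": "ACTIVEMQ_ADMINISTRATOR_PASSWORD ITEMSVC_ENCRYPTION_KEY "
        "KAFKA_ADMINISTRATOR_PASSWORD MONGODB_ITEMSVC_PASSWORD NEO4J1_ADMINISTRATOR_PASSWORD "
        "NEO4J2_ADMINISTRATOR_PASSWORD POSTGRES_ITEMSVC_PASSWORD REDIS_ITEMSVC_PASSWORD",
    "metricssvc-external": "KAFKA_ADMINISTRATOR_PASSWORD MONGODB_METRICSSVC_PASSWORD",
    "notificationsvc-external": "POSTGRES_NOTIFICATIONSVC_PASSWORD REDIS_NOTIFICATIONSVC_PASSWORD",
    "objectmodelsvc-external": "KAFKA_ADMINISTRATOR_PASSWORD PASSPORTSVC_JWT_PUBLIC_KEY "
        "POSTGRES_OBJECTMODELSVC_PASSWORD",
    "passportsvc-external": "KAFKA_ADMINISTRATOR_PASSWORD PASSPORTSVC_ENCRYPTION_KEY "
        "PASSPORTSVC_JWT_PRIVATE_KEY PASSPORTSVC_JWT_PUBLIC_KEY PASSPORTSVC_SAML_CERT "
        "PASSPORTSVC_SAML_PRIVATE_KEY PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD "
        "PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD POSTGRES_PASSPORTSVC_PASSWORD "
        "REDIS_PASSPORTSVC_PASSWORD",
    "platform-kafka-connect-external": "ACTIVEMQ_ADMINISTRATOR_PASSWORD "
        "KAFKA_ADMINISTRATOR_PASSWORD MONGODB_ITEMSVC_PASSWORD NEO4J1_ADMINISTRATOR_PASSWORD "
        "NEO4J2_ADMINISTRATOR_PASSWORD POSTGRES_DATASOURCESVC_PASSWORD POSTGRES_FILESVC_PASSWORD "
        "POSTGRES_OBJECTMODELSVC_PASSWORD POSTGRES_PASSPORTSVC_PASSWORD",
    "platformiamsvc-external": "PLATFORMIAMSVC_ADMINISTRATORCLI_PASSWORD "
        "PLATFORMIAMSVC_ADMINISTRATOR_PASSWORD PLATFORMIAMSVC_ENCRYPTION_KEY "
        "POSTGRES_PLATFORMIAMSVC_PASSWORD SMTP_DEFAULT_PASSWORD",
    "postgres-root-external": "POSTGRES_ADMINISTRATOR_PASSWORD",
    "scriptmanager-external": "KAFKA_ADMINISTRATOR_PASSWORD POSTGRES_SCRIPTMANAGER_PASSWORD "
        "SCRIPTMANAGER_ENCRYPTION_KEY SCRIPTMANAGER_ENCRYPTION_SALT",
}
OPTIONAL_KEYS = {"SISENSE_SECRET_KEY"}  # marked optional in the table above
PLACEHOLDER_MARKERS = ("placeholder", "changeme", "replace-me")  # assumption, not the chart's text


def check_secrets(kubectl_json: str) -> list[str]:
    """Return problems found in `kubectl get secrets -o json` output; empty list means ready."""
    items = json.loads(kubectl_json)["items"]
    found = {item["metadata"]["name"]: item.get("data") or {} for item in items}
    problems = []
    for name, keys in REQUIRED.items():
        data = found.get(name)
        if data is None:
            problems.append(f"missing secret {name}")
            continue
        for key in keys.split():
            if key not in data:
                if key not in OPTIONAL_KEYS:
                    problems.append(f"{name}: missing key {key}")
                continue
            # The API returns Secret data base64 encoded; decode it to inspect the value.
            value = base64.b64decode(data[key]).decode("utf-8", "replace")
            if not value.strip():
                problems.append(f"{name}: {key} is empty")
            elif any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
                problems.append(f"{name}: {key} still holds a placeholder value")
    return problems


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample: only four of the secrets exist, one still holds the
# placeholder, one is missing a key, and datasourcesvc omits the optional key.
SAMPLE_KUBECTL_JSON = json.dumps({"items": [
    {"metadata": {"name": "postgres-root-external"},
     "data": {"POSTGRES_ADMINISTRATOR_PASSWORD": _b64("value-from-secrets-manager")}},
    {"metadata": {"name": "datasourcesvc-external"},
     "data": {k: _b64("value-for-" + k) for k in REQUIRED["datasourcesvc-external"].split()
              if k != "SISENSE_SECRET_KEY"}},
    {"metadata": {"name": "api-gateway-external"},
     "data": {"REDIS_APIGATEWAY_PASSWORD": _b64("PLACEHOLDER")}},
    {"metadata": {"name": "graphicssvc-external"},
     "data": {"HOOPS_LICENSE_KEY": _b64("hoops-license-value")}},
]})

if __name__ == "__main__":
    for problem in check_secrets(SAMPLE_KUBECTL_JSON):
        print(problem)
```

Against a real cluster, pipe `kubectl get secrets -n <namespace> -o json` into `check_secrets` and refuse to run `helm install` while the list is non-empty. The check deliberately decodes values only to test for emptiness and placeholder text; it never prints them, so it is safe to run in a CI job whose logs are retained.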
Other notes
All environment variables and secrets are referenced from the ConfigMap. This lets them be changed without updating the application or service code, and gives a single place to look them up.
Files are mounted as whole volumes in their own directory so that the kubelet can refresh them when the backing ConfigMap or Secret changes; a ConfigMap mounted by sub-key (subPath) does not receive updates. Values consumed as environment variables are read only when the container starts, so changing those requires restarting the pod. For more information, refer to the Kubernetes documentation on ConfigMaps.