Shift secrets for deployment configuration
Scope: the main secrets used by a production KOBIL Shift deployment
Reference: additional information on each secret is in the KOBIL Shift README
To keep access credentials and other sensitive parameters out of the chart values, the KOBIL Shift charts accept Kubernetes Secrets that override the corresponding chart configuration parameters. The secret content is created before the deployment, in the namespace the Shift release is deployed to, and the chart is then given only the secret's name. The table below lists which chart parameter takes which secret, what the secret must contain, and when it has to be updated.
Table of Secrets in Shift Chart
Parameter name | Function | Content | When to update | Comment |
---|---|---|---|---|
global.imagePullSecrets | Credential set for access to the KOBIL image repository | docker-registry type secret with server, user and password | on credential reset or rotation | See README "imagePullSecret" |
global.routing.tlsSecret | Certificate secret for the TLS endpoint | base64-encoded certificates in PEM | on domain name change or certificate expiry | Standard TLS endpoint secret |
common.existingSecretDatastoreCredentials | Credential sets for database access of the KOBIL services (multiple credential sets) | generic type secret, credential sets in plain text | on credential reset or rotation | See README "Required structure for datastore secrets" |
common.existingSecretAdminCredentials | Credential set for the admin account of the KOBIL IDP service | generic type secret, credential set in plain text | on credential reset or rotation | See README "Required structure for admin credentials" |
common.datastores.database.tls.trustStore → store | Not covered by a Secret; has to be added to the metaconfig in full | truststore in base64 | on domain name change or certificate expiry | Standard truststore |
common.datastores.kafka.external.tls → trustStoreSecret | Truststore for the Kafka TLS session | base64 string of the full truststore, in PEM and PFX/PKCS12 format | on Kafka service hostname change or certificate expiry | Standard truststore secret |
common.datastores.kafka.auth.username → password secret | Password for the credential set whose user is "username" | base64 string of the password | on credential reset or rotation | See README "External Kafka clusters" and "Authentication" |
ast.existingSecretEncryptionKeys | Database and communication encryption keys: DATABASE_ENCRYPTION_MASTER_KEY, SESSION_ENCRYPTION_MASTER_KEY | generic type secret, keys in plain text | MUST NOT BE CHANGED | See README "Required structure for encryption keys" |
ast.issuer.existingSecretIssuerCA | Root certificate and key of the internal certificate authority: ISSUER_CA_CERTIFICATE, ISSUER_CA_KEY | generic type secret, certificate and key in plain text | MUST NOT BE CHANGED | See README "Required structure for issuer CA" |
Sample from the KOBIL Shift README, section "Credentials and other sensitive data from existing Kubernetes secrets"
Required structure for admin credentials
Create a secret with the structure below and add the admin credentials for idp-core. Services that are not used (disabled) can be omitted.
```yaml
apiVersion: v1
kind: Secret
metadata:
  # This name is what common.existingSecretAdminCredentials is set to in the chart values.
  name: shift-admin-passwords
# Opaque is the type `kubectl create secret generic` produces for a plain key/value secret.
type: Opaque
# stringData takes plain text; the API server stores it base64-encoded under data.
stringData:
  IDP_CORE_ADMIN_USERNAME: "admin"
  IDP_CORE_ADMIN_PASSWORD: "password"   # placeholder, use a generated password
```
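The following script is an added example, not code from the KOBIL Shift charts or README. It builds the Secret manifests the table above refers to (docker-registry, TLS and generic), checks that each generic secret carries the key names the table lists before anything is applied, marks the two MUST NOT BE CHANGED secrets as immutable so the cluster itself rejects later edits, and renders the chart values that point each parameter at the pre-created secret name. The secret names, the namespace, the list type of `global.imagePullSecrets` and the hex format of the master keys are assumptions for the example; the datastore secret is only referenced by name because its layout is documented in the README, not on this page.

```python
"""Pre-create the Kubernetes Secrets a KOBIL Shift deployment references and
check their structure before `helm install`.

Added example, not code from the KOBIL Shift charts or README. Key names and
chart parameter names come from the table on this page; secret names, the
namespace, the list type of global.imagePullSecrets and the master-key format
are assumptions.
"""
import base64
import json
import secrets

# Keys the chart expects in each generic secret (from the table on this page).
REQUIRED_KEYS = {
    "admin": {"IDP_CORE_ADMIN_USERNAME", "IDP_CORE_ADMIN_PASSWORD"},
    "encryption": {"DATABASE_ENCRYPTION_MASTER_KEY", "SESSION_ENCRYPTION_MASTER_KEY"},
    "issuerCA": {"ISSUER_CA_CERTIFICATE", "ISSUER_CA_KEY"},
}
# Secrets the table marks MUST NOT BE CHANGED.
IMMUTABLE_KINDS = {"encryption", "issuerCA"}


def b64(text):
    """Base64 as it appears under `data` in a stored Secret."""
    return base64.b64encode(text.encode()).decode()


def secret_manifest(name, namespace, data, secret_type="Opaque", immutable=False):
    """Secret manifest with base64 `data`, the form the API server stores."""
    manifest = {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": secret_type,
        "data": {k: b64(v) for k, v in data.items()},
    }
    if immutable:
        # The API server rejects any later change to the data of an immutable
        # Secret, which enforces the table's MUST NOT BE CHANGED rule in the cluster.
        manifest["immutable"] = True
    return manifest


def docker_registry_secret(name, namespace, server, username, password):
    """kubernetes.io/dockerconfigjson secret for global.imagePullSecrets (same layout as
    `kubectl create secret docker-registry` produces)."""
    auth = b64(f"{username}:{password}")
    dockerconfig = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return secret_manifest(name, namespace, {".dockerconfigjson": json.dumps(dockerconfig)},
                           secret_type="kubernetes.io/dockerconfigjson")


def tls_secret(name, namespace, cert_pem, key_pem):
    """Standard TLS endpoint secret for global.routing.tlsSecret."""
    return secret_manifest(name, namespace, {"tls.crt": cert_pem, "tls.key": key_pem},
                           secret_type="kubernetes.io/tls")


def generic_secret(kind, name, namespace, values):
    """Generic secret for one kind in REQUIRED_KEYS; fails on a missing or empty key
    instead of letting the chart deploy with a half-filled secret."""
    missing = REQUIRED_KEYS[kind] - set(values)
    empty = {k for k in REQUIRED_KEYS[kind] & set(values) if not values[k]}
    if missing or empty:
        raise ValueError(f"{kind}: missing {sorted(missing)}, empty {sorted(empty)}")
    return secret_manifest(name, namespace, values, immutable=kind in IMMUTABLE_KINDS)


def new_master_key():
    """256-bit random key, hex encoded. Assumed format; the README is authoritative."""
    return secrets.token_hex(32)


def values_override(names):
    """Chart values pointing each parameter from the table at a pre-created secret name."""
    return {
        "global": {
            "imagePullSecrets": [names["registry"]],  # assumed to be a list of names
            "routing": {"tlsSecret": names["tls"]},
        },
        "common": {
            "existingSecretDatastoreCredentials": names["datastore"],
            "existingSecretAdminCredentials": names["admin"],
        },
        "ast": {
            "existingSecretEncryptionKeys": names["encryption"],
            "issuer": {"existingSecretIssuerCA": names["issuerCA"]},
        },
    }


if __name__ == "__main__":
    ns = "shift"  # assumed target namespace of the Shift release
    manifests = [
        docker_registry_secret("shift-registry", ns, "registry.example.invalid", "pull-user", "pull-token"),
        generic_secret("admin", "shift-admin-passwords", ns,
                       {"IDP_CORE_ADMIN_USERNAME": "admin",
                        "IDP_CORE_ADMIN_PASSWORD": secrets.token_urlsafe(24)}),
        generic_secret("encryption", "shift-encryption-keys", ns,
                       {"DATABASE_ENCRYPTION_MASTER_KEY": new_master_key(),
                        "SESSION_ENCRYPTION_MASTER_KEY": new_master_key()}),
    ]
    # A v1 List is accepted as one document: python3 make_secrets.py | kubectl apply -f -
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": manifests}, indent=2))
```

Run the script once per environment, apply its output, and then pass `values_override(...)` (serialized to YAML) as a values file to `helm install`. Because the encryption and issuer CA secrets are created with `immutable: true`, an accidental `kubectl apply` with new key material fails at the API server instead of silently breaking decryption of existing data; rotating the admin or registry credentials, which the table allows, is an ordinary update of a mutable secret.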