6.1.1. Secrets in Nubus for Kubernetes
Nubus for Kubernetes uses and needs sensitive data such as passwords, tokens, and keys. Kubernetes uses Secrets for such sensitive data.
This section describes the supported use cases for configuring secrets in Nubus for Kubernetes:
- Nubus generates the Secrets automatically from a seed. See Auto-generated secrets.
- The operator defines custom secret values in the Helm Chart custom_values.yaml values file and lets the Nubus Helm Chart create the Kubernetes Secrets. See Custom secret values.
- The operator brings their own Kubernetes Secrets and tells the Helm Chart the name of each secret and the key therein. See Existing secrets.
Important
Regardless of the option you choose, keep in mind that Nubus doesn’t support changing secrets after the initial rollout. Credential roll-over is the process of changing credentials after initial rollout.
To make sure that you configured all necessary secrets, consult the List of secrets.
See also
- Secrets | Kubernetes in the Kubernetes documentation [1] for concept information about the Kubernetes Secrets object.
6.1.1.1. Auto-generated secrets
Nubus for Kubernetes creates Secrets automatically if you, as the operator, don't provide any further information about sensitive data.
Important
Using auto-generated secrets is for evaluation deployments only.
- Recommendation
For a production deployment, generate your own secrets and configure them as described in the following sections.
To let Nubus for Kubernetes create the Secrets with automatically generated values, you need to provide a seed value in global.nubusMasterPassword of your custom_values.yaml values file before you start the initial deployment of Nubus.
Caution
Running a helm upgrade with a changed seed breaks the deployment.
6.1.1.2. Custom secret values
In Nubus for Kubernetes you can define custom values for various Secrets while letting the Nubus Helm Chart configure and deploy the secret manifests. This option is for scenarios where you need more control over the secret values.
The credential configuration in the Nubus Helm Chart follows the pattern componentName.auth.
- Example
For example, to provide the secret value for the Provisioning API to the Self Service Consumer, you need to define nubusSelfServiceConsumer.provisioningApi.auth.password in your values file as shown in Listing 6.1.

Listing 6.1:
    nubusSelfServiceConsumer:
      provisioningApi:
        auth:
          password: "<Some-secret-value>"
6.1.1.3. Existing secrets
In Nubus for Kubernetes, you can also use existing Kubernetes Secrets. This option is for scenarios where you as the operator manage the secrets in the cluster or delegate this task to third-party software.
To provide references to existing Kubernetes Secrets, look for the following keys in the Helm Chart:
- credentialSecret or auth.credentialSecret
- existingSecret or auth.existingSecret
For each individual setting, you need to have a closer look into the Helm Chart and the respective sub chart.
- Example
For example, to provide an existing secret for the Provisioning API to the Self Service Consumer, you need to define the following values, as shown in Listing 6.2:
- nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name
- nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password

Listing 6.2:
    nubusSelfServiceConsumer:
      provisioningApi:
        auth:
          existingSecret:
            name: "<name-of-secret-for-provisioning-api-in-self-service-consumer>"
            keyMapping:
              password: "<name-of-the-key-whose-value-holds-the-password>"
Tip
To configure a custom secret key, you can add an optional keyMapping section to your existingSecret. It lets you map the default key to a custom key. You can find the default key in the values.yaml file of the Helm Chart. In the example in Listing 6.2, the default key is password.
6.1.1.4. List of secrets
This section lists the secrets used in Nubus for Kubernetes. It helps you as the operator to verify that you configured all necessary secrets and that you don’t get stuck with auto-generated secrets.
- Custom secret values
  - nubusGuardian.postgresql.auth.username and nubusGuardian.postgresql.auth.password
  - nubusGuardian.provisioning.config.keycloak.username and nubusGuardian.provisioning.config.keycloak.password
  - nubusNotificationsApi.postgresql.auth.username and nubusNotificationsApi.postgresql.auth.password
  - nubusPortalConsumer.provisioningApi.auth.username and nubusPortalConsumer.provisioningApi.auth.password
  - nubusSelfServiceConsumer.provisioningApi.auth.username and nubusSelfServiceConsumer.provisioningApi.auth.password
  - nubusUmcServer.memcached.auth.username and nubusUmcServer.memcached.auth.password
  - nubusUmcServer.postgresql.auth.username, nubusUmcServer.postgresql.auth.password and nubusUmcServer.postgresql.auth.postgresPassword
  - For S3-compatible object storage, see Manual credential configuration for using external S3-compatible object storage.
- Existing secrets
  - global.ldap.auth.cnAdmin.existingSecret.name and global.ldap.auth.cnAdmin.existingSecret.keyMapping.password
  - keycloak.keycloak.auth.existingSecret.name and keycloak.keycloak.auth.existingSecret.keyMapping.adminPassword
  - keycloak.postgresql.auth.existingSecret.name and keycloak.postgresql.auth.existingSecret.keyMapping.password
  - nubusGuardian.postgresql.auth.credentialSecret.name and nubusGuardian.postgresql.auth.credentialSecret.key
  - nubusGuardian.provisioning.config.keycloak.credentialSecret.name and nubusGuardian.provisioning.config.keycloak.credentialSecret.key
  - nubusKeycloakExtensions.keycloak.auth.existingSecret.name and nubusKeycloakExtensions.keycloak.auth.existingSecret.keyMapping.adminPassword
  - nubusKeycloakExtensions.postgresql.auth.existingSecret.name and nubusKeycloakExtensions.postgresql.auth.existingSecret.keyMapping.password
  - nubusKeycloakExtensions.smtp.auth.existingSecret.name and nubusKeycloakExtensions.smtp.auth.existingSecret.keyMapping.password
  - nubusPortalConsumer.provisioningApi.auth.credentialSecret.name and nubusPortalConsumer.provisioningApi.auth.credentialSecret.key
  - nubusProvisioning.api.auth.admin.existingSecret.name and nubusProvisioning.api.auth.admin.existingSecret.keyMapping.password
  - nubusProvisioning.ldap.auth.existingSecret.name and nubusProvisioning.ldap.auth.existingSecret.keyMapping.password
  - nubusProvisioning.api.auth.eventsUdm.existingSecret.name and nubusProvisioning.api.auth.eventsUdm.existingSecret.keyMapping.password
  - nubusProvisioning.api.auth.prefill.existingSecret.name and nubusProvisioning.api.auth.prefill.existingSecret.keyMapping.password
  - nubusProvisioning.api.nats.auth.existingSecret.name and nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword
  - nubusProvisioning.dispatcher.nats.auth.existingSecret.name and nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.dispatcherPassword
  - nubusProvisioning.prefill.nats.auth.existingSecret.name and nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword
  - nubusProvisioning.udmTransformer.nats.auth.existingSecret.name and nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.udmTransformerPassword
  - nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name and nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password
  - nubusUmcServer.memcached.auth.existingSecret.name and nubusUmcServer.memcached.auth.existingPasswordSecret
  - postgresql.auth.existingSecret, see Configure external PostgreSQL database
  - For S3-compatible object storage, see Existing credential configuration for using external S3-compatible object storage.
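As an added example (not part of the Nubus Helm Chart or its documentation), the following Python audit walks a parsed custom_values.yaml and reports, for a subset of the paths listed above, which components would silently fall back to auto-generated secrets and whether each referenced Kubernetes Secret actually carries the key named in keyMapping or key. The values dict, the Secret inventory (name to set of data keys) and the treatment of "<...>" placeholders as unset are constructed assumptions; REQUIRED can be extended with the remaining paths from the list.

```python
# Inputs are plain dicts: what yaml.safe_load(custom_values.yaml) and a parsed
# inventory of cluster Secrets (name -> set of data keys) would yield.

# (custom-value paths, existing-secret reference paths) per component, taken
# from the "Custom secret values" and "Existing secrets" lists above (subset).
REQUIRED = {
    "nubusSelfServiceConsumer.provisioningApi.auth": (
        ["password"], ["existingSecret.name", "existingSecret.keyMapping.password"]),
    "nubusGuardian.postgresql.auth": (
        ["username", "password"], ["credentialSecret.name", "credentialSecret.key"]),
    "nubusPortalConsumer.provisioningApi.auth": (
        ["username", "password"], ["credentialSecret.name", "credentialSecret.key"]),
}

def lookup(values, dotted):
    """Walk a nested dict along a dotted Helm values path; None if a level is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def is_set(value):
    """True for a non-empty string that is not a docs-style <placeholder> (assumption)."""
    return isinstance(value, str) and value != "" and not (value[0] == "<" and value[-1] == ">")

def audit(values, cluster_secrets):
    """Return findings; empty means every listed secret is explicitly configured and
    each referenced Kubernetes Secret has the key the values file maps to."""
    findings = []
    for base, (custom, existing) in REQUIRED.items():
        custom_ok = all(is_set(lookup(values, f"{base}.{p}")) for p in custom)
        existing_ok = all(is_set(lookup(values, f"{base}.{p}")) for p in existing)
        if not (custom_ok or existing_ok):
            findings.append(f"{base}: would fall back to an auto-generated secret")
        elif existing_ok:
            name, key = (lookup(values, f"{base}.{p}") for p in existing)
            if key not in cluster_secrets.get(name, set()):
                findings.append(f"{base}: Secret {name!r} has no key {key!r}")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_VALUES = {
    "nubusSelfServiceConsumer": {"provisioningApi": {"auth": {"existingSecret": {
        "name": "ssc-provisioning-api", "keyMapping": {"password": "api-password"}}}}},
    "nubusGuardian": {"postgresql": {"auth": {"username": "guardian",
                                              "password": "<Some-secret-value>"}}},
    "nubusPortalConsumer": {"provisioningApi": {"auth": {"credentialSecret": {
        "name": "portal-provisioning-api", "key": "password"}}}},
}
SAMPLE_CLUSTER_SECRETS = {"ssc-provisioning-api": {"api-password"},
                          "portal-provisioning-api": {"pw"}}
```

Running audit(SAMPLE_VALUES, SAMPLE_CLUSTER_SECRETS) flags the Guardian database (placeholder left in, no existing secret referenced) and the Portal Consumer (referenced Secret lacks the mapped key), while the Self Service Consumer passes.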