6.3. Secrets in Nubus for Kubernetes

Nubus for Kubernetes uses and needs sensitive data such as passwords, tokens, and keys. Kubernetes uses Secrets for such sensitive data.

This section describes the supported use cases for configuring secrets in Nubus for Kubernetes:

1. Nubus generates the Secrets automatically from a seed. See Auto-generated secrets.

2. The operator defines custom secret values in the Helm Chart custom_values.yaml values file and lets the Nubus Helm Chart create the Kubernetes Secrets. See Custom secret values.

3. The operator brings their own Kubernetes Secrets and tells the Helm Chart the name of each secret and the key therein. See Existing secrets.

Important

Regardless of the option you choose, keep in mind that Nubus doesn’t support changing secrets after the initial rollout. Credential roll-over is the process of changing credentials after initial rollout.

To make sure that you configured all necessary secrets, consult the List of secrets.

See also

Secrets | Kubernetes

in Kubernetes Documentation [1] for concept information about the Kubernetes Secrets object.

6.3.1. Auto-generated secrets

Nubus for Kubernetes creates Secrets automatically, if you as the operator don’t provide any further information about sensitive data.

Important

Using auto-generated secrets is for evaluation deployments only.

Recommendation

For a production deployment, generate your own secrets and configure them as described in the following sections:

• Custom secret values

• Existing secrets

To let Nubus for Kubernetes create the Secrets with automatically generated values, you need to ensure to provide a seed value in global.secrets.masterPassword of your custom_values.yaml values file before you start the initial deployment of Nubus.

Caution

Running a helm upgrade with a changed seed breaks the deployment.

6.3.2. Custom secret values

In Nubus for Kubernetes you can define custom values for various Secrets while letting the Nubus helm chart configure and deploy the secret Manifests. This option is for scenarios where you need more control on the secret values. The credential configuration in the Nubus Helm Chart follows the pattern componentName.auth.

Example

For example, to provide the secret value for the Provisioning API to the Self Service Consumer, you need to define nubusSelfServiceConsumer.provisioningApi.auth.password in your values file as shown in Listing 6.3.

Listing 6.3 Example for custom defined secret value in the values file

nubusSelfServiceConsumer:
  provisioningApi:
    auth:
      password: "<Some-secret-value>"

6.3.3. Existing secrets

In Nubus for Kubernetes, you can also use existing Kubernetes Secrets. This option is for scenarios, where you as the operator manage the secrets in the cluster or delegate this task to third party software.

To provide references to existing Kubernetes Secrets, look for the following keys in the Helm Chart:

• credentialSecret or auth.credentialSecret

• existingSecret or auth.existingSecret

For each individual setting you need to have a closer look into the Helm Chart and the respective sub chart.

Example

For example, to provide an existing secret for the Provisioning API to the Self Service Consumer, you need to define the following values, as shown in Listing 6.4:

• nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name

• nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password

Listing 6.4 Example for using existing secret in the values file

nubusSelfServiceConsumer:
  provisioningApi:
    auth:
      existingSecret:
        name: "<name-of-secret-for-provisioning-api-in-self-service-consumer>"
        keyMapping:
          password: "<name-of-the-key-whose-value-holds-the-password>"

Tip

To configure a custom secret key, you can add an optional keyMapping section to your existingSecret. It let’s you map the default key to a custom key. You can find the default key in the values.yaml file of the Helm Chart.

In the example in Listing 6.4, the default key is password.

6.3.4. List of secrets

This section lists the secrets used in Nubus for Kubernetes.

Nubus Administrator password

• Initial administrator account password.

• You can only change it manually through the Management UI.

• You can’t configure it as an existing secret.

• Custom secret values: nubusStackDataUms.templateContext.initialPasswordAdministrator.

LDAP administrator password

• LDAP cn=admin account password.

• You can’t change it in an existing deployment.

• Custom secret value: nubusLdapServer.ldapServer.auth.password.

• Existing secret:

  • global.ldap.auth.admin.existingSecret.name

  • nubusLdapServer.ldapServer.auth.existingSecret.name

6.3.4.1. Portal Service secrets

Portal Server UDM password

• The password for the UDM and LDAP service account of the Portal Server.

• You can’t change it in an existing deployment.

• Custom secret value: You must configure the same value in the following configuration values:

  • nubusPortalServer.udm.auth.password

  • nubusStackDataUms.templateContext.svcPortalServerUserPassword

• You can’t configure it as existing secrets.

Portal Server object storage credentials

• Object storage credentials for the Portal Server.

• You can change it in an existing deployment.

• Custom secret value:

  • nubusPortalServer.objectStorage.auth.accessKeyId

  • nubusPortalServer.objectStorage.auth.secretAccessKey

• Existing secret:

  • nubusPortalServer.objectStorage.auth.existingSecret.name

  • nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.access_key_id

  • nubusPortalServer.objectStorage.auth.existingSecret.keyMapping.secret_access_key

See also

Kubernetes secrets for credentials configuration

for more information about S3-compatible object storage.

Portal Server central navigation shared secret

• Central navigation shared secret to authenticate with the Portal Server central navigation endpoint.

• You can change it in an existing deployment.

• Custom secret value: nubusPortalServer.portalServer.centralNavigation.auth.sharedSecret

• Existing secret:

  • nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.name

  • nubusPortalServer.portalServer.centralNavigation.auth.existingSecret.keyMapping.shared_secret

See also

customization-api-central-navigation-configure

in Univention Nubus for Kubernetes - Nubus Customization and Modification Manual [3] for information about customization of entries in the central navigation.

Notifications API PostgreSQL credentials

• The Notifications API uses this password for the PostgreSQL database.

• You can change it in an existing deployment.

• Custom secret values:

  • nubusNotificationsApi.postgresql.auth.username

  • nubusNotificationsApi.postgresql.auth.password

• Existing secret: nubusNotificationsApi.postgresql.auth.existingSecret.name

Portal Consumer Provisioning API credentials

• Provisioning subscription password for the Portal Consumer.

• You can’t change it in an existing deployment.

• Custom secret values:

  • nubusPortalConsumer.provisioningApi.auth.username

  • nubusPortalConsumer.provisioningApi.auth.password

• Existing secret: Requires the same password in the following secrets:

  • nubusPortalConsumer.provisioningApi.auth.existingSecret.name nubusPortalConsumer.provisioningApi.auth.existingSecret.keyMapping.password

  • nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.name nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.keyMapping.registration

Portal Consumer object storage credentials

• Credentials for accessing object storage from Portal Consumer.

• You can’t change it in an existing deployment.

• Custom secret value:

  • nubusPortalConsumer.objectStorage.auth.accessKeyId

  • nubusPortalConsumer.objectStorage.auth.secretAccessKey

• Existing secret:

  • nubusPortalConsumer.objectStorage.auth.existingSecret.name

  • nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.access_key_id

  • nubusPortalConsumer.objectStorage.auth.existingSecret.keyMapping.secret_access_key

See also

Kubernetes secrets for credentials configuration

for more information about S3-compatible object storage.

6.3.4.2. Provisioning Service secrets

Provisioning API administrator password

• The administrator password of the Provisioning API. You use it to register consumers.

• You can change it in an existing deployment.

• Custom secret value: nubusProvisioning.api.auth.admin.password

• Existing secret:

  • nubusProvisioning.api.auth.admin.existingSecret.name

  • nubusProvisioning.api.auth.admin.existingSecret.keyMapping.password

Provisioning API events password

• The password for the events endpoint of the Provisioning API. The UDM Transformer in the Provisioning Service uses it to queue events.

• You can change it in an existing deployment.

• Custom secret value: nubusProvisioning.api.auth.eventsUdm.password

• Existing secret:

  • nubusProvisioning.api.auth.eventsUdm.existingSecret.name

  • nubusProvisioning.api.auth.eventsUdm.existingSecret.keyMapping.password

Provisioning API Prefill password

• The password for the Prefill endpoint of the Provisioning API. The Prefill Service of the Provisioning Service uses the password to confirm successful Prefill events.

• You can change it in an existing deployment.

• Custom secret value: nubusProvisioning.api.auth.prefill.password

• Existing secret:

  • nubusProvisioning.api.auth.prefill.existingSecret.name

  • nubusProvisioning.api.auth.prefill.existingSecret.keyMapping.password

Provisioning NATS passwords

• The passwords for the Provisioning Service to authenticate with the NATS message queue and key-value store.

• You can change it in an existing deployment.

• Custom secret values: By default, Nubus for Kubernetes configures a separate NATS password for each component:

  • nubusProvisioning.nats.auth.adminPassword

  • nubusProvisioning.api.nats.auth.password

  • nubusProvisioning.dispatcher.nats.auth.password

  • nubusProvisioning.udmTransformer.nats.auth.password

  • nubusProvisioning.prefill.nats.auth.password

• Existing secret for components in Provisioning Service:

  Recommendation: use a separate NATS password for each component. To configure a separate NATS password for each component, you need to define a list for nubusProvisioning.nats.extraEnvVars with name and valueFrom sections.

  In the following you find a component list for the Provisioning Service and their component specific NATS password configuration.

  NATS admin password

  Listing 6.5 NATS password for Provisioning Service

  nubusProvisioning:
    nats:
      extraEnvVars:
           - name: NATS_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: "<name for the secretKeyRef>"
                 key: admin_password
  

  Provisioning API

  nubusProvisioning.api.nats.auth.existingSecret.name nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword

  Listing 6.6 NATS password for Provisioning API

  nubusProvisioning:
    nats:
      extraEnvVars:
           - name: NATS_PROVISIONING_API_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: "<name for the secretKeyRef>"
                 key: NATS_PASSWORD
  

  Dispatcher

  nubusProvisioning.dispatcher.nats.auth.existingSecret.name nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.password

  Listing 6.7 NATS password for Dispatcher

  nubusProvisioning:
    nats:
      extraEnvVars:
           - name: NATS_DISPATCHER_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: "<name for the secretKeyRef>"
                 key: NATS_PASSWORD
  

  UDM Transformer

  nubusProvisioning.udmTransformer.nats.auth.existingSecret.name nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.password

  Listing 6.8 NATS password for UDM Transfomer

  nubusProvisioning:
    nats:
      extraEnvVars:
           - name: NATS_UDM_TRANSFORMER_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: "<name for the secretKeyRef>"
                 key: NATS_PASSWORD
  

  Prefill

  nubusProvisioning.prefill.nats.auth.existingSecret.name nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword

  Listing 6.9 NATS password for Prefill

  nubusProvisioning:
    nats:
      extraEnvVars:
           - name: NATS_PREFILL_PASSWORD
             valueFrom:
               secretKeyRef:
                 name: "<name for the secretKeyRef>"
                 key: NATS_PASSWORD
  

Provisioning UDM Listener NATS password

• Credentials for the UDM Listener to queue messages for the Provisioning Service.

• You can change it in an existing deployment.

• Custom secret value: nubusUdmListener.nats.auth.password

• Existing secret:

  • nubusUdmListener.nats.auth.existingSecret.name

  • nubusUdmListener.nats.auth.existingSecret.keyMapping.password

  Listing 6.10 NATS password for the UDM Listener

  nubusProvisioning:
    nat:
      extraEnvVars:
        - name: NATS_UDM_LISTENER_PASSWORD
          valueFrom:
            secretKeyRef:
              name: "<name of the secretKeyRef>"
              key: "<key of the secretKeyRef>"
  

6.3.4.3. Keycloak secrets

Keycloak administrator password

• The Keycloak provisioning job uses this password.

• You can’t change it in an existing deployment.

• Custom secret values: keycloak.keycloak.auth.password

• Existing secret: You must configure the same existing secret in the following places:

  • keycloak.keycloak.auth.existingSecret.name keycloak.keycloak.auth.existingSecret.keyMapping.adminPassword

  • nubusKeycloakBootstrap.keycloak.auth.existingSecret.name nubusKeycloakBootstrap.keycloak.auth.existingSecret.keyMapping.password

  • nubusKeycloakExtensions.keycloak.auth.existingSecret.name nubusKeycloakExtensions.keycloak.auth.existingSecret.keyMapping.adminPassword

  • nubusGuardian.provisioning.keycloak.auth.existingSecret.name nubusGuardian.provisioning.keycloak.auth.existingSecret.keyMapping.password

  • nubusTwofaHelpdesk.keycloak.auth.existingSecret.name nubusTwofaHelpdesk.keycloak.auth.existingSecret.keyMapping.adminPassword

Keycloak LDAP password

• Keycloak uses this password for its LDAP service account password.

• You can’t change it in an existing deployment.

• Custom secret value and existing secret: Requires the same password in the following secrets:

  • nubusStackDataUms.templateContext.readonlyUserPassword

  • nubusKeycloakBootstrap.ldap.auth.existingSecret.name nubusKeycloakBootstrap.ldap.auth.existingSecret.keyMapping.password

Keycloak PostgreSQL password

• Keycloak uses this password for its PostgreSQL account to access the PostgreSQL database.

• You can’t change it in an existing deployment.

• You can’t configure custom secret values.

• Existing secret:

  • keycloak.postgresql.auth.existingSecret.name keycloak.postgresql.auth.existingSecret.keyMapping.password

Keycloak Extensions PostgreSQL password

• Keycloak Extensions use this password for their PostgreSQL account to access the PostgreSQL database.

• You can change it in an existing deployment.

• You can’t configure custom secret values.

• Existing secret:

  • nubusKeycloakExtensions.postgresql.auth.existingSecret.name

  • nubusKeycloakExtensions.postgresql.auth.existingSecret.keyMapping.password

6.3.4.4. Authorization Service secrets

Guardian PostgreSQL password

• Guardian uses this password for its PostgreSQL database.

• You can change it in an existing deployment.

• Custom secret value: nubusGuardian.postgresql.auth.password

• Existing secret:

  • nubusGuardian.postgresql.auth.existingSecret.name

  • nubusGuardian.postgresql.auth.existingSecret.keyMapping.password

Guardian Management API OAuth client secret

• The Guardian Management API Keycloak client uses this secret for the OAuth client.

• You can’t change it in an existing deployment.

• You can’t configure custom secret values.

• Existing secret:

  • nubusGuardian.managementApi.oauth.auth.existingSecret.name

  • nubusGuardian.managementApi.oauth.auth.existingSecret.keyMapping.clientSecret

Self Service Consumer Provisioning API credentials

• Provisioning subscription password for the Self Service Consumer.

• You can’t change it in an existing deployment.

• Custom secret values:

  • nubusSelfServiceConsumer.provisioningApi.auth.username

  • nubusSelfServiceConsumer.provisioningApi.auth.password

• Existing secret: Requires the same password in the following secrets:

  • nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password

  • nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.name nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.keyMapping.registration

6.3.4.5. UMC Server secrets

UMC Server Memcached credentials

• Credentials for Memcached in UMC Server.

• You can’t change it in an existing deployment.

• Custom secret values:

  • nubusUmcServer.memcached.auth.username

  • nubusUmcServer.memcached.auth.password

  • nubusUmcServer.memcached.auth.existingPasswordSecret

• Existing secret: nubusUmcServer.memcached.auth.existingSecret.name

UMC Server PostgreSQL password

• The UMC Server uses this password for its PostgreSQL database.

• You can change it in an existing deployment.

• Custom secret values:

  • nubusUmcServer.postgresql.auth.username

  • nubusUmcServer.postgresql.auth.password

• Existing secret: nubusUmcServer.postgresql.auth.existingSecret.name

UMC Server SMTP credentials

• SMTP credentials for the UMC Server.

• You can change it in an existing deployment.

• Custom secret value: nubusUmcServer.smtp.auth.password

• Existing secret:

  • nubusUmcServer.smtp.auth.existingSecret.name

  • nubusUmcServer.smtp.auth.existingSecret.keyMapping.password

6.3.4.6. S3-compatible object storage