Creating Secrets

To separate application secrets from the Helm release, a Kubernetes Secret must be created based on the examples given below and referenced in the Helm chart as the secret.secretName value. To create Secrets using the command line, follow the steps below:

  1. Create a template file with the Secret defined as described in the examples below:

    Secure Proxy Configuration Manager

    apiVersion: v1
    kind: Secret
    metadata:
      name: <secret name>
    type: Opaque
    data:
      sysPassphrase: <base64 encoded password>
      adminPassword: <base64 encoded password>
      keyCertStorePassphrase: <base64 encoded password>
      keyCertEncryptPassphrase: <base64 encoded password>
      customKeyCertPassphrase: <base64 encoded password>
    
    Here:
    • The sysPassphrase is required to unlock the key that allows encryption and decryption of configuration files.
    • The adminPassword is used when logging in to Configuration Manager for the first time.
    • The private key is encrypted using the keyCertStorePassphrase; it is required if you are installing Configuration Manager first.
    • The keyCertEncryptPassphrase is required to allow encryption and decryption of the exported/imported key certificate.
    • The customKeyCertPassphrase is required if you want to use a custom certificate during the installation.

    Secure Proxy Engine

    apiVersion: v1
    kind: Secret
    metadata:
      name: <secret name>
    type: Opaque
    data:
      sysPassphrase: <base64 encoded password>
      keyCertStorePassphrase: <base64 encoded password>
      keyCertEncryptPassphrase: <base64 encoded password>
      customKeyCertPassphrase: <base64 encoded password>

    Here:
    • The sysPassphrase is required to unlock the key that allows encryption and decryption of configuration files.
    • The private key is encrypted using the keyCertStorePassphrase; it is required if you are installing Engine first.
    • The keyCertEncryptPassphrase is required to allow encryption and decryption of the exported/imported key certificate.
    • The customKeyCertPassphrase is required if you want to use a custom certificate during the installation.
    Note: Once the container is up, delete the Secret YAML file and the resource object created from it, for security reasons. Base64 encoded passwords must be generated manually by invoking the command below:
    echo -n "<password>" | base64
    Use the output of this command in the <secret yaml file>.
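    Hand-pasting base64 output into the manifest is where mistakes usually happen: echo without -n encodes a trailing newline into the passphrase, and base64 wraps long values across lines, which breaks the YAML. The following POSIX shell script is an added example (not part of the original page or the chart) that renders the Configuration Manager Secret shown above directly from the plaintext values and verifies each encoding round-trips; the secret key names are the page's, the function names are assumptions.

```shell
#!/bin/sh
# Added example: render the Configuration Manager Secret manifest without
# hand-editing base64 values. Key names follow the page; function names are
# assumptions made for this example.

# Encode one value for the Secret "data:" section. printf (not echo) avoids
# a trailing newline becoming part of the password, and tr removes base64's
# 76-column line wrapping, which would otherwise split long values in YAML.
b64enc() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Round-trip check: returns success only if decoding $2 yields exactly $1.
b64check() {
    [ "$(printf '%s' "$2" | base64 -d)" = "$1" ]
}

# Render the Secret. Arguments: secret name, then the five passphrases in
# the order the page lists them. Each value is encoded and verified before
# it is written, so a broken encoding fails loudly instead of shipping.
render_cm_secret() {
    name=$1; shift
    for v in "$@"; do
        b64check "$v" "$(b64enc "$v")" || { echo "encoding failed" >&2; return 1; }
    done
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  sysPassphrase: $(b64enc "$1")
  adminPassword: $(b64enc "$2")
  keyCertStorePassphrase: $(b64enc "$3")
  keyCertEncryptPassphrase: $(b64enc "$4")
  customKeyCertPassphrase: $(b64enc "$5")
EOF
}

# Usage (constructed values): render to a file, apply it with kubectl, then
# remove the file as the page's note requires.
#   render_cm_secret cm-secret "$SYS" "$ADMIN" "$STORE" "$ENC" "$CUSTOM" > cm-secret.yaml
```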
  2. Run the following command to create the Secret:
    kubectl create -f <secret yaml file>
  3. secret.keyCertsecretName: To map the exported key certificate from Configuration Manager or Engine, use the following command:
     kubectl create secret generic <KeyCert Secret Name> --from-file=<Key Name>=<Exported Key Certificate File>
    Configuration Manager
    Copy the exported certificate from the Engine's PV (<Volume mapped Dir>/ENG/defkeyCert.txt) to an appropriate location.
    Suppose you have copied the exported certificate file from the Engine's PV to /home/<user>/defkeyCert.txt; then execute the following command to create the CM cert Secret:
     kubectl create secret generic cm-key-cert --from-file=keyCert=/home/<user>/defkeyCert.txt
    Note: This is required only when you are installing Configuration Manager after Engine; otherwise it is not needed.
    Engine
    Copy the exported certificate from the CM's PV (<Volume mapped Dir>/CM/defkeyCert.txt) to an appropriate location.
    Suppose you have copied the exported certificate file from the CM's PV to /home/<user>/defkeyCert.txt; then execute the following command to create the Engine cert Secret:
     kubectl create secret generic engine-key-cert --from-file=keyCert=/home/<user>/defkeyCert.txt
    Note: This is required only when you are installing Engine after Configuration Manager; otherwise it is not needed.

    For more details, see Secrets. Default Kubernetes secrets management has certain security risks, as documented here: Kubernetes Security. You should evaluate Kubernetes secrets management against your enterprise policy requirements and take steps to harden security.