Creating secrets to protect sensitive Enterprise Records configuration data

A secret is an object that contains a small amount of sensitive data, such as a password, a token, or a key. Before you install Enterprise Records, manually create secrets to protect the configuration data that you will enter for the keystore that you configured in preparation for use with Enterprise Records.

Procedure

  1. Prepare your ibm-ier-secret.
    Using your password value, run the following command:
    kubectl create secret generic ibm-ier-secret --from-literal=keystorePassword="<password>"

    The secret you create, ibm-ier-secret, is the value for the parameter ier_secret_name.

  2. Configure the root Certificate Authority (CA) secret and trusted certificate list.
    The custom YAML file also requires values for the root_ca_secret and trusted_certificate_list parameters.

    Note that if the root CA is generated by the operator, you do not need to add it to the trusted_certificate_list parameter.

    The Transport Layer Security (TLS) secret contains the key value pair of the root CA. Your options are:
    • You can generate a self-signed root CA.
    • You can allow the operator (or ROOTCA ansible role) to generate the secret with a self-signed root CA (by not specifying one).
    • You can use a signed root CA. In this case, you create a secret that contains the key value pair of the root CA in advance.

    Each entry in the list of trusted certificate secrets can be a TLS secret or an opaque secret. An opaque secret must contain a tls.crt file for the trusted certificate. A TLS secret additionally has a tls.key file that holds the private key.
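    As an added example (not IBM's code), the following Python builds manifests for the three secrets this procedure describes and checks, before they are applied, that each certificate secret carries the data keys the page requires. The secret names other than ibm-ier-secret and the PEM strings are constructed placeholders.

```python
"""Build and check the Secret manifests needed by the Enterprise Records custom YAML.

Constructed example: ibm-ier-secret (keystorePassword), a kubernetes.io/tls secret
holding a pre-signed root CA (root_ca_secret) and an opaque secret holding only a
trusted certificate (trusted_certificate_list). All PEM contents are placeholders.
"""
import base64
import binascii
import json

# Data keys the operator expects per secret type, as described in step 2.
REQUIRED_KEYS = {"kubernetes.io/tls": ("tls.crt", "tls.key"), "Opaque": ("tls.crt",)}


def b64(value: str) -> str:
    # Secret data is base64-encoded, not encrypted: treat rendered manifests as sensitive.
    return base64.b64encode(value.encode()).decode()


def keystore_secret(name: str, password: str) -> dict:
    """Manifest equivalent of step 1:
    kubectl create secret generic <name> --from-literal=keystorePassword=<password>"""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": {"keystorePassword": b64(password)}}


def root_ca_tls_secret(name: str, cert_pem: str, key_pem: str) -> dict:
    """TLS secret for a root CA you signed in advance (value of root_ca_secret)."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": name},
            "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}}


def trusted_cert_secret(name: str, cert_pem: str) -> dict:
    """Opaque secret with only tls.crt, usable in trusted_certificate_list."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": {"tls.crt": b64(cert_pem)}}


def validate_cert_secret(secret: dict) -> list:
    """Return the problems that would make a root CA or trusted-cert secret unusable."""
    required = REQUIRED_KEYS.get(secret.get("type"))
    if required is None:
        return ["unsupported secret type: %r" % secret.get("type")]
    problems, data = [], secret.get("data", {})
    for key in required:
        if key not in data:
            problems.append("missing data key %s" % key)
            continue
        try:
            base64.b64decode(data[key], validate=True)
        except (binascii.Error, ValueError):
            problems.append("data key %s is not valid base64" % key)
    return problems


def render(secret: dict) -> str:
    """kubectl apply -f accepts JSON manifests, so no YAML library is needed."""
    return json.dumps(secret, indent=2)
```

    Run validate_cert_secret on every secret named in root_ca_secret and trusted_certificate_list before you apply the custom YAML; a TLS secret without tls.key or an opaque secret without tls.crt is reported as a problem.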