Adding Secrets
Passwords are used for the KeyStore, by the Administrator to connect to the Connect:Direct server, and to decrypt certificate files.
To separate application secrets from the Helm Release, a Kubernetes Secret must be created based on the examples given below and referenced in the Helm chart as the secret.secretName value.
To create Secrets using the command line, follow the steps below:
- Create a template file with the Secret defined as described in the example below:
  apiVersion: v1
  kind: Secret
  metadata:
    name: <secret name>
  type: Opaque
  data:
    admPwd: <base64 encoded password>
    crtPwd: <base64 encoded password>
    keyPwd: <base64 encoded password>
    appUserPwd: <base64 encoded password>
  Here:
  admPwd refers to the password that will be set for the Admin user 'cduser' after a successful deployment.
  crtPwd refers to the password used to decrypt certificate files.
  keyPwd refers to the Key Store password.
  appUserPwd refers to the password for a non-admin Connect:Direct user. This user is only created inside the container if appUserPwd is defined in the secret yaml used to create the Connect:Direct Secret object.
  Note: Base64 encoded passwords need to be generated manually by invoking the command below:
  echo -n "<password>" | base64
  Use the output of this command in the <secret yaml file>.
  Note: After the secret is created, delete the yaml file for security reasons. The password entered for admPwd is set as the password for the user cduser at pod initialization.
- Run the following Kubernetes command to create the Secret:
  kubectl create -f <secret yaml file>
To check that the secret was created, invoke the following command:
kubectl get secrets
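The steps above, as an added POSIX shell example that is not part of the IBM documentation: it builds the Secret manifest with the four keys from this page, base64-encodes each value without a trailing newline (the same result as the echo -n | base64 command above), and checks that each value decodes back correctly. The secret name and the sample passwords are constructed placeholders; the final kubectl line is shown in a comment only.

```shell
#!/bin/sh
# Added example: generate the Connect:Direct Secret manifest described on this page.
# Assumptions: secret name and passwords are supplied as arguments (placeholders here).

# b64: encode a value with no trailing newline, matching `echo -n "<password>" | base64`.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# cd_secret_manifest NAME ADMPWD CRTPWD KEYPWD [APPUSERPWD]
# Prints the Opaque Secret. appUserPwd is written only when a value is given, because the
# non-admin user is created inside the container only if that key is defined.
cd_secret_manifest() {
  name=$1; adm=$2; crt=$3; key=$4; app=$5
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
  printf '  admPwd: %s\n' "$(b64 "$adm")"
  printf '  crtPwd: %s\n' "$(b64 "$crt")"
  printf '  keyPwd: %s\n' "$(b64 "$key")"
  [ -n "$app" ] && printf '  appUserPwd: %s\n' "$(b64 "$app")"
  return 0
}

# decode_field MANIFEST KEY: recover one data value to confirm the encoding round-trips.
decode_field() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == (k ":") { print $2 }' | base64 -d
}

# Constructed sample values; the manifest is piped to stdin so no yaml file is left on disk
# (which is what the "delete the yaml file" note above guards against). The kubectl call
# is commented out so the script runs offline:
#   cd_secret_manifest cd-secret 'Adm1n!' 'crt-pass' 'key pass' | kubectl create -f -
manifest=$(cd_secret_manifest cd-secret 'Adm1n!' 'crt-pass' 'key pass')
printf '%s\n' "$manifest"
```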
For more details, see Secrets.
Default Kubernetes secrets management has certain security risks, as documented in Kubernetes Security.
Users should evaluate Kubernetes secrets management based on their enterprise policy requirements and should take steps to harden security.