Creating the application secret

A secret holds the sensitive information that is needed to create IBM Engineering AI Hub through the IBM Engineering AI Hub operator.

About this task

The administrator must create the IBM Engineering AI Hub secret and configure the values in the secret file before the IBM Engineering AI Hub instance is created on the supported cluster.

Procedure

Create the secret either on the supported cluster or by using the command line.
  • To create the secret on the supported cluster in the Red Hat OpenShift console, complete the following steps:
  1. Log in to the
  2. Select the project from the
    Alternatively, you can run the oc project <project name> command.
  3. Create the secret in the same project.
  1. Go to Workloads > Secrets.
  2. On the Secrets page, select Key/Value Secret from the Create list.
  3. On the Create Key/Value Secret page, provide the following details:
    1. In the Secret Name field, add the following value: engineering-ai-hub-application-secrets
    2. Add the following key-value pairs.
      Key: oidcClientId
      Description: The client ID forms part of the credentials used to communicate with your OIDC provider. This ID must be registered with your OIDC provider. Contact your OIDC provider to get this value.
      Value: <engineeringaihub_client_id>

      Key: oidcClientSecret
      Description: The client secret forms part of the credentials used to communicate with your OIDC provider. Contact your OIDC provider to get this value.
      Value: <engineeringaihubclient_secret>

      Key: dbcredentials.dbName
      Description: Database name used by IBM® Engineering AI Hub. The recommended database name is elmaihub.
      Value: elmaihub

      Key: dbcredentials.dbUserName
      Description: Username used to connect to the database.
      Value: db_user

      Key: dbcredentials.dbPassword
      Description: Password used to authenticate to the database.
      Value: db_password

      Key: dbcredentials.dbHost
      Description: Hostname of the PostgreSQL database server.
      Value: db.example.com

      Key: dbcredentials.dbPort
      Description: Port on which the PostgreSQL database is running.
      Value: 5432

      Key: dbcredentials.dbMinPoolSize
      Description: Optional. Minimum database connection pool size. If not specified, the system uses the default value of 1.
      Value: 1

      Key: dbcredentials.dbMaxPoolSize
      Description: Optional. Maximum database connection pool size. If not specified, the system uses the default value of 5.
      Value: 5

      Key: dbcredentials.sslmode
      Description: Specifies the SSL/TLS mode used to secure the PostgreSQL database connection. Supported values are disable, require, verify-ca, and verify-full. The default value is disable. For more information, see SSL Mode Descriptions.
      Value: For example: verify-ca

      Key: dbcredentials.sslCertSecret
      Description: Directory that contains the SSL certificate files required for establishing a secure PostgreSQL database connection. For more information, see Creating database SSL certificate secret.
      Note:
      For SSL-enabled PostgreSQL connections, the required certificate files depend on the configured SSL mode and the server-side authentication settings:
      • For verify-ca and verify-full modes, the ca.crt file is mandatory and is used to verify the server certificate against a trusted Certificate Authority.
      • The tls.crt and tls.key files (client certificate and private key) are not required by default, even in verify-full mode. They become mandatory only when the PostgreSQL server is configured to require client certificate authentication, for example when pg_hba.conf uses the cert authentication method.
      • In such cases, the server explicitly requests a client certificate, and the connection will fail if tls.crt and tls.key are not provided.
      All certificate files must use the exact filenames ca.crt, tls.crt, and tls.key in the referenced Kubernetes/OpenShift secret. Any deviation from these filenames is not supported and can cause SSL connection failures.
      Value: aihubdbsslsecret
  4. Click Create.
  • To create the secret by using the command line, complete the following steps:
  1. Write the <sample_secret_file>.yaml file. The following is a sample file.
    kind: Secret
    apiVersion: v1
    metadata:
      name: ibmaihub-application-secrets
      namespace: <namespace>
    stringData:
      dbPassword: <postgres>
      dbAdminPassword: <postgres>
      oidcClientId: <rse-client>
      oidcClientSecret: <D8ElPYt9BS4sADJzWaUFaBV25IfE3Zj9>
    Important: Do not use the following characters in the password: "#", "?", "/", and "\".
  2. Pass the name of the secret as a value to the secret parameter of the IBM Engineering AI Hub specification.
  3. Run the following command. A secret based on the values entered in the <sample_secret_file>.yaml file is created and encoded.
    Red Hat OpenShift
    oc create -f <sample_secret_file>.yaml -n <namespace>
    Kubernetes
    kubectl create -f <sample_secret_file>.yaml -n <namespace>
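
The SSL mode and certificate filename rules in the note on dbcredentials.sslCertSecret, and the password character restriction, can be checked before the secret is created. The following Python check is an added example, not IBM code; the function name check_secret, its parameters, and the set of keys treated as required are assumptions.

```python
# Added example: pre-flight check of the secret values before the secret is created.
FORBIDDEN_PASSWORD_CHARS = set('#?/\\')
SSL_MODES = {"disable", "require", "verify-ca", "verify-full"}
CERT_FILENAMES = {"ca.crt", "tls.crt", "tls.key"}
# Assumption: keys the page neither marks Optional nor gives a default are required.
REQUIRED_KEYS = (
    "oidcClientId", "oidcClientSecret", "dbcredentials.dbName",
    "dbcredentials.dbUserName", "dbcredentials.dbPassword",
    "dbcredentials.dbHost", "dbcredentials.dbPort",
)


def check_secret(values, cert_files=(), server_requires_client_cert=False):
    """Return a list of problems; an empty list means the values pass.
    cert_files: filenames inside the secret named by dbcredentials.sslCertSecret.
    server_requires_client_cert: True when pg_hba.conf uses the cert method.
    """
    problems = [f"missing value for {k}" for k in REQUIRED_KEYS if not values.get(k)]
    bad = FORBIDDEN_PASSWORD_CHARS & set(values.get("dbcredentials.dbPassword") or "")
    if bad:
        problems.append("dbPassword contains forbidden characters: " + " ".join(sorted(bad)))
    mode = values.get("dbcredentials.sslmode", "disable")  # default per the page
    files = set(cert_files)
    if mode not in SSL_MODES:
        problems.append(f"unsupported sslmode: {mode}")
    elif mode in ("verify-ca", "verify-full"):
        if not values.get("dbcredentials.sslCertSecret"):
            problems.append(f"sslmode={mode} needs dbcredentials.sslCertSecret")
        if "ca.crt" not in files:
            problems.append(f"sslmode={mode} needs ca.crt in the certificate secret")
    if server_requires_client_cert:
        problems += [f"client certificate authentication needs {n}"
                     for n in ("tls.crt", "tls.key") if n not in files]
    problems += [f"unsupported certificate filename: {n}"
                 for n in sorted(files - CERT_FILENAMES)]
    return problems

if __name__ == "__main__":
    # Constructed sample values, based on the placeholder values in the table.
    sample = {
        "oidcClientId": "<engineeringaihub_client_id>",
        "oidcClientSecret": "<engineeringaihubclient_secret>",
        "dbcredentials.dbName": "elmaihub", "dbcredentials.dbUserName": "db_user",
        "dbcredentials.dbPassword": "db/pass#word", "dbcredentials.dbHost": "db.example.com",
        "dbcredentials.dbPort": "5432", "dbcredentials.sslmode": "verify-full",
        "dbcredentials.sslCertSecret": "aihubdbsslsecret",
    }
    for problem in check_secret(sample, cert_files={"root.crt", "tls.crt"}):
        print(problem)
```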