Creating Secrets
To separate application secrets from the Helm release, a Kubernetes Secret must be created based on the examples given below and referenced in the Helm chart as the secret.secretName value. To create Secrets using the command line, follow the steps given below:
- Create a template file with Secret defined as described in the example below:
Secure Proxy Configuration Manager
apiVersion: v1
kind: Secret
metadata:
  name: ibm-ssp-cm-secret
type: Opaque
data:
  sysPassphrase: UGFzc3dvcmRAMTIz
  adminPassword: UGFzc3dvcmRAMTIz
  keyCertStorePassphrase: cGFzc3dvcmQ=
  keyCertEncryptPassphrase: cGFzc3dvcmQ=
  commonCertPassword: cGFzc3dvcmQ=
  engCertPassword: cGFzc3dvcmQ=
  cmClientCertPassword: cGFzc3dvcmQ=
  cmCertPassword: cGFzc3dvcmQ=
  cmServerCertPassword: cGFzc3dvcmQ=
  webCertPassword: cGFzc3dvcmQ=
  exportCertPassword: cGFzc3dvcmQ=
Here:
- The sysPassphrase is required to unlock the key that allows encryption and decryption of configuration files.
- The adminPassword is used when logging into Configuration Manager for the first time.
- The private key is encrypted using the keyCertStorePassphrase; it is required if you are installing Configuration Manager first.
- The keyCertEncryptPassphrase is required to allow encryption and decryption of the exported/imported key certificate.
- The commonCertPassword is required if you want to use a common certificate for all components of SSP.
- The engCertPassword is required if you want to use the Engine certificate during the installation.
- The cmClientCertPassword is required if you want to use the CM Client certificate during the installation.
- The cmCertPassword is required if you want to use the CM certificate during the installation.
- The cmServerCertPassword is required if you want to use the CM server certificate during the installation.
- The webCertPassword is required if you want to use the Jetty Web certificate during the installation.
- The exportCertPassword is required to allow encryption of the exported custom (Common, Engine, CM Client, CM SSL) key certificate.
Secure Proxy Engine
apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  sysPassphrase: UGFzc3dvcmRAMTIz
  keyCertStorePassphrase: cGFzc3dvcmQ=
  keyCertEncryptPassphrase: cGFzc3dvcmQ=
  customKeyCertPassphrase: cGFzc3dvcmQ=
Here:
- The sysPassphrase is required to unlock the key that allows encryption and decryption of configuration files.
- The private key is encrypted using the keyCertStorePassphrase; it is required if you are installing Engine first.
- The keyCertEncryptPassphrase is required to allow encryption and decryption of the exported/imported key certificate.
- The customKeyCertPassphrase is required if you want to use a custom certificate during the installation.
Note: Once the container is up, delete the Secret YAML file and the resource object that was created from it, for security reasons. Base64-encoded passwords must be generated manually by invoking the command below and using its output in the <secret yaml file>:
echo -n "<password>" | base64
- Run the following command to create the Secret:
  kubectl create -f <secret yaml file>
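The encoding step above is where these Secrets most often go wrong in practice: `echo` without `-n` appends a newline that becomes part of the stored passphrase. The following shell script, added here as an example and not part of the IBM documentation, encodes the values for the Engine Secret the way the page prescribes, prints the manifest, and checks an encoded value for a leaked trailing newline; the secret name ssp-engine-secret and the sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not IBM's code: build the Engine Secret manifest from plaintext
# values and catch the common `echo` without -n mistake before applying it.

# encode_value: base64-encode one value with no trailing newline (same result as
# `echo -n "<password>" | base64`), joined onto a single line for the manifest.
encode_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# decode_value: reverse of encode_value, used to inspect a manifest before applying it.
decode_value() {
    printf '%s' "$1" | base64 -d
}

# check_encoding: return 1 if the decoded value ends in a newline, which is what
# `echo "<password>" | base64` (without -n) silently produces.
check_encoding() {
    raw=$(printf '%s' "$1" | base64 -d | wc -c)
    # $(...) strips trailing newlines, so the byte counts differ only if one leaked in.
    stripped=$(printf '%s' "$(printf '%s' "$1" | base64 -d)" | wc -c)
    [ $((raw)) -eq $((stripped)) ]
}

# engine_secret_manifest: print a Secret manifest with the four Engine keys from the page.
# Usage: engine_secret_manifest <name> <sysPassphrase> <keyCertStorePassphrase> \
#                               <keyCertEncryptPassphrase> <customKeyCertPassphrase>
engine_secret_manifest() {
    name=$1
    shift
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$name"
    for key in sysPassphrase keyCertStorePassphrase keyCertEncryptPassphrase customKeyCertPassphrase; do
        printf '  %s: %s\n' "$key" "$(encode_value "$1")"
        shift
    done
}

# Example (constructed secret name and passwords); pipe into `kubectl create -f -`:
# engine_secret_manifest ssp-engine-secret 'Password@123' password password password
```

Piping the manifest straight into `kubectl create -f -` avoids leaving a Secret YAML file on disk, which is what the note above asks you to delete afterwards.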
secret.keyCertsecretName: to map the exported key certificate from Configuration Manager/Engine, use the following command:
kubectl create secret generic <KeyCert Secret Name> --from-file=<Key Name>=<Exported Key Certificate File>
Configuration Manager
Copy the exported certificate from Engine's PV (<Volume mapped Dir>/ENG/defkeyCert.txt) to an appropriate location. Suppose you have copied the exported certificate file from Engine's PV to /home/<user>/defkeyCert.txt; then execute the following command to create the CM cert secret:
kubectl create secret generic cm-key-cert --from-file=keyCert=/home/<user>/defkeyCert.txt
Note: This is required only when you are installing Configuration Manager after Engine; otherwise it is not needed.
Engine
Copy the exported certificate from CM's PV (<Volume mapped Dir>/CM/defkeyCert.txt) to an appropriate location. Suppose you have copied the exported certificate file from CM's PV to /home/<user>/defkeyCert.txt; then execute the following command to create the Engine cert secret:
kubectl create secret generic engine-key-cert --from-file=keyCert=/home/<user>/defkeyCert.txt
Note: This is required only when you are installing Engine after Configuration Manager; otherwise it is not needed.
For more details, see Secrets. Default Kubernetes secrets management has certain security risks, as documented in Kubernetes Security. You should evaluate Kubernetes secrets management based on your enterprise policy requirements and take steps to harden security.