Secrets Management
Release Notice
GoodData.CN ready for Kubernetes will be published during May 2021. Stay tuned and watch the GoodData Developers website.
The GoodData.CN helm chart uses several credentials that are stored in plain text directly in the chart. This is convenient because the installation works out of the box. However, this setup shall never be used in production environments. Instead, proper secrets management shall be used.
Provide existing secrets
It is possible to provide existing Kubernetes secrets with the required credentials. You can provide the secret in the following ways.
Postgres secrets
This is the required format of data fields:
apiVersion: v1
kind: Secret
metadata:
  name: your-postgres-secret
type: Opaque
data:
  postgresql-password: "a29rb3Q="
  repmgr-password: "Q3RicU40WmVvWA=="
This secret is then referenced in the GoodData.CN helm chart as shown below.
Installation with included Postgres helm chart
You can reference the secret in the following ways:

# Option 1: global setting
deployPostgresHA: true
global:
  postgresql:
    existingSecret: your-postgres-secret

# Option 2: setting on the postgresql-ha subchart
deployPostgresHA: true
postgresql-ha:
  postgresql:
    existingSecret: your-postgres-secret

Note: You can define it both ways; however, the global setting has priority.
Installation with external Postgres
deployPostgresHA: false
service:
  postgres:
    existingSecret: your-postgres-secret
Metadata Bootstrap secret
This is the required format of data fields:
apiVersion: v1
kind: Secret
metadata:
  name: your-metadata-bootstrap-secret
type: Opaque
data:
  user: "a29rb3Q="
  password: "Q3RicU40WmVvWA=="
You can reference the secret in the following way:
metadataApi:
  bootstrap:
    existingSecret: your-metadata-bootstrap-secret
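Kubernetes expects every value under `data` to be base64-encoded, and the chart looks the credentials up by the exact key names shown above. The following added example (not part of the GoodData.CN chart or its tooling) builds both Secret formats with random credentials and checks a manifest for missing keys, invalid base64 and reuse of the sample values printed on this page. The function names and the `kind` labels are assumptions of this example.

```python
import base64
import binascii
import json
import secrets

# Key names required by the two Secret formats documented on this page.
REQUIRED_KEYS = {
    "postgres": ("postgresql-password", "repmgr-password"),
    "metadata-bootstrap": ("user", "password"),
}
# Sample values printed in the documentation; treated here as never deployable.
DOC_SAMPLE_VALUES = {"a29rb3Q=", "Q3RicU40WmVvWA=="}


def build_secret(name, kind, values=None):
    """Return a Secret manifest (dict) holding the keys required for `kind`.
    Keys without a supplied value get a random URL-safe token."""
    values = values or {}
    data = {}
    for key in REQUIRED_KEYS[kind]:
        plain = values.get(key) or secrets.token_urlsafe(32)
        data[key] = base64.b64encode(plain.encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "Opaque", "data": data}


def check_secret(manifest, kind):
    """Return a list of problems that would break or weaken the deployment."""
    problems = []
    data = manifest.get("data") or {}
    for key in REQUIRED_KEYS[kind]:
        value = data.get(key)
        if value is None:
            problems.append(f"missing key: {key}")
            continue
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError, TypeError):
            problems.append(f"{key}: not valid base64")
            continue
        if not decoded:
            problems.append(f"{key}: empty value")
        if value in DOC_SAMPLE_VALUES:
            problems.append(f"{key}: documentation sample value")
    return problems


if __name__ == "__main__":
    manifest = build_secret("your-postgres-secret", "postgres")
    assert check_secret(manifest, "postgres") == []
    print(json.dumps(manifest, indent=2))  # kubectl apply accepts JSON manifests
```

The printed JSON can be piped to `kubectl apply -f -` so the credentials never land in a values file or in version control.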
Secrets management
GoodData.CN is unopinionated about how secrets are managed as long as they are secure. There are many ways to do it and there’s no one-size-fits-all solution. Here are some solutions for managing secrets: