Secrets Management

The GoodData.CN helm chart uses several credentials which are stored in the plain text form directly in the chart. This is convenient as the installation works out of the box, but we do not recommend this setup for production environments. Instead, proper secrets management should be used.

Provide existing secrets

It is possible to provide existing Kubernetes secrets with the required credentials. You can provide the credentials to the secrets in the following ways.

Postgres Secrets

Required Format:

apiVersion: v1
kind: Secret
metadata:
  name: your-postgres-secret
type: Opaque
data:
  postgresql-password: "a29rb3Q="
  repmgr-password: "Q3RicU40WmVvWA=="

This secret is referenced in the GoodData.CN helm chart as shown below.

Installation with Included Postgres Helm Chart

You can reference the secret in the following ways:

deployPostgresHA: true
global:
  postgresql:
    existingSecret: your-postgres-secret

deployPostgresHA: true
postgresql-ha:
  postgresql:
    existingSecret: your-postgres-secret

Note: You can define it both ways, however the global setting has priority.

Installation with external Postgres

deployPostgresHA: false
service:
  postgres:
    existingSecret: your-postgres-secret

Metadata Bootstrap secret

Required Format:

apiVersion: v1
kind: Secret
metadata:
  name: your-metadata-bootstrap-secret
type: Opaque
data:
  user: "a29rb3Q="
  password: "Q3RicU40WmVvWA=="

You can reference the secret in following way:

metadataApi:
  bootstrap:
    existingSecret: your-metadata-bootstrap-secret

Secrets management

GoodData.CN is un-opinionated about how secrets are managed as long they are secure. There are many ways to do it and there’s no one-size-fits-all solution. Here are some solutions for managing secrets:

• Bitnami Sealed Secrets
• GoDaddy Kubernetes External Secrets
• External Secrets Operator
• Hashicorp Vault
• Banzai Cloud Bank-Vaults
• Helm Secrets
• Kustomize secret generator plugins
• aws-secret-operator
• KSOPS
• argocd-vault-plugin