Secrets Management

The GoodData.CN Helm chart uses several credentials that are stored in plain text directly in the chart. We do not recommend this setup for production environments because it is an insecure way to protect data. Use proper secrets management instead.

Provide existing secrets

You can provide existing Kubernetes secrets that hold the required credentials. The secrets must be structured as follows.

Postgres Secrets

Required Format:

apiVersion: v1
kind: Secret
metadata:
  name: your-postgres-secret
type: Opaque
data:
  postgresql-password: "a29rb3Q="
  repmgr-password: "Q3RicU40WmVvWA=="

The GoodData.CN Helm chart references this secret as shown below.

Installation with Included Postgres Helm Chart

You can reference the secret in the following ways:

deployPostgresHA: true
global:
  postgresql:
    existingSecret: your-postgres-secret

or

deployPostgresHA: true
postgresql-ha:
  postgresql:
    existingSecret: your-postgres-secret

Installation with external Postgres

deployPostgresHA: false
service:
  postgres:
    existingSecret: your-postgres-secret
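
One way to produce `your-postgres-secret` in the required format without hand-encoding the values, as an added example that is not part of the GoodData.CN documentation or chart. The function names and the `PG_PASSWORD` / `REPMGR_PASSWORD` environment variables are assumptions, and the check assumes a `base64` that accepts `-d`.

```shell
#!/bin/sh
# Added example, not GoodData.CN code. Variable and function names are assumed.
# Note: base64 in a Secret is an encoding, not encryption.

# Base64-encode stdin onto one line (some base64 builds wrap long output).
b64() { base64 | tr -d '\n'; }

# Print the Postgres Secret manifest with the two keys the chart expects.
# Passwords come from PG_PASSWORD / REPMGR_PASSWORD so they never appear on a
# command line; printf '%s' (not echo) keeps a trailing newline out of them.
render_postgres_secret() {
  [ -n "${PG_PASSWORD:-}" ] && [ -n "${REPMGR_PASSWORD:-}" ] || {
    echo "PG_PASSWORD and REPMGR_PASSWORD must be set" >&2
    return 1
  }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  postgresql-password: "$(printf '%s' "$PG_PASSWORD" | b64)"
  repmgr-password: "$(printf '%s' "$REPMGR_PASSWORD" | b64)"
EOF
}

# Succeed only if a data value is valid base64 and the decoded secret is
# non-empty and has no trailing newline (the usual `echo pw | base64` slip,
# which makes the stored password differ from the one you typed).
check_data_value() {
  nl='
'
  # The appended "x" stops $(...) from stripping a trailing newline.
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
  decoded=${decoded%x}
  [ -n "$decoded" ] || return 1
  case $decoded in
    *"$nl") return 1 ;;
  esac
  return 0
}

# Usage (requires kubectl and cluster access):
#   render_postgres_secret your-postgres-secret | kubectl apply -f -
```

Running `check_data_value` over the `data:` values of a hand-written manifest before applying it catches the newline mistake early, before it shows up as a database authentication failure.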

Metadata Bootstrap secret

Required Format:

apiVersion: v1
kind: Secret
metadata:
  name: your-metadata-bootstrap-secret
type: Opaque
data:
  user: "a29rb3Q="
  password: "Q3RicU40WmVvWA=="

You can reference the secret in the following way:

metadataApi:
  bootstrap:
    existingSecret: your-metadata-bootstrap-secret

Secrets management

GoodData.CN is unopinionated about how secrets are managed as long as they are secure. There are many ways to do it and there’s no one-size-fits-all solution. Here are some solutions for managing secrets: