The GoodData.CN helm chart uses several credentials that are stored in plain text directly in the chart. This is convenient because the installation works out of the box, but we do not recommend this setup for production environments. Instead, proper secrets management should be used.
Default Secrets
If you just want to evaluate the GoodData.CN helm chart installation, you do not need to set up secrets. The default secrets will be used.
Provide existing secrets
It is possible to provide existing Kubernetes secrets with the required credentials. You can provide the credentials to the secrets in the following ways.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: your-postgres-secret
type: Opaque
data:
  postgresql-password: "a29rb3Q="
  repmgr-password: "Q3RicU40WmVvWA=="
```
This secret is referenced in the GoodData.CN helm chart as shown below.
Installation with Included Postgres Helm Chart
You can reference the secret in the following ways:
```yaml
deployPostgresHA: true
global:
  postgresql:
    existingSecret: your-postgres-secret
```

```yaml
deployPostgresHA: true
postgresql-ha:
  postgresql:
    existingSecret: your-postgres-secret
```
Note: You can define it both ways, however the global setting has priority.
Installation with external Postgres
```yaml
deployPostgresHA: false
service:
  postgres:
    existingSecret: your-postgres-secret
```
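The values under `data:` in the Postgres secret are base64-encoded, which is an encoding and not encryption, so sample values should never be reused. The following shell functions are an added example, not part of the GoodData.CN chart or its documentation: they render the same manifest with freshly generated passwords. The function names and the 32-character password length are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the GoodData.CN chart.
# Key names are the ones shown on this page; function names and the
# 32-character password length are assumptions of this example.

# gen_password: 32 random alphanumeric characters from the kernel CSPRNG.
gen_password() {
    head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-32
}

# b64: single-line base64, the form Kubernetes expects under `data:`.
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# render_postgres_secret NAME: print a Secret manifest with fresh passwords.
render_postgres_secret() {
    pg_pw=$(gen_password)
    repmgr_pw=$(gen_password)
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  postgresql-password: "$(b64 "$pg_pw")"
  repmgr-password: "$(b64 "$repmgr_pw")"
EOF
}

# secret_value KEY: decode one key from a manifest read on stdin.
# Anyone who can read the manifest can do the same, so treat it as plain text.
secret_value() {
    sed -n "s/^  $1: \"\(.*\)\"\$/\1/p" | base64 -d
}

# Usage: apply without writing the manifest to disk.
#   render_postgres_secret your-postgres-secret | kubectl apply -f -
```

Because `secret_value` recovers the password from the manifest alone, a rendered manifest should not be committed to version control or left on disk.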
Metadata Bootstrap secret
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: your-metadata-bootstrap-secret
type: Opaque
data:
  user: "a29rb3Q="
  password: "Q3RicU40WmVvWA=="
```
You can reference the secret in the following way:
```yaml
metadataApi:
  bootstrap:
    existingSecret: your-metadata-bootstrap-secret
```
GoodData.CN is unopinionated about how secrets are managed as long as they are secure. There are many ways to do it and there’s no one-size-fits-all solution. Here are some solutions for managing secrets: