Secret Management

ODA Secret

ska-oso-services requires secret values to connect to the ODA PostgreSQL instance.

The application uses the PGPASSWORD environment variable which is injected in the chart from a Kubernetes Secret. The Secret resource should pull the value from Vault on creation, using the standard VaultStaticSecret.

By default, the ska-oso-services chart will create a Secret that contains the ODA password for use by the application, without the need for any user configuration.

To use a different Secret, set the .Values.global.oda.postgres.secret.existingSecret value with the Secret name.

See Configuration for more details on the ODA connection.

Using a Secret for the full Postgres connection

The chart is configured in such a way that it pulls the PG_ environment variables from a ConfigMap and the PGPASSWORD from a Secret (as the host, etc are dynamic and can’t be pulled from Vault).

However, if the ska-oso-services application is connecting to an externally managed Postgres, and a Secret is available in the namespace with the full PG_ variables, these will be taken over the ConfigMap if the Secret is passed via .Values.global.oda.postgres.secret.existingSecret.

Application Secrets

There are a number of secrets defined on Configuration that the application needs for various PHT functionality.

By default the Helm chart will pull these from Vault into a Kubernetes Secret, using the path and keys defined in the values. This Secret is then used to set environment variables for the application.

Alternatively, the Helm value vault.enabled can be set to false and an externally managed Secret used with the value existingApplicationSecret.name