Skip to main contentMerative SPM on Kubernetes

Handling Secrets

All values defined in the Helm Chart values.yaml file or in your custom override file become part of the Helm release definition.

As of Helm v3, the release definition is stored as a Kubernetes Secret resource by default, as opposed to a ConfigMap. This provides additional security to any credentials defined as values in the release, in comparison to release definitions being stored as ConfigMaps in Helm v2.

You may find additional information about Secrets and how to define them in Kubernetes in the official documentation:

By default, the spm chart will generate all of the secrets it needs. However, you may want to manage them outside of a Helm release, and point to existing secrets. The following is a list of the Secrets which may be provided externally, and the data they must provide.

The descriptions refer to 2 variants of encryption/encoding: SPM and XOR.

  • SPM encryption refers to the values obtained from the build.sh encrypt -Dpassword=<password> command.
  • XOR encoding refers to the values obtained from the $WLP_HOME/bin/securityUtility encode <password> command.

SPM Secrets

The secrets are structured the following way - the top-level key is the property, which must be set in the override values file, and nested in it are the keys that must be defined for the secret along with their description. If the following top-level keys are not provided, the secrets will be generated by the Helm Chart, prefixed with the Helm release name.

  • global.imagePullSecret.secretName (type: kubernetes.io/dockerconfigjson)
  • global.hubPullSecret.secretName (type: kubernetes.io/dockerconfigjson)
  • global.database.credsSecretName (type: Opaque)
    • SPM_DB_USR: Database username for datastore connections
    • SPM_DB_PSW: SPM encrypted password for the datastore connections (used by Batch processes)
    • XOR_DB_PSW: XOR encoded password for the datastore connections (used by WebSphere Liberty)
  • global.mq.queueManager.secret.name (type: Opaque)
  • global.mq.tlsSecretName (type: variable - see options)
    • When IBM MQ is hosted on VMs outside the cluster (type: Opaque):
      • key_{{ $qmgrName }}.arm: A certificate file for each of the Queue Managers (one for every application)
    • When IBM MQ is hosted in containers inside the cluster (type: kubernetes.io/tls)
      • tls.key: (optional) A private key file to configure in IBM MQ Containers
      • tls.crt: (optional) A certificate file to configure in IBM MQ Containers
  • SPM 8.0.0.0apps.jwtConfig.secretName (type: kubernetes.io/tls)
    • tls.key: A private key file for signing JSON Web Tokens
    • tls.crt: A certificate file for signing JSON Web Tokens
  • apps.ltpaKeys.secretName (type: Opaque)
    • ltpa.keys: Contents of the ltpa.keys file generated using securityUtility createLTPAKeys --password=<password> --file=ltpa.keys
    • passwordKey: XOR encoded password for the ltpa.keys file
  • apps.systemUser.credsSecretName (type: Opaque)
    • SYSTEM_USER: The user under which JMS messages are executed (default: SYSTEM)
    • SYSTEM_PASSWORD: XOR encoded password for SYSTEM_USER
  • apps.wlpAdmin.secretName (type: Opaque)
    • KeystorePassword: Password for the default WebSphere Liberty keystore
    • XORKeystorePassword: XOR encoded password for the default WebSphere Liberty keystore
    • WebSphereUsername: Username of the administrative user for accessing the Liberty Admin Center, when enabled
    • WebSpherePassword: Password of the Liberty administrative user
    • XORWebSpherePassword: XOR encoded password of the Liberty administrative user
Previous
Deploying with Helm Charts: Configuration Reference
Next
Deploying with Helm Charts: Deploying Helm Charts