$schema: https://json-schema.org/draft/2020-12/schema $id: https://github.com/elastisys/compliantkubernetes-apps/raw/main/config/schemas/secrets.yaml title: Welkin Apps Secrets description: | This describes the structure of the secrets for both the service and workload clusters. $comment: | Since these are intended to be encrypted each property should have the `encrypted` definition combined with `anyOf` or `oneOf` with the actual format. $defs: encrypted: $comment: Combine this and the decrypted format using oneOf or anyOf pattern: ^ENC\[ title: String encrypted using sops. type: string password: oneOf: - minLength: 8 type: string - $ref: '#/$defs/encrypted' title: Password token: anyOf: - minLength: 20 type: string - $ref: '#/$defs/encrypted' title: Opaque Token properties: objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage in Welkin. type: object properties: azure: additionalProperties: false title: Azure Backend Secrets description: |- Secrets for using Azure as object storage in Welkin. type: object properties: storageAccountName: description: Storage account name to authenticate with. type: string storageAccountKey: description: Storage account key to authenticate with. type: string s3: additionalProperties: false title: S3 Backend Secrets description: |- Secrets for using S3 as object storage in Welkin. type: object properties: accessKey: description: Access key to authenticate with. type: string secretKey: description: Secret key to authenticate with. type: string swift: additionalProperties: false title: Swift Backend Secrets description: |- Secrets for using Swift as object storage in Welkin. > [!important] > Currently Harbor only supports `username` and `password` authentication. type: object properties: applicationCredentialID: description: |- Application Credential ID to authenticate with. type: string applicationCredentialName: description: |- Application Credential Name to authenticate with, requires username to be set. type: string applicationCredentialSecret: description: |- Application Credential Secret to authenticate with, requires username to be set. type: string password: type: string username: type: string sync: additionalProperties: false title: Rclone Sync Secrets description: |- Secrets for syncing object storage from the primary site to a secondary site with Rclone. type: object properties: encrypt: title: Rclone Crypt Secrets description: |- Secrets for encrypt data when syncing. properties: password: description: Crypt password, generate with `pwgen 32 1`. type: string passwordObscured: description: Obscured crypt password, generate with `rclone obscure `. type: string salt: description: Crypt salt, generate with `pwgen 32 1`. type: string saltObscured: description: Obscured crypt salt, generate with `rclone obscure `. type: string type: object azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' restore: additionalProperties: false title: Rclone Restore Secrets description: |- Secrets for restoring object storage from a secondary site to the primary site with Rclone. type: object properties: destinations: title: Rclone Restore Destinations Secrets description: |- Allows for complete or partial overrides of the destinations of the restore, the main object storage configuration. type: object properties: azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' default: {} sources: title: Rclone Restore Sources Secrets description: |- Allows for complete or partial overrides of the sources of the restore, the sync object storage configuration. type: object properties: azure: $ref: '#/properties/objectStorage/properties/azure' s3: $ref: '#/properties/objectStorage/properties/s3' swift: $ref: '#/properties/objectStorage/properties/swift' default: {} decrypt: description: |- Allows for complete or partial overrides of the decrypt of the restore, the sync encrypt configuration. $ref: '#/properties/objectStorage/properties/sync/properties/encrypt' default: {} grafana: title: Grafana Secrets description: Configure secrets for Grafana. type: object properties: password: title: Admin Grafana Password type: string opsClientSecret: title: Admin Grafana OIDC Client Secret type: string clientSecret: title: Dev Grafana OIDC Client Secret type: string ops: title: Admin Grafana Secrets description: Configure secrets for Admin Grafana. type: object properties: envRenderSecret: title: Environment Variables Render type: array user: title: Dev Grafana Secrets description: Configure secrets for Dev Grafana. type: object properties: envRenderSecret: title: Environment Variables Render type: array fluentd: title: Fluentd Secret Config description: |- Secret configuration options for Fluentd. type: object properties: objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage specific to Fluentd. type: object properties: s3: $ref: '#/properties/objectStorage/properties/s3' velero: title: Velero Secret Config description: |- Secret configuration options for Velero. type: object properties: objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage specific to Velero. type: object properties: s3: $ref: '#/properties/objectStorage/properties/s3' harbor: title: Harbor Secret Config description: |- Secret configuration options for Harbor. properties: objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage specific to harbor. type: object properties: s3: $ref: '#/properties/objectStorage/properties/s3' clientSecret: type: string coreSecret: type: string external: title: External Database description: |- External database password config. properties: databasePassword: title: External Database Password type: string type: object internal: title: Internal Database description: |- Internal database password config. properties: databasePassword: title: Internal Database Password type: string type: object jobserviceSecret: type: string password: type: string registrySecret: type: string xsrf: type: string type: object thanos: title: Thanos Secrets description: Secrets for Thanos. properties: objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage specific to thanos. type: object properties: s3: $ref: '#/properties/objectStorage/properties/s3' receiver: title: Thanos Receiver description: Secrets for Thanos Receiver. properties: basic_auth: title: Thanos Receiver Basic Auth description: Configure authentication to Thanos Receiver, properties: password: title: Thanos Receiver Basic Auth Password description: Configure the password for authenticating to Thanos Receiver. type: string type: object type: object type: object user: title: User Secret Config description: |- Admin password for user Grafana and user Alertmanager. type: object properties: alertmanagerPassword: type: string grafanaPassword: title: Dev Grafana Password type: string opensearch: title: OpenSearch Secrets description: |- Secrets for OpenSearch. type: object $defs: user: title: OpenSearch User description: Definitions for OpenSearch users. type: object properties: name: title: OpenSearch Username type: string definition: title: OpenSearch User Definition description: Configures the permissions the role will have. $comment: This schema does not cover the entire upstream object. type: object properties: attributes: $ref: "#/properties/opensearch/$defs/user/properties/attributes" backend_role: $ref: "#/properties/opensearch/$defs/user/properties/groups" opendistro_security_roles: $ref: "#/properties/opensearch/$defs/user/properties/securityRoles" password: $ref: "#/properties/opensearch/$defs/user/properties/password" attributes: title: OpenSearch User Attributes description: Configures the attributes the user will have. type: object additionalProperties: type: string groups: title: OpenSearch User Groups description: Configures the backend roles or groups the user will have. type: array items: type: string securityRoles: title: OpenSearch User Security Roles description: | Configures the security roles the user will have. > [!note] > These roles must exists or be created via `extraRoles`. type: array items: title: OpenSearch Security Role type: string examples: - kibana_user password: title: OpenSearch User Password type: string properties: adminHash: title: OpenSearch Admin User Hash type: string adminPassword: title: OpenSearch Admin User Password type: string configurerHash: title: OpenSearch Configurer User Hash type: string configurerPassword: title: OpenSearch Configurer User Password type: string dashboardsCookieEncKey: title: OpenSearch Dashboards Cookie Encryption Key type: string dashboardsHash: title: OpenSearch Dashboards User Hash type: string dashboardsPassword: title: OpenSearch Dashboards User Password type: string clientSecret: title: OpenSearch Client Secret type: string curatorPassword: title: OpenSearch Curator Password type: string fluentdPassword: title: OpenSearch Fluentd Password type: string metricsExporterPassword: title: OpenSearch Exporter Password type: string objectStorage: title: Object Storage Secrets description: |- Configuration options for using object storage specific to opensearch. type: object properties: s3: $ref: '#/properties/objectStorage/properties/s3' snapshotterPassword: title: OpenSearch Snapshot Password type: string extraUsers: title: OpenSearch Extra Users description: Configures extra users for OpenSearch Security. type: array items: title: OpenSearch Extra User description: |- Configures extra user for OpenSearch Security. > [!note] > See [the upstream documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) for reference. type: object properties: username: $ref: "#/properties/opensearch/$defs/user/properties/name" definition: $ref: "#/properties/opensearch/$defs/user/properties/definition" kubeapiMetricsPassword: type: string alerts: title: Alerts Secrets description: Configure secrets for alerting. type: object properties: opsGenie: title: OpsGenie Secrets description: Configure secrets for alerting with OpsGenie. type: object properties: apiKey: title: OpsGenie API Key $ref: '#/$defs/token' slack: title: Slack Secrets description: Configure secrets for alerting with Slack. type: object properties: apiUrl: title: Slack API URL type: string oneOf: - format: uri - $ref: '#/$defs/encrypted' kured: title: Kured Notification Secrets description: |- Notification secrets for Kured (Kubernetes Reboot Daemon). properties: slack: title: Kured Slack Notification Secrets description: |- Notification secrets to send notifications from Kured to Slack. properties: botToken: title: Kured Bot Token For Slack Notification type: string type: object type: object dex: title: Dex Secrets description: Configure secrets for Dex. type: object properties: additionalStaticClients: title: Dex Static Clients description: |- Configure additional static clients in Dex. Clients in this case is application that wants to allow users to authenticate via Dex. > [!note] > See [the upstream documentation](https://dexidp.io/docs/configuration/custom-scopes-claims-clients/) for reference. type: array items: title: Dex Static Client description: Configure an additional static client in Dex. type: object properties: id: title: Static Client ID type: string name: title: Static Client Name type: string redirectURIs: title: Static Client Redirect URIs description: Configure the redirection URIs for this static client. type: array items: title: Static Client Redirect URI type: string oneOf: - format: uri - $ref: '#/$defs/encrypted' examples: - http://192.168.42.219:31850/oauth2/callback secret: title: Static Client Secret type: string connectors: title: Dex Connectors description: |- Configure upstream Identity Providers. > [!note] > See [the upstream documentation](https://dexidp.io/docs/connectors/) for reference. type: array items: title: Dex Connector description: Configure an upstream Identity Provider. type: object properties: id: title: Connector ID description: Configure a unique ID to use for this connector in Dex. examples: - google type: string name: title: Connector Name description: Configure a display name to use for this connector in Dex. type: string examples: - Google type: title: Connector Type type: string oneOf: - enum: - atlassiancrowd - authproxy - bitbucketcloud - gitea - github - gitlab - google - keystone - ldap - linkedin - microsoft - mock - oauth - oidc - openshift - saml - $ref: '#/$defs/encrypted' config: title: Connector Config description: Configure parameters specific for this connector. type: object $comment: |- TODO: - Fields are dependent on type of parent and needs to be specified. - Fields are divergent with type `ldap` compared to `oauth` variants. properties: clientID: title: Connector Client ID type: string clientSecret: title: Connector Client Secret type: string issuer: title: Connector Issuer description: |- Used in `type: oidc`. type: string oneOf: - format: uri - $ref: '#/$defs/encrypted' domainToAdminEmail: title: Connector Admin Emails description: |- Used in `type: google`. type: object additionalProperties: oneOf: - format: email - $ref: '#/$defs/encrypted' propertyNames: format: domain hostedDomains: title: Connector Hosted Domains description: |- Configure the hosted domains for this connector. Used in `type: google`. type: array items: title: Connector Hosted Domain type: string oneOf: - format: hostname - $ref: '#/$defs/encrypted' redirectURI: title: Connector Redirect URI description: Configure the redirect URI for this connector. type: string oneOf: - format: uri - $ref: '#/$defs/encrypted' examples: - https://dex.${BASE_DOMAIN}/callback serviceAccountFilePath: title: Connector Service Account Path description: |- Used in `type: google`. type: string examples: - /etc/dex/google/sa.json required: - id - name - type - config kubeloginClientSecret: title: Dex Kubelogin Client Secret type: string staticPassword: title: Dex Static Password format: crypt type: string extraStaticLogins: title: Extra Static Logins description: Configure additional static logins for Dex. type: array items: title: Extra Static Login description: Additional static logins for Dex. type: object $comment: the password field can be used to store the password in plain text, and it will not be applied to the environment. properties: email: title: Email that the static login will use. type: string oneOf: - format: email - $ref: '#/$defs/encrypted' hash: title: Dex Static Password format: crypt type: string username: title: User ID type: string userID: title: User ID type: string issuers: title: Issuers Secrets description: Configure secrets for issuers. type: object properties: secrets: $comment: is this just passed through as-is? title: Issuer Secrets description: |- Configure secrets for issuers. This must match the configuration set on the issuers. Keys become the name of the secret, and the value the data of the secret. type: object externalDns: title: External DNS Secrets description: Configure secrets for External DNS. type: object properties: awsRoute53: title: AWS Route 53 Secrets description: Configure AWS Route 53 secrets for External DNS. type: object properties: accessKey: title: AWS Access Key type: string secretKey: title: AWS Secret Key type: string type: object