External Secrets

Overview

SUSE® Observability can receive secrets such as the license key, service token and authentication keys as values passed to helm install, or it can read them from Kubernetes secrets that have already been provisioned.

This page describes how to configure the second option.

Getting the license key from an external secret

Create a secret in the namespace SUSE Observability is installed in, of the following form, filling in the blanks:

apiVersion: v1
kind: Secret
metadata:
  name: "<custom-secret-name>"
type: Opaque
data:
  LICENSE_KEY: "<base64 of the license key>"

Add the following to your helm install command to use the secret:

  --set 'stackstate.license.fromExternalSecret'='<custom-secret-name>'

Getting username and password for email notifications from an external secret

Create a secret in the namespace SUSE Observability is installed in, of the following form, filling in the blanks:

apiVersion: v1
kind: Secret
metadata:
  name: "<custom-secret-name>"
type: Opaque
data:
  SMTP_USER_NAME: "<base64 of the smtp username>"
  SMTP_PASSWORD: "<base64 of the smtp password>"

Add the following to your helm install command to use the secret:

  --set 'stackstate.email.server.auth.fromExternalSecret'='<custom-secret-name>'

Getting the API key from an external secret

A service token must be used in place of the API key; the two terms are synonymous. Any environment variable that still refers to API_KEY does so for backwards compatibility. For more information on how to set up a bootstrap service token, see Set up a bootstrap service token.

Create a secret in the namespace SUSE® Observability is installed in, of the following form, filling in the blanks:

apiVersion: v1
kind: Secret
metadata:
  name: "<custom-secret-name>"
type: Opaque
data:
  API_KEY: "<base64 of the service token>"

Add the following to your helm install command to use the secret:

The Helm value retains the name apiKey for backward compatibility, but you must pass your service token here because the two are synonymous.

  --set 'stackstate.apiKey.fromExternalSecret'='<custom-secret-name>'

Getting authentication data from an external secret

Create a secret in the namespace SUSE Observability is installed in, of the following form.

apiVersion: v1
kind: Secret
metadata:
  name: "<custom-secret-name>"
type: Opaque
data:
  default_password: "<base64 of bcrypted password>"

Depending on the authentication method chosen, the default_password field is replaced with different data. See the authentication options for more information. This example uses the Single password setup.

Add the following to your helm install command to use the secret:

  --set 'stackstate.authentication.fromExternalSecret'='<custom-secret-name>'
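Every manifest above needs its values base64-encoded exactly: a trailing newline or a wrapped line in the encoded value yields a secret that does not match the real key. The following is an added example, not part of the SUSE documentation, that renders a manifest in the form shown on this page; the helper names render_secret, b64_oneline and decode_field are hypothetical, and it assumes each value is stored in a file so that it never appears in the process arguments or shell history.

```shell
#!/bin/sh
# Added example: render a Secret manifest in the form used on this page.
# Helper names are hypothetical; values are read from files (assumption).

# Encode stdin as single-line base64 (some base64 builds wrap long output).
b64_oneline() {
  base64 | tr -d '\n'
}

# Usage: render_secret <secret-name> KEY=/path/to/value-file [KEY=/path ...]
# Example: render_secret my-license LICENSE_KEY=./license.txt \
#            | kubectl apply -n <namespace> -f -
render_secret() {
  name=$1
  shift
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n' 
  printf '  name: "%s"\ntype: Opaque\ndata:\n' "$name"
  for pair in "$@"; do
    key=${pair%%=*}
    file=${pair#*=}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # $(cat ...) drops the trailing newline that editors append; encoding
    # that newline would store a value that differs from the real secret.
    value=$(cat "$file")
    [ -n "$value" ] || { echo "$key: empty value in $file" >&2; return 1; }
    printf '  %s: "%s"\n' "$key" "$(printf '%s' "$value" | b64_oneline)"
  done
}

# Decode one data field from a rendered manifest on stdin, to verify it
# before applying. Assumes a base64 that accepts -d (GNU, BusyBox).
decode_field() {
  sed -n "s/^  $1: \"\(.*\)\"\$/\1/p" | base64 -d
}
```

For the authentication secret, the file passed for default_password must already contain the bcrypt hash; the helper only encodes what it is given.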