Secrets are Kubernetes objects that are used to store sensitive information. The secrets listed in this topic are required and have the Opaque type unless otherwise specified.

Image Pull Secrets

The NI container repository that hosts SystemLink Enterprise is private and requires authenticated access. You will have received credentials with access to SystemLink Enterprise. Configure image pull secrets for SystemLink Enterprise using the global.imagePullSecrets array in systemlink-values.yaml and systemlink-admin-values.yaml. Image pull secrets must conform to the kubernetes.io/dockerconfigjson format.

Secret Details
niartifacts-secret

Authentication Secrets

Secret Details
oidc-secret: Identifies SystemLink Enterprise with your OpenID Connect authentication provider and has the following fields.
  • clientId: An OpenID Connect client ID.
  • clientSecret: The secret corresponding to clientId.
  • jwks: A JSON web key set. If none is required, set to an empty string value.

Whitelisted API Keys

SystemLink Enterprise uses whitelisted API keys to authenticate inter-cluster service-to-service communication. The whitelisted API keys are used for operations that do not execute in the context of a specific user. Each secret contains a single field.
  • apiKey: A 42-byte random number sequence that is Base64-encoded.
If you are managing secrets with Helm, use the userservices.secrets.whitelistedApiKeys value in systemlink-secrets.yaml to define each secret and its corresponding hash. Use the generate_whitelisted_key.sh script to simplify key generation.
Secret Details
alarmservice-apikey
alarmserviceroutineexecutor-apikey
assetservice-apikey
comments-apikey
dashboardhost-apikey
jupyterhub-apikey
nbexec-argo-workflow-apikey
routineeventtrigger-apikey
routineexecutor-apikey
routinescheduletrigger-apikey
saltmaster-init-apikey
sessionmanagerservice-apikey
systemsmanagement-service-apikey
tageventprocessor-apikey
testmonitor-apikey
webserver-apikey
workordereventprocessor-apikey

Whitelisted API Key Hashes

Secret Details
userservices-apikey-whitelist: Manages the list of authorized whitelisted API keys. This secret contains a single field.
  • whitelistedApiKeyHashes: An array of hexadecimal-encoded SHA-512 hashes, separated by commas, with no whitespace and no trailing delimiter.

Encryption Keys

Secret Details
fileingestionservices-encryption-key

Field: encryptionKey

Key Type: AES-256

Encoding: Base64

fileingestionservices-download-encryption-key

Field: encryptionKey

Key Type: AES-256

Encoding: Base64

saltmaster-rsa-keys

Field: saltmaster-private-key

Type: RSA

Format: PKCS

Field: saltmaster-public-key

Type: RSA

Format: PKCS1

systemsmanagementservice-dataprotection

Field: aesKey

Key Type: AES-128

Encoding: Base64

systemsstateservice-dataprotection

Field: aesKey

Key Type: AES-128

Encoding: Base64

taghistorian-continuation-token

Field: encryptionKey

Key Type: AEAD

Key Length: 32 bytes

Encoding: Base64

userservices-continuation-token

Field: encryptionKey

Key Type: AEAD

Key Length: 32 bytes

Encoding: Base64

webappservices-continuation-token

Field: encryptionKey

Key Type: AEAD

Key Length: 32 bytes

Encoding: Base64

webserver-session

Field: encryptionKey

Key Type: AES-128

Encoding: Base64

Field: signatureKey

Key Type: SHA-256

Encoding: Base64
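
The length and format rules stated under Whitelisted API Keys, Whitelisted API Key Hashes and Encryption Keys can be checked before the secrets are created. The following is an added example, not NI code: the function names and the "secret/field" naming are hypothetical, and the RSA keys and signatureKey are left out because this page gives no length for them.

```python
import base64
import binascii
import re
import secrets

# Decoded lengths in bytes per the key types above (AES-256 = 32, AES-128 = 16, AEAD = 32).
KEY_BYTES = {
    "fileingestionservices-encryption-key/encryptionKey": 32,
    "fileingestionservices-download-encryption-key/encryptionKey": 32,
    "systemsmanagementservice-dataprotection/aesKey": 16,
    "systemsstateservice-dataprotection/aesKey": 16,
    "taghistorian-continuation-token/encryptionKey": 32,
    "userservices-continuation-token/encryptionKey": 32,
    "webappservices-continuation-token/encryptionKey": 32,
    "webserver-session/encryptionKey": 16,
}
API_KEY_BYTES = 42  # field apiKey of every *-apikey secret
SHA512_HEX = re.compile(r"[0-9A-Fa-f]{128}")  # 64-byte digest written in hex

def new_key(size):
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")  # OS CSPRNG

def key_problem(text, size):
    """Return None if text is strict Base64 for exactly size bytes, else a reason."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return "not valid Base64 (stray newline or whitespace?)"
    if len(raw) != size:
        return f"decodes to {len(raw)} bytes, expected {size}"
    return None

def audit(values):
    """Return {name: reason} for each KEY_BYTES entry that is missing or malformed."""
    found = {n: key_problem(values[n], s) if n in values else "missing"
             for n, s in KEY_BYTES.items()}
    return {n: reason for n, reason in found.items() if reason}

def hash_list_problems(value):
    """Check a whitelistedApiKeyHashes string against the format stated above."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if value.endswith(","):
        problems.append("trailing delimiter")
    for i, entry in enumerate(value.rstrip(",").split(","), 1):
        if not SHA512_HEX.fullmatch(entry.strip()):
            problems.append(f"entry {i} is not a 128-character hex SHA-512 hash")
    return problems
```

A value that was Base64-encoded twice shows up in key_problem as a length mismatch, for example 44 bytes where 32 are expected.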

Dremio Credentials

Secret Details
nidataframe-dremio-credentials: Has the following fields.
  • username: A user name used to access the Dremio instance.
  • password: A password used to access the Dremio instance.

Grafana Credentials

Secret Details
grafana-login: Defines an admin user for Grafana with the following fields.
  • admin-user: A user name.
  • admin-password: The password for admin-user.

MongoDB Credentials

All MongoDB instances store credentials in a secret with the following fields.
Note: If you have your own MongoDB instance, you only have to populate mongodb-connection-string.
  • mongodb-root-password: A password that grants root access to the database cluster.
  • mongodb-passwords: An array of passwords that each grant full access to an individual database. These passwords cannot contain commas or any reserved characters as defined by the IETF URL specification.
    Note: Separate passwords with commas. Do not include whitespace or a trailing delimiter. For example: password1,password2. All MongoDB credential secrets except userservices-mongodb-credentials and saltmaster-mongodb-credentials require one password.
  • mongodb-replica-set-key: A key used to authenticate nodes in a MongoDB replica set.
  • mongodb-connection-string: The connection string, including credentials, for authentication to the MongoDB database.
Secret Details
assetservice-mongodb-credentials
fileingestionservices-mongodb-credentials
locationservice-mongodb-credentials
nbexecservice-mongodb-credentials
nicomments-mongodb-credentials
nidataframe-mongodb-credentials
nispecificationmanagement-mongodb-credentials: Optional installation
niworkorder-mongodb-credentials: Optional installation
notification-mongodb-credentials
repositoryservice-mongodb-credentials
routines-mongodb-credentials
routinescheduletrigger-mongodb-credentials
systemsmanagementservice-mongodb-credentials
systemsstateservice-mongodb-credentials
saltmaster-mongodb-credentials: Requires two mongodb-passwords: a password for the minions and a password for the pillars databases in that order.
taghistoriandb-mongodb-credentials
tags-mongodb-credentials
userdata-mongodb-credentials
userservices-mongodb-credentials: Requires two mongodb-passwords: a password for the user and a password for the keys databases in that order.
webappservices-mongodb-credentials
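
The mongodb-passwords rules above (comma-separated, no whitespace, no trailing delimiter, no reserved characters, one or two passwords depending on the secret) can be checked with a short script. This is an added example, not NI code: the function name and the "database" label are hypothetical, and "reserved characters" is read here as the RFC 3986 reserved set, which is an assumption.

```python
import re

# Secrets that this page says need two passwords, in this order.
TWO_PASSWORDS = {
    "userservices-mongodb-credentials": ("user", "keys"),
    "saltmaster-mongodb-credentials": ("minions", "pillars"),
}
# Assumption: "reserved characters" means the RFC 3986 reserved set
# (gen-delims and sub-delims); the comma is part of it.
RESERVED = set(":/?#[]@!$&'()*+,;=")

def mongodb_password_problems(secret_name, value):
    """Check a mongodb-passwords value for secret_name; return a list of problems."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if value.endswith(","):
        problems.append("trailing delimiter")
        value = value.rstrip(",")
    # Every other secret takes a single password ("database" is a placeholder label).
    databases = TWO_PASSWORDS.get(secret_name, ("database",))
    passwords = value.split(",")
    if len(passwords) != len(databases):
        # A comma inside a password cannot be told apart from a separator,
        # so it surfaces here as a count mismatch.
        problems.append(
            f"expected {len(databases)} password(s), found {len(passwords)}")
    for label, password in zip(databases, passwords):
        if not password.strip():
            problems.append(f"{label}: empty password")
        bad = sorted(set(password) & RESERVED)
        if bad:
            problems.append(f"{label}: reserved characters {''.join(bad)}")
    return problems
```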

PostgreSQL Credentials

Secret Details
dashboardhost-postgres-secrets: Has the following fields.
  • host: The host name of the PostgreSQL server.
  • user: A PostgreSQL user name.
  • password: The password for user.
testmonitorservicedb-connection: Has one of two forms, depending on whether the database connection has been defined with a connection string or as parameters.
The connection string form has the following field.
  • connection-string: A PostgreSQL connection string.
The connection parameters form has the following field.
  • password: A password for the user defined by the testmonitorservice.database.connectionInfo.user value.

Proxy Server Credentials

Secret Details
webserver-proxy-credentials: Credentials for authenticating with a proxy server for access to an OpenID Connect provider. This secret has the following fields.
  • username: The user name for the proxy server.
  • password: The password for username.

RabbitMQ Credentials

Secret Details
rabbitmq-user: Credentials for authenticating with the RabbitMQ instance. This secret has the following fields.
  • rabbitmq-user: A user name.
  • rabbitmq-password: Password for rabbitmq-user.
rabbitmq-erlang-cookie: An Erlang cookie value. This secret has a single field.
  • rabbitmq-erlang-cookie: The Erlang cookie value.

Redis Credentials

Secret Details
webserver-redis-credentials: Has the following field.
  • password: Password used to access the Redis database.

S3 Credentials

Note: A SystemLink Enterprise configuration requires the following secrets when using an Amazon S3 or an Amazon S3 compatible file storage provider.
Secret Details
feeds-s3-credentials: Has the following fields.
  • aws-access-key-id: A user name or S3 access key ID for S3 access.
  • aws-secret-access-key: A password or S3 access key ID for S3 access.
fileingestion-s3-credentials: Has the following fields.
  • aws-access-key-id: A user name or S3 access key ID for S3 access.
  • aws-secret-access-key: A password or S3 access key ID for S3 access.
nbexecservice-s3-credentials: Has the following fields.
  • aws-access-key-id: A user name or S3 access key ID for S3 access.
  • aws-secret-access-key: A password or S3 access key ID for S3 access.
nidataframe-s3-credentials: Has the following fields.
  • access-key-id: A user name or S3 access key ID for S3 access.
  • secret-access-key: A password or S3 access key ID for S3 access.

Azure Storage Credentials

Note: A SystemLink Enterprise configuration requires the following secrets when using an Azure Storage file storage provider.
Secret Details
feeds-azure-credentials: Has the following fields.
  • azure-secret-access-key: A shared access key for the Azure Storage account linked to the Feed Service.
files-azure-credentials: Has the following fields.
  • azure-secret-access-key: A shared access key for the Azure Storage account linked to the File Ingestion Service.
nbexecservice-azure-credentials: Has the following fields.
  • azure-secret-access-key: A shared access key for the Azure Storage account linked to the Notebook Execution Service.
nidataframe-azure-credentials: Has the following fields.
  • azure-secret-access-key: A shared access key for the Azure Storage account linked to the DataFrame Service.

SMTP Credentials

Secret Details
smtp-server-credentials: Has the following fields.
  • username: User name for the SMTP server.
  • password: Password for the SMTP server.
Required only if smtp.smtpServer.host is configured and smtp.smtpServer.requireAuthentication is true.