
Using a Database: Secrets

Jason Shaw edited this page Jun 28, 2023 · 7 revisions

If you have decided to use a remote DB and have followed the steps in the Using a Database Server or Service section, you can store the DB credentials in a Kubernetes Secret and reference that secret in your Turbonomic Custom Resource.

This section describes how to use Opaque-type Kubernetes Secrets to store the database credentials required to connect to a remote DB. If you would like information on how to leverage a webhook injection method that supports Kubernetes Secrets, refer to the online documentation here. By default, the Turbonomic deployment looks for the db-credentials secret first.

There are several ways to configure the Turbonomic deployment to read DB credentials from Kubernetes Secrets. Which one works best for you depends on how you have configured access to your remote DB.

SCENARIO 1: Single DB User with Default Application Users

This use case applies to any of the following DB services, where the user lets the Turbonomic application manage its own application DB users:

  • Allow Turbonomic to create application users with the default password
    • AWS RDS services of MariaDB, MySQL
    • Google Cloud Storage services of MySQL
    • Bring your own MariaDB and MySQL server

In this scenario, the Turbonomic configuration only needs to supply:

  • DB Service endpoint
  • Connection properties regarding MySQL dialect, secure access and port
  • Global credentials of:
    • DB Root User

The global credentials are placed in a k8s secret, and the name of that secret is referenced in the Turbo Custom Resource.

Step 1: Create the Global User k8s Secret

The example uses the stringData field, which lets you enter the contents in plain text; Kubernetes base64-encodes them when you create the secret on the cluster.

Contents of global-secret.yaml showing the stringData format for db-creds:

apiVersion: v1
kind: Secret
metadata:
  name: globaldb
type: Opaque
stringData:
  db-creds: |-
    username: 'yourDBUser'
    password: 'yourUncodedDBUserPassword'

where:

  • username = DBRootUsername
  • password = DBRootPassword
    • Must be plain text
  • name of the secret can be anything, as long as it’s the same as in the Custom Resource

Step 2: Apply the secret

Apply the secret to the Turbonomic namespace prior to deploying Turbonomic:

kubectl create -f global-secret.yaml -n turbonomic

Step 3: With a remote DB, create the empty application databases

Even with a single global DB user, you still need to pre-create the empty application databases when using a remote DB. Connect to your database as a DB admin user and run the following:

create database action;
create database auth;
create database clustermgr;
create database cost;
create database group_component;
create database market;
create database plan;
create database repository;
create database suspend;
create database topology_processor;
create database vmtdb;

Step 4: Modify the Turbonomic Custom Resource to use the secret

In the custom resource yaml that deploys your Turbonomic instance, specify the secret this way:

global:
  externalDBName: yourDB.cloud.com
  dbSecretName: globaldb
properties:
  global:
    enableSecureDBConnection: true
    sqlDialect: MySQL

After you have specified all the other configuration required for your Turbo instance, apply the CR yaml.

SCENARIO 2: Specifying All Application Users

This use case applies when the user wants or needs to pre-create the application DB users and provide them to the Turbonomic deployment through the Custom Resource, for example:

  • to manage the passwords for app users (rather than using the default)
  • when usernames must specify the DB instance on a multi-tenant database server
  • Azure RDS services (MySQL, MariaDB), which require the username to specify the DB instance

In this scenario, the Turbonomic configuration needs to supply:

  • DB Service endpoint
  • Connection properties regarding MySQL dialect, secure access and port
  • Global credentials of:
    • DB Root User
    • DB Turbo Admin User
  • Application users for: action, auth, clustermgr, cost, group, market, plan orchestrator, repository, suspend, topology processor, and vmtdb (history).

Each DB user must be defined in its own Kubernetes Secret.

Step 1: Create the Global User k8s Secret

The example uses the stringData field, which lets you enter the contents in plain text; Kubernetes base64-encodes them when you create the secret on the cluster.

Contents of global-secret.yaml showing the stringData format for db-creds:

apiVersion: v1
kind: Secret
metadata:
  name: globaldb
type: Opaque
stringData:
  db-creds: |-
    username: 'yourDBUser'
    password: 'yourUncodedDBUserPassword'

where:

  • username = DBRootUsername
    • If required, the username will include the db name, e.g. turboadmin@mydb
  • password = DBRootPassword
    • Must be plain text
  • name of the secret can be anything, as long as it’s the same as in the Custom Resource

Step 2: Apply the secret

Apply the secret to the Turbonomic namespace prior to deploying Turbonomic:

kubectl create -f global-secret.yaml -n turbonomic

Step 3: Create the Application User Secrets

Each application user gets its own secret.

Contents of action.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: actiondb
type: Opaque
stringData:
  db-creds: |-
    username: 'yourActionDBUser'
    password: 'yourUnencodedActionDBUserPassword'

where:

  • username = app component username
    • If required, the username will include the db name, e.g. action@mydb
  • password = app component password
    • Must be plain text
  • name of the secret can be anything, as long as it’s the same as in the Custom Resource

Repeat this until you have defined a secret for each of the action, auth, clustermgr, cost, group, history, plan-orchestrator, repository and topology-processor components.

Step 4: Apply all secrets

Apply all the secrets to the Turbonomic namespace prior to deploying Turbo. There will be 9 app secrets + 1 global = 10 in total. For example:

kubectl create -f action.yaml -n turbonomic

Step 5: Modify the Turbonomic Custom Resource to use the secrets

In the custom resource yaml that deploys your Turbonomic instance, specify the secrets this way:

global:
  externalDBName: yourDB.cloud.com
  dbSecretName: globaldb
properties:
  global:
    enableSecureDBConnection: true
    sqlDialect: MySQL
  action-orchestrator:
    dbSecretName: actiondb
  auth:
    dbSecretName: authdb
  clustermgr:
    dbSecretName: clustermgrdb
  cost:
    dbSecretName: costdb
  group:
    dbSecretName: groupdb
  history:
    dbSecretName: historydb
  market:
    dbSecretName: marketdb
  plan-orchestrator:
    dbSecretName: plandb
  topology-processor:
    dbSecretName: topodb
  repository:
    dbSecretName: repodb
  suspend:
    dbSecretName: suspenddb

NOTE: if you already have other properties defined for these components, you must merge the dbSecretName entries into those existing blocks rather than repeating the component keys. After you have specified all the other configuration required for your Turbo instance, apply the CR yaml.
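As an added example, not code from this wiki or from the t8c-install project, the shell script below generates one manifest per secret in the db-creds/stringData layout used in both Scenario 1 and Scenario 2, and then cross-checks every dbSecretName in a Custom Resource against the generated manifests before anything is applied, so a typo in a secret name is caught before the deployment starts and fails to find it. The function names, the input format (one `secret-name username password` triple per line, read from a file you keep at mode 0600 and out of version control) and the sample values are all assumptions made for this example.

```shell
#!/bin/sh
# Added example for this wiki page; helper names are hypothetical, not part of t8c-install.
# Input: "secret_name username password" triples, one per line, on stdin.
# Passwords must not contain whitespace in this simple format.

# Emit an Opaque Secret manifest in the db-creds / stringData layout shown above.
# Single quotes inside a value are doubled, which is how a YAML single-quoted
# scalar escapes them, so a password such as  Act'Pass  survives intact.
make_db_secret() {
  secret_name=$1
  db_user=$(printf '%s' "$2" | sed "s/'/''/g")
  db_password=$(printf '%s' "$3" | sed "s/'/''/g")
  printf '%s\n' \
    "apiVersion: v1" \
    "kind: Secret" \
    "metadata:" \
    "  name: ${secret_name}" \
    "type: Opaque" \
    "stringData:" \
    "  db-creds: |-" \
    "    username: '${db_user}'" \
    "    password: '${db_password}'"
}

# Read triples from stdin and write <outdir>/<secret_name>.yaml for each one.
# The subshell keeps the restrictive umask local: the files hold plain-text
# passwords, so they are created owner-readable only.
write_secret_files() {
  outdir=$1
  (
    umask 077
    while read -r name user pass; do
      [ -n "$name" ] || continue
      make_db_secret "$name" "$user" "$pass" > "$outdir/$name.yaml"
    done
  )
}

# Print every dbSecretName referenced by the Custom Resource in $1 that has no
# manifest in $2. Returns 1 if any are missing, so it can gate the apply step.
missing_secret_refs() {
  cr_file=$1
  outdir=$2
  missing=0
  for ref in $(sed -n 's/^[[:space:]]*dbSecretName:[[:space:]]*//p' "$cr_file"); do
    if [ ! -f "$outdir/$ref.yaml" ]; then
      echo "$ref"
      missing=1
    fi
  done
  return $missing
}

# Apply all generated manifests to the namespace (only after the check passes).
apply_secrets() {
  outdir=$1
  namespace=$2
  for f in "$outdir"/*.yaml; do
    kubectl create -f "$f" -n "$namespace"
  done
}

# Typical run (not executed by the test below):
#   mkdir -p ./secrets
#   write_secret_files ./secrets < db-credentials.txt
#   missing_secret_refs turbonomic-cr.yaml ./secrets && apply_secrets ./secrets turbonomic
```

The check only recognises the `dbSecretName` key, so a component block that spells the key differently will not be matched and its secret will never be validated; keep the key consistent across all component blocks in the CR.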

Kubernetes Secrets: Additional Information

More information about secrets can be found here. The examples above created secrets from config files using the stringData field.

Encoding credentials

Opaque type secrets can also take values in the data field that are already base64-encoded. Produce the encoded value by running the following command in a Linux / macOS environment:

echo -n 'yourCredential' | base64

and place the output in your config file.
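The following shell functions, added here as an example rather than taken from the wiki, produce the base64 form for a Secret's data field and verify it by decoding it again. They also show how the one-liner above can go wrong: without `-n`, `echo` appends a newline that gets encoded into the password (and in dash, the `/bin/sh` on Debian-based systems, `echo -n` prints a literal `-n` instead), while GNU base64 wraps output longer than 76 characters, which breaks a long value once it is pasted into a manifest. The function names and sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of t8c-install.

# Encode a credential for a Secret's `data:` field. printf '%s' adds no trailing
# newline (unlike echo without -n), and tr removes the line wrapping that GNU
# base64 inserts after 76 characters, so long values stay on one line.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a value back to plain text, which is what the pod will actually receive.
b64dec() {
  printf '%s' "$1" | base64 --decode
}

# Number of bytes the cluster would hand the container for an encoded value.
decoded_len() {
  b64dec "$1" | wc -c | tr -d ' '
}

# Return 0 when encode -> decode reproduces the input exactly; run this on every
# value before it goes into a manifest.
roundtrip_ok() {
  [ "$(b64dec "$(b64enc "$1")")" = "$1" ]
}

# Encode the whole two-line db-creds blob from the stringData examples above, so
# the same secret can be written in the data: form:
#   data:
#     db-creds: <output of this function>
encode_db_creds() {
  printf "username: '%s'\npassword: '%s'" "$1" "$2" | base64 | tr -d '\n'
}

# The newline pitfall, for reference:
#   b64enc 'yourCredential'          -> eW91ckNyZWRlbnRpYWw=   (14 bytes decoded)
#   echo 'yourCredential' | base64   -> eW91ckNyZWRlbnRpYWwK   (15 bytes decoded)
```

Whichever form you use, base64 is an encoding rather than encryption: anyone who can read the Secret object can recover the password with `base64 --decode`, so access to the turbonomic namespace's secrets still has to be restricted through RBAC.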