Bootstrapping Authorization Server Credentials and Secrets(4.2)

Prior to installation, the system must be bootstrapped with certain authorization server credentials and secrets. There are a few alternative ways to perform this task.

Authorization Server Credentials

The authorization server credentials can be provided to the system in the following ways:

Manually creating a Kubernetes Secret in advance, followed by helm install command without having to set the keystore, username and passsword.
Run the helm install command, passing all the credentials as Helm values.

These options are explained in the following sections.

Necessary authorization server credentials for Secret or Helm, respectively, are listed in the table. These credentials need to be provided before installation can complete:

Secret Parameter	Helm Parameter	Description

Secret Parameter	Helm Parameter	Description
managementApiUsername	authorizationServer.management-api.username	HTTP Basic Authentication Username
managementApiPassword	authorizationServer.management-api.password	HTTP Basic Authentication Password
jwtKeystore	authorizationServer.jwt.keystore	Secret Parameter - File path of a keystore encoded in Base64 format Helm Parameter - File path of a keystore
jwtKeyId	authorizationServer.jwt.key-id	Alias of the RSA private/public key pair used for JWT
jwtKeyPassword	authorizationServer.jwt.key-password	Password of the RSA private/public key pair used for JWT
jwtKeystorePassword	authorizationServer.jwt.keystore-password	Password of the keystore

Kubernetes Secret

Credentials can be written into a Secret object, which must be named authorization-server-secrets prior to installation.

kubectl create secret generic authorization-server-secrets --namespace <namespace> \
--from-literal=managementApiUsername=<username> \
--from-literal=managementApiPassword=<password> \
--from-file=jwtKeystore=<keystore file path> \
--from-literal=jwtKeyId=<id> \
--from-literal=jwtKeyPassword=<password> \
--from-literal=jwtKeystorePassword=<password>

Helm Values

helm upgrade <installation name> --install ue-internal/usage-engine-private-edition --version <helm chart version> --set "global.imagePullSecrets[0].name=ecrcred" \
--set persistence.enabled=true \
--set environment=docker-desktop \
--set operator.installCRDs=false \
--set authorizationServer.enabled=true

helm upgrade <installation name> --install ue-internal/usage-engine-private-edition --version <helm chart version> --set "global.imagePullSecrets[0].name=ecrcred" \
--set persistence.enabled=true \
--set environment=docker-desktop \
--set operator.installCRDs=false \
--set authorizationServer.enabled=true \
--set-file authorizationServer.jwt.keystore=<keystore file path encoded in Base64 format> \
--set authorizationServer.jwt.key-id=<id> \
--set authorizationServer.jwt.key-password=<password> \
--set authorizationServer.jwt.keystore-password=<password> \
--set authorizationServer.management-api.username=<username> \
--set authorizationServer.management-api.password=<password>

Keystore file can be encoded in Base64 format with the following command:

Random

If neither Secret nor Helm values are used to provide managementApiPassword credentials, the required values are automatically populated with random data. For users with access rights, the randomized credentials can be retrieved by doing:

The values are stored base64 encoded and need to be decoded to be viewed.

If authorization-server-secrets exists, its secret value will be utilized.
When the --set option is used with the helm command, the specified value will overwrite the existing secret, if one exists.
If neither the secret nor the specified Helm values exist, the installation will fail.