4.3.4.1 Environment secrets and variables explained

Global repository secrets

| Parameter | Description |
| --- | --- |
| DOCKER_USERNAME | Your Docker Hub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately. |
| DOCKER_TOKEN | Your Docker Hub access token. |
| DOCKERHUB_ACCOUNT | The name of your Docker Hub account or organisation that forms the part of the URL to your country config docker image on Docker Hub before the slash, e.g. opencrvs |
| DOCKERHUB_REPO | The name of your Docker Hub repository that forms the part of the URL to your country config docker image on Docker Hub after the slash, e.g. ocrvs-farajaland |
| GH_TOKEN | The personal GitHub Token used in all Action runners. |
| GH_ENCRYPTION_PASSWORD | Using the GitHub Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE. |

Environment secrets

| Secret | Description |
| --- | --- |
| BACKUP_ENCRYPTION_PASSPHRASE | The password used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the backup server. Use this passphrase to decrypt the backups. |
| ELASTICSEARCH_SUPERUSER_PASSWORD | The Elasticsearch superuser password. You can also use this to log in to Kibana with the username "elastic", which gives you superuser Elastic privileges. Kibana URL: https://kibana.<your_domain> |
| KIBANA_USERNAME | A username for a regular Kibana user to log in and monitor OpenCRVS stack health. Useful for developers as this user will have no superuser privileges. |
| KIBANA_PASSWORD | A password for a regular Kibana user to log in and monitor OpenCRVS stack health. |
| MONGODB_ADMIN_USER | The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data. |
| MONGODB_ADMIN_PASSWORD | The MongoDB superuser admin password. |
| MINIO_ROOT_USER | A username for a MinIO superuser admin to log in to the MinIO console to view supporting document attachments submitted during registrations. https://minio-console.<your_domain> |
| MINIO_ROOT_PASSWORD | A password for a MinIO superuser admin. |
| SMTP_HOST | |
| SMTP_PORT | |
| SMTP_USERNAME | |
| SMTP_PASSWORD | |
| SMTP_SECURE | Whether or not your SMTP port requires TLS. |
| ALERT_EMAIL | Email address or Slack channel address to send system technical alerts to. |
| SENDER_EMAIL_ADDRESS | The sender email address that appears in all emails will need to be configured. |
| SSH_KEY | This is a copy of the id_rsa file for the SSH Key, not the id_rsa.pub! |
| SSH_USER | Equal to "provision" |
| OPENCRVS_METABASE_ADMIN_EMAIL | Email address for Metabase admin panel login. |
| OPENCRVS_METABASE_ADMIN_PASSWORD | Password for Metabase admin panel login. |

Environment variables

| Variable | Description |
| --- | --- |
| REPLICAS | The number of replicas: 1, 2, 3 or 5 depending on how many servers are in the environment cluster. |
| DOMAIN | The host domain name (without www!) for your environment. |
| CONTENT_SECURITY_POLICY_WILDCARD | This string is supplied to the clients and nginx config and allows the format of your domain above to be configured for CORS purposes. |
| ACTIVATE_USERS | Whether seeded users are immediately active, using a test password and six zeros as the 2-factor auth code. Always false in production and staging. |
| AUTH_HOST, CLIENT_APP_URL, COUNTRY_CONFIG_HOST, GATEWAY_HOST, LOGIN_URL | URLs passed to docker-compose to support internal microservice comms. |
| DISK_SPACE | The amount of disk space set aside for encrypted PII data stored by OpenCRVS. |
| NOTIFICATION_TRANSPORT | A prop which can be used to configure either Email or SMS for staff and beneficiary comms, or potentially both. |
| SSH_HOST, SSH_PORT, SSH_ARGS | Arguments that are passed to the SSH command to access the server as the provision user. |
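
A pre-deploy check for the constraints stated for REPLICAS, DOMAIN, ACTIVATE_USERS, SSH_USER and SSH_KEY, as an added example that is not part of the OpenCRVS documentation or code base. It assumes the values are exposed to the shell as environment variables of the same names; `ENVIRONMENT` and `lint_opencrvs_env` are hypothetical names, and the sample values are constructed.

```shell
#!/bin/sh
# Prints one FAIL line per violated constraint and returns non-zero if any.
# Secret values are never echoed. ENVIRONMENT is a hypothetical variable
# naming the target environment (production, staging, ...).
lint_opencrvs_env() {
  problems=0
  fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

  # REPLICAS: 1, 2, 3 or 5 depending on cluster size.
  case "${REPLICAS:-}" in
    1|2|3|5) ;;
    *) fail "REPLICAS must be 1, 2, 3 or 5" ;;
  esac

  # DOMAIN: host domain name without www.
  case "${DOMAIN:-}" in
    "") fail "DOMAIN is empty" ;;
    www.*|WWW.*) fail "DOMAIN must not start with www" ;;
  esac

  # ACTIVATE_USERS: always false in production and staging.
  case "${ENVIRONMENT:-}" in
    production|staging)
      [ "${ACTIVATE_USERS:-}" = "false" ] ||
        fail "ACTIVATE_USERS must be false in $ENVIRONMENT" ;;
  esac

  # SSH_USER: equal to "provision".
  [ "${SSH_USER:-}" = "provision" ] || fail "SSH_USER must be provision"

  # SSH_KEY: the private key (id_rsa), not the id_rsa.pub content.
  case "${SSH_KEY:-}" in
    "-----BEGIN "*"PRIVATE KEY-----"*) ;;
    ssh-*|ecdsa-*) fail "SSH_KEY holds a public key (id_rsa.pub)" ;;
    *) fail "SSH_KEY is not a PEM/OpenSSH private key" ;;
  esac

  [ "$problems" -eq 0 ]
}

# Constructed sample: a staging environment with four mistakes.
( ENVIRONMENT=staging REPLICAS=4 DOMAIN=www.example.org ACTIVATE_USERS=true \
  SSH_USER=provision SSH_KEY='ssh-rsa AAAAconstructed user@host' \
  lint_opencrvs_env ) || true
```

Run as an early step of a deployment job, a non-zero return stops the workflow before any SSH connection is attempted.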

Optional environment secrets

| Parameter | Description |
| --- | --- |
| SENTRY_DSN | OpenCRVS can report application errors to Sentry in order to help you debug any issues in production. |