4.3.4.1 Environment secrets and variables explained

Global repository secrets

Parameter	Description
DOCKER_USERNAME	Your Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately.
DOCKER_TOKEN	Your Dockerhub access token.
DOCKERHUB_ACCOUNT	The name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub before the slash. e.g: opencrvs
DOCKERHUB_REPO	The name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub after the slash.. e.g. ocrvs-farajaland
GH_TOKEN	The personal Github Token used in all Action runners.
GH_ENCRYPTION_PASSWORD	Using the Github Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE.

Parameter

Description

DOCKER_USERNAME

Your Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml appropriately.

DOCKER_TOKEN

Your Dockerhub access token.

DOCKERHUB_ACCOUNT

The name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub before the slash. e.g: opencrvs

DOCKERHUB_REPO

The name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub after the slash.. e.g. ocrvs-farajaland

GH_TOKEN

The personal Github Token used in all Action runners.

GH_ENCRYPTION_PASSWORD

Using the Github Token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE.

Environment secrets

Secret	Description
BACKUP_ENCRYPTION_PASSPHRASE	This is the password that is used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the backup server. Use this passphrase to decrypt the backups.
ELASTICSEARCH_SUPERUSER_PASSWORD	The Elasticsearch superuser password. You can also use this to login to Kibana with the username "elastic" and you have superuser Elastic privileges. Kibana URL: https://kibana.<your_domain>
KIBANA_USERNAME	A username for a regular Kibana user to login and monitor OpenCRVS stack health. Useful for developers as this user will have no superuser privileges.
KIBANA_PASSWORD	A password for a regular Kibana user to login and monitor OpenCRVS stack health
MONGODB_ADMIN_USER	The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data
MONGODB_ADMIN_PASSWORD	The MongoDB superuser admin password.
MINIO_ROOT_USER	A username for a Minio superuser admin to login to the Minio console to view supporting document attachments submitted during registrations. https://minio-console.<your_domain>
MINIO_ROOT_PASSWORD	A password for a Minio superuser admin
SMTP_HOST
SMTP_PORT
SMTP_USERNAME
SMTP_PASSWORD
SMTP_SECURE	Whether or not your SMTP port requires TLS
ALERT_EMAIL	Email address or Slack channel address to send system technical alerts to.
SENDER_EMAIL_ADDRESS	The sender email address that appears in all emails will need to be configured.
SSH_KEY	This is a copy of the id_rsa file for the SSH Key, not the id_rsa.pub!
SSH_USER	Equal to "provision"
OPENCRVS_METABASE_ADMIN_EMAIL	Email address for metabase admin panel login
OPENCRVS_METABASE_ADMIN_PASSWORD	Password for metabase admin panel login

Secret

Description

BACKUP_ENCRYPTION_PASSPHRASE

This is the password that is used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the backup server. Use this passphrase to decrypt the backups.

ELASTICSEARCH_SUPERUSER_PASSWORD

The Elasticsearch superuser password. You can also use this to login to Kibana with the username "elastic" and you have superuser Elastic privileges. Kibana URL: https://kibana.<your_domain>

KIBANA_USERNAME

A username for a regular Kibana user to login and monitor OpenCRVS stack health. Useful for developers as this user will have no superuser privileges.

KIBANA_PASSWORD

A password for a regular Kibana user to login and monitor OpenCRVS stack health

MONGODB_ADMIN_USER

The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data

MONGODB_ADMIN_PASSWORD

The MongoDB superuser admin password.

MINIO_ROOT_USER

A username for a Minio superuser admin to login to the Minio console to view supporting document attachments submitted during registrations. https://minio-console.<your_domain>

MINIO_ROOT_PASSWORD

A password for a Minio superuser admin

SMTP_HOST

SMTP_PORT

SMTP_USERNAME

SMTP_PASSWORD

SMTP_SECURE

Whether or not your SMTP port requires TLS

ALERT_EMAIL

Email address or Slack channel address to send system technical alerts to.

SENDER_EMAIL_ADDRESS

The sender email address that appears in all emails will need to be configured.

SSH_KEY

This is a copy of the id_rsa file for the SSH Key, not the id_rsa.pub!

SSH_USER

Equal to "provision"

OPENCRVS_METABASE_ADMIN_EMAIL

Email address for metabase admin panel login

OPENCRVS_METABASE_ADMIN_PASSWORD

Password for metabase admin panel login

Environment variables

Variable	Description
REPLICAS	The number of replicas: 1, 2, 3 or 5 depending on how many servers are in the environment cluster
DOMAIN	The host domain name (without www!) for your environment.
CONTENT_SECURITY_POLICY_WILDCARD	This string is supplied to the clients and nginx config and ensures that the format of your domain above can be configurable for CORS purposes.
ACTIVATE_USERS	When users are seeded, are they immediately active using a test password and six zeros as a 2-Factor auth code. Always false in production and staging.
AUTH_HOST, CLIENT_APP_URL, COUNTRY_CONFIG_HOST, GATEWAY_HOST, LOGIN_URL	URLs passed to docker-compose to support internal microservice comms.
DISK_SPACE	The amount of disk space set aside for encrypted PII data stored by OpenCRVS
NOTIFICATION_TRANSPORT	A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both.
SSH_HOST, SSH_PORT, SSH_ARGS	Arguments that are passed to the SSH command to access the server as the provision user

Variable

Description

REPLICAS

The number of replicas: 1, 2, 3 or 5 depending on how many servers are in the environment cluster

DOMAIN

The host domain name (without www!) for your environment.

CONTENT_SECURITY_POLICY_WILDCARD

This string is supplied to the clients and nginx config and ensures that the format of your domain above can be configurable for CORS purposes.

ACTIVATE_USERS

When users are seeded, are they immediately active using a test password and six zeros as a 2-Factor auth code. Always false in production and staging.

AUTH_HOST, CLIENT_APP_URL, COUNTRY_CONFIG_HOST, GATEWAY_HOST, LOGIN_URL

URLs passed to docker-compose to support internal microservice comms.

DISK_SPACE

The amount of disk space set aside for encrypted PII data stored by OpenCRVS

NOTIFICATION_TRANSPORT

A prop which can be used to configure either Email or SMS for staff and beneficiary comms or potentially both.

SSH_HOST, SSH_PORT, SSH_ARGS

Arguments that are passed to the SSH command to access the server as the provision user

Optional environment secrets

Parameter	Description
SENTRY_DSN	OpenCRVS can report application errors to Sentry in order to help you debug any issues in production.

Parameter

Description

SENTRY_DSN

OpenCRVS can report application errors to Sentry in order to help you debug any issues in production.

Previous4.3.4 Create a Github environment Next4.3.4.2 VPN Recipes

Last updated 9 days ago