Add Custom GitHub secrets to Kubernetes

GitHub secrets are widely used to store sensitive information for CI/CD and runtime. Examples of such secrets are DockerHub credentials, a disk encryption key, Kibana credentials, and Postgres and Elasticsearch admin passwords.

GitHub secrets are grouped per environment and at the repository level; a secret defined for an environment overrides the value defined at the repository level.

Default secrets mapping

The OpenCRVS Helm chart stores database connection properties and other sensitive data, such as SMTP configuration and backup credentials, as Kubernetes secrets.

See the following link for the default secrets specification: Authentication configuration (Helm chart README.md)

SMTP secret mapping example

The country config image requires SMTP server configuration for sending emails. The following environment variables are required by the container:

  • SENDER_EMAIL_ADDRESS

  • SMTP_HOST

  • SMTP_PASSWORD

  • SMTP_PORT

  • SMTP_SECURE

  • SMTP_USERNAME

  • ALERT_EMAIL

The full description is in 4.3.1.1 Environment secrets and variables explained.

Steps to add GitHub secrets to Kubernetes

  1. Create the required variables in GitHub. For example, if you need SMTP configuration, make sure all variables from the list above are present at the GitHub environment or repository level.

    Example: email server secrets defined for the QA environment
  2. Map the GitHub secrets to the respective Kubernetes secret or secrets by defining the secret in a mapping file. One Kubernetes secret may contain multiple GitHub secrets as keys. It is reasonable to store all SMTP secrets in one Kubernetes secret, smtp-config:

    1. For mapping secrets in dependencies: .github/TEMPLATES/secret-mapping-opencrvs-deps.yml

    2. For mapping secrets in OpenCRVS: .github/TEMPLATES/secret-mapping-opencrvs.yml

  3. Map values from the secret to the particular container in the Helm chart values. See the documentation for more information: Mapping secrets (Helm chart README.md)
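The outcome of steps 1 and 2 for the SMTP case, as an added example that is not part of the OpenCRVS project or its mapping-file format: a POSIX shell snippet that checks all seven SMTP variables are present (as a CI job would after reading them from GitHub secrets) and renders them into a single Kubernetes Secret named smtp-config. The namespace argument and the function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not OpenCRVS project code. The seven keys are the variables
# the country config container requires; the secret name smtp-config matches
# the one suggested on this page.
SMTP_KEYS="SENDER_EMAIL_ADDRESS SMTP_HOST SMTP_PASSWORD SMTP_PORT SMTP_SECURE SMTP_USERNAME ALERT_EMAIL"

# check_smtp_vars: fail (return 1) and name every missing or empty variable,
# so an incomplete GitHub secret set is caught before anything is deployed.
check_smtp_vars() {
  missing=""
  for k in $SMTP_KEYS; do
    eval "v=\${$k:-}"
    [ -n "$v" ] || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    echo "missing GitHub secrets:$missing" >&2
    return 1
  fi
  return 0
}

# smtp_secret_manifest NAMESPACE: print an Opaque Secret manifest with one
# base64-encoded data key per SMTP variable. Pipe it straight into
# `kubectl apply -f -` rather than writing it to disk, so plaintext
# credentials never land in the job workspace or the build log.
smtp_secret_manifest() {
  check_smtp_vars || return 1
  ns="${1:-default}"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: smtp-config\n  namespace: %s\ntype: Opaque\ndata:\n' "$ns"
  for k in $SMTP_KEYS; do
    eval "v=\${$k}"
    printf '  %s: %s\n' "$k" "$(printf '%s' "$v" | base64 | tr -d '\n')"
  done
}

# Usage: export the seven variables, then
#   smtp_secret_manifest opencrvs-qa | kubectl apply -f -
```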
