Environment secrets and variables explained

Global repository secrets

| Parameter | Description |
|---|---|
| DOCKER_USERNAME | Your Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml in the OpenCRVS Countryconfig repository appropriately. NOTE: Dockerhub is used to store only OpenCRVS Countryconfig docker images. All Core images are stored in GitHub Packages. |
| DOCKER_TOKEN | Your Dockerhub access token. |
| DOCKERHUB_ACCOUNT | The name of your Dockerhub account or organisation that forms the part of the URL to your country config docker image on Dockerhub before the slash, e.g. opencrvs |
| DOCKERHUB_REPO | The name of your Dockerhub repository that forms the part of the URL to your country config docker image on Dockerhub after the slash, e.g. ocrvs-farajaland |
| GH_TOKEN | The personal GitHub token used in all Action runners. |
| GH_ENCRYPTION_PASSWORD | Using the GitHub token, a password is created that allows automated actions to access the secrets of other environments. This happens during provisioning so that the production, backup and staging environments share the same BACKUP_ENCRYPTION_PASSPHRASE. |

Global repository variables

| Variable | Description |
|---|---|
| GH_APPROVERS | List of GitHub accounts allowed to approve deployments to a particular environment. |

Environment secrets

| Secret | Description |
|---|---|
| ENCRYPTION_KEY | A password used to LUKS-encrypt the /data folder containing OpenCRVS data. |
| ELASTICSEARCH_SUPERUSER_PASSWORD | The Elasticsearch superuser password. You can also use it to log in to Kibana with the username "elastic", which gives you superuser Elastic privileges. Kibana URL: https://kibana.<your_domain> |
| KIBANA_USERNAME | A username for a regular Kibana user to log in and monitor OpenCRVS stack health. Useful for developers, as this user has no superuser privileges. |
| KIBANA_PASSWORD | A password for the regular Kibana user used to log in and monitor OpenCRVS stack health. |
| MONGODB_ADMIN_USER | The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data. |
| MONGODB_ADMIN_PASSWORD | The MongoDB superuser admin password. |
| MINIO_ROOT_USER | A username for a Minio superuser admin to log in to the Minio console and view supporting document attachments submitted during registrations. https://minio-console.<your_domain> |
| MINIO_ROOT_PASSWORD | A password for the Minio superuser admin. |
| SMTP_HOST | Hostname of the SMTP server used to send email. |
| SMTP_PORT | Port of the SMTP server. |
| SMTP_USERNAME | Username used to authenticate to the SMTP server. |
| SMTP_PASSWORD | Password used to authenticate to the SMTP server. |
| SMTP_SECURE | Whether or not your SMTP port requires TLS. |
| ALERT_EMAIL | Email address or Slack channel address to send system technical alerts to. |
| SENDER_EMAIL_ADDRESS | The sender email address that appears in all emails sent by the system. |
| OPENCRVS_METABASE_ADMIN_EMAIL | Email address for Metabase admin panel login. |
| OPENCRVS_METABASE_ADMIN_PASSWORD | Password for Metabase admin panel login. |

Environment variables

| Variable | Description |
|---|---|
| DOMAIN | The host domain name (without www!) for your environment. |
| CONTENT_SECURITY_POLICY_WILDCARD | This string is supplied to the clients and the nginx config and ensures that the format of the domain above is configurable for CORS purposes. |
| ACTIVATE_USERS | Whether seeded users are immediately active, using a test password and six zeros as the 2-factor auth code. Always false in production and staging. |
| AUTH_HOST, CLIENT_APP_URL, COUNTRY_CONFIG_HOST, GATEWAY_HOST, LOGIN_URL | URLs passed to docker-compose to support internal microservice communication. |
| DISK_SPACE | The amount of disk space set aside for encrypted PII data stored by OpenCRVS. |
| NOTIFICATION_TRANSPORT | A property used to configure either email or SMS for staff and beneficiary communication, or potentially both. |
| KUBE_API_HOST | Kubernetes API host domain name or IP address. |
| WORKER_NODES | Comma-separated list of Kubernetes worker nodes, in case you are planning to set up a Kubernetes cluster with multiple nodes. This property can be left empty for a single-node setup, and worker nodes can be added later. |
| APPROVAL_REQUIRED | Makes approval required for this particular environment. If set to true, all GitHub workflows will ask for approval; otherwise the approval process is optional even with a defined GH_APPROVERS list. NOTE: the "Reset environment" workflow requires 3 approvals to proceed. This additional requirement was made for security reasons, so that a single person cannot decide on an environment reset alone. |

Optional environment secrets

| Parameter | Description |
|---|---|
| BACKUP_SERVER_USER | User used to upload backups; the user's home directory is used as the default path for backups. Used by the Kubernetes backup jobs. |
| BACKUP_ENCRYPTION_PASSPHRASE | Backup encryption passphrase, used only if backup is enabled. This is the password used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the backup server. Use this passphrase to decrypt the backups. |
| BACKUP_HOST_PUBLIC_KEY | SSH public key for BACKUP_SERVER_USER, used to authenticate the Kubernetes backup jobs on the backup server. |
| SENTRY_DSN | OpenCRVS can report application errors to Sentry to help you debug issues in production. |
| BACKUP_HOST_PRIVATE_KEY | SSH private key for BACKUP_SERVER_USER, used for authentication by the Kubernetes backup jobs. |

Optional environment variables

| Parameter | Description |
|---|---|
| BACKUP_HOST | Backup server. Define this property if you would like to manage the backup server as part of your environment. Check the Backup and restore section for more information on how to configure the backup server. Used by the Kubernetes backup jobs. |
| BACKUP_ENVIRONMENT_MODE | Backup environment mode (full or differential). |
| RESTORE_ENVIRONMENT_NAME | GitHub environment name used to configure restore on staging line environments. |
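The tables above state several constraints that are easy to get wrong when an environment is first populated: DOMAIN must not carry a www prefix, ACTIVATE_USERS must be false in production and staging, SMTP_SECURE and APPROVAL_REQUIRED are booleans, WORKER_NODES may be empty, and setting BACKUP_HOST only makes sense together with the backup user, keys and passphrase. The following script is an added example (not OpenCRVS code) that lints a name-to-value mapping of an environment's secrets and variables against those rules before a deployment workflow runs. All setting names are taken from this page; the sample values, the "example-value" placeholders and the check_environment/sample_settings function names are constructed for the example.

```python
"""Added example (not OpenCRVS code): lint a GitHub environment's secrets and
variables against the rules stated on this page before a deployment runs.
Setting names come from the page; sample values are constructed."""

REQUIRED_SECRETS = [
    "ENCRYPTION_KEY", "ELASTICSEARCH_SUPERUSER_PASSWORD",
    "KIBANA_USERNAME", "KIBANA_PASSWORD",
    "MONGODB_ADMIN_USER", "MONGODB_ADMIN_PASSWORD",
    "MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD",
    "SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD", "SMTP_SECURE",
    "ALERT_EMAIL", "SENDER_EMAIL_ADDRESS",
    "OPENCRVS_METABASE_ADMIN_EMAIL", "OPENCRVS_METABASE_ADMIN_PASSWORD",
]
REQUIRED_VARIABLES = [
    "DOMAIN", "CONTENT_SECURITY_POLICY_WILDCARD", "ACTIVATE_USERS",
    "AUTH_HOST", "CLIENT_APP_URL", "COUNTRY_CONFIG_HOST", "GATEWAY_HOST", "LOGIN_URL",
    "DISK_SPACE", "NOTIFICATION_TRANSPORT", "KUBE_API_HOST", "APPROVAL_REQUIRED",
]
# Setting BACKUP_HOST makes the other backup settings mandatory.
BACKUP_DEPENDENCIES = [
    "BACKUP_SERVER_USER", "BACKUP_ENCRYPTION_PASSPHRASE",
    "BACKUP_HOST_PUBLIC_KEY", "BACKUP_HOST_PRIVATE_KEY",
]
BOOLEAN_SETTINGS = ["ACTIVATE_USERS", "SMTP_SECURE", "APPROVAL_REQUIRED"]
# Environments in which seeded users must never be activated with the test password.
NO_SEEDED_USERS = {"production", "staging"}


def check_environment(env_name, settings):
    """Return a list of problems found in `settings` (a name -> value mapping)
    for the GitHub environment `env_name`; an empty list means it passes."""
    problems = []

    # Every required secret and variable must be present and non-empty.
    for name in REQUIRED_SECRETS + REQUIRED_VARIABLES:
        if not settings.get(name, "").strip():
            problems.append(f"{name}: missing or empty")

    # Boolean settings accept only true/false (case-insensitive).
    for name in BOOLEAN_SETTINGS:
        value = settings.get(name, "").strip().lower()
        if value and value not in ("true", "false"):
            problems.append(f"{name}: expected true or false, got {value!r}")

    if settings.get("DOMAIN", "").strip().lower().startswith("www."):
        problems.append("DOMAIN: must be given without the www prefix")

    if (env_name in NO_SEEDED_USERS
            and settings.get("ACTIVATE_USERS", "").strip().lower() == "true"):
        problems.append(f"ACTIVATE_USERS: must be false in {env_name}")

    port = settings.get("SMTP_PORT", "").strip()
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"SMTP_PORT: not a valid TCP port: {port!r}")

    # WORKER_NODES may be empty, but a non-empty list must not contain blanks.
    nodes = settings.get("WORKER_NODES", "")
    if nodes.strip() and any(not n.strip() for n in nodes.split(",")):
        problems.append("WORKER_NODES: blank entry in comma-separated list")

    if settings.get("BACKUP_HOST", "").strip():
        for name in BACKUP_DEPENDENCIES:
            if not settings.get(name, "").strip():
                problems.append(f"{name}: required when BACKUP_HOST is set")
        mode = settings.get("BACKUP_ENVIRONMENT_MODE", "").strip().lower()
        if mode and mode not in ("full", "differential"):
            problems.append(
                f"BACKUP_ENVIRONMENT_MODE: expected full or differential, got {mode!r}")

    return problems


def sample_settings():
    """Constructed, fully valid production-style settings for demonstration."""
    values = {name: "example-value" for name in REQUIRED_SECRETS + REQUIRED_VARIABLES}
    values.update({
        "DOMAIN": "crvs.example.org",
        "SMTP_PORT": "587", "SMTP_SECURE": "true",
        "ACTIVATE_USERS": "false", "APPROVAL_REQUIRED": "true",
        "WORKER_NODES": "",
        "BACKUP_HOST": "backup.example.org",
        "BACKUP_SERVER_USER": "backup",
        "BACKUP_ENCRYPTION_PASSPHRASE": "example-passphrase",
        "BACKUP_HOST_PUBLIC_KEY": "ssh-ed25519 AAAA-example-constructed",
        "BACKUP_HOST_PRIVATE_KEY": "-----BEGIN OPENSSH PRIVATE KEY----- example",
        "BACKUP_ENVIRONMENT_MODE": "full",
    })
    return values


if __name__ == "__main__":
    good = sample_settings()
    print("production:", check_environment("production", good) or "no problems")
    broken = dict(good, DOMAIN="www.crvs.example.org", ACTIVATE_USERS="true",
                  BACKUP_HOST_PRIVATE_KEY="")
    for problem in check_environment("production", broken):
        print("production:", problem)
```

In a real pipeline the mapping would be read from the GitHub environment (or from the file the provisioning step produces) and the job would fail on any non-empty problem list; the checks are deliberately limited to what this page states, so extend them as your own deployment conventions require.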
