Environment secrets and variables explained
Global repository secrets
DOCKER_USERNAME
Your Dockerhub username to access the container registry. If you are using a different container registry, you will need to manually edit the deploy.yml in the OpenCRVS Countryconfig repository accordingly.
NOTE: Dockerhub is used to store only OpenCRVS Countryconfig docker images. All Core images are stored in GitHub Packages.
DOCKER_TOKEN
Your Dockerhub access token.
DOCKERHUB_ACCOUNT
The name of your Dockerhub account or organisation that forms the URL to your country config docker image on Dockerhub before the slash, e.g. opencrvs
DOCKERHUB_REPO
The name of your Dockerhub repository that forms the URL to your country config docker image on Dockerhub after the slash, e.g. ocrvs-farajaland
GH_TOKEN
The personal GitHub token used in all Action runners.
GH_ENCRYPTION_PASSWORD
Using the GitHub token, a password is created that allows automated actions to access the secrets from other environments. This occurs during provisioning so that the production, backup and staging environments use the same BACKUP_ENCRYPTION_PASSPHRASE.
Global repository variables
GH_APPROVERS
List of valid GitHub accounts that can approve deployments for a particular environment.
Environment secrets
ENCRYPTION_KEY
A password used to LUKS-encrypt the /data folder containing OpenCRVS data.
ELASTICSEARCH_SUPERUSER_PASSWORD
The Elasticsearch superuser password. You can also use this to log in to Kibana with the username "elastic", which gives you superuser Elastic privileges. Kibana URL: https://kibana.<your_domain>
KIBANA_USERNAME
A username for a regular Kibana user to log in and monitor OpenCRVS stack health. Useful for developers, as this user will have no superuser privileges.
KIBANA_PASSWORD
A password for a regular Kibana user to log in and monitor OpenCRVS stack health.
MONGODB_ADMIN_USER
The MongoDB superuser admin username. A powerful account that has all rights to OpenCRVS data.
MONGODB_ADMIN_PASSWORD
The MongoDB superuser admin password.
MINIO_ROOT_USER
A username for a Minio superuser admin to log in to the Minio console to view supporting document attachments submitted during registrations. Minio console URL: https://minio-console.<your_domain>
MINIO_ROOT_PASSWORD
A password for a Minio superuser admin.
SMTP_HOST
SMTP_PORT
SMTP_USERNAME
SMTP_PASSWORD
SMTP_SECURE
Whether or not your SMTP port requires TLS.
ALERT_EMAIL
Email address or Slack channel address to send system technical alerts to.
SENDER_EMAIL_ADDRESS
The sender email address that appears in all emails will need to be configured.
OPENCRVS_METABASE_ADMIN_EMAIL
Email address for the Metabase admin panel login.
OPENCRVS_METABASE_ADMIN_PASSWORD
Password for the Metabase admin panel login.
Environment variables
DOMAIN
The host domain name (without www!) for your environment.
CONTENT_SECURITY_POLICY_WILDCARD
This string is supplied to the clients and the nginx config so that the format of your domain above is configurable for CORS purposes.
ACTIVATE_USERS
Whether seeded users are immediately active, using a test password and six zeros as the 2-factor auth code. Always false in production and staging.
AUTH_HOST, CLIENT_APP_URL, COUNTRY_CONFIG_HOST, GATEWAY_HOST, LOGIN_URL
URLs passed to docker-compose to support internal microservice comms.
DISK_SPACE
The amount of disk space set aside for encrypted PII data stored by OpenCRVS.
NOTIFICATION_TRANSPORT
A property used to configure Email, SMS, or potentially both for staff and beneficiary communications.
KUBE_API_HOST
Kubernetes API host domain name or IP address.
WORKER_NODES
Comma-separated list of Kubernetes worker nodes, in case you are planning to set up a Kubernetes cluster with multiple nodes. This property can be left empty for a single-node setup, and you can add worker nodes later.
APPROVAL_REQUIRED
Makes approval required for this particular environment. If set to true, all GitHub workflows will ask for approval; otherwise the approval process is optional, even with a defined GH_APPROVERS list. NOTE: The "Reset environment" workflow requires 3 approvals to proceed. This additional requirement was made for security reasons, so that a single person cannot take the decision to reset an environment.
Optional environment secrets
BACKUP_SERVER_USER
User used to upload backups. This user's home directory is used as the default path for backups. Used by Kubernetes backup jobs.
BACKUP_ENCRYPTION_PASSPHRASE
Backup encryption passphrase, used only if backup is enabled. This is the password that is used to encrypt all the backups that OpenCRVS creates from a production server and that are stored on the backup server. Use this passphrase to decrypt the backups.
BACKUP_HOST_PUBLIC_KEY
SSH public key for BACKUP_SERVER_USER, used to authenticate Kubernetes backup jobs on the backup server.
SENTRY_DSN
OpenCRVS can report application errors to Sentry in order to help you debug any issues in production.
BACKUP_HOST_PRIVATE_KEY
SSH private key for BACKUP_SERVER_USER, used for authentication by Kubernetes backup jobs.
Optional environment variables
BACKUP_HOST
Backup server. Define this property if you would like to manage a backup server as part of your environment. Check the Backup and restore section for more information on how to configure the backup server. Used by Kubernetes backup jobs.
BACKUP_ENVIRONMENT_MODE
Backup environment mode (full or differential).
RESTORE_ENVIRONMENT_NAME
GitHub environment name used to configure restore on staging line environments.
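Several of the rules above (DOMAIN without www, ACTIVATE_USERS false in production and staging, approvers for deployments and resets, backup secrets when a backup server is defined) can be checked before a deployment runs. The following is an added example, not code from the OpenCRVS project: the function lint_environment, the sample values, the "true"/"false" and comma-separated value formats, and the reading that the 3 reset approvals come from distinct GH_APPROVERS accounts are assumptions.

```python
# Added example: lint one environment's settings before deployment.
# Assumed formats: booleans as "true"/"false", GH_APPROVERS comma separated.
REQUIRED = ["ENCRYPTION_KEY", "ELASTICSEARCH_SUPERUSER_PASSWORD",
            "MONGODB_ADMIN_PASSWORD", "MINIO_ROOT_PASSWORD"]
BACKUP_KEYS = ["BACKUP_SERVER_USER", "BACKUP_ENCRYPTION_PASSPHRASE",
               "BACKUP_HOST_PUBLIC_KEY", "BACKUP_HOST_PRIVATE_KEY"]


def lint_environment(env_name, settings):
    """Return findings that name keys only, so no secret value is ever logged."""
    def get(key):
        return str(settings.get(key) or "").strip()

    findings = [f"{k}: required secret is empty" for k in REQUIRED if not get(k)]
    if get("DOMAIN").lower().startswith("www."):
        findings.append("DOMAIN: give the host domain without www")

    # Seeded users with a test password and 000000 as 2FA code must stay inactive.
    if env_name in ("production", "staging") and get("ACTIVATE_USERS").lower() == "true":
        findings.append("ACTIVATE_USERS: must be false in production and staging")

    approvers = {a.strip().lower() for a in get("GH_APPROVERS").split(",") if a.strip()}
    if get("APPROVAL_REQUIRED").lower() == "true" and not approvers:
        findings.append("GH_APPROVERS: approval required but no approver listed")
    elif len(approvers) < 3:
        # Assumes the 3 reset approvals must come from distinct accounts.
        findings.append("GH_APPROVERS: fewer than 3 accounts, reset cannot be approved")
    if get("BACKUP_HOST"):  # backup enabled: every backup secret is needed
        findings += [f"{k}: required when BACKUP_HOST is set"
                     for k in BACKUP_KEYS if not get(k)]
    mode = get("BACKUP_ENVIRONMENT_MODE")
    if mode and mode not in ("full", "differential"):
        findings.append("BACKUP_ENVIRONMENT_MODE: must be full or differential")
    return findings


# Constructed sample settings (placeholder values, not from a real deployment).
SAMPLE_PRODUCTION = {
    "ENCRYPTION_KEY": "placeholder-1", "ELASTICSEARCH_SUPERUSER_PASSWORD": "placeholder-2",
    "MONGODB_ADMIN_PASSWORD": "", "MINIO_ROOT_PASSWORD": "placeholder-3",
    "DOMAIN": "www.example.org", "ACTIVATE_USERS": "true",
    "APPROVAL_REQUIRED": "true", "GH_APPROVERS": "alice, bob",
    "BACKUP_HOST": "backup.example.org", "BACKUP_SERVER_USER": "backup",
    "BACKUP_ENVIRONMENT_MODE": "incremental",
}

if __name__ == "__main__":
    for finding in lint_environment("production", SAMPLE_PRODUCTION):
        print(finding)
```

Run in a workflow step, a non-empty result can fail the job before any secret reaches the target server.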