⚙️Configure credentials

When deploying the stack for the first time, credentials are generated randomly.

While this may be "enough" for a first trial, randomly generated credentials come with issues:

  • The credentials will conflict when the stack is uninstalled and then reinstalled.

  • Integration with a secret manager is not possible.

  • They break configuration-as-code principles, reducing predictability and traceability.

Per best practices, it is recommended to use a secret manager to store credentials.

Parameters

Here's the location of the parameters you need to configure:

```yaml
# values.override.yaml
global:
  oauth2:
    # OAuth client secrets
    clientSecrets:
      # Explicitly, random strings
      gatewayToucan: ''
      toucanAdminManagement: ''
      toucanEmbed: ''
      toucanImpersonateService: ''
      toucanImpersonateServiceEmbed: ''
      toucanInfraAdmin: ''
      toucanLaputaWebsocket: ''
      toucanMicroService: ''
      # OR a secret that contains the keys:
      # - curity-gateway-toucan-client-secret
      # - toucan-admin-management-client-secret
      # - toucan-embed-client-secret
      # - toucan-impersonate-service-client-secret
      # - toucan-impersonate-service-embed-client-secret
      # - toucan-infra-admin-client-secret
      # - toucan-laputa-websocket-client-secret
      # - toucan-micro-service-client-secret
      existingSecret: ''

  toucan:
    auth:
      adminAccount: [email protected]

      password: ''
      # OR a secret that contains the key: toucan-admin-password
      existingSecret: ''

  postgresql:
    auth:
      postgresPassword: "" # super admin user password (username is 'postgres')
      username: "" # default user, owner of the default database
      password: "" # default user password
      database: "" # default database name
      # OR a secret whose key names are mapped in secretKeys below:
      existingSecret: ''
      secretKeys:
        userPasswordKey: password

laputa:
  secrets:
    # Encrypt the database
    dbEncryptionSecret: ''
    # Used to sign the JWT
    jwtSecretKey: ''
    # OR a secret that contains the keys:
    # - laputa-db-encryption-secret
    # - laputa-jwt-secret-key
    existingSecret: ''

layout:
  initconfig:
    secrets:
      # Used to provision users. There is no need to use a secret manager
      # for this one.
      USER_PROVISIONING_SHARED_SECRET:
        name: ''
        key: layout-user-provisioning-shared-secret

curity:
  config:
    # Admin UI password
    adminPassword: ''
    # Encryption Key is used to encrypt the configuration.
    # To generate one: `openssl rand -hex 32`.
    encryptionKey: ''
    # OR a secret that contains the keys:
    # - curity-admin-password
    # - curity-encryption-key
    existingSecret: ''

    cluster:
      ## To generate one `docker run --rm -it curity.azurecr.io/curity/idsvr genclust -c unused -e <encryptionKey>`:
      ## keystore: "v:S.Tz..."
      ##
      keystore: ''
      ## OR:
      ## - A secret that contains the key: curity-config-cluster-keystore
      existingSecret: ''

vault:
  oauthapp:
    # A Vault token scoped to oauthapp. A random string.
    token: ''
    # OR a secret that contains the key: vault-token
    existingSecret: ''

mongodb:
  auth:
    # Root credentials. Unused by toucan.
    rootUser: admin
    rootPassword: ''

    # App credentials. Owner of any database inside mongodb.
    user: app
    password: ''
    readonlyUser: app_readonly
    readonlyPassword: ''

    # OR a secret that contains the keys:
    # - mongodb-root-password
    # - mongodb-app-password
    # - mongodb-app-readonly-password
    existingSecret: ''

spicedb:
  config:
    auth:
      # A random string
      presharedKey: ''
      # OR a secret that contains the key: spicedb-preshared-key
      existingSecret: ''

laputa-redis:
  auth:
    password: ''
    # OR a secret that contains the key: redis-password
    existingSecret: ''
    existingSecretPasswordKey: redis-password
```

Generating a secret quickly

Here's an all-in-one secret, containing all the credentials:

```yaml
# /work/toucan-secret.local.yaml.tpl
apiVersion: v1
kind: Secret
metadata:
  name: toucan-secret
  namespace: 'toucan'
type: Opaque
stringData:
  # The toucan Admin password. This is the most important one as it is the one used
  # to login to the Toucan Admin UI.
  toucan-admin-password: '{{ random.Alpha 32 }}'

  # Laputa's secrets
  laputa-db-encryption-secret: '{{ random.Alpha 32 }}'
  laputa-jwt-secret-key: '{{ random.Alpha 32 }}'

  # Curity admin password. This is also important if you plan to manage the
  # identity provider.
  curity-admin-password: '{{ random.Alpha 32 }}'
  curity-encryption-key: ''
  curity-cluster-keystore: ''

  # OAuth2 Secrets
  curity-gateway-toucan-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-admin-management-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-embed-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-impersonate-service-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-impersonate-service-embed-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-infra-admin-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-laputa-websocket-client-secret: '{{ random.Alpha 32 }}'
  curity-toucan-micro-service-client-secret: '{{ random.Alpha 32 }}'

  # SpiceDB credentials
  # NOTE: SpiceDB is also protected by mTLS.
  spicedb-preshared-key: '{{ random.Alpha 32 }}'

  # Vault shared token
  vault-token: '{{ random.Alpha 32 }}'

  # MongoDB credentials
  mongodb-root-password: '{{ random.Alpha 32 }}'
  mongodb-app-password: '{{ random.Alpha 32 }}'
  mongodb-app-readonly-password: '{{ random.Alpha 32 }}'

  # Redis credentials
  redis-password: '{{ random.Alpha 32 }}'

  # PostgreSQL credentials
  postgresql-postgres-password: '{{ random.Alpha 32 }}'
  postgresql-password: '{{ random.Alpha 32 }}'
  postgresql-replication-password: '{{ random.Alpha 32 }}'

  # Layout service shared secret
  layout-user-provisioning-shared-secret: '{{ random.Alpha 32 }}'
```

This template can be rendered with gomplate:

```shell
gomplate -f /work/toucan-secret.local.yaml.tpl > /work/toucan-secret.local.yaml
```

Replace the value of curity-encryption-key with the result of the command:

```shell
openssl rand -hex 32
```

Replace the value of curity-cluster-keystore with the result of the command:

```shell
docker run --rm -it curity.azurecr.io/curity/idsvr genclust -c unused -e <encryptionKey> | grep keystore | sed -E 's/.*<keystore>(.*)<\/keystore>.*/\1/'
```
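The rendered manifest is only usable once every key the chart looks up through `existingSecret` is present and non-empty; the template above deliberately leaves `curity-encryption-key` and `curity-cluster-keystore` blank until the two commands above have been run. The following script is an added example and is not part of the Toucan documentation or chart: it parses a rendered Secret manifest and reports keys that are empty or missing before it is applied. The required-key list is copied from the `stringData` template above; the function names, the parsing approach (a flat `stringData` map of single-line quoted or bare scalars) and the sample manifest are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the Toucan docs or chart): sanity-check a rendered
# Secret manifest before `kubectl apply`. Assumes a flat stringData map of
# single-line, quoted or bare scalars, as in the template above.

# Key names copied from the stringData template above.
REQUIRED_KEYS='toucan-admin-password
laputa-db-encryption-secret laputa-jwt-secret-key
curity-admin-password curity-encryption-key curity-cluster-keystore
curity-gateway-toucan-client-secret curity-toucan-admin-management-client-secret
curity-toucan-embed-client-secret curity-toucan-impersonate-service-client-secret
curity-toucan-impersonate-service-embed-client-secret curity-toucan-infra-admin-client-secret
curity-toucan-laputa-websocket-client-secret curity-toucan-micro-service-client-secret
spicedb-preshared-key vault-token
mongodb-root-password mongodb-app-password mongodb-app-readonly-password
redis-password
postgresql-postgres-password postgresql-password postgresql-replication-password
layout-user-provisioning-shared-secret'

# Print one "key<TAB>value" line per stringData entry (surrounding quotes stripped).
secret_entries() {
  sed "s/['\"]//g" "$1" | awk '
    /^stringData:/ { in_data = 1; next }
    in_data && /^[^[:space:]]/ { in_data = 0 }        # reached the next top-level block
    in_data && /^[[:space:]]+[A-Za-z0-9_.-]+:/ {       # "# comment" lines do not match
      key = $1; sub(/:$/, "", key)
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      printf "%s\t%s\n", key, val
    }'
}

# Keys whose value is empty, e.g. the two the template leaves for you to fill in.
find_empty_secret_keys() {
  secret_entries "$1" | awk 'BEGIN { FS = "\t" } $2 == "" { print $1 }'
}

# Required keys that are absent from the manifest altogether.
find_missing_secret_keys() {
  present=$(secret_entries "$1" | cut -f 1)
  for k in $REQUIRED_KEYS; do
    printf '%s\n' "$present" | grep -qx -- "$k" || printf '%s\n' "$k"
  done
  return 0
}

# Exit status 0 when the manifest is complete, 1 otherwise (problems go to stderr).
check_secret() {
  problems=$( {
    find_empty_secret_keys "$1" | sed 's/^/empty value: /'
    find_missing_secret_keys "$1" | sed 's/^/missing key: /'
  } )
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifest: the two blank keys are present, most keys are absent.
write_sample_secret() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: toucan-secret
  namespace: 'toucan'
type: Opaque
stringData:
  # rendered by gomplate
  toucan-admin-password: 'AbCdEfGhIjKlMnOp'
  curity-encryption-key: ''
  curity-cluster-keystore: ""
  redis-password: 'QwErTyUiOp'
EOF
}

# usage: sh check-secret.sh /work/toucan-secret.local.yaml
if [ $# -gt 0 ]; then
  check_secret "$1"
fi
```

Run it against `/work/toucan-secret.local.yaml` after rendering; a non-zero exit status with `empty value: curity-encryption-key` on stderr means the `openssl` and `genclust` steps above have not been applied yet. The check is deliberately conservative: it strips every quote before parsing, so it is only meant for the flat, single-line layout of the template above, not for arbitrary YAML.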
