⚙️Configure credentials
When deploying the stack for the first time, credentials are generated randomly.
While it could be "enough", there are issues with generated credentials:
The credentials will conflict when uninstalling the stack and reinstalling it.
Integration with secret managers is not possible.
Breaks configuration-as-code principles, reducing predictability and traceability.
Per best practices, it is recommended to use a secret manager to store credentials.
Parameters
Here's the location of the parameters you need to configure:
global:
oauth2:
# OAuth client secrets
clientSecrets:
# Explicitely, random strings
gatewayToucan: ''
toucanAdminManagement: ''
toucanEmbed: ''
toucanImpersonateService: ''
toucanImpersonateServiceEmbed: ''
toucanInfraAdmin: ''
toucanLaputaWebsocket: ''
toucanMicroService: ''
# OR a secret that contains the keys:
# - curity-gateway-toucan-client-secret
# - toucan-admin-management-client-secret
# - toucan-embed-client-secret
# - toucan-impersonate-service-client-secret
# - toucan-impersonate-service-embed-client-secret
# - toucan-infra-admin-client-secret
# - toucan-laputa-websocket-client-secret
# - toucan-micro-service-client-secret
existingSecret: ''
toucan:
auth:
adminAccount: [email protected]
password: ''
# OR a secret that contains the key: toucan-admin-password
existingSecret: ''
postgresql:
auth:
postgresPassword: "" # super admin user password (username is 'postgres')
username: "" # default user, owner of the default database
password: "" # default user password
database: "" # default database name
# OR, a secret that contains the keys:
existingSecret: ''
secretKeys:
userPasswordKey: password
laputa:
secrets:
# Encrypt the database
dbEncryptionSecret: ''
# Used to sign the JWT
jwtSecretKey: ''
# OR a secret that contains the keys:
# - laputa-db-encryption-secret
# - laputa-jwt-secret-key
existingSecret: ''
layout:
initconfig:
secrets:
# Used to provision users. There is no need to use a secret manager
# for this one.
USER_PROVISIONING_SHARED_SECRET:
name: ''
key: layout-user-provisioning-shared-secret
curity:
config:
# Admin UI password
adminPassword: ''
# Encryption Key is used to encrypt the configuration.
# To generate one: `openssl rand -hex 32`.
encryptionKey: ''
# OR a secret that contains the keys:
# - curity-admin-password
# - curity-encryption-key
existingSecret: ''
cluster:
## To generate one `docker run --rm -it curity.azurecr.io/curity/idsvr genclust -c unused -e <encryptionKey>`:
## keystore: "v:S.Tz..."
##
keystore: ''
## OR:
## - A secret that contains the key: curity-config-cluster-keystore
existingSecret: ''
vault:
oauthapp:
# A Vault token scoped to oauthapp. A random string.
token: ''
# OR a secret that contains the key: vault-token
existingSecret: ''
mongodb:
auth:
# Root credentials. Unused by toucan.
rootUser: admin
rootPassword: ''
# App credentials. Owner of any database inside mongodb.
user: app
password: ''
readonlyUser: app_readonly
readonlyPassword: ''
# OR a secret that contains the keys:
# - mongodb-root-password
# - mongodb-app-password
# - mongodb-app-readonly-password
existingSecret: ''
spicedb:
config:
auth:
# A random string
presharedKey: ''
# OR a secret that contains the key: spicedb-preshared-key
existingSecret: ''
laputa-redis:
auth:
password: ''
# OR a secret that contains the key: redis-password
existingSecret: ''
existingSecretPasswordKey: redis-password
Generating a secret quickly
Here's an all-in-one secret, containing all the credentials:
apiVersion: v1
kind: Secret
metadata:
name: toucan-secret
namespace: 'toucan'
type: Opaque
stringData:
# The toucan Admin password. This is the most important one as it is the one used
# to login to the Toucan Admin UI.
toucan-admin-password: '{{ random.Alpha 32 }}'
# Laputa's secrets
laputa-db-encryption-secret: '{{ random.Alpha 32 }}'
laputa-jwt-secret-key: '{{ random.Alpha 32 }}'
# Curity admin password. This is also important if you plan to manage the
# identity provider.
curity-admin-password: '{{ random.Alpha 32 }}'
curity-encryption-key: ''
curity-cluster-keystore: ''
# OAuth2 Secrets
curity-gateway-toucan-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-admin-management-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-embed-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-impersonate-service-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-impersonate-service-embed-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-infra-admin-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-laputa-websocket-client-secret: '{{ random.Alpha 32 }}'
curity-toucan-micro-service-client-secret: '{{ random.Alpha 32 }}'
# SpiceDB credentials
# NOTE: SpiceDB is also protected by mTLS.
spicedb-preshared-key: '{{ random.Alpha 32 }}'
# Vault shared token
vault-token: '{{ random.Alpha 32 }}'
# MongoDB credentials
mongodb-root-password: '{{ random.Alpha 32 }}'
mongodb-app-password: '{{ random.Alpha 32 }}'
mongodb-app-readonly-password: '{{ random.Alpha 32 }}'
# Redis credentials
redis-password: '{{ random.Alpha 32 }}'
# PostgreSQL credentials
postgresql-postgres-password: '{{ random.Alpha 32 }}'
postgresql-password: '{{ random.Alpha 32 }}'
postgresql-replication-password: '{{ random.Alpha 32 }}'
# Layout service shared secret
layout-user-provisioning-shared-secret: '{{ random.Alpha 32 }}'
In which, you can generate with gomplate:
gomplate -f /work/toucan-secret.local.yaml.tpl > /work/toucan-secret.local.yaml
Replace the value of curity-encryption-key
with the result of the command:
openssl rand -hex 32
Replace the value of curity-cluster-keystore
with the result of the command:
docker run --rm -it curity.azurecr.io/curity/idsvr genclust -c unused -e <encryptionKey> | grep keystore | sed -E 's/.*<keystore>(.*)<\/keystore>.*/\1/'
Last updated
Was this helpful?