Skip to main content

Key Vault Secrets Reference

Define Azure Key Vault secret names and map them in global.remoteSecrets before your first Helm deploy.

Secret names are not secret values

This page lists Key Vault secret key names (chart defaults). These are configuration identifiers — not passwords or credentials. Store actual values only in Key Vault; never commit them to Git or Helm values files.

The chart maps Key Vault secret names to Kubernetes secret keys via External Secrets. Defaults live in values.yaml; per-environment overrides go in values-<env>.yaml (see sample values-release.yaml in the chart — placeholder hostnames and resource IDs only).

Flow

  1. Platform prerequisites — DB passwords and optional SSL material exist in Key Vault (your provisioning tool, console, or automation).
  2. One-time setup — run install scripts (create-dbs-azure.sh, platform install script) to verify prerequisites and create application secrets.
  3. SecretStore authenticates with Workload Identity.
  4. ExternalSecret per service syncs into K8s Secrets.
  5. Pods consume env vars or mounted files.

Platform prerequisites (verify only)

Install scripts check these with az keyvault secret show. Scripts may create missing application secrets but not infrastructure passwords.

Key Vault secretRequiredPurpose
azure-postgres-master-password or bh-dev-user-passwordYesbh_dev_user (migrations / Alembic) — prefer bh-dev-user-password for cross-cloud parity
bh-app-user-passwordYesbh_app_user (runtime DML)
bh-kcdbpwdYeskeycloak_db_user (KC_DB_PASSWORD on bhkeycloak)
bh-postgres-ssl-certNoPostgreSQL server CA (PEM)

Optional SSL secrets produce a warning only when missing — skip them if postgresSSLMode does not require client certificates.

One-time application secrets (script creates if missing)

Key Vault secretPurpose
bh-kcadminpwdKeycloak admin UI password
bh-keycloak-grant-typeGrant type (default: password)
bh-catalog-decryption-keyCatalog decryption key
bh-temp-tenant-user-passwordTemporary tenant password
bh-rabbitmq-passwordRabbitMQ password
bh-redis-passwordRedis password
bh-langchain-api-keyLangChain API key
bh-oauth-tokenOAuth token (audit API)
license-catalogCatalog license string
license-catalog-pub-keyPublic key for license verification

TLS edge secrets follow the pattern <env>-<cloud>-bighammer-tls-{crt,key} (for example <env>-az-bighammer-tls-crt / <env>-az-bighammer-tls-key). They are normally created by cert-manager PushSecret — see TLS Options.

Application database dual-role

Services on the application database use two PostgreSQL roles, matching create-dbs-azure.sh grants:

Env varDB roleKey Vault secretUsed for
POSTGRES_USER + POSTGRES_PASSWORDbh_dev_userbh-dev-user-password (preferred) or azure-postgres-master-passwordAlembic / migrations — DDL
BH_APP_USER + BH_APP_USER_PASSWORDbh_app_userbh-app-user-passwordRuntime SQLAlchemy — DML only
Align values and Key Vault
global:
remoteSecrets:
postgres:
password: bh-dev-user-password # POSTGRES_PASSWORD → bh_dev_user
app:
userPassword: bh-app-user-password # BH_APP_USER_PASSWORD → bh_app_user

Mismatch between Key Vault values and PostgreSQL user passwords is the most common cause of password authentication failed at pod startup.

Keycloak server database

The Keycloak server pod (bhkeycloak) is not on the application database:

ResourceReference nameChart mapping
Databasekeycloak_db_<env>global.bhkeycloak.env.KC_DB_URL
Userkeycloak_db_userglobal.bhkeycloak.env.KC_DB_USERNAME
Passwordbh-kcdbpwdglobal.remoteSecrets.keycloak.dbPassword

bhkeycloakapi uses the application database (schema keycloakapi_db), not the Keycloak server database.

Chart defaults (global.remoteSecrets)

Values pathDefault Key Vault nameK8s key
postgres.passwordbh-dev-user-passwordPOSTGRES_PASSWORD
app.userPasswordbh-app-user-passwordBH_APP_USER_PASSWORD
keycloak.dbPasswordbh-kcdbpwdKC_DB_PASSWORD
keycloak.adminPasswordbh-kcadminpwdKEYCLOAK_ADMIN_PASSWORD
rabbitmq.passwordbh-rabbitmq-passwordRABBITMQ_PASSWORD
tls.cert / tls.key<env>-az-bighammer-tls-crt / <env>-az-bighammer-tls-key (example)TLS PEM files

Override any name in values-<env>.yaml when your Key Vault naming convention differs.


How secrets flow (detail)

  1. Platform engineer stores secrets in Azure Key Vault
  2. SecretStore (namespace-scoped) authenticates via Workload Identity
  3. ExternalSecret per service syncs keys into a Kubernetes Secret
  4. Pods mount or reference env vars from the synced secret

See External Secrets Operator and Architecture.


Auto-created by install scripts

These can be generated and pushed by create-dbs-azure.sh and the platform install script:

Key Vault secret nameKubernetes key(s)Used by
azure-postgres-master-passwordPOSTGRES_PASSWORDAPIs, workers, Keycloak (dev path)
bh-kcadminpwdKEYCLOAK_ADMIN_PASSWORDKeycloak, Keycloak API
bh-kcdbpwdKC_DB_PASSWORDKeycloak
bh-app-user-passwordBH_APP_USER_PASSWORDAPIs (when global.dev.enabled)
bh-dev-user-password(script reference)Alternate dev DB user
bh-temp-tenant-user-passwordTEMPERORY_TENANT_USER_PASSWORDKeycloak API (dev)
bh-rabbitmq-passwordRABBITMQ_PASSWORDAPIs, workers, AI agent
bh-redis-passwordREDIS_PASSWORDAI agent
bh-catalog-decryption-keyDECRYPTION_KEYCatalog API, AI agent, Keycloak API
azure-storage-account-nameazurestorageaccountnameStorage ExternalSecret, AI agent
azure-storage-account-keyazurestorageaccountkeyStorage ExternalSecret, AI agent

Customer-provided secrets

Provision these in Key Vault before deployment (or use install script placeholder mode for non-production):

Key Vault secret nameDescription
bh-client-secretEntra app client secret (Workload Identity / API Azure SDK)
bh-github-tokenGitHub PAT for schema repository access
bh-aws-access-keyAWS access key (legacy integrations / optional)
bh-aws-secret-access-keyAWS secret key (legacy integrations / optional)
bh-oauth-tokenOAuth token for audit/API integrations
bh-langchain-api-keyLangChain / observability API key
bh-postgres-ssl-certPostgreSQL server CA certificate (PEM)
bh-keycloak-grant-typeKeycloak grant type (e.g. password)
license-catalogCatalog license file content
license-catalog-pub-keyPublic key for license verification
<env>-az-bighammer-tls-crtPEM TLS certificate (example; use <env>-az-bighammer-tls-crt)
<env>-az-bighammer-tls-keyPEM TLS private key (example; use <env>-az-bighammer-tls-key)

:::tip TLS secret naming Ingress TLS uses a Kubernetes secret name from global.ingress.tlsSecretName (for example <env>-az-bighammer-tls). The Key Vault keys that feed application consumers are defined in global.remoteSecrets.tls and ExternalSecret templates. :::


Per-service ExternalSecret mapping

Sub-chartAdditional Key Vault keys (beyond shared DB password)
bhauditapibh-oauth-token, bh-aws-access-key, bh-aws-secret-access-key, bh-rabbitmq-password, bh-client-secret
bhcatalogapibh-catalog-decryption-key, bh-github-token, bh-rabbitmq-password, license-catalog, license-catalog-pub-key, bh-client-secret
bhaiagentbh-langchain-api-key, bh-github-token, bh-redis-password, bh-catalog-decryption-key, storage keys
bhkeycloakbh-kcadminpwd, bh-kcdbpwd, wildcard TLS crt/key
bhkeycloakapibh-keycloak-grant-type, bh-kcadminpwd, bh-catalog-decryption-key
bhuiWildcard TLS crt/key (ingress TLS secret)
bhnginxWildcard TLS crt/key
Parent chartazure-storage-account-name, azure-storage-account-key

Workers (bhcatalogworker, bhauditworker, bhaiagentworker, bhcelerybeat) follow the same patterns as their corresponding APIs.


Creating secrets in Key Vault

az keyvault secret set \
--vault-name <YOUR_KEY_VAULT_NAME> \
--name <SECRET_NAME> \
--value "<SECRET_VALUE>"

For file-based secrets (TLS certificate):

az keyvault secret set \
--vault-name <YOUR_KEY_VAULT_NAME> \
--name <env>-az-bighammer-tls-crt \
--file /path/to/cert.pem

az keyvault secret set \
--vault-name <YOUR_KEY_VAULT_NAME> \
--name <env>-az-bighammer-tls-key \
--file /path/to/key.pem

RBAC requirements

PrincipalRole
ESO managed identityKey Vault Secrets User on the vault
Install / bootstrap operatorKey Vault Secrets Officer (temporary, for initial upload)
Application managed identitiesKey Vault Secrets User (if apps read vault directly)

RBAC propagation can take 60–120 seconds after assignment.


TopicLink
Bootstrap scriptsScripts Reference
TLS namingTLS Options
GCP equivalentSecret Manager Secrets
External docsAzure Key Vault secrets · ESO Azure provider