Key Vault Secrets Reference
The platform stores all secrets in Azure Key Vault and uses External Secrets Operator (ESO) to sync them into Kubernetes Secret objects as the workloads need them. Key Vault is the source of truth: the Kubernetes copies are derived from it, so a value is changed by updating the Key Vault secret, not by editing the Kubernetes Secret.
Auto-created by Install Script
These can be generated and pushed to Key Vault by the install script (see Scripts Reference), so you do not normally create them by hand:
| Secret Name | Description |
|---|---|
| azure-postgres-master-password | Password for the application database user |
| bh-kcadminpwd | Keycloak admin console password |
| bh-kcdbpwd | Keycloak database user password |
| bh-app-user-password | BigHammer app user password |
| bh-temp-tenant-user-password | Temporary tenant user password |
| bh-rabbitmq-password | RabbitMQ admin password |
| bh-redis-password | Redis password |
| bh-catalog-decryption-key | Catalog decryption key (base64-encoded) |
Customer-provided Secrets
You must provision these in Key Vault before deployment; the install script does not generate them, and ESO will fail to sync any application that references a missing one:
| Secret Name | Description |
|---|---|
| bh-client-secret | Azure AD app client secret (Workload Identity / Key Vault access) |
| bh-github-token | GitHub personal access token |
| bh-aws-access-key | AWS access key ID (only if using the AWS integration) |
| bh-aws-secret-access-key | AWS secret access key (only if using the AWS integration) |
| bh-oauth-token | OAuth token for audit/API |
| bh-langchain-api-key | LangChain API key |
| azure-storage-account-name | Azure Storage account name |
| azure-storage-account-key | Azure Storage account key |
| wildcard-dev-az-bighammer-crt | Wildcard TLS certificate (PEM) |
| wildcard-dev-az-bighammer-key | Wildcard TLS private key (PEM) |
| bh-postgres-ssl-cert | PostgreSQL SSL CA certificate (PEM) |
| bh-keycloak-grant-type | Keycloak grant type (e.g. password) |
| license-catalog | License file content |
| bh-azure-eks-dev | Public key for license verification |
Creating Secrets in Key Vault
Use the Azure CLI to add secrets. Note that a value passed with --value is written to your shell history and is visible in the process list while the command runs; for sensitive values prefer --file, or clear the history entry afterwards.

```bash
# Example (replace placeholders)
az keyvault secret set --vault-name <YOUR_KEY_VAULT_NAME> \
  --name <SECRET_NAME> \
  --value "<SECRET_VALUE>"
```

For file-based secrets (e.g. a PEM TLS certificate or private key), pass the file instead of an inline value so the multi-line content is stored intact:

```bash
az keyvault secret set --vault-name <YOUR_KEY_VAULT_NAME> \
  --name wildcard-dev-az-bighammer-crt \
  --file /path/to/cert.pem
```
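As an added example (not part of the project's install script or this page's own commands), the following preflight script checks that every customer-provided secret from the table above exists in the vault before you deploy, generates a value for an auto-created secret without typing it on a command line, and stores a secret from a file. The required-name list is taken from the table; the function names, the optional `with-aws` toggle, and the exact `az` invocations are this example's own assumptions.

```bash
#!/bin/sh
# Added example: preflight for the customer-provided Key Vault secrets listed
# above. Not the project's install script; the function names, the with-aws
# toggle and the az invocations are this example's own choices.
set -e

# Names from the "Customer-provided Secrets" table that are always required.
REQUIRED_SECRETS="bh-client-secret bh-github-token bh-oauth-token \
bh-langchain-api-key azure-storage-account-name azure-storage-account-key \
wildcard-dev-az-bighammer-crt wildcard-dev-az-bighammer-key \
bh-postgres-ssl-cert bh-keycloak-grant-type license-catalog bh-azure-eks-dev"
# Only required when the AWS integration is in use.
AWS_SECRETS="bh-aws-access-key bh-aws-secret-access-key"

# missing_secrets REQUIRED PRESENT
#   REQUIRED: space-separated names. PRESENT: names as returned by the vault,
#   one per line. Prints the required names that are absent, space-separated,
#   in the order they were required. Pure shell, so it is testable offline.
missing_secrets() {
  local required="$1" present="$2" missing="" name
  for name in $required; do
    if ! printf '%s\n' "$present" | grep -qx -- "$name"; then
      missing="${missing:+$missing }$name"
    fi
  done
  printf '%s' "$missing"
}

# generate_secret_value: 48 hex characters from the kernel CSPRNG, printed to
# stdout so it can be redirected to a file and stored with --file instead of
# being passed on a command line (where it would land in shell history).
generate_secret_value() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# vault_secret_names VAULT: the one network call; needs 'list' permission on
# secrets in the vault.
vault_secret_names() {
  az keyvault secret list --vault-name "$1" --query '[].name' -o tsv
}

# set_secret_from_file VAULT NAME FILE: az reads the value from FILE, so it
# never appears in the process list or shell history.
set_secret_from_file() {
  az keyvault secret set --vault-name "$1" --name "$2" --file "$3" >/dev/null
}

# preflight VAULT [with-aws]: returns 1 and lists the missing names on stderr
# if any required secret is absent.
preflight() {
  local vault="$1" with_aws="${2:-}" required present missing
  required="$REQUIRED_SECRETS"
  if [ "$with_aws" = "with-aws" ]; then
    required="$required $AWS_SECRETS"
  fi
  present=$(vault_secret_names "$vault")
  missing=$(missing_secrets "$required" "$present")
  if [ -n "$missing" ]; then
    echo "Missing in $vault: $missing" >&2
    return 1
  fi
  echo "All required secrets present in $vault"
}

# Usage: sh preflight.sh <YOUR_KEY_VAULT_NAME> [with-aws]
# Runs only when a vault name is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
  preflight "$@"
fi
```

The check only confirms that each name exists; it does not validate content. To inspect a single value after storing it, use `az keyvault secret show --vault-name <YOUR_KEY_VAULT_NAME> --name <SECRET_NAME> --query value -o tsv`, and be aware that this prints the secret to your terminal.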