Secret Manager Secrets Reference
Define Google Secret Manager (GSM) secret names and map them in global.remoteSecrets before your first Helm deploy.
This page lists GSM secret names (chart defaults). These are configuration identifiers — not passwords or credentials. Store actual values only in Secret Manager; never commit them to Git or Helm values files.
The chart maps GSM secret names to Kubernetes secret keys via External Secrets. Defaults live in values.yaml; per-environment overrides go in values-<env>.yaml (see sample values-release.yaml in the chart — placeholder project IDs and hostnames only).
Flow
- Platform prerequisites — DB passwords and optional SSL material exist in GSM (your provisioning tool, console, or automation).
- One-time setup — run
bh_gsm_onetime_setup.shto verify prerequisites and create application secrets. - SecretStore (
gcp-secret-store) authenticates with Workload Identity. - ExternalSecret per service syncs into K8s Secrets.
- Pods consume env vars or mounted files.
Platform prerequisites (verify only)
bh_gsm_onetime_setup.sh checks these with gcloud secrets describe. The script does not create them — provision them before running the script or deploying Helm.
| GSM secret | Required | Purpose |
|---|---|---|
bh-dev-user-password | Yes | bh_dev_user (migrations / Alembic) |
bh-app-user-password | Yes | bh_app_user (runtime DML) |
db-postgres-password | Yes | postgres superuser (bootstrap SQL) |
bh-kcdbpwd | Yes | keycloak_db_user (KC_DB_PASSWORD on bhkeycloak) |
db-client-cert | No | Cloud SQL client certificate |
db-server-ca-cert | No | Cloud SQL server CA |
db-client-private-key | No | Cloud SQL client key (PEM) |
Optional SSL secrets produce a warning only when missing — skip them if postgresSSLMode does not require client certificates.
One-time application secrets (script creates if missing)
Created by bh_gsm_onetime_setup.sh when absent (edit placeholders in the script or set env vars before running):
| GSM secret | Env var override | Purpose |
|---|---|---|
bh-kcadminpwd | KC_ADMIN_PWD | Keycloak admin UI password |
bh-keycloak-grant-type | KC_GRANT_TYPE | Grant type (default: password) |
bh-catalog-decryption-key | DECRYPTION_KEY | Catalog decryption key |
bh-temp-tenant-user-password | TEMP_TENANT_PASSWORD | Temporary tenant password |
bh-rabbitmq-password | RABBITMQ_PASSWORD | RabbitMQ password |
bh-redis-password | REDIS_PASSWORD | Redis password |
bh-langchain-api-key | LANGCHAIN_API_KEY | LangChain API key |
bh-oauth-token | OAUTH_TOKEN | OAuth token (audit API) |
license-catalog | LICENSE_CATALOG | Catalog license string |
license-catalog-pub-key | LICENSE_CATALOG_PUB_KEY | Catalog license public key |
Optional file-based secrets
| GSM secret | When needed | Purpose |
|---|---|---|
db-client-private-key-der | Keycloak JDBC SSL | DER conversion from db-client-private-key PEM |
bh-gcp-sa-key | Dev overlay only (global.dev.enabled: true) | bhkeycloakapi dummy.json mount — skip for production overlays |
TLS edge secrets follow the pattern <env>-<cloud>-bighammer-tls-{crt,key} (for example <env>-gcp-bighammer-tls-crt). They are normally created by cert-manager PushSecret — see TLS Options.
Application database dual-role
Services on the application database use two PostgreSQL roles, matching bighammer_db_setup.sql:
| Env var | DB role | GSM secret | Used for |
|---|---|---|---|
POSTGRES_USER + POSTGRES_PASSWORD | bh_dev_user | bh-dev-user-password | Alembic / migrations — DDL |
BH_APP_USER + BH_APP_USER_PASSWORD | bh_app_user | bh-app-user-password | Runtime SQLAlchemy — DML only |
global:
remoteSecrets:
postgres:
password: bh-dev-user-password # POSTGRES_PASSWORD → bh_dev_user
app:
userPassword: bh-app-user-password # BH_APP_USER_PASSWORD → bh_app_user
Each service that runs migrations and serves traffic needs both env var pairs in its env: block:
bhcatalogapi:
env:
POSTGRES_USER: bh_dev_user
BH_APP_USER: bh_app_user
POSTGRES_DB: <your_app_database>
DB_SCHEMA: catalog_db
Privileges (bighammer_db_setup.sql)
| Role | Schema access | Tables / sequences / functions |
|---|---|---|
bh_dev_user | USAGE, CREATE on app schemas | ALL PRIVILEGES (DDL + DML) |
bh_app_user | USAGE only | DML + EXECUTE; no schema DDL |
ALTER DEFAULT PRIVILEGES grants future objects created by bh_dev_user to bh_app_user.
Services with both env vars
| Service | Typical schema |
|---|---|
bhcatalogapi, bhcatalogworker | catalog_db |
bhauditapi, bhauditworker | audit_db |
bhaiagent, bhaiagentworker | agent_db |
bhcelerybeat | celery_db |
bhkeycloakapi | keycloakapi_db |
Keycloak server database
The Keycloak server pod uses a separate database from the application dual-role model:
| Resource | Typical name | GSM secret | Chart consumer |
|---|---|---|---|
| Database | keycloak_db_<env> | — | bhkeycloak → KC_DB_URL |
| User | e.g. keycloak_db_user | — | bhkeycloak → KC_DB_USERNAME |
| Password | — | bh-kcdbpwd | KC_DB_PASSWORD (ExternalSecret) |
Not created by bighammer_db_setup.sql. Rename checklist: Infrastructure — renaming.
bhkeycloak— separate Keycloak DB, envKC_DB_*.bhkeycloakapi— application DB + schemakeycloakapi_dbwith the dual-role pair.
Chart defaults (global.remoteSecrets)
| Group | Secret Manager key (default) | Used for |
|---|---|---|
postgres.password | bh-dev-user-password | POSTGRES_PASSWORD when POSTGRES_USER is bh_dev_user |
app.userPassword | bh-app-user-password | BH_APP_USER_PASSWORD |
postgres.clientCert | db-client-cert | mTLS |
postgres.clientKeyDer | db-client-private-key-der | Keycloak JDBC SSL |
keycloak.dbPassword | bh-kcdbpwd | KC_DB_PASSWORD |
keycloak.adminPassword | bh-kcadminpwd | Keycloak admin UI |
tls.cert / tls.key | env-specific TLS secret names | Edge HTTPS |
rabbitmq.password | bh-rabbitmq-password | Celery / broker |
catalog.decryptionKey | bh-catalog-decryption-key | Catalog / UI |
See chart values.yaml global.remoteSecrets for the full list.
Bootstrap script
Chart path: scripts/bh_gsm_onetime_setup.sh. See Scripts Reference.
cd bighammer/scripts
# Edit placeholder values in the script (or export env vars), then:
./bh_gsm_onetime_setup.sh <GCP_PROJECT_ID>
The script:
- Verifies platform prerequisite secrets via
gcloud(exits with error if required secrets are missing). - Creates one-time application secrets that do not already exist.
- Warns on missing optional SSL secrets.
Requires roles/secretmanager.admin (or equivalent) on the target project.
Per-environment overrides
# values-prod.yaml example
global:
namespace: bh-control-plane-prod
remoteSecrets:
tls:
cert: <env>-gcp-bighammer-tls-crt
key: <env>-gcp-bighammer-tls-key
K8s secret key names in templates stay fixed; only GSM names change.
Customer-provided secrets
Ensure these exist (via script or console) before deploy:
| Secret | Required by |
|---|---|
bh-rabbitmq-password | APIs, workers |
bh-catalog-decryption-key | Catalog, UI |
license-catalog, license-catalog-pub-key | Catalog (if licensed) |
bh-kcadminpwd | Keycloak admin UI |
bh-oauth-token | Audit API |
bh-langchain-api-key | AI agent |
Platform DB passwords (bh-dev-user-password, bh-app-user-password, db-postgres-password, bh-kcdbpwd) must exist before running the script — the script verifies but does not create them.
Related
| Topic | Link |
|---|---|
| Bootstrap scripts | Scripts Reference |
| TLS naming | TLS Options |
| Azure equivalent | Key Vault Secrets |