Skip to main content

Secret Manager Secrets Reference

Define Google Secret Manager (GSM) secret names and map them in global.remoteSecrets before your first Helm deploy.

Secret names are not secret values

This page lists GSM secret names (chart defaults). These are configuration identifiers — not passwords or credentials. Store actual values only in Secret Manager; never commit them to Git or Helm values files.

The chart maps GSM secret names to Kubernetes secret keys via External Secrets. Defaults live in values.yaml; per-environment overrides go in values-<env>.yaml (see sample values-release.yaml in the chart — placeholder project IDs and hostnames only).

Flow

  1. Platform prerequisites — DB passwords and optional SSL material exist in GSM (your provisioning tool, console, or automation).
  2. One-time setup — run bh_gsm_onetime_setup.sh to verify prerequisites and create application secrets.
  3. SecretStore (gcp-secret-store) authenticates with Workload Identity.
  4. ExternalSecret per service syncs into K8s Secrets.
  5. Pods consume env vars or mounted files.

Platform prerequisites (verify only)

bh_gsm_onetime_setup.sh checks these with gcloud secrets describe. The script does not create them — provision them before running the script or deploying Helm.

GSM secretRequiredPurpose
bh-dev-user-passwordYesbh_dev_user (migrations / Alembic)
bh-app-user-passwordYesbh_app_user (runtime DML)
db-postgres-passwordYespostgres superuser (bootstrap SQL)
bh-kcdbpwdYeskeycloak_db_user (KC_DB_PASSWORD on bhkeycloak)
db-client-certNoCloud SQL client certificate
db-server-ca-certNoCloud SQL server CA
db-client-private-keyNoCloud SQL client key (PEM)

Optional SSL secrets produce a warning only when missing — skip them if postgresSSLMode does not require client certificates.

One-time application secrets (script creates if missing)

Created by bh_gsm_onetime_setup.sh when absent (edit placeholders in the script or set env vars before running):

GSM secretEnv var overridePurpose
bh-kcadminpwdKC_ADMIN_PWDKeycloak admin UI password
bh-keycloak-grant-typeKC_GRANT_TYPEGrant type (default: password)
bh-catalog-decryption-keyDECRYPTION_KEYCatalog decryption key
bh-temp-tenant-user-passwordTEMP_TENANT_PASSWORDTemporary tenant password
bh-rabbitmq-passwordRABBITMQ_PASSWORDRabbitMQ password
bh-redis-passwordREDIS_PASSWORDRedis password
bh-langchain-api-keyLANGCHAIN_API_KEYLangChain API key
bh-oauth-tokenOAUTH_TOKENOAuth token (audit API)
license-catalogLICENSE_CATALOGCatalog license string
license-catalog-pub-keyLICENSE_CATALOG_PUB_KEYCatalog license public key

Optional file-based secrets

GSM secretWhen neededPurpose
db-client-private-key-derKeycloak JDBC SSLDER conversion from db-client-private-key PEM
bh-gcp-sa-keyDev overlay only (global.dev.enabled: true)bhkeycloakapi dummy.json mount — skip for production overlays

TLS edge secrets follow the pattern <env>-<cloud>-bighammer-tls-{crt,key} (for example <env>-gcp-bighammer-tls-crt). They are normally created by cert-manager PushSecret — see TLS Options.

Application database dual-role

Services on the application database use two PostgreSQL roles, matching bighammer_db_setup.sql:

Env varDB roleGSM secretUsed for
POSTGRES_USER + POSTGRES_PASSWORDbh_dev_userbh-dev-user-passwordAlembic / migrations — DDL
BH_APP_USER + BH_APP_USER_PASSWORDbh_app_userbh-app-user-passwordRuntime SQLAlchemy — DML only
Align values and GSM
global:
remoteSecrets:
postgres:
password: bh-dev-user-password # POSTGRES_PASSWORD → bh_dev_user
app:
userPassword: bh-app-user-password # BH_APP_USER_PASSWORD → bh_app_user

Each service that runs migrations and serves traffic needs both env var pairs in its env: block:

bhcatalogapi:
env:
POSTGRES_USER: bh_dev_user
BH_APP_USER: bh_app_user
POSTGRES_DB: <your_app_database>
DB_SCHEMA: catalog_db

Privileges (bighammer_db_setup.sql)

RoleSchema accessTables / sequences / functions
bh_dev_userUSAGE, CREATE on app schemasALL PRIVILEGES (DDL + DML)
bh_app_userUSAGE onlyDML + EXECUTE; no schema DDL

ALTER DEFAULT PRIVILEGES grants future objects created by bh_dev_user to bh_app_user.

Services with both env vars

ServiceTypical schema
bhcatalogapi, bhcatalogworkercatalog_db
bhauditapi, bhauditworkeraudit_db
bhaiagent, bhaiagentworkeragent_db
bhcelerybeatcelery_db
bhkeycloakapikeycloakapi_db

Keycloak server database

The Keycloak server pod uses a separate database from the application dual-role model:

ResourceTypical nameGSM secretChart consumer
Databasekeycloak_db_<env>bhkeycloakKC_DB_URL
Usere.g. keycloak_db_userbhkeycloakKC_DB_USERNAME
Passwordbh-kcdbpwdKC_DB_PASSWORD (ExternalSecret)

Not created by bighammer_db_setup.sql. Rename checklist: Infrastructure — renaming.

Keycloak server vs keycloakapi
  • bhkeycloak — separate Keycloak DB, env KC_DB_*.
  • bhkeycloakapi — application DB + schema keycloakapi_db with the dual-role pair.

Chart defaults (global.remoteSecrets)

GroupSecret Manager key (default)Used for
postgres.passwordbh-dev-user-passwordPOSTGRES_PASSWORD when POSTGRES_USER is bh_dev_user
app.userPasswordbh-app-user-passwordBH_APP_USER_PASSWORD
postgres.clientCertdb-client-certmTLS
postgres.clientKeyDerdb-client-private-key-derKeycloak JDBC SSL
keycloak.dbPasswordbh-kcdbpwdKC_DB_PASSWORD
keycloak.adminPasswordbh-kcadminpwdKeycloak admin UI
tls.cert / tls.keyenv-specific TLS secret namesEdge HTTPS
rabbitmq.passwordbh-rabbitmq-passwordCelery / broker
catalog.decryptionKeybh-catalog-decryption-keyCatalog / UI

See chart values.yaml global.remoteSecrets for the full list.

Bootstrap script

Chart path: scripts/bh_gsm_onetime_setup.sh. See Scripts Reference.

cd bighammer/scripts

# Edit placeholder values in the script (or export env vars), then:
./bh_gsm_onetime_setup.sh <GCP_PROJECT_ID>

The script:

  1. Verifies platform prerequisite secrets via gcloud (exits with error if required secrets are missing).
  2. Creates one-time application secrets that do not already exist.
  3. Warns on missing optional SSL secrets.

Requires roles/secretmanager.admin (or equivalent) on the target project.

Per-environment overrides

# values-prod.yaml example
global:
namespace: bh-control-plane-prod
remoteSecrets:
tls:
cert: <env>-gcp-bighammer-tls-crt
key: <env>-gcp-bighammer-tls-key

K8s secret key names in templates stay fixed; only GSM names change.

Customer-provided secrets

Ensure these exist (via script or console) before deploy:

SecretRequired by
bh-rabbitmq-passwordAPIs, workers
bh-catalog-decryption-keyCatalog, UI
license-catalog, license-catalog-pub-keyCatalog (if licensed)
bh-kcadminpwdKeycloak admin UI
bh-oauth-tokenAudit API
bh-langchain-api-keyAI agent

Platform DB passwords (bh-dev-user-password, bh-app-user-password, db-postgres-password, bh-kcdbpwd) must exist before running the script — the script verifies but does not create them.

TopicLink
Bootstrap scriptsScripts Reference
TLS namingTLS Options
Azure equivalentKey Vault Secrets