The platform requires some prerequisite secrets to fully function. We store these secrets in AWS Secrets Manager and make them available in the cluster using the Kubernetes External Secrets Operator.
The secrets listed here are either:
- generated by external systems and imported into our platform, for example GitHub OAuth secrets; or
- generated manually and used between different components of our platform, for example the OAuth shared secret between ArgoCD (continuous delivery tool) and Dex (federated OpenID Connect provider). We don't have a method yet to auto-generate these; or
- GOV.UK app-specific secrets, referred to in the `app-config` helm chart of the govuk-helm-charts GitHub repository. These are usually copied across from govuk-secrets.
The canonical list of all the required platform secrets is in the govuk-helm-charts GitHub repository.
The purpose of this document is to give information about:
- how to generate/obtain these secrets
- the JSON format used when adding the secrets to AWS Secrets Manager
Each secret is documented in the following format, which will aid you in creating one from scratch:

name of the secret in AWS Secrets Manager: description

```
{
  <key_1>: <secret_1>,
  <key_2>: <secret_2>
}
```
In addition, there are:

- `govuk/dex/github`: shared OAuth secret between Dex and GitHub. Created via the GitHub admin portal.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>"
  }
  ```

- `govuk/logit-host`: used by FileBeat in the Kubernetes cluster to access the Logit stack. Obtained from the Logit portal.

  ```json
  {
    "host": "<secret_1>",
    "port": "<secret_2>"
  }
  ```

- `govuk/slack-webhook-url`: Slack URL used to post to the Slack channel `#govuk-deploy-alerts`. Obtained from GDS/CO IT, who manage Slack.

  ```json
  {
    "url": "<secret_1>"
  }
  ```

- `govuk/alertmanager/pagerduty-routing-key`: routing key used to access PagerDuty. Obtained from the Integration Key value of the Events API V2 integration for the service in PagerDuty. This secret is a bare string rather than a JSON object:

  ```
  <secret_1>
  ```

- `govuk/dex/argocd`: shared OAuth secret between Dex and ArgoCD. You can generate it manually using OpenSSL; for example `openssl rand -hex 16`.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>"
  }
  ```

- `govuk/dex/argo-workflows`: shared OAuth secret between Dex and Argo Workflows. You can generate it manually using OpenSSL; for example `openssl rand -hex 16`.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>"
  }
  ```

- `govuk/dex/grafana`: shared OAuth secret between Dex and Grafana. You can generate it manually using OpenSSL; for example `openssl rand -hex 16`.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>"
  }
  ```

- `govuk/dex/alert-manager`: shared OAuth secret between Dex and Alertmanager. You can generate it manually using OpenSSL; for example `openssl rand -hex 16`.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>",
    "cookieSecret": "<secret_3>"
  }
  ```

- `govuk/dex/prometheus`: shared OAuth secret between Dex and Alertmanager. You can generate it manually using OpenSSL; for example `openssl rand -hex 16`.

  ```json
  {
    "clientID": "<secret_1>",
    "clientSecret": "<secret_2>",
    "cookieSecret": "<secret_3>"
  }
  ```

- `govuk/fastly/api`: the Fastly exporter uses this in Kubernetes to scrape Fastly metrics. The secret gets created in the Fastly management web console, using the API key belonging to a user account which has access only to the Fastly service associated with a particular GOV.UK environment.

  ```json
  {
    "token": "<secret_1>"
  }
  ```

- `govuk/github/govuk-ci`: used by ArgoCD to access GOV.UK GitHub repositories. Created via the GitHub portal of the user `govuk-ci`.

  ```json
  {
    "token": "<secret_1>",
    "username": "govuk-ci"
  }
  ```
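The entries above are easy to get subtly wrong when the JSON is pasted into Secrets Manager by hand (a missing quote, an unquoted key, a port typed as a number), and a malformed value only shows up later when the External Secrets Operator or the consuming app fails to read it. The following script is an added example, not code from govuk-helm-charts or any other GOV.UK repository: it generates the Dex shared-secret values with `secrets.token_hex(16)` (the same 16 random bytes as 32 hex characters that `openssl rand -hex 16` produces), builds the JSON payload in the documented shape, and checks any payload against the documented key set before it is uploaded. The `SECRET_SCHEMAS` table is transcribed from this page; the `build_dex_secret`, `validate_secret_string` and `push_secret` names, and the choice of `clientID` value, are assumptions of this example. `push_secret` needs boto3 and AWS credentials and is the only part that is not runnable offline.

```python
"""Build and validate JSON secret-strings for GOV.UK platform secrets.

Added example; not part of govuk-helm-charts. Secret names and key names are
taken from the documentation page; function names are this example's own.
"""
from __future__ import annotations

import json
import re
import secrets

# Expected key set per secret, transcribed from the documentation. A value of
# None marks a secret stored as a bare string rather than a JSON object.
SECRET_SCHEMAS: dict[str, set[str] | None] = {
    "govuk/dex/github": {"clientID", "clientSecret"},
    "govuk/logit-host": {"host", "port"},
    "govuk/slack-webhook-url": {"url"},
    "govuk/alertmanager/pagerduty-routing-key": None,
    "govuk/dex/argocd": {"clientID", "clientSecret"},
    "govuk/dex/argo-workflows": {"clientID", "clientSecret"},
    "govuk/dex/grafana": {"clientID", "clientSecret"},
    "govuk/dex/alert-manager": {"clientID", "clientSecret", "cookieSecret"},
    "govuk/dex/prometheus": {"clientID", "clientSecret", "cookieSecret"},
    "govuk/fastly/api": {"token"},
    "govuk/github/govuk-ci": {"token", "username"},
}

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def generate_hex_secret() -> str:
    """Equivalent of `openssl rand -hex 16`: 16 random bytes as 32 hex chars."""
    return secrets.token_hex(16)


def build_dex_secret(name: str, client_id: str) -> str:
    """Return the JSON secret-string for a govuk/dex/* shared OAuth secret.

    client_id is the OAuth client id the consuming app is registered with in
    Dex (assumed to be chosen by the operator); clientSecret and, where the
    documented shape needs it, cookieSecret are freshly generated.
    """
    keys = SECRET_SCHEMAS.get(name)
    if keys is None or "clientSecret" not in keys:
        raise ValueError(f"{name} is not a Dex shared OAuth secret")
    payload = {"clientID": client_id, "clientSecret": generate_hex_secret()}
    if "cookieSecret" in keys:
        payload["cookieSecret"] = generate_hex_secret()
    return json.dumps(payload, indent=2)


def validate_secret_string(name: str, secret_string: str) -> list[str]:
    """Check a secret-string against the documented shape before uploading.

    Returns a list of problems; an empty list means the value is well formed.
    Catches the mistakes that are easy to make when pasting JSON by hand:
    invalid JSON, missing or unexpected keys, non-string or empty values.
    """
    if name not in SECRET_SCHEMAS:
        return [f"unknown secret name {name}"]
    keys = SECRET_SCHEMAS[name]
    if keys is None:  # bare-string secret such as the PagerDuty routing key
        return [] if secret_string.strip() else ["empty secret value"]
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(data, dict):
        return ["secret must be a JSON object"]
    problems = [f"missing key {k}" for k in sorted(keys - data.keys())]
    problems += [f"unexpected key {k}" for k in sorted(data.keys() - keys)]
    for key, value in data.items():
        if not isinstance(value, str):
            problems.append(f"{key} must be a JSON string, got {type(value).__name__}")
        elif not value.strip():
            problems.append(f"{key} is empty")
    return problems


def push_secret(name: str, secret_string: str, description: str = "") -> None:
    """Create the secret in AWS Secrets Manager after validating its shape.

    Requires boto3 and AWS credentials; the import is deferred so the rest of
    this module runs without them.
    """
    problems = validate_secret_string(name, secret_string)
    if problems:
        raise ValueError(f"refusing to upload {name}: {problems}")
    import boto3

    boto3.client("secretsmanager").create_secret(
        Name=name, SecretString=secret_string, Description=description
    )


if __name__ == "__main__":
    # Dry run: build the ArgoCD secret and show that it passes validation.
    value = build_dex_secret("govuk/dex/argocd", "argocd")
    print(value)
    print("problems:", validate_secret_string("govuk/dex/argocd", value))
```

Running the module prints a freshly generated `govuk/dex/argocd` payload and an empty problem list; feeding it the `:cookieSecret"` form that slips in when quotes are mistyped returns an "invalid JSON" problem instead of silently storing a value Dex cannot parse. Whether to rotate the generated `clientSecret` into both Dex and the consuming app is still a manual step, as the page notes.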