Providing and Updating Graph API Details in a Kubernetes Secret
The client details used to access the Graph API for sending email must be stored in a Kubernetes secret. The secret must be in the same namespace as the TIBCO Control Plane. You can use either of the following alternatives to store the details in a Kubernetes secret.
Alternative 1
Put all the client details in a JSON file and then create the secret from it.
## sample content; ensure it is valid JSON content
jq . < client-details.json
{
"tenant_id": "2391a641-26b7-4339-b3b4-529b609fbf85",
"client_id": "38442a6b-8455-4de3-80e1-42201852da16",
"private_key": "MIIEvQIBADANBgkqhkiG9w0BAQEFAA... DER format; PEM also accepted",
"x509_cert": "-----BEGIN CERTIFICATE-----\nMIIC ... PEM format; DER also accepted"
}
Create a Kubernetes secret from the JSON file:
kubectl create secret generic secrets-name --namespace <namespace> --from-file=./client-details.json
Alternative 2
Create a Kubernetes secret with explicit values.
kubectl create secret generic secrets-name --namespace <namespace> \
  --from-literal=tenant_id=2391a641-26b7-4339-b3b4-529b609fbf85 \
  --from-literal=client_id=38442a6b-8455-4de3-80e1-42201852da16 \
  --from-literal=client_secret=MyClientsSecretComesHere
Rotating Client Credentials
Use the following steps to rotate or update any client details in the Kubernetes secret:
- Update the existing secret with the new values. When you edit a secret, the values may be shown base64-encoded. In that case, you must encode your clear-text values yourself, and you must omit the trailing newline, because an encoded newline becomes part of the stored value:
echo -n secret-data | base64
- Restart the tp-cp-orchestrator deployment:
kubectl rollout restart -n <namespace> deployment/tp-cp-orchestrator
- Monitor the deployment for any errors. A wrong value for clientDetailsSecretName raises a CreateContainerConfigError. Wrong details inside the secret raise a CrashLoopBackOff, with the cause shown in the pod logs. If the secret does not exist, the deployment fails with CreateContainerConfigError.
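The rotation steps above can be scripted so that the base64 encoding (without a trailing newline) and the secret update happen in one place. The script below is an added example, not TIBCO's own tooling: it assumes the secret is named secrets-name with the literal keys of Alternative 2 (tenant_id, client_id, client_secret), uses the namespace tp-cp and the placeholder value ReplaceWithRotatedSecret as constructed sample input, and only prints the manifest when run directly, so it needs no cluster.

```shell
#!/bin/sh
# Added example (not part of the TIBCO documentation): rotate the Graph API
# client details by rebuilding the Secret manifest and restarting the
# orchestrator. Assumes the secret layout of Alternative 2.
set -eu

# Base64-encode a clear-text value without the trailing newline that a bare
# `echo` would add. printf '%s' never emits a newline; tr strips the line
# wrapping that some base64 implementations apply to long input.
b64_no_newline() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Emit a complete Secret manifest with the encoded values under `data:`.
# Applying this manifest replaces the stored values of the existing secret.
# Arguments: namespace secret-name tenant_id client_id client_secret
build_secret_manifest() {
    ns=$1; name=$2; tenant=$3; client=$4; secret=$5
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  tenant_id: $(b64_no_newline "$tenant")
  client_id: $(b64_no_newline "$client")
  client_secret: $(b64_no_newline "$secret")
EOF
}

# Apply the rotated secret, restart the orchestrator so its pods pick up the
# new values, and wait for the rollout (a CreateContainerConfigError or
# CrashLoopBackOff would make the status command fail within the timeout).
# Not invoked here because it needs a cluster.
rotate_and_restart() {
    ns=$1; name=$2; tenant=$3; client=$4; secret=$5
    build_secret_manifest "$ns" "$name" "$tenant" "$client" "$secret" \
        | kubectl apply -f -
    kubectl rollout restart -n "$ns" deployment/tp-cp-orchestrator
    kubectl rollout status -n "$ns" deployment/tp-cp-orchestrator --timeout=120s
}

# Demo: print the manifest for the IDs from the page and a constructed
# placeholder secret (namespace tp-cp is an assumption).
build_secret_manifest tp-cp secrets-name \
    2391a641-26b7-4339-b3b4-529b609fbf85 \
    38442a6b-8455-4de3-80e1-42201852da16 \
    ReplaceWithRotatedSecret
```

To perform the rotation for real, call rotate_and_restart with the same arguments after reviewing the printed manifest. If you would rather avoid the base64 step entirely, a Secret manifest may carry clear-text values under stringData instead of data; the API server encodes them on write, which removes the trailing-newline pitfall altogether.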