Authentication & Security

Configure API keys, secrets management, TLS settings, and pod security policies.

This page covers Helm values for authentication, secrets management, and security configuration.

API Key

Variable: apiKey or secretApiKey

Description: The apiKey is a plaintext key used to access the Pipeline configuration in Edge Delta. The secretApiKey settings are used to alter the Kubernetes Secret name and key. To provide a Pipeline ID to the agents, use either the apiKey or a Kubernetes Secret, but not both. By default, ed-api-key is the secret’s name and key.

Note: Passing in a secret in plain text using apiKey is not recommended for production due to security concerns. See an example of using a secrets management tool.

Example: This command creates a Kubernetes secret in the edgedelta namespace, with ed-api-key as the secret’s name and key, and 12345678987654321 as the secret’s value.

helm upgrade edgedelta edgedelta/edgedelta -i --version v1.17.0 --set secretApiKey.value=12345678987654321 -n edgedelta --create-namespace

You can run this command to retrieve the secret value:

kubectl get secret -n edgedelta ed-api-key -o jsonpath="{.data['ed-api-key']}" | base64 --decode

Secret API Key - Name

Variable: secretApiKey.name

Description: The name to use for the Kubernetes secret object when the secretApiKey.value is passed in.

Example: secretApiKey.name='ed-api-key'

Secret API Key - Key

Variable: secretApiKey.key

Description: The reference to use to create the key part of a key/value pair stored in a Kubernetes secret when the secretApiKey.value is passed in.

Example: secretApiKey.key='ed-api-key, username, password'

Secret API Key - Value

Variable: secretApiKey.value

Description: The value part of a key/value pair that is saved in a Kubernetes secret. Passing in this parameter saves it in the secret rather than the values file, and it uses the name and key specified by secretApiKey.name and secretApiKey.key. Use either apiKey or secretApiKey.value, not both, to provide an ID to the pipeline.

Example: secretApiKey.value='1a2b3c4d5e6f7g8h9i'

Edge Delta Skip TLS Verify

Variable: edSkipTlsVerify

Description: Ignore SSL/TLS certificate errors when providing a client certificate and key directly. This can be useful in environments where self-signed certificates are used or where certificate verification may fail for other reasons.

Example:

--set edSkipTlsVerify=true

Pod-Security / SCC (OpenShift & hardened clusters)

Configure pod security policies, Security Context Constraints (SCC) for OpenShift, SELinux labels, and AppArmor profiles for hardened Kubernetes environments.

| Variable | Default | Description |
|---|---|---|
| podSecurity.securityContextConstraints.create | false | When true, the chart creates an OpenShift SCC or equivalent PodSecurityPolicy so Edge Delta agents can run. |
| podSecurity.privileged | false | Grants privileged: true to containers; required for eBPF traffic-tracer or when host-network access is needed. |
| podSecurity.seLinuxContext.* | | Defines SELinux labels; OpenShift expects spc_t for privileged workloads. |
| podSecurity.apparmor.enabled / profile | false / unconfined | Enable AppArmor and select a profile (Ubuntu, AWS Bottlerocket, etc.). |

Typical values file:

podSecurity:
  securityContextConstraints:
    create: true           # generate SCC/PSP
  privileged: true         # container runs privileged (required by eBPF)
  seLinuxContext:
    type: MustRunAs
    seLinuxOptions:
      type: spc_t          # OpenShift privileged profile
  apparmor:
    enabled: true
    profile: runtime/default

Inline:

--set podSecurity.securityContextConstraints.create=true \
--set podSecurity.privileged=true
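
Review check (added example, not part of the Edge Delta chart or its documentation): the Python script below audits a release's user-supplied values, in the JSON shape produced by helm get values edgedelta -n edgedelta -o json, against the settings this page describes. The rule names, helper functions and sample values are constructed for illustration; the defaults it assumes are the ones listed in the table above.

```python
import json

# Constructed sample, shaped like `helm get values <release> -o json` output.
SAMPLE_VALUES = json.loads("""{
  "apiKey": "12345678987654321",
  "secretApiKey": {"value": "12345678987654321"},
  "edSkipTlsVerify": true,
  "podSecurity": {"privileged": true, "apparmor": {"enabled": true}}
}""")

def get_path(values, dotted, default=None):
    """Walk a nested dict using a Helm-style dotted path (e.g. 'a.b.c')."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def is_true(value):
    # --set yields a JSON boolean, --set-string yields the string "true".
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")

def audit_values(values):
    """Return (rule_id, message) findings for the settings covered on this page."""
    findings = []
    api_key = get_path(values, "apiKey")
    secret_value = get_path(values, "secretApiKey.value")
    if api_key:
        findings.append(("plaintext-api-key",
                         "apiKey is passed in plain text; not recommended for production"))
    if api_key and secret_value:
        findings.append(("both-key-sources",
                         "use either apiKey or secretApiKey.value, not both"))
    if is_true(get_path(values, "edSkipTlsVerify")):
        findings.append(("tls-verify-disabled",
                         "edSkipTlsVerify=true ignores TLS certificate errors"))
    if is_true(get_path(values, "podSecurity.privileged")):
        findings.append(("privileged",
                         "containers run privileged; confirm eBPF or host-network need"))
    # Per the table above, the profile defaults to "unconfined" when not set.
    profile = get_path(values, "podSecurity.apparmor.profile", "unconfined")
    if is_true(get_path(values, "podSecurity.apparmor.enabled")) and profile == "unconfined":
        findings.append(("apparmor-unconfined",
                         "AppArmor is enabled but the profile is unconfined"))
    return findings

if __name__ == "__main__":
    for rule, message in audit_values(SAMPLE_VALUES):
        print(f"{rule}: {message}")
```
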