Skip to content

Changing Configuration Settings

Configuration settings for Intel SecL-DC services can be changed by applying updates to a configmap and executing an appropriate service setup task.

Changing Service Configurations Using Configmaps

Edit the configmap of respective service to be reconfigured:

kubectl edit cm cms -n isecl
Add or Update all the variables required for setup tasks refer here for more details

Set the SETUP_TASK variable in the service configmap with one or more setup task names

SETUP_TASK: "download-ca-cert,download-tls-cert"

Some of the sensitive variables such as credentials, db credentials, tpm-owner-secret must be updated in Kubernetes secrets:

kubectl get secret -n <namespace> <secret-name> -o json | jq --arg val "$(echo <value> > | base64)" '.data["<variable-name>"]=$val' | kubectl apply -f -

For example, updating the AAS_ADMIN_USERNAME in aas-credentials:

kubectl get secret -n isecl aas-credentials -o json | jq --arg val "$(echo aaspassword | base64)" '.data["AAS_ADMIN_USERNAME"]=$val' | kubectl apply -f -

Restart the service by deleting the pod. The Kubernetes deployment will automatically launch a new pod, which will reflect the updated settings.

kubectl delete pod -n <namespace> <podname>

Reset the configmap by removing SETUP_TASK variable:

kubectl patch configmap -n <namespace> <configmap name> --type=json -p='[{"op": "remove", "path": "/data/SETUP_TASK"}]'

For example, to clear the SETUP_TASK variable in the CMS configmap:

kubectl patch configmap -n isecl cms --type=json -p='[{"op": "remove", "path": "/data/SETUP_TASK"}]'

For setup tasks which requires BEARER_TOKEN variable. One must need to update the -bearer-token secret. Here are the steps. 1. Check for the bearer-token secret availaibility for service for which setup task needs to be run, by executing kubectl get secrets -n <namespace> 2. Delete already available bearer token secret. kubectl delete secret <service-name>-bearer-token -n <namespace> e.g for hvs kubectl delete secret hvs-bearer-token -n <namespace>
3. Generate token using service specific install credentials via REST API.The service specific credentials could be found in values.yaml under each service section, used along with helm install command. 4. export BEARER_TOKEN=<token created with step 3> 5. kubectl create secret generic <name> -n <namespace> --from-literal=BEARER_TOKEN=$BEARER_TOKEN e.g for hvs: kubectl create secret generic hvs-bearer-token -n <namespace> --from-literal=BEARER_TOKEN=$BEARER_TOKEN

Available setup tasks and configuration variable names are provided in later sections.

Manually Editing Persistent Storage

Configuration settings can also be changed by editing the service config.yml file in the persistent storage volume for that service.

For example, if using the provided sample folder structure from the setup-nfs.sh script, the CMS configuration will be stored in /mnt/nfs_share/isecl/cms/config/config.yml.

After making any desired configuration changes, delete the pod for that service to make the changes take effect.