layout-3 layout-6 layout-1 layout-top
layout-top layout-6 layout-1

Credentials and Secrets Configuration

Credentials and Secrets Configuration

Overview

The DPS server requires various secrets for secure operations, including database credentials, authentication details, and BMC credentials depending on the configured store.

Secrets

The following outlines the key secret types and their requirements:

Database Secrets

Database Credentials: Essential for the PostgreSQL database connection. These are always file-mounted in the DPS server filesystem.

The DPS server looks for database credentials using the following process:

Username:

  • Read from --db-user command line parameter, or
  • Read from DB_USERNAME environment variable, or
  • Defaults to “dps” if neither is set

Password:

  • Read from file: <DB_SECRET_MOUNT_PATH>/postgres/password
  • If file reading fails, falls back to credentials store (if configured)

File Structure:

<DB_SECRET_MOUNT_PATH>/postgres/
└── password    # Database password (required)

Example of the Password File Contents:

# /home/nonroot/secrets/postgres/password
your-secure-password

The database credentials can be configured using command line parameters or environment variables.

Command Line Parameters

dps-server \
  --db-host="localhost" \
  --db-port=5432 \
  --db-name="dps" \
  --db-user="dps" \
  --db-password="your-password" \
  --db-ssl-mode="disable" \
  --db-secret-mount-path="/home/nonroot/secrets"

Environment Variables

export DB_HOST="localhost"
export DB_PORT=5432
export DB_NAME="dps"
export DB_USERNAME="dps"
export DB_PASSWORD="your-password"
export DB_SSLMODE="disable"
export DB_SECRET_MOUNT_PATH="/home/nonroot/secrets"
dps-server

Helm Chart Configuration

global:
  postgresql:
    auth:
      database: "dps"
      username: "dps"
      password: "your-db-password"
      postgresPassword: ""
    host: ""
    service:
      ports:
        postgresql: "5432"
    sslMode: "disable"
dps:
  dbSecretsMountPath: "/home/nonroot/secrets"
  extraVolumeMounts:
    - name: db-secret
      mountPath: "/home/nonroot/secrets/postgres"
      readOnly: true
  extraVolumes:
    - name: db-secret
      secret:
        secretName: "dps-db-secret"
        items:
          - key: "password"
            path: "password"
            mode: 0400

Kubernetes Secret Example:

apiVersion: v1
kind: Secret
metadata:
  name: dps-db-secret
type: Opaque
data:
  password: <base64-encoded-password>

LDAP Credentials

LDAP Credentials: Required if LDAP authentication is enabled. These include the bind DN, bind password, and TLS certificates for secure LDAP communication. LDAP configuration allows DPS to authenticate users against an external directory service.

Command Line Parameters

dps-server \
  --ldap-enabled=true \
  --ldap-server-url="ldaps://openldap.dps.svc.cluster.local:636" \
  --ldap-bind-dn="cn=root,dc=cm,dc=cluster" \
  --ldap-bind-password="root" \
  --ldap-default-role="admin" \
  --ldap-tls-ca-cert="/home/nonroot/secrets/dps-openldap/ca.crt" \
  --ldap-tls-client-cert="/home/nonroot/secrets/dps-openldap/client.crt" \
  --ldap-tls-client-key="/home/nonroot/secrets/dps-openldap/client.key"

Environment Variables

export LDAP_ENABLED=true
export LDAP_SERVER_URL="ldaps://openldap.dps.svc.cluster.local:636"
export LDAP_BIND_DN="cn=root,dc=cm,dc=cluster"
export LDAP_BIND_PASSWORD="root"
export LDAP_DEFAULT_ROLE="admin"
export LDAP_TLS_CA_CERT="/home/nonroot/secrets/dps-openldap/ca.crt"
export LDAP_TLS_CLIENT_CERT="/home/nonroot/secrets/dps-openldap/client.crt"
export LDAP_TLS_CLIENT_KEY="/home/nonroot/secrets/dps-openldap/client.key"
dps-server

Helm Chart Configuration

dps:
  ldap:
    enabled: true
    serverUrl: "ldaps://openldap.dps.svc.cluster.local:636"
    bindDn: "cn=root,dc=cm,dc=cluster"
    bindPassword: "root"
    defaultRole: "admin"
    groupRoleMapping: ""
    certSource: "file"
    tlsCaCert: "/home/nonroot/secrets/dps-openldap/ca.crt"
    tlsClientCert: "/home/nonroot/secrets/dps-openldap/client.crt"
    tlsClientKey: "/home/nonroot/secrets/dps-openldap/client.key"
  extraVolumeMounts:
    - name: ldap-certs
      mountPath: "/home/nonroot/secrets/dps-openldap"
      readOnly: true
  extraVolumes:
    - name: ldap-certs
      secret:
        secretName: "dps-ldap-certs"
        items:
          - key: "ca.crt"
            path: "ca.crt"
            mode: 0444
          - key: "client.crt"
            path: "client.crt"
            mode: 0444
          - key: "client.key"
            path: "client.key"
            mode: 0400

Kubernetes Secret Example:

apiVersion: v1
kind: Secret
metadata:
  name: dps-ldap-certs
type: Opaque
data:
  ca.crt: <base64-encoded-ca-cert>
  client.crt: <base64-encoded-client-cert>
  client.key: <base64-encoded-client-key>

BMC Redfish API Credentials

The DPS server requires BMC API credentials for each node that will be managed by the DPS and included in the topology. The DPS server supports various credential stores.

The credentials store is responsible for reading BMC Redfish API credentials from a source of secrets. It can be configured to use BCM, Kubernetes secrets, file-mounted options, or other supported types like vault (not implemented).

Credentials Store Types

  • bcm: The Base Cluster Manager (BCM) is NVIDIA’s cluster management solution that provides centralized management of datacenter resources, including secure storage and retrieval of BMC (Baseboard Management Controller) credentials for Redfish API access. This store uses the BCM API to fetch credentials. Requires BCM version 11. Use this store when your infrastructure is managed by BCM to enable seamless integration and centralized credential management.
  • k8sSecret: Use in Kubernetes environments for native secret management. Supports in-cluster and cross-namespace access.
  • file: Use for secrets stored as files. You can mount these files into a pod or place them directly on the filesystem. Works with static credentials that don’t change often. Can be used in both Kubernetes and bare-metal environments.

Choose based on your environment: BCM for managed clusters, Kubernetes secrets for cloud-native, file for simple file-based setups.

Credentials Store Configuration

Setting the Credentials Store Type

The Credentials Store Type can be configured using the --bmc-credentials-store parameter or by setting the BMC_CREDENTIALS_STORE environment variable. This configuration accepts the following values:

  • bcm
  • k8sSecret
  • file

Default Configuration:

  • If no credentials store type is specified, DPS server defaults to k8sSecret
  • This means BMC Redfish API credentials will be fetched from Kubernetes secrets using the native Kubernetes API
  • The server will attempt to retrieve BMC credentials from Kubernetes secrets in the same namespace
  • If no BMC credentials are found in Kubernetes secrets, BMC Redfish API operations will not be available

Below you can find detailed configuration examples for each credentials store type.

Credentials Store Options
BCM Store
# Environment Variables Example
BMC_CREDENTIALS_STORE=bcm
BCM_BASE_URL="https://master.dps.svc.cluster.local:8443"
BCM_USERNAME="root"
BCM_PASSWORD="nvidia123"
# Command Line Example
dps-server \
  --bmc-credentials-store=bcm \
  --bcm-base-url="https://master.dps.svc.cluster.local:8443" \
  --bcm-username="root" \
  --bcm-password="nvidia123"
# Helm Example
dps:
  credentialsStore: "bcm"
  bcm:
    baseURL: "https://master.dps.svc.cluster.local:8443"
    auth:
      basic:
        username: "root"
        passwordSecret:
          name: "bcm-auth"
          key: "password"
          value: "nvidia123"
      cert:
        clientCertPath: "/home/nonroot/secrets/bcm/client.cert"
        clientKeyPath: "/home/nonroot/secrets/bcm/client.key"
        caCertPath: "/home/nonroot/secrets/bcm/ca.cert"
  extraVolumeMounts:
    - name: bcm-certs
      mountPath: "/home/nonroot/secrets/bcm"
      readOnly: true
  extraVolumes:
    - name: bcm-certs
      secret:
        secretName: "dps-bcm-certs"
        items:
          - key: "client.cert"
            path: "client.cert"
            mode: 0444
          - key: "client.key"
            path: "client.key"
            mode: 0400
          - key: "ca.cert"
            path: "ca.cert"
            mode: 0444

Kubernetes Secret Example:

apiVersion: v1
kind: Secret
metadata:
  name: dps-bcm-certs
type: Opaque
data:
  client.cert: <base64-encoded-client-cert>
  client.key: <base64-encoded-client-key>
  ca.cert: <base64-encoded-ca-cert>

Configuration Parameters:

  • BMC_CREDENTIALS_STORE: Set to “bcm”
  • BCM_BASE_URL: BCM server headnode API URL (required)
  • BCM_USERNAME: Username for basic authentication (optional if using cert auth)
  • BCM_PASSWORD: Password for basic authentication (optional if using cert auth)
  • BCM_CLIENT_CERT: Path to client certificate (optional if using basic auth)
  • BCM_CLIENT_KEY: Path to client key (optional if using basic auth)
  • BCM_CA_CERT: Path to CA certificate (optional)
Kubernetes Secret Store
# Environment Variables Example
BMC_CREDENTIALS_STORE=k8sSecret
# No additional parameters needed - secrets configured in cluster
# Command Line Example
dps-server --bmc-credentials-store=k8sSecret
# Helm Example
dps:
  credentialsStore: "k8sSecret"

Configuration Parameters:

  • BMC_CREDENTIALS_STORE: Set to “k8sSecret”
  • No additional parameters required - secrets are fetched from Kubernetes API
File Store

The File Store reads BMC credentials from a specific filesystem structure. When you set SECRET_MOUNT_PATH="/secrets", the store expects the following directory structure:

/secrets/
└── baremetal/
    ├── node1/
    │   └── bmc
    └── node2/
        └── bmc

Where:

  • node1, node2 are the hostnames of your BMC nodes
  • bmc is a file containing Redfish API credentials in JSON or YAML format

Deployment Options:

  • Kubernetes: Mount secrets as volumes using Helm (recommended for containerized deployments)
  • Bare Metal: Create directory structure directly on filesystem (for non-containerized deployments)

Example of the bmc file content:

{
  "username": "admin",
  "password": "your-secure-password"
}

Or in YAML format:

username: admin
password: your-secure-password
# Environment Variables Example
BMC_CREDENTIALS_STORE=file
SECRET_MOUNT_PATH="/secrets"
# Command Line Example
dps-server \
  --bmc-credentials-store=file \
  --secret-mount-path="/secrets"
# Helm Example
dps:
  credentialsStore: "file"
  dbSecretsMountPath: "/secrets"
  extraVolumeMounts:
    - name: bmc-credentials-node1
      mountPath: "/secrets/baremetal/node1"
      readOnly: true
    - name: bmc-credentials-node2
      mountPath: "/secrets/baremetal/node2"
      readOnly: true
  extraVolumes:
    - name: bmc-credentials-node1
      secret:
        secretName: "redfish-node1"
        items:
          - key: "bmc"
            path: "bmc"
            mode: 0400
    - name: bmc-credentials-node2
      secret:
        secretName: "redfish-node2"
        items:
          - key: "bmc"
            path: "bmc"
            mode: 0400

Kubernetes Secret Examples:

apiVersion: v1
kind: Secret
metadata:
  name: redfish-node1
type: Opaque
data:
  bmc: <base64-encoded-bmc-credentials>

---
apiVersion: v1
kind: Secret
metadata:
  name: redfish-node2
type: Opaque
data:
  bmc: <base64-encoded-bmc-credentials>

Configuration Parameters:

  • BMC_CREDENTIALS_STORE: Set to “file”
  • SECRET_MOUNT_PATH: Base directory where secrets are mounted (required)

Best Practices

  • Use Kubernetes Secrets for sensitive data.
  • Set dps.tls.insecureSkipVerify: false for production.
  • Regularly rotate secrets.

For more details, refer to the [Helm values](../../../../helm/dps/values.yaml) and source code.

    Copyright © 2025  NVIDIA Corporation