
Create Secrets for Installation and Deployment

The C3 Agentic AI Platform installation and deployment process requires secrets as inputs in the Helm charts to create Kubernetes resources. This topic identifies the required secrets, what those secrets are for, how to create them, and common resources for secrets management. Use these secrets as inputs to the C3 AI Helm charts if you are installing and deploying the platform for your organization.

Prerequisites

Complete the following prerequisites before creating secrets and proceeding with the platform installation and deployment process.

  • Complete the resource requirements for deploying the platform. See Non-Standard Deployment Requirements.
  • Create the following namespaces and use them during secret creation and the rest of the installation and deployment process. The platform requires the c3-opsadmin and <cluster_id> namespaces.

Create the c3-opsadmin namespace

Run the following command to create the c3-opsadmin namespace:

Command Line
kubectl create namespace c3-opsadmin

Create the <cluster_id> namespace

The <cluster_id> namespace must match your cluster name. Refer to the C3 AI Installation Guides for rules that your cluster name must follow.

Run the following command to create the <cluster_id> namespace and replace <cluster_id> with your cluster name:

Command Line
kubectl create namespace <cluster_id>

Required secrets for C3 AI Helm Charts

The following tables list required secrets, which namespace to create them in, their usage, and their application as inputs to the C3 AI Helm charts.

Create these secrets in the c3-opsadmin namespace:

| Secret name | Purpose | Where to input |
| --- | --- | --- |
| registryc3ai | Container registry authentication for pulling C3 AI images | c3aiops Helm chart |
| helm-repo-c3aiops | Helm repository authentication for accessing C3 AI Helm charts | c3aiops Helm chart |
| c3postgres-admin-secret | PostgreSQL database admin credentials | c3aiops Helm chart |

Create these secrets in the <cluster_id> namespace:

| Secret name | Purpose | Where to input |
| --- | --- | --- |
| docker-registry-secret | Container registry authentication for pulling Docker images | c3server Helm chart |
| registryc3ai | Container registry authentication for pulling C3 AI images | c3aiops Helm chart |
| tls-cert | TLS certificate for secure HTTPS connections. Create if using Nginx TLS termination | c3aiops Helm chart |

Secrets for backend functionality

The following table lists secret names and their purpose. These secrets serve backend functionality but are not required as inputs to the C3 AI Helm charts.

| Secret name | Purpose |
| --- | --- |
| <cluster_id>-c3-c3-k8spg-cs-001 | PostgreSQL connection secret for the cluster-specific database instance |
| vault-approle | Runtime data tracking |
| opensearch-admin-user | OpenSearch user authentication |
| opensearch-security-internaluser | OpenSearch internal user authentication |

Create the secrets

Here is how to create each of the required secrets.

registryc3ai

Refer to the Kubernetes documentation, kubectl create secret docker-registry, to create the registryc3ai secret in the c3-opsadmin namespace.

helm-repo-c3aiops

Add the following content to a Kubernetes secret manifest file:

YAML
apiVersion: v1
data:
  C3_REPO_URL: "helm repo url (base64 encoded)" 
  C3_HELM_USER: "helm repo username (base64 encoded)" 
  C3_HELM_PASS: "helm repo password (base64 encoded)" 
kind: Secret
metadata:
  name: "helm-repo-c3aiops" 
  namespace: c3-opsadmin
type: Opaque

Then run the following command in the command line to apply the manifest file and to create the helm-repo-c3aiops secret:

Command Line
kubectl apply -f <manifest_file> 
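
Values under data: must be the base64 of the exact credential bytes; `echo value | base64` encodes a trailing newline into the stored value. The following added example, which is not part of the C3 AI documentation, renders the manifest above from three arguments and flags newline-padded values in an existing manifest. The function names and the values passed to them are hypothetical.

```shell
# Added example: function names and sample arguments are hypothetical.

b64() {
  # Encode the exact bytes of $1: printf adds no trailing newline, and
  # tr removes the line wrapping GNU base64 applies to long values.
  printf '%s' "$1" | base64 | tr -d '\n'
}

render_helm_repo_secret() {
  # $1 = Helm repo URL, $2 = username, $3 = password
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: helm-repo-c3aiops
  namespace: c3-opsadmin
type: Opaque
data:
  C3_REPO_URL: "$(b64 "$1")"
  C3_HELM_USER: "$(b64 "$2")"
  C3_HELM_PASS: "$(b64 "$3")"
EOF
}

find_newline_padded_values() {
  # Reads a Secret manifest on stdin and prints each upper-case data key
  # whose decoded value ends in LF or CR, as `echo value | base64` produces.
  sed -n 's|^  \([A-Z0-9_]\{1,\}\): "\{0,1\}\([A-Za-z0-9+/=]*\)"\{0,1\} *$|\1 \2|p' |
  while read -r key val; do
    last=$(printf '%s' "$val" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case $last in 0a|0d) printf '%s\n' "$key" ;; esac
  done
}

# Usage: render_helm_repo_secret "$URL" "$USER" "$PASS" | kubectl apply -f -
```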

c3postgres-admin-secret

Run the following command in the command line to create the c3postgres-admin-secret secret. Replace <pg_password>, <pg_username>, and <pg_endpoint> with your Postgres password, username, and endpoint from your cloud provider:

Command Line
# Replace <pg_password>, <pg_username>, and <pg_endpoint>
kubectl -n c3-opsadmin create secret generic c3postgres-admin-secret \
  --from-literal=connection-string="postgresql://<pg_username>:<pg_password>@<pg_endpoint>:5432/postgres?sslmode=disable" \
  --from-literal=postgres-admin-password="<pg_password>" \
  --from-literal=postgres-admin-username="<pg_username>" \
  --from-literal=postgres-db-endpoint="<pg_endpoint>" \
  --from-literal=postgres-db-port="5432"

docker-registry-secret

Refer to the Kubernetes documentation, kubectl create secret docker-registry, to create the docker-registry-secret secret in the <cluster_id> namespace.

tls-cert

If your deployment will use Nginx TLS termination, run the following command in the command line to create the <cluster_id>/tls-cert secret:

Command Line
kubectl create secret tls tls-cert --cert=path/to/cert/file --key=path/to/key/file -n <cluster_id> 

<cluster_id>-c3-c3-k8spg-cs-001

Run the following command in the command line to create the <cluster_id>-c3-c3-k8spg-cs-001 secret. Replace <cluster_id> with your cluster name, and replace <pg_password>, <pg_username>, and <pg_endpoint> with your Postgres password, username, and endpoint from your cloud provider:

Command Line
# Replace <cluster_id>, <pg_password>, <pg_username>, and <pg_endpoint>
kubectl -n <cluster_id> create secret generic <cluster_id>-c3-c3-k8spg-cs-001 \
  --from-literal=connection-string="postgresql://<pg_username>:<pg_password>@<pg_endpoint>:5432/postgres?sslmode=disable" \
  --from-literal=postgres-admin-password="<pg_password>" \
  --from-literal=postgres-admin-username="<pg_username>" \
  --from-literal=postgres-db-endpoint="<pg_endpoint>" \
  --from-literal=postgres-db-port="5432"
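
Both PostgreSQL secrets on this page (c3postgres-admin-secret and <cluster_id>-c3-c3-k8spg-cs-001) place the credentials inside a URI, so a password containing @, : or / has to be percent-encoded, and a --from-literal value typed interactively stays in shell history. The following added example, which is not part of the C3 AI documentation, builds the same five keys from files instead. The function names and the password-on-stdin convention are assumptions, and sslmode defaults to the page's value, disable.

```shell
# Added example: function names and the stdin convention are assumptions.

urlencode() (
  # Percent-encode every byte outside the RFC 3986 unreserved set.
  # Assumes ASCII input; the subshell body keeps variables local.
  LC_ALL=C
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}          # everything after the first character
    c=${s%"$rest"}       # the first character itself
    case $c in
      [a-zA-Z0-9.~_-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

pg_conn_string() {
  # $1 user, $2 password, $3 endpoint, $4 sslmode. The default is the page's
  # value, disable, which turns TLS off for the database connection.
  printf 'postgresql://%s:%s@%s:5432/postgres?sslmode=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$3" "${4:-disable}"
}

create_pg_secret() (
  # $1 namespace, $2 secret name, $3 user, $4 endpoint; password on stdin.
  ns=$1 name=$2 user=$3 endpoint=$4
  IFS= read -r pass || [ -n "$pass" ] || exit 1
  umask 077                       # key files readable by this user only
  dir=$(mktemp -d) || exit 1
  pg_conn_string "$user" "$pass" "$endpoint" > "$dir/connection-string"
  printf '%s' "$pass" > "$dir/postgres-admin-password"
  printf '%s' "$user" > "$dir/postgres-admin-username"
  printf '%s' "$endpoint" > "$dir/postgres-db-endpoint"
  printf '5432' > "$dir/postgres-db-port"
  # With a directory, kubectl creates one key per file, named after the file.
  rc=0
  kubectl -n "$ns" create secret generic "$name" --from-file="$dir" || rc=$?
  rm -rf "$dir"
  exit "$rc"
)

# Usage: printf '%s\n' "$PG_PASSWORD" | \
#   create_pg_secret c3-opsadmin c3postgres-admin-secret <pg_username> <pg_endpoint>
```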

vault-approle

Run the following command in the command line to create the vault-approle secret:

Command Line
kubectl create secret generic vault-approle \
  --from-literal=address="https://vault.c3iot.io/" \
  --from-literal=path="$YOUR_CLUSTER_NAME" \
  --from-file=role-id=./role_id.txt \
  --from-file=secret-id=./secret_id.txt \
  -n c3-opsadmin

opensearch-security-internaluser and opensearch-admin-user

The default roles in OpenSearch provide varied access to OpenSearch data for the platform. See Predefined roles in the OpenSearch documentation to learn more about OpenSearch roles.

Map these default roles to the secret name, opensearch-security-internaluser. See Mapping users to roles in the OpenSearch documentation.

Manage secrets

Manage these secrets according to your organization's needs. You can use popular secrets management tools such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.

Refer to your secret management tool documentation to learn how to manage secrets.

Next step

After you create the required secrets, deploy the C3 AI Helm charts. See C3 AI Helm Chart Overview and Installation.
