# Inventory of Credentials in the DITP Environments
### Traction
- `bc0192-Traction`
  - `dev`
  - `test`
  - `prod`
| Secret Name | Rotatable Keys | Type | Instances | Notes |
|-------------|----------------|------|-----------|-------|
| traction-database-pguser-acapy | password | pg user credentials | crunchy postgres cluster | |
| traction-database-pguser-pgadmin | password | pg user credentials | crunchy postgres cluster | |
| traction-database-pguser-walletman | password | pg user credentials | crunchy postgres cluster | |
| traction-database-pgbouncer | pgbouncer-password | pgbouncer credentials | crunchy postgres cluster | |
| traction-database-acapy | acapy-password, walletman-password | pg user credentials | traction acapy pods | |
| traction-database-pgbackrest | pgbackrest cert/keys | | crunchy HA pods | potentially rotate the pgbackrest certs/keys |
| traction-database-replication-cert | ca.crt, tls.crt, tls.key | pg replication cert/key | | |
| traction-database-ha-\*-certs | pgbackrest-server.crt, pgbackrest-server.key | | crunchy HA pods | potentially rotate pgbackrest stuff |
| traction-acapy-api | | acapy api keys | traction tenant ui | potentially adminApiKey, webhookapi |
| traction-acapy-plugin-innkeeper | | acapy innkeeper key | traction acapy, tenant ui | potentially walletkey |
| traction-acapy-walletkey | walletKey | acapy wallet key | traction acapy | |
### VC-AuthN-OIDC
- `e79518-Digital Trust Services Trust Over IP`
  - `dev`
  - `test`
  - `prod`
| Secret Name | Rotatable Keys | Type | Instances | Notes |
|-------------|----------------|------|-----------|-------|
| vc-authn-oidc-agent | | | vc-authn-oidc-agent pods | |
| vc-authn-controller | | controller key | vc-authn pods | potentially controller-api-key |
| vc-authn-database | admin-password, database-password | pg credential | vc-authn, vc-authn pg pods | |
| vc-authn-oidc-acapy-secret | | agent keys | vc-authn-oidc-agent pods | potentially adminApiKey, walletKey |
| vc-authn-oidc-api-key | | controller key | vc-authn-oidc pods | potentially controllerApiKey |
| vc-authn-oidc-mongodb | mongodb-passwords, mongodb-replica-set-key, mongodb-root-password | mongo credentials | vc-authn-oidc pods, vc-authn mongodb pods | |
| vc-authn-oidc-postgresql | admin-password, database-password | pg credentials | vc-authn agent pods, vc-authn pg pods | |
### Endorser Service
Instances (`4a9599-Digital Trust Shared Service`):
- `dev`
  - CANdy-Dev
  - BCovrin Dev - Deprecated
- `test`
  - CANdy-Test
  - Sovrin TestNet
  - BCovrin Test
- `prod`
  - CANdy-Prod
  - Sovrin MainNet
  - BCovrin Prod - Deprecated
Each application instance will have its own set of secrets. The table below lists the secrets for the application in general.
Note: secrets for backup containers are not listed here. See the Backup Containers section.
| Secret Name | Key | Type | Instances | Notes |
| --------------------------------------- | ----------------- | ------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| aries-endorser-agent | admin-api-key | API Key | ACA-Py Agent | Used by controllers, sometimes external, to authenticate with the Admin API. In the case of an endorser service the controller is the internal endorser API. |
| aries-endorser-agent | webhook-url | API Key | ACA-Py Agent | Only the API key portion of the webhook URL is rotatable. This is used by ACA-Py to authenticate with its associated, sometimes external, controller's webhook endpoint. In the case of an endorser service the controller is the internal endorser API. |
| aries-endorser-agent-wallet-credentials | DID | DID | ACA-Py Agent | NOT Rotatable |
| aries-endorser-agent-wallet-credentials | key | Wallet Key | ACA-Py Agent | The wallet encryption key. The process to rotate wallet keys can be complicated. |
| aries-endorser-agent-wallet-credentials | seed | Wallet Seed | ACA-Py Agent | The DID's seed. The seed itself cannot be rotated (confirm this), however the keys associated to a DID can be rotated. The process to rotate a DID's keys can be complicated. |
| aries-endorser-api | admin-api-key | API Key | Endorser API | Used by controllers, possibly external, to authenticate with the endorser API. |
| aries-endorser-api | webhook-api-key | API Key | Endorser API | Used by the associated ACA-Py instance to authenticate with the endorser's webhook endpoint. |
| aries-endorser-db | admin-password | password | Endorser DB | The admin password for the database instance. |
| aries-endorser-db | admin-user | username | Endorser DB | The admin username for the database instance. |
| aries-endorser-db | database-name | database name | Endorser DB | NOT Rotatable |
| aries-endorser-db | database-password | password | Endorser DB | The password associated to the `database-user` account. |
| aries-endorser-db | database-user | username | Endorser DB | The username of the account used by the application for database access. |
| aries-endorser-wallet | admin-password | password | ACA-Py Wallet Database | The admin password for the wallet's database instance. |
| aries-endorser-wallet | database-name | database name | ACA-Py Wallet Database | NOT Rotatable |
| aries-endorser-wallet | database-password | password | ACA-Py Wallet Database | The password associated to the `database-user` account. |
| aries-endorser-wallet | database-user | username | ACA-Py Wallet Database | The username of the account used by the application for wallet database access. |
### Mediator Service
Instances (`4a9599-Digital Trust Shared Service`):
- `dev`
- `test`
- `prod`
Each application instance will have its own set of secrets. The table below lists the secrets for the application in general.
Note: secrets for backup containers are not listed here. See the Backup Containers section.
| Secret Name | Key | Type | Instances | Notes |
| ------------------------------------ | ------------------ | ----------- | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| aries-mediator-agent | key | Wallet Key | ACA-Py Agent | The wallet encryption key. The process to rotate wallet keys can be complicated. |
| aries-mediator-agent | seed | Wallet Seed | ACA-Py Agent | The seed for the agent's DID. The seed itself cannot be rotated (confirm this), however the keys associated to a DID can be rotated. The process to rotate a DID's keys can be complicated. |
| aries-mediator-agent-api | webhook-api-key | API Key | - | The mediator does not have an API. This secret is an artifact of a previous implementation and should be removed. |
| aries-mediator-agent-firebase-plugin | notification-body | text | firebase plugin | Not sensitive information |
| aries-mediator-agent-firebase-plugin | notification-title | text | firebase plugin | Not sensitive information |
| aries-mediator-agent-firebase-plugin | project-id | account id | firebase plugin | NOT Rotatable |
| aries-mediator-agent-firebase-plugin | service-account | various | firebase plugin | Contains various credentials and keys. If/How these can be rotated needs to be determined. |
| aries-mediator-db | admin-password | password | ACA-Py Wallet Database | The admin password for the wallet's database instance. |
| aries-mediator-db | database-password | password | ACA-Py Wallet Database | The password associated to the `database-user` account. |
| aries-mediator-db | database-user | username | ACA-Py Wallet Database | The username of the account used by the application for wallet database access. |
### Redis Clusters
Instances (`4a9599-Digital Trust Shared Service`):
- `dev`
- `test`
- `prod`
Instances (`e79518-Digital Trust Services Trust Over IP`):
- `dev`
- `test`
- `prod`
| Secret Name | Key | Type | Instances | Notes |
| ------------ | ----------------- | --------------------- | ------------------- | ------------------------------------------------------------------------------------------------------------------ |
| redis-shared | clustermode | string | Redis Cluster Nodes | Not sensitive information |
| redis-shared | connection-string | username and password | Redis Cluster Nodes | The connection string contains a username and password used by clients to connect to the redis cluster. |
| redis-shared | password | password | Redis Cluster Nodes | The password used for the `default` user account. This is contained in both `connection-string` and `redis.conf`. |
| redis-shared | redis.conf | username and password | Redis Cluster Nodes | Contains username and passwords for the redis cluster. |
### Allure
Instances (`4a9599-Digital Trust Shared Service`):
- `prod`
  - AATH
  - AMTH
Each application instance will have its own set of secrets. The table below lists the secrets for the application in general.
| Secret Name | Key | Type | Instances | Notes |
| -------------- | --------------- | -------- | -------------- | ------------------------------------ |
| allure-service | username | username | allure-service | The username for the admin account. |
| allure-service | password | password | allure-service | The password for the admin account. |
| allure-service | public-username | username | allure-service | The username for the public account. |
| allure-service | public-password | password | allure-service | The password for the public account. |
### Issuer Kit Instances
Issuer kit instances utilizing the admin interfaces (those that are protected) are integrated with a KeyCloak instance where user roles and access are defined.
Each application instance will have its own set of secrets. The table below lists the secrets for the application in general.
Depending on the issuer kit features utilized by a particular instance, the instance may only utilize a subset of the listed secrets.
In several cases issuer kit instances are using a shared database instance.
Instances (`a99fd4-Digital Trust Demo Apps`):
- `dev`
  - Revocable Open VP (Unverified Person Credential Issuer)
  - Open VP CANdy (Unverified Person Credential Issuer)
  - A2A (Fake LSBC Credential Issuer)
  - BC VC Pilot (BC VC Invitation Credential Issuer)
- `test`
  - Revocable Open VP (Unverified Person Credential Issuer)
  - Open VP CANdy (Unverified Person Credential Issuer)
  - A2A (Fake LSBC Credential Issuer)
  - BC VC Pilot (BC VC Invitation Credential Issuer)
- `prod`
  - Revocable Open VP (Unverified Person Credential Issuer)
  - Open VP CANdy (Unverified Person Credential Issuer)
  - BC VC Pilot (BC VC Invitation Credential Issuer)
| Secret Name | Key | Type | Instances | Notes |
| ------------------------ | -------------- | ------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| agent | admin-api-key | API Key | Issuer Kit ACA-Py Agent | Used by controllers, sometimes external, to authenticate with the Admin API. |
| agent | webhook-url | API Key | Issuer Kit ACA-Py Agent | Only the API key portion of the webhook URL is rotatable. This is used by ACA-Py to authenticate with its associated, sometimes external, controller's webhook endpoint. |
| agent-wallet-credentials | DID | DID | Issuer Kit ACA-Py Agent | NOT Rotatable |
| agent-wallet-credentials | key | Wallet Key | Issuer Kit ACA-Py Agent | The wallet encryption key. The process to rotate wallet keys can be complicated. |
| agent-wallet-credentials | seed | Wallet Seed | Issuer Kit ACA-Py Agent | The DID's seed. The seed itself cannot be rotated (confirm this), however the keys associated to a DID can be rotated. The process to rotate a DID's keys can be complicated. |
| api | admin-email | email address | Issuer Kit API | NOT Rotatable |
| api | invite-subject | text | Issuer Kit API | Not sensitive |
| api | smtp-host | fqdn | Issuer Kit API | NOT Rotatable |
| api | smtp-port | port number | Issuer Kit API | NOT Rotatable |
| issuer-kit-db | admin-password | password | Endorser DB | The admin password for the database instance. |
| issuer-kit-db | database-password | password | Endorser DB | The password associated to the `database-user` account. |
| issuer-kit-db | database-user | username | Endorser DB | The username of the account used by the application for database access. |
| issuer-kit-wallet | admin-password | password | ACA-Py Wallet Database | The admin password for the wallet's database instance. |
| issuer-kit-wallet | database-password | password | ACA-Py Wallet Database | The password associated to the `database-user` account. |
| issuer-kit-wallet | database-user | username | ACA-Py Wallet Database | The username of the account used by the application for wallet database access. |
Instances (`e79518-Digital Trust Services Trust Over IP`):
- `dev`
  - BC Reg (Forget what this is for) - Unused?
  - IDIM (BC Person Credential Issuer)
  - IDIM-SIT (BC Person Credential Issuer)
  - LSBC (Lawyer Credential Issuer)
  - Buy BC (Buy BC Credential Issuer) - Unused?
  - LCRB (LCRB Credential Issuer) - Unused?
- `test`
  - BC Reg (Forget what this is for) - Unused?
  - IDIM-QA (BC Person Credential Issuer)
  - IDIM-PREPROD (BC Person Credential Issuer)
  - LSBC (Lawyer Credential Issuer)
  - Buy BC (Buy BC Credential Issuer) - Unused?
  - LCRB (LCRB Credential Issuer) - Unused?
- `prod`
  - IDIM (BC Person Credential Issuer)
  - LSBC (Lawyer Credential Issuer)
  - Buy BC (Buy BC Credential Issuer) - Unused?
  - LCRB (LCRB Credential Issuer) - Unused?
| Secret Name | Key | Type | Instances | Notes |
| ------------------------ | -------------- | ------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| agent | admin-api-key | API Key | Issuer Kit ACA-Py Agent | Used by controllers, sometimes external, to authenticate with the Admin API. |
| agent | webhook-url | API Key | Issuer Kit ACA-Py Agent | Only the API key portion of the webhook URL is rotatable. This is used by ACA-Py to authenticate with its associated, sometimes external, controller's webhook endpoint. |
| agent-wallet-credentials | DID | DID | Issuer Kit ACA-Py Agent | NOT Rotatable |
| agent-wallet-credentials | key | Wallet Key | Issuer Kit ACA-Py Agent | The wallet encryption key. The process to rotate wallet keys can be complicated. |
| agent-wallet-credentials | seed | Wallet Seed | Issuer Kit ACA-Py Agent | The DID's seed. The seed itself cannot be rotated (confirm this), however the keys associated to a DID can be rotated. The process to rotate a DID's keys can be complicated. |
| wallet | admin-password | password | ACA-Py Wallet Database | The admin password for the wallet's database instance. |
| wallet | database-password | password | ACA-Py Wallet Database | The password associated to the `database-user` account. |
| wallet | database-user | username | ACA-Py Wallet Database | The username of the account used by the application for wallet database access. |
### Backup Containers
Instances:
- ToDo: List instances
| Secret Name | Key | Type | Instances | Notes |
| ----------- | ---------------- | --------- | --------- | ----------------------------------------------------------------------------------------------------------------------------- |
| backup | webhook-url | API Token | backup | The field contains the webhook URL and token, only the token is rotatable. Typically this is a Rocket.Chat webhook endpoint. |
| backup | webhook-url-host | fqdn | backup | NOT Rotatable |
| ftp-secret | ftp-user | username | backup | The username used to authenticate with the ftp site |
| ftp-secret | ftp-password | password | backup | The password used to authenticate with the ftp site |
| ftp-secret | ftp-url | url | backup | NOT Rotatable |
| ftp-secret | ftp-url-host | fqdn | backup | NOT Rotatable |
### BC Wallet Showcase Instances
Instances (`a99fd4-Digital Trust Demo Apps`):
- `dev`
- `test`
- `prod`
| Secret Name | Key | Type | Instances | Notes |
| --------------------- | ---------------- | ------------------ | --------------------- | -------------------------------------------------------------------------------------------------- |
| bc-wallet-demo-server | tenantId | Traction Tenant ID | bc-wallet-demo-server | NOT Rotatable |
| bc-wallet-demo-server | tractionDid | DID | bc-wallet-demo-server | NOT Rotatable, though keys for the DID are. The process to rotate a DID's keys can be complicated. |
| bc-wallet-demo-server | tractionUrl | url | bc-wallet-demo-server | NOT Rotatable |
| bc-wallet-demo-server | walletSecret | Wallet Key | bc-wallet-demo-server | The wallet encryption key. The process to rotate wallet keys can be complicated. |
| bc-wallet-demo-web | snowplowEndpoint | fqdn | bc-wallet-demo-web | NOT Rotatable |
### BC Wallet Attestation Controller
Instances (`e79518-Digital Trust Services Trust Over IP`):
- `dev`
- `test`
- `prod`
| Secret Name | Key | Type | Instances | Notes |
| ------------------------------------------------ | ----------------------- | ------------------ | ------------------------------- | ---------------- |
| bcwallet-attestation-controller-google-oauth-key | google_oauth_key.json | Google Oauth Key | bcwallet-attestation-controller | Google Oauth Key |
| bcwallet-attestation-controller-traction-creds | TRACTION_TENANT_API_KEY | API Key | bcwallet-attestation-controller | Traction API Key |
| bcwallet-attestation-controller-traction-creds | TRACTION_TENANT_ID | Traction Tenant ID | bcwallet-attestation-controller | NOT Rotatable |
Note:
- There is a DID associated with the Traction Tenant ID. The DID itself is not rotatable, but the keys for the DID can be rotated. The process to rotate a DID's keys can be complicated. Likewise the wallet encryption key can be rotated. The process to rotate wallet keys can be complicated.
### Tails Server
Instances (`e79518-Digital Trust Services Trust Over IP`):
- `dev`
- `test`
- `prod`
**Does not use any secrets.**
---
### Monitoring Stack
Instances (`ca7f8f-Digital Trust Monitoring Services`):
- `dev`
- `test`
- `prod`
| Secret Name | Rotatable Keys | Type | Instances | Notes |
|-------------|----------------|------|-----------|-------|
| | | | | |
@i5okie, I'll leave this one for you to fill out.
---
### Certbot
Instances (`4a9599-Digital Trust Shared Service`):
- `prod`
Instances (`a99fd4-Digital Trust Demo Apps`):
- `dev`
- `test`
- `prod`
Instances (`ca7f8f-Digital Trust Monitoring Services`):
- `prod`
Instances (`e79518-Digital Trust Services Trust Over IP`):
- `dev`
- `test`
- `prod`
| Secret Name | Key | Type | Instances | Notes |
| ----------- | ------- | ----- | --------- | --------------------------------------------------------------------- |
| certbot | certbot | email | certbot | The email used for the automatically generated Let's Encrypt account. NOT Rotatable |
Look into what, if anything, can or should be rotated on a Let's Encrypt account.
Note: also uses an OCP service account.
---
### Out of Scope - At least for the moment
#### Traction Tenant Secrets
All secrets related to a Traction tenant are the sole responsibility of the owner of the Tenant.
#### Sovrin MainNet Ledger Browser
- Deprecated
- `ca7f8f-prod - Digital Trust Monitoring Services`
#### Email Verification Service
- Deprecated
- `a99fd4`
  - `dev`
  - `test`
  - `prod`
#### vonx.io Proxy
- `4a9599-prod`
- Used to permanently redirect a number of legacy URLs to their new home.
#### Matomo Instance(s)
- `4a9599-prod`
#### BC Registries Audit Components (`ca7f8f`) consisting of:
- Audit Script Container
#### BC Registries Agent Application Components (`7cba16`) consisting of:
- ACA-Py Agent
- BC Reg Controller API
- BC Reg Event Processor Service
- PostgreSQL FDW Instance
- PostgreSQL Instances
  - Event DB
  - Event Processor Log DB
  - Agent Wallet
- Backup Container
- Schema Spy
#### OrgBook Application Components (`8ad0ea`) consisting of:
- ACA-Py Agent
- Aries-VCR API Instances
  - Application API
  - Message Queue Worker
  - Offline Indexing
- OrgBook BC Client Interface
- Search Engine Instances
  - Search Engine
  - Offline Indexing Search Engine
- PostgreSQL Instances
  - OrgBook DB
  - Offline Indexing OrgBook DB
  - Agent Wallet
- Message Queue
- Backup Container
- Schema Spy