# Secrets & Config Management

## Configuration Management

Rierino's default deployment model uses ConfigMaps for storing infrastructure configuration details (such as system addresses, database connections). It is also possible to use a central KV management solution (e.g. etcd) for the same purpose.

### Infrastructure Updates

All infrastructure related configurations are kept in the "properties" entry of the "global-config" config map of each related namespace (e.g. "admin-backend", "admin-gateway"). In case of a systems change (e.g. a server address or port update), the related property entries can be updated on these maps.

{% hint style="info" %}
Most system configurations (such as database URIs) support an automated reconnect feature and reconnect commands, which means that when the service pods auto reload[^1] updated config map contents, they automatically start using the new configuration.

It is also possible to restart deployments to reflect configuration changes.
{% endhint %}
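The update described above, as an added example that is not part of Rierino's own tooling: `set_property` rewrites one key inside a key=value "properties" blob, and `update_global_config` reads the entry from the "global-config" ConfigMap of a namespace, rewrites it and replaces the object. It assumes the entry uses key=value lines, that kubectl and jq are installed, and the property key in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Rierino's own tooling): change one infrastructure setting
# inside the "properties" entry of a namespace's global-config ConfigMap.

# set_property PROPERTIES KEY VALUE: print PROPERTIES with KEY set to VALUE,
# replaced in place if present, appended otherwise. Assumes VALUE contains
# no '|', '&' or '\' because it is used inside a sed replacement.
set_property() {
  props=$1; key=$2; value=$3
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # treat dots in the key literally
  if printf '%s\n' "$props" | grep -q "^${esc}="; then
    printf '%s\n' "$props" | sed "s|^${esc}=.*|${key}=${value}|"
  else
    printf '%s\n%s=%s\n' "$props" "$key" "$value"
  fi
}

# update_global_config NAMESPACE KEY VALUE: read the current entry, rewrite it
# and replace the ConfigMap; jq keeps any other data entries untouched.
update_global_config() {
  ns=$1
  current=$(kubectl -n "$ns" get configmap global-config -o jsonpath='{.data.properties}')
  updated=$(set_property "$current" "$2" "$3")
  kubectl -n "$ns" get configmap global-config -o json \
    | jq --arg v "$updated" '.data.properties = $v' \
    | kubectl -n "$ns" replace -f -
}

# Usage (placeholder key and value):
#   update_global_config admin-backend example.db.host db-new.internal
```

Because the config map is mounted as a volume, the pods pick up the rewritten entry on the next sync; restart the deployment only if the affected client does not support reconnect.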

### Version Upgrade

It is possible to upgrade the Rierino version used in each individual microservice separately. This can be achieved in 3 ways, depending on the deployed artifact and the preferred upgrade action:

1. For runner deployments, it is possible to update the rierinoVersion parameter from the "Admin UI - Devops" application and redeploy from its action menu
2. For runner and gateway deployments, it is possible to update the RIERINO\_VERSION environment variable in the "\[DEPLOYMENT\_NAME]-config-env" config map in their respective namespace and restart the deployment, which will download and use the given version's artifacts
3. For UI deployments, it is possible to edit the deployment configuration to use a new container image with the required Rierino version

### Environment Variables

Admin UI utilizes a predefined list of environment variables (stored in environment ConfigMaps and Secrets), which can be customized to change its behavior:

| Variable                          | Description                                                                                                                                                                                                                                                 | Default                                                                               |
| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- |
| PASS\_THRU                        | Whether Admin UI should act as a proxy for all API calls                                                                                                                                                                                                    | false                                                                                 |
| RIERINO\_MODE                     | Whether developer Apps & UIs should be enabled                                                                                                                                                                                                              | dev                                                                                   |
| API\_URL                          | Server-side URL for API calls                                                                                                                                                                                                                               | <http://controller-gateway-gateway-admin-lb.admin-gateway.svc.cluster.local:443/api/> |
| NEXT\_PUBLIC\_API\_URL            | Client-side URL for API calls (when PASS\_THRU=false)                                                                                                                                                                                                       | https\://\[DOMAIN]/api/                                                               |
| OPENAI\_API\_KEY                  | OpenAI API key for AI assistance                                                                                                                                                                                                                            | n/a                                                                                   |
| GPT\_ASSISTANT\_\[type]           | IDs of AI assistants to use for different UIs                                                                                                                                                                                                               | n/a                                                                                   |
| DISABLE\_COMPRESS                 | Whether content compression should be disabled in responses to client                                                                                                                                                                                       | false                                                                                 |
| REFRESH\_MS                       | Milliseconds to refresh cached language, icon and other lookups                                                                                                                                                                                             | 5000                                                                                  |
| SCHEMA\_CACHE\_TTL                | Seconds to refresh data schema                                                                                                                                                                                                                              | 60                                                                                    |
| DISABLE\_SCHEMA\_CACHE            | Whether data schema caching should be disabled                                                                                                                                                                                                              | false                                                                                 |
| LOCALES                           | List of locales to allow for users to switch between                                                                                                                                                                                                        | enUS,trTR                                                                             |
| DEFAULT\_LOCALE                   | Default locale for users                                                                                                                                                                                                                                    | enUS                                                                                  |
| SCRIPT\_URLS                      | External script URLs to include for remote webcomponents                                                                                                                                                                                                    | <https://cdn.jsdelivr.net/npm/@microsoft/fast-components/dist/fast-components.min.js> |
| LANDING\_PATH                     | Path to redirect users to for admin UI root URL (if not defined, displays landing page)                                                                                                                                                                     | /app/demo                                                                             |
| RECAPTCHA\_SITE                   | Recaptcha site key, for enabling ReCAPTCHA during login                                                                                                                                                                                                     | -                                                                                     |
| HELP\_TOKEN                       | GitBook token, for enabling embedded GitBook search                                                                                                                                                                                                         | -                                                                                     |
| KEEP\_ALIVE                       | Timeout duration to be sent in Keep-Alive header (sends Connection=keep-alive as well)                                                                                                                                                                      | -                                                                                     |
| FETCH\_RETRIES                    | Number of retry attempts in case of connection reset                                                                                                                                                                                                        | 2                                                                                     |
| FETCH\_RETRY\_DELAY               | Milliseconds to delay retry attempts                                                                                                                                                                                                                        | 100                                                                                   |
| CROSS\_TAB\_VALIDATION            | <p>Whether changes in one browser tab should trigger state invalidation/refresh on other tabs (uses local storage)<br>NOTE: If the user is editing in multiple browser tabs at the same time, this may have unexpected revert of changes on other tabs.</p> | false                                                                                 |
| CSP\_HEADER                       | Content Security Policy header to apply on requests                                                                                                                                                                                                         | frame-ancestors 'self';                                                               |
| NAV\_AI                           | Whether AI agents should be displayed on navigation                                                                                                                                                                                                         | true                                                                                  |
| ERROR\_DETAILS                    | Whether error details should be displayed to users or not                                                                                                                                                                                                   | false                                                                                 |
| NO\_BRANCH\_PROVIDER              | Whether branch options should be hidden from users                                                                                                                                                                                                          | false                                                                                 |
| REQUEST\_GEOLOCATION\_PERMISSIONS | Whether geolocation of user should be tracked                                                                                                                                                                                                               | true                                                                                  |
| GOOGLE\_MAPS\_API\_KEY            | API key for Google maps, used by map editors & listers                                                                                                                                                                                                      | -                                                                                     |
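One way to lay out these variables for a deployment, as an added example that is not Rierino's own manifest: non-sensitive settings go into a ConfigMap and the API keys from the table into a Secret, so that the keys never end up in a plain ConfigMap. The object names (admin-ui-config-env, admin-ui-secrets-env, following the "[DEPLOYMENT_NAME]-config-env" pattern used for runners), the namespace and the key values are assumptions.

```shell
#!/bin/sh
# Added example (not Rierino's own manifests). Renders the environment
# ConfigMap/Secret pair for an Admin UI deployment; pipe into kubectl apply.
# render_admin_ui_env NAMESPACE DOMAIN OPENAI_KEY MAPS_KEY
render_admin_ui_env() {
  ns=$1; domain=$2; openai_key=$3; maps_key=$4
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: admin-ui-config-env        # assumed name
  namespace: $ns
data:
  PASS_THRU: "false"
  NEXT_PUBLIC_API_URL: "https://$domain/api/"
  ERROR_DETAILS: "false"           # keep error internals away from end users
  CSP_HEADER: "frame-ancestors 'self';"
  LOCALES: "enUS,trTR"
  DEFAULT_LOCALE: "enUS"
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-ui-secrets-env       # assumed name
  namespace: $ns
type: Opaque
stringData:                        # API keys belong here, not in the ConfigMap
  OPENAI_API_KEY: "$openai_key"
  GOOGLE_MAPS_API_KEY: "$maps_key"
EOF
}

# Usage (placeholder values):
#   render_admin_ui_env admin-ui example.com "$OPENAI_KEY" "$MAPS_KEY" | kubectl apply -f -
```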

Additional variables are used for pulling configuration elements used by the UI, which can be customized for custom backend implementations:

* **Authentication & Environment**
  * LOGIN\_URL: auth/login/crud
  * LOGOUT\_URL: auth/logout/crud
  * REFRESH\_URL: auth/refresh/crud
  * ENV\_URL: request/rpc/GetAdminEnvironment
* **User Interface**
  * SOURCE\_URL: request/crud/source
  * UI\_URL: request/crud/ui
  * ICON\_URL: request/crud/icon
  * COMPONENT\_URL: request/crud/component
  * STYLE\_URL: request/crud/style
  * COMPONENT\_CODE\_URL: request/crud/handler\_code
  * BRANCH\_URL: request/crud/branch
* **AI Agents**
  * AGENT\_LIST\_URL: request/crud/genai\_model
  * TRANSLATION\_URL: request/crud/translation

## Secrets Management

Rierino's default deployment model uses Secrets for storing credential details (such as database credentials, API keys). It is also possible to use a central vault solution (e.g. HashiCorp Vault) for the same purpose.

### External System Credential Updates

It is possible to update credentials used for accessing external systems directly on those systems (such as changing username / password used for accessing MongoDB) using your company policies and procedures for credentials rotation.

Once any credential is updated, it should also be updated in the "properties" entry of the "global-secrets" secret of each related namespace (e.g. "admin-backend").

{% hint style="info" %}
Similar to infrastructure updates, updated credentials are automatically used on reconnection, while it is also possible to restart pods to force use of the new credentials.
{% endhint %}

{% hint style="info" %}
When creating credentials on external systems, it is recommended to apply a least privilege policy when granting access to related microservices; for example, a microservice responsible for reading product data should use a read-only database user with access rights to the related database only.
{% endhint %}

### Rierino Token Key Updates

Rierino API gateways use encryption keys for issued JWT tokens, which can be updated simply by modifying the gateway token configuration in the "Admin UI - Devops" application. Changing these keys automatically invalidates all currently active access tokens.

### Artifact Credentials Change

In case credentials for accessing Rierino artifacts (e.g. GitHub tokens) change, these credentials must be updated in the following secrets in each namespace:

1. ".dockerconfigjson" entries in "global-secrets-docker" secrets, which are used for accessing docker images for deployment.
2. MAVEN\_USER and MAVEN\_PASSWORD environment variable entries in "global-secrets-env" secrets, which are used for accessing Maven artifacts for deployment.
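The two updates above, as an added example that is not Rierino's own tooling: `dockerconfigjson` builds the value expected in the ".dockerconfigjson" entry, and `rotate_artifact_credentials` patches only the affected keys of "global-secrets-docker" and "global-secrets-env" in one namespace so that other entries in those secrets survive. Registry, user names and tokens are placeholders; it assumes kubectl access and that credentials contain no `"` or `\` characters.

```shell
#!/bin/sh
# Added example (not Rierino's own tooling): push rotated artifact credentials
# into global-secrets-docker and global-secrets-env of a namespace.

# b64 STRING: base64 without line wrapping, as Secret data entries require.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# dockerconfigjson REGISTRY USER TOKEN: the JSON stored in .dockerconfigjson.
# No JSON escaping is done, so USER and TOKEN must not contain '"' or '\'.
dockerconfigjson() {
  registry=$1; user=$2; token=$3
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$token" "$(b64 "$user:$token")"
}

# rotate_artifact_credentials NAMESPACE REGISTRY DOCKER_USER DOCKER_TOKEN MAVEN_USER MAVEN_PASSWORD
# Uses JSON merge patches so that only the listed keys change.
rotate_artifact_credentials() {
  ns=$1; registry=$2; docker_user=$3; docker_token=$4; maven_user=$5; maven_password=$6
  docker_json=$(dockerconfigjson "$registry" "$docker_user" "$docker_token")
  kubectl -n "$ns" patch secret global-secrets-docker --type merge \
    -p "{\"data\":{\".dockerconfigjson\":\"$(b64 "$docker_json")\"}}"
  kubectl -n "$ns" patch secret global-secrets-env --type merge \
    -p "{\"data\":{\"MAVEN_USER\":\"$(b64 "$maven_user")\",\"MAVEN_PASSWORD\":\"$(b64 "$maven_password")\"}}"
}

# Usage (placeholder values), repeated for every namespace that deploys artifacts:
#   for ns in admin-backend admin-gateway; do
#     rotate_artifact_credentials "$ns" ghcr.io "$GH_USER" "$GH_TOKEN" "$MAVEN_USER" "$MAVEN_PASSWORD"
#   done
```

Pass the tokens through environment variables or a prompt rather than typing them into the command line, so they do not land in shell history.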

[^1]: Since the config map is mounted as a volume, it is auto reloaded on kube sync
