Auth Configuration Secret

Permissions: application import/export requires mode: admin. Manual Secret inspection or replacement requires Kubernetes Secret permissions for the operator. At runtime, the BeaverDeck ServiceAccount must be able to get, create, and update the configured Secret.

Auth configuration is stored in an Opaque Kubernetes Secret. The defaults are Secret beaverdeck-config, key config.yaml, in the BeaverDeck pod namespace.
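
A namespaced Role that grants only the three runtime verbs named above, as an added example (not a manifest shipped by BeaverDeck). The Role and RoleBinding names and the ServiceAccount name beaverdeck are assumptions; the namespace beaverdeck is the one used in the minimal Secret manifest on this page.

```yaml
# Added example: values marked "assumed" do not come from the BeaverDeck docs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: beaverdeck-config-secret      # assumed Role name
  namespace: beaverdeck               # namespace of the BeaverDeck pod
rules:
  # get and update are pinned to the single configured Secret.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["beaverdeck-config"]   # default Secret name
    verbs: ["get", "update"]
  # Kubernetes RBAC does not restrict create by resourceNames, so this
  # rule permits creating any Secret in the namespace. Keeping it in its
  # own rule makes that wider grant visible in review.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # No list, watch, or delete: the runtime requirement is get, create, update.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: beaverdeck-config-secret      # assumed RoleBinding name
  namespace: beaverdeck
subjects:
  - kind: ServiceAccount
    name: beaverdeck                  # assumed ServiceAccount name
    namespace: beaverdeck
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: beaverdeck-config-secret
```

If the Secret name or key is changed from the defaults, the resourceNames entry has to change with it, otherwise get and update are denied at startup.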

Startup Behavior

  • If the Secret is absent, BeaverDeck starts UI initialization and creates it only after the initial admin setup succeeds.
  • If the Secret exists with valid non-empty YAML, BeaverDeck imports it, normalizes missing defaults, and writes the normalized YAML back.
  • If the Secret exists but the key is missing, empty, or invalid, BeaverDeck logs the failed import stage and exits without overwriting it.
  • Admin UI export and import use the same YAML snapshot stored in this Secret.

Minimal Pre-Created Secret

This is the smallest practical initialized configuration. Replace the hash before applying it. Google, OIDC defaults, and empty mappings are added during successful normalization.

apiVersion: v1
kind: Secret
metadata:
  name: beaverdeck-config
  namespace: beaverdeck
type: Opaque
stringData:
  config.yaml: |
    schema_version: 1
    initialized: true
    roles:
      - name: admin
        mode: admin
    users:
      - username: admin
        role: admin
        password_hash: bdk1$180000$<REPLACE_SALT_HEX>$<REPLACE_DIGEST_HEX>

See Auth config reference for the complete Secret with roles, permissions, local users, Google, OIDC/Entra, mappings, field descriptions, and setup steps.

Operational Notes

  • mode: admin grants all application permissions and does not need a permissions block.
  • Non-admin permissions use compact view, edit, or full levels.
  • Local users require BeaverDeck bdk1$... hashes; raw and base64-only passwords are rejected.
  • Applying the Secret to an already running installation requires a pod restart unless the Admin import workflow is used.
  • Keep Secret manifests and exported snapshots out of public repositories.