Advanced configuration

Advanced Parameters

Configuring credentials for direct remote storage access

Format

The file is in YAML format and is located at /etc/mediakind/mkp/charts/customer-values.yaml. A specific script must be executed to apply changes made to the file; these changes remain after a product update. If no value is specified, or if a value is removed from the file, the default values from the installer are used.

Each entry contains the following elements:

  • url: the base URL of a storage.
  • type: the type of credential to be used for this base URL. It can be:
    • user for access with username and password
    • s3 for access using AWS S3 object store credentials
    • azureSasToken for access using Blob Azure credential
    • certificate for HTTPS access

User credential

The entry should contain the following elements:

  • username
  • password

It can be used for FTP or SFTP access (ftp://… or sftp://…).

credentials:
  [ {"type": "user", "url": "sftp://myServer/share1", "username": "test", "password": "1234"} ]

Blob Azure credential

To configure the Azure authentication for your system, the entry in the credential file should contain the following elements:

  • url: URL provided at the Blob storage creation.
  • type: Type of credential to be used for this URL. It must be: azureSasToken.
  • sasToken: Token provided at the Blob storage creation.

credentials:
    [{"type" : "azureSasToken", "url" : "https://myaccount.blob.core.windows.net/mycontainer", "sasToken" : "?sv=2020-02-10&ss=bfqt&srt=o&sp=rwdlacupx&se=2021-02-24T00:46:59Z&st=2021-02-23T16:46:59Z&spr=https&sig=..."} ]

AWS S3 object store credential

This credential corresponds to an AWS access key.

The entry should contain the following elements:

  • accessKeyId: The ID of the access key
  • secretAccessKey: The secret access key

credentials:
  [{ "type": "s3", "url" : "https://mk-cr8-poc.s3.us-east.cloud-object-storage.appdomain.cloud", "accessKeyId" : "e45d9e87d91421f2f3c69fca4c", "secretAccessKey":"236e8cc37c9ccc355b9ffb17fe8"} ]

Certificate credentials

The entry should contain the following elements:

  • certificateFile: to be defined in client_crt_certificate value
  • privateKeyFile: to be defined in client_key_certificate value
  • privateKeyPassword

Use the section "Managing HTTPS certificates for the Origin Server" to define your certificate values.

credentials:
  [ {"type": "certificate", "url": "https://mysecure-webdav.com/secure", "certificateFile": "/tmp/client-crt.pem", "privateKeyFile": "/tmp/client-key.pem", "privateKeyPassword": "xxyyzz"} ]

Multiple credentials display

credentials:
  [ 
  {"type": "user", "url": "sftp://myServer/share1", "username": "test", "password": "1234"},
  {"type" : "azureSasToken", "url" : "https://myaccount.blob.core.windows.net/mycontainer", "sasToken" : "?sv=2020-02-10&ss=bfqt&srt=o&sp=rwdlacupx&se=2021-02-24T00:46:59Z&st=2021-02-23T16:46:59Z&spr=https&sig=..."},
  { "type": "s3", "url" : "https://mk-cr8-poc.s3.us-east.cloud-object-storage.appdomain.cloud", "accessKeyId" : "e45d9e87d91421f2f3c69fca4c", "secretAccessKey":"236e8cc37c9ccc355b9ffb17fe8"} 
  ]
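A pre-deployment check for the credentials list, as an added example that is not part of the product or its installer: it verifies the per-type fields listed above, flags ftp:// entries, and reads the se (expiry) field of an Azure SAS token. The function names and the sample entries are assumptions constructed for this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Required fields per credential type, as listed on this page.
REQUIRED = {
    "user": ("username", "password"),
    "s3": ("accessKeyId", "secretAccessKey"),
    "azureSasToken": ("sasToken",),
    "certificate": ("certificateFile", "privateKeyFile", "privateKeyPassword"),
}

def sas_expiry(token):
    """Return the SAS token's 'se' (expiry) as an aware datetime, or None."""
    se = parse_qs(token.lstrip("?")).get("se", [None])[0]
    if se is None:
        return None
    dt = datetime.fromisoformat(se.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def lint_credentials(entries, now):
    """Return (index, message) findings for a parsed credentials list."""
    findings = []
    for i, e in enumerate(entries):
        ctype = e.get("type")
        if ctype not in REQUIRED:
            findings.append((i, f"unknown type {ctype!r}"))
            continue
        missing = [f for f in ("url",) + REQUIRED[ctype] if not e.get(f)]
        findings += [(i, f"missing {f}") for f in missing]
        if ctype == "user" and urlsplit(e.get("url", "")).scheme == "ftp":
            findings.append((i, "ftp:// sends username and password in cleartext"))
        if ctype == "azureSasToken" and e.get("sasToken"):
            exp = sas_expiry(e["sasToken"])
            if exp is None:
                findings.append((i, "sasToken has no se (expiry) field"))
            elif exp <= now:
                findings.append((i, f"sasToken expired {exp.isoformat()}"))
    return findings

# Constructed sample entries (placeholder secrets), in the page's list style.
SAMPLE = [
  {"type": "user", "url": "ftp://myServer/share1", "username": "test", "password": "EXAMPLE"},
  {"type": "azureSasToken", "url": "https://myaccount.blob.core.windows.net/mycontainer",
   "sasToken": "?sv=2020-02-10&sp=r&se=2021-02-24T00:46:59Z&sig=EXAMPLE"},
  {"type": "s3", "url": "https://bucket.example.invalid", "accessKeyId": "EXAMPLE"},
]

for idx, msg in lint_credentials(SAMPLE, datetime.now(timezone.utc)):
    print(f"credentials[{idx}]: {msg}")
```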

Deployment

This configuration file should be created by the user and needs to be deployed on every Packager server under the following path: /etc/mediakind/mkp/charts/customer-values.yaml.

Once the file customer-values.yaml is configured, the following script must be executed to apply the changes:

/etc/mediakind/mkp/charts/apply_customer_values.sh

Example

When a job is created, it parses this file to find the credentials associated with the URL of the file it needs to access.

For example, if the file contains the following credentials:

credentials:
  [
  {"type" : "user", "url" : "sftp://server1", "username" : "admin", "password":"1234"},
  {"type" : "user", "url" : "sftp://server2/share", "username" : "admin", "password":"4321"}
  ]

If a job input file is sftp://server2/share/video.ts, the second credential will be used, because the input URL matches the base URL of the second credential.

Note: The selected credentials configuration is logged into the high-level logs of the job.
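The selection described above, as an added example that is not the product's own code. The page does not document the exact matching rule, so this sketch assumes that scheme, host and port must be equal, that the base path must be a whole-segment prefix of the input path, and that the longest base path wins; it also lists entries whose base URLs overlap, so you can review which one a job would log as selected.

```python
from urllib.parse import urlsplit

def _parts(url):
    """Split a URL into (scheme, host, port, path segments)."""
    u = urlsplit(url)
    segs = [s for s in u.path.split("/") if s]
    return u.scheme.lower(), (u.hostname or "").lower(), u.port, segs

def covers(base_url, target_url):
    """True if target is under base: same scheme, host and port, and the
    base path is a whole-segment prefix of the target path."""
    bs, bh, bp, bsegs = _parts(base_url)
    ts, th, tp, tsegs = _parts(target_url)
    return (bs, bh, bp) == (ts, th, tp) and tsegs[:len(bsegs)] == bsegs

def select_credential(entries, target_url):
    """Assumed rule: the covering entry with the longest base path wins."""
    hits = [e for e in entries if covers(e["url"], target_url)]
    return max(hits, key=lambda e: len(_parts(e["url"])[3]), default=None)

def overlapping_entries(entries):
    """Pairs (outer, inner) of base URLs where one entry covers another."""
    return [(a["url"], b["url"]) for a in entries for b in entries
            if a is not b and covers(a["url"], b["url"])]

# The two entries from the page's example.
PAGE_EXAMPLE = [
    {"type": "user", "url": "sftp://server1", "username": "admin", "password": "1234"},
    {"type": "user", "url": "sftp://server2/share", "username": "admin", "password": "4321"},
]

if __name__ == "__main__":
    chosen = select_credential(PAGE_EXAMPLE, "sftp://server2/share/video.ts")
    print("selected base URL:", chosen["url"])
    print("overlapping entries:", overlapping_entries(PAGE_EXAMPLE))
```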

Managing HTTPS certificates for the Origin Server

Packaging is configured with a self-signed certificate that is used to deliver contents using HTTPS.

This certificate must be replaced by a new certificate that is provided by a trusted authority on all the servers of your headend. To apply dedicated certificates on your server:

  1. Edit the file customer-values.yaml:

    vi /etc/mediakind/mkp/charts/customer-values.yaml

  2. Update the credentials section of the file /etc/mediakind/mkp/charts/customer-values.yaml and copy the content of the cert.pem and key.pem files into it:

    client_crt_certificate: |-
      -----BEGIN CERTIFICATE-----
      MIIE3DCCA8QCCQD+258[...]tkcdSo5oqACMq
      -----END CERTIFICATE-----
    client_key_certificate: |-
      -----BEGIN RSA PRIVATE KEY-----
      MIIJKQIBAAKCAgEA49D6[...]xdWOOnjI2NmH
      -----END RSA PRIVATE KEY-----

    This operation requires inserting spaces at the beginning of each line, but you can automate it by running a script. Navigate to /etc/mediakind/mkp/charts/, copy your certificate files there, and execute the following commands:

    yq w -i -- customer-values.yaml "client_crt_certificate" "$(cat client-certificate.pem)"
    yq w -i -- customer-values.yaml "client_key_certificate" "$(cat client-key.pem)"

  3. Define the path to the new certificates (by default defined in the /tmp/ directory):

    originserver:
      security:
        origin:
          certificate: /tmp/client-crt.pem
          privateKey: /tmp/client-key.pem

  4. Execute the following script to apply the changes:

    /etc/mediakind/mkp/charts/apply_customer_values.sh