Migrate secrets to Secret Generator

The kubernetes-secret-generator (secret generator) is supported and the preferred secret management utility from ForgeOps release 2025.2 onwards. The ForgeOps team provides the migrate.py Python script in the upgrade/secret-agent-to-secret-generator folder. Use this script to migrate secrets to secret generator.

Before initiating migration, make sure that your DS images are built with the ForgeOps 2025.2.0 release. The DS image in ForgeOps 2025.2.0 release allows for multiple password values in DS which enables password rotation with no downtime.

This script makes changes in your Kubernetes context.

Prerequisites

To migrate secrets from secret agent to secret generator, you must have:

A running ForgeOps deployment that uses secret agent for managing secrets.
Upgrade the ForgeOps tools to release 2025.2.0.
Back up the secrets in your ForgeOps environment.
To use the password rotation with no downtime, deploy DS image from the ForgeOps 2025.2.0 release:
- Use forgeops build in 2025.2.0 to build a new image.
- Then redeploy DS using the newly built image.

In a single-instance deployment, password rotation involves downtime.

For deployments using DS images from 2025.1 or earlier

If you are using the DS image from the 2025.1 release or earlier, then perform these steps to enable multiple passwords in DS.

In your terminal window, set up environment variables to get the password and connection string (DSPASS and CONN_STR):

$ export DSPASS=$(kubectl get secret ds-passwords -n my_ns -o yaml | yq '.data["dirmanager.pw"]' | tr -d '"' | base64 -d -i -)

$ export CONN_STR="--hostname localhost --port 4444 --bindDn uid=admin --trustAll --no-prompt --bindPassword $DSPASS"

Set up DS pods to enable multiple passwords:

$ kubectl exec -it ds-cts-0 — bin/dsconfig set-password-policy-prop \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-multiple-password-values:true $CONN_STR

$ kubectl exec -it ds-cts-0 — bin/dsconfig set-password-policy-prop \
  set-password-policy-prop --policy-name "Root Password Policy" \
  --set allow-multiple-password-values:true $CONN_STR

$ kubectl exec -it ds-idrepo-0 — bin/dsconfig set-password-policy-prop \
  set-password-policy-prop --policy-name "Default Password Policy" \
  --set allow-multiple-password-values:true $CONN_STR

$ kubectl exec -it ds-idrepo-0 — bin/dsconfig set-password-policy-prop \
  set-password-policy-prop --policy-name "Root Password Policy" \
  --set allow-multiple-password-values:true $CONN_STR

Steps to migrate

Verify the pods in the ForgeOps deployment are in Running status:

$ kubectl get pods
NAME                           READY   STATUS    RESTARTS   AGE
admin-ui-55d6fc59fd-ths88      1/1     Running   0          14h
am-9f9b5b97c-76qgf             1/1     Running   0          14h
ds-cts-0                       1/1     Running   0          14h
ds-idrepo-0                    1/1     Running   0          14h
end-user-ui-7df54dcc7f-zz4gs   1/1     Running   0          14h
idm-5f6b658-dgtb5              1/1     Running   0          14h
login-ui-b78d5b646-hsklj       1/1     Running   0          14h

Verify that secrets are currently managed by secret agent:

$ kubectl get sac
NAME            STATUS      NUMSECRETS   NUMK8SSECRETS
forgerock-sac   Completed   11           11


$ kubectl get secrets -o custom-columns=NAME:.metadata.name,LABELS:.metadata.labels
NAME                                      LABELS
am-env-secrets                            map[managed-by-secret-agent:true ...]
am-keystore                               map[managed-by-secret-agent:true ...]
am-passwords                              map[managed-by-secret-agent:true ...]
amster                                    map[managed-by-secret-agent:true ...]
amster-env-secrets                        map[managed-by-secret-agent:true ...]
ds-env-secrets                            map[managed-by-secret-agent:true ...]
ds-master-keypair                         map[app:ds controller.cert-manager.io/fao:true]
ds-passwords                              map[managed-by-secret-agent:true ...]
ds-ssl-keypair                            map[app:ds controller.cert-manager.io/fao:true]
idm                                       map[managed-by-secret-agent:true ...]
idm-env-secrets                           map[managed-by-secret-agent:true ...]
platform-ca                               map[managed-by-secret-agent:true ...]
sh.helm.release.v1.identity-platform.v1   map[...]
sh.helm.release.v1.identity-platform.v2   map[...]
tls-forgeops.example.com-tn657            map[cert-manager.io...]
truststore-pem                            map[managed-by-secret-agent:true ...]

Get the following secrets and any that you have deployed, so that you can backup those secrets:

am-env-secrets, am-keystore, am-passwords, amster, amster-env-secrets, ds-env-secrets, ds-passwords, idm-env-secrets, and idm.
```
$ kubectl get secret secret-name -o jsonpath='{.data}'
```

Install secret generator in your cluster using the forgeops prereqs command:

$ ./bin/forgeops prereqs --secret-generator

Cert Manager has already been installed.
NGINX Ingress has already been installed.
Secret Generator not found. Installing...
Release "kubernetes-secret-generator" does not exist. Installing it now.
NAME: kubernetes-secret-generator
...

Run the migrate.py script in the upgrade/secret-agent-to-secret-generator directory to migrate secrets.

The migrate.py script performs the migration in a few phases requiring user confirmation at the end of each phase.
1. Initiate the migration script. Provide the following parameters in the script:
  - Name of your ForgeOps deployment environment: my-env in the example.
  - The deployment mode (--helm or --kustomize) you used: --helm in the example.
    
    If using Helm, you can specify alternate Helm chart location.
  - Namespace of your ForgeOps deployment: myns in the example.
    
    $ ./upgrade/secret-agent-to-secret-generator/migrate.py \ --env-name my-env --helm --namespace myns ... Would you like to continue? (Y/N)
    
    When it prompts, Would like to continue? (Y/N), enter "Y".
2. Let the script run pre-migration steps. Press ENTER to continue when it prompts:
  ... Proceeding with migration. Running pre-migration checks ... Switching my-env env to secret-generator .../forgeops env -e my-env -k /.../forgeops/kustomize -H /.../forgeops/helm/my-env -n myns --secret-generator Press <ENTER> to proceed.
3. Let the script set ds_set_passwords.force to true by pressing ENTER at the prompt:
  Using ClusterIssuer: default-issuer Setting ds_set_passwords.force to true in /.../forgeops/helm/my-env/values.yaml. Press <ENTER> to continue
4. Let it run forgeops upgrade to update secrets in AM and Amster overlays. Then press ENTER to continue:
  ... .../forgeops/kustomize/overlay/my-env/am already updated ...forgeops/kustomize/overlay/my-env/amster already updated .../forgeops/kustomize/overlay/my-env/idm already updated ... Switching my-env env to secret-generator .../forgeops/bin/forgeops env -e my-env -k .../forgeops/kustomize -H .../forgeops/helm -n myns --secret-generator Press <ENTER> to proceed.
5. Similarly, enter "Y" or press ENTER appropriately when the script prompts to complete secrets migration.
Run the kubectl get secretagentconfiguration command to confirm no secrets are managed by the secret agent.
View the revised Kustomize overlay and Helm values to confirm that secret generator is used in your environment.
Using the forgeops info command to get the revised passwords for admin users.
Access the platform administration UI and confirm migration has completed successfully.