Migrate secrets to Secret Generator
The kubernetes-secret-generator (secret generator) is the supported and preferred secret management utility from ForgeOps release 2025.2 onwards. The ForgeOps team provides the migrate.py Python script in the upgrade/secret-agent-to-secret-generator folder. Use this script to migrate secrets to secret generator.
Before initiating migration, make sure that your DS images are built with the ForgeOps 2025.2.0 release. The DS image in the ForgeOps 2025.2.0 release allows multiple password values in DS, which enables password rotation with no downtime.
Note: This script makes changes in your Kubernetes context.
Prerequisites
To migrate secrets from secret agent to secret generator, you must have:
- A running ForgeOps deployment that uses secret agent for managing secrets.
- Upgraded the ForgeOps tools to release 2025.2.0.
- Backed up the secrets in your ForgeOps environment.
- To use password rotation with no downtime, deployed the DS image from the ForgeOps 2025.2.0 release:
  - Use forgeops build in 2025.2.0 to build a new image.
  - Then redeploy DS using the newly built image.

Note: In a single-instance deployment, password rotation involves downtime.
Steps to migrate
- Verify that the pods in the ForgeOps deployment are in Running status:

    $ kubectl get pods
    NAME                           READY   STATUS    RESTARTS   AGE
    admin-ui-55d6fc59fd-ths88      1/1     Running   0          14h
    am-9f9b5b97c-76qgf             1/1     Running   0          14h
    ds-cts-0                       1/1     Running   0          14h
    ds-idrepo-0                    1/1     Running   0          14h
    end-user-ui-7df54dcc7f-zz4gs   1/1     Running   0          14h
    idm-5f6b658-dgtb5              1/1     Running   0          14h
    login-ui-b78d5b646-hsklj       1/1     Running   0          14h

- Verify that secrets are currently managed by secret agent:

    $ kubectl get sac
    NAME            STATUS      NUMSECRETS   NUMK8SSECRETS
    forgerock-sac   Completed   11           11

    $ kubectl get secrets -o custom-columns=NAME:.metadata.name,LABELS:.metadata.labels
    NAME                                      LABELS
    am-env-secrets                            map[managed-by-secret-agent:true ...]
    am-keystore                               map[managed-by-secret-agent:true ...]
    am-passwords                              map[managed-by-secret-agent:true ...]
    amster                                    map[managed-by-secret-agent:true ...]
    amster-env-secrets                        map[managed-by-secret-agent:true ...]
    ds-env-secrets                            map[managed-by-secret-agent:true ...]
    ds-master-keypair                         map[app:ds controller.cert-manager.io/fao:true]
    ds-passwords                              map[managed-by-secret-agent:true ...]
    ds-ssl-keypair                            map[app:ds controller.cert-manager.io/fao:true]
    idm                                       map[managed-by-secret-agent:true ...]
    idm-env-secrets                           map[managed-by-secret-agent:true ...]
    platform-ca                               map[managed-by-secret-agent:true ...]
    sh.helm.release.v1.identity-platform.v1   map[...]
    sh.helm.release.v1.identity-platform.v2   map[...]
    tls-forgeops.example.com-tn657            map[cert-manager.io...]
    truststore-pem                            map[managed-by-secret-agent:true ...]
- Get the following secrets, and any others that you have deployed, so that you can back them up: am-env-secrets, am-keystore, am-passwords, amster, amster-env-secrets, ds-env-secrets, ds-passwords, idm-env-secrets, and idm.

    $ kubectl get secret secret-name -o jsonpath='{.data}'
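The backup step above fetches one secret at a time. The script below is an added example, not part of the ForgeOps project, that loops over the secrets named in this guide plus any extra names you pass, saves each as a full YAML object (so it can be re-applied later), and restricts file permissions because the files hold base64-encoded credentials. The namespace, backup directory and extra secret names are arguments you supply; the function returns non-zero if any secret could not be fetched, so a partial backup is not silently accepted.

```shell
#!/bin/sh
# Added example (not ForgeOps project code): back up the secrets listed in
# the migration guide, plus any extra names passed in, before running
# migrate.py. Each secret is saved as YAML under BACKUP_DIR with mode 0600,
# because the files contain base64-encoded credentials.
set -eu

# Secret names from the guide; append your own deployed secrets as extra args.
DEFAULT_SECRETS="am-env-secrets am-keystore am-passwords amster amster-env-secrets ds-env-secrets ds-passwords idm-env-secrets idm"

# backup_secrets NAMESPACE BACKUP_DIR [EXTRA_SECRET ...]
# Returns non-zero if any secret could not be fetched.
backup_secrets() {
    ns="$1"; dir="$2"; shift 2
    mkdir -p "$dir"
    chmod 700 "$dir"
    failed=0
    for name in $DEFAULT_SECRETS "$@"; do
        out="$dir/$name.yaml"
        # -o yaml keeps the whole object (data, labels, type) so it can be re-applied.
        if kubectl get secret "$name" -n "$ns" -o yaml > "$out" 2>/dev/null; then
            chmod 600 "$out"
            echo "saved $name -> $out"
        else
            rm -f "$out"
            echo "WARNING: secret $name not found in namespace $ns" >&2
            failed=1
        fi
    done
    return $failed
}

# count_backups BACKUP_DIR: number of non-empty backup files written.
count_backups() {
    n=0
    for f in "$1"/*.yaml; do
        if [ -s "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage: ./backup_secrets.sh backup myns ./secret-backup [extra-secret ...]
if [ "${1:-}" = "backup" ]; then
    shift
    backup_secrets "$@"
fi
```

Run it as `./backup_secrets.sh backup myns ./secret-backup` before starting migrate.py, and keep the backup directory off the cluster and out of version control; a non-zero exit means at least one expected secret was missing and the list should be corrected before continuing.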
- Install secret generator in your cluster using the forgeops prereqs command:

    $ ./bin/forgeops prereqs --secret-generator
    Cert Manager has already been installed.
    NGINX Ingress has already been installed.
    Secret Generator not found. Installing...
    Release "kubernetes-secret-generator" does not exist. Installing it now.
    NAME: kubernetes-secret-generator
    ...
- Run the migrate.py script in the upgrade/secret-agent-to-secret-generator directory to migrate secrets. The migrate.py script performs the migration in a few phases, requiring user confirmation at the end of each phase.
  - Initiate the migration script. Provide the following parameters to the script:
    - Name of your ForgeOps deployment environment: my-env in the example.
    - The deployment mode (--helm or --kustomize) you used: --helm in the example. If using Helm, you can specify an alternate Helm chart location.
    - Namespace of your ForgeOps deployment: myns in the example.

        $ ./upgrade/secret-agent-to-secret-generator/migrate.py \
            --env-name my-env --helm --namespace myns
        ...
        Would you like to continue? (Y/N)

    When it prompts "Would you like to continue? (Y/N)", enter "Y".
  - Let the script run the pre-migration steps. Press ENTER to continue when it prompts:

        ...
        Proceeding with migration.
        Running pre-migration checks
        ...
        Switching my-env env to secret-generator
        .../forgeops env -e my-env -k /.../forgeops/kustomize -H /.../forgeops/helm/my-env -n myns --secret-generator
        Press <ENTER> to proceed.
  - Let the script set ds_set_passwords.force to true by pressing ENTER at the prompt:

        Using ClusterIssuer: default-issuer
        Setting ds_set_passwords.force to true in /.../forgeops/helm/my-env/values.yaml.
        Press <ENTER> to continue
  - Let it run forgeops upgrade to update secrets in the AM and Amster overlays. Then press ENTER to continue:

        ...
        .../forgeops/kustomize/overlay/my-env/am already updated
        ...forgeops/kustomize/overlay/my-env/amster already updated
        .../forgeops/kustomize/overlay/my-env/idm already updated
        ...
        Switching my-env env to secret-generator
        .../forgeops/bin/forgeops env -e my-env -k .../forgeops/kustomize -H .../forgeops/helm -n myns --secret-generator
        Press <ENTER> to proceed.
  - Similarly, enter "Y" or press ENTER as appropriate when the script prompts, until the secrets migration completes.
- Run the kubectl get secretagentconfiguration command to confirm that no secrets are managed by secret agent.
- View the revised Kustomize overlay and Helm values to confirm that secret generator is used in your environment.
- Use the forgeops info command to get the revised passwords for admin users.
- Access the platform administration UI and confirm that migration has completed successfully.
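The verification steps above are manual. As an added example, not part of the ForgeOps project, the script below automates two of the checks a practitioner would want before declaring the migration done: that no secret in the namespace still carries the managed-by-secret-agent=true label shown in the pre-migration listing earlier on this page, and that every platform secret the guide names still exists (the generator must have recreated them, otherwise pods will fail to start on their next restart). The namespace is an argument you supply; the secret names are taken from this guide.

```shell
#!/bin/sh
# Added example (not ForgeOps project code): post-migration checks that
# complement "kubectl get secretagentconfiguration". It verifies that every
# platform secret still exists and that none of them carries the
# managed-by-secret-agent=true label that secret agent sets on secrets it owns.
set -eu

# Secret names from the migration guide.
REQUIRED_SECRETS="am-env-secrets am-keystore am-passwords amster amster-env-secrets ds-env-secrets ds-passwords idm-env-secrets idm"

# still_managed_by_secret_agent NAMESPACE
# Prints the names of secrets that still carry the secret agent label.
still_managed_by_secret_agent() {
    kubectl get secrets -n "$1" -l managed-by-secret-agent=true \
        -o jsonpath='{.items[*].metadata.name}'
}

# missing_secrets NAMESPACE
# Prints required secrets that do not exist (one per line).
missing_secrets() {
    for name in $REQUIRED_SECRETS; do
        if ! kubectl get secret "$name" -n "$1" >/dev/null 2>&1; then
            echo "$name"
        fi
    done
}

# verify_migration NAMESPACE: returns 0 if the migration looks complete, 1 otherwise.
verify_migration() {
    ok=0
    leftover=$(still_managed_by_secret_agent "$1")
    if [ -n "$leftover" ]; then
        echo "still managed by secret agent: $leftover" >&2
        ok=1
    fi
    missing=$(missing_secrets "$1")
    if [ -n "$missing" ]; then
        echo "missing secrets: $missing" >&2
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "namespace $1: all required secrets present, none managed by secret agent"
    fi
    return $ok
}

# Usage: ./verify_migration.sh verify myns
if [ "${1:-}" = "verify" ]; then
    verify_migration "$2"
fi
```

Run `./verify_migration.sh verify myns` after the script finishes; a non-zero exit with the offending names on stderr tells you which secrets still need attention before you rotate passwords or restart pods.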