ForgeOps

Migrate secrets to Secret Generator

From ForgeOps release 2025.2 onwards, kubernetes-secret-generator (secret generator) is the supported and preferred secret management utility. The ForgeOps team provides the migrate.py Python script in the upgrade/secret-agent-to-secret-generator folder. Use this script to migrate secrets to secret generator.

Before initiating migration, make sure that your DS images are built with the ForgeOps 2025.2.0 release. The DS image in the ForgeOps 2025.2.0 release supports multiple password values in DS, which enables password rotation with no downtime.

This script makes changes in your Kubernetes context.

Prerequisites

To migrate secrets from secret agent to secret generator, you must have:

  • A running ForgeOps deployment that uses secret agent for managing secrets.

  • The ForgeOps tools upgraded to release 2025.2.0.

  • A backup of the secrets in your ForgeOps environment.

  • For password rotation with no downtime, a DS image from the ForgeOps 2025.2.0 release deployed:

    • Use forgeops build in 2025.2.0 to build a new image.

    • Then redeploy DS using the newly built image.

In a single-instance deployment, password rotation involves downtime.

Steps to migrate

  1. Verify the pods in the ForgeOps deployment are in Running status:

    $ kubectl get pods
    NAME                           READY   STATUS    RESTARTS   AGE
    admin-ui-55d6fc59fd-ths88      1/1     Running   0          14h
    am-9f9b5b97c-76qgf             1/1     Running   0          14h
    ds-cts-0                       1/1     Running   0          14h
    ds-idrepo-0                    1/1     Running   0          14h
    end-user-ui-7df54dcc7f-zz4gs   1/1     Running   0          14h
    idm-5f6b658-dgtb5              1/1     Running   0          14h
    login-ui-b78d5b646-hsklj       1/1     Running   0          14h
  2. Verify that secrets are currently managed by secret agent:

    $ kubectl get sac
    NAME            STATUS      NUMSECRETS   NUMK8SSECRETS
    forgerock-sac   Completed   11           11
    
    
    $ kubectl get secrets -o custom-columns=NAME:.metadata.name,LABELS:.metadata.labels
    NAME                                      LABELS
    am-env-secrets                            map[managed-by-secret-agent:true ...]
    am-keystore                               map[managed-by-secret-agent:true ...]
    am-passwords                              map[managed-by-secret-agent:true ...]
    amster                                    map[managed-by-secret-agent:true ...]
    amster-env-secrets                        map[managed-by-secret-agent:true ...]
    ds-env-secrets                            map[managed-by-secret-agent:true ...]
    ds-master-keypair                         map[app:ds controller.cert-manager.io/fao:true]
    ds-passwords                              map[managed-by-secret-agent:true ...]
    ds-ssl-keypair                            map[app:ds controller.cert-manager.io/fao:true]
    idm                                       map[managed-by-secret-agent:true ...]
    idm-env-secrets                           map[managed-by-secret-agent:true ...]
    platform-ca                               map[managed-by-secret-agent:true ...]
    sh.helm.release.v1.identity-platform.v1   map[...]
    sh.helm.release.v1.identity-platform.v2   map[...]
    tls-forgeops.example.com-tn657            map[cert-manager.io...]
    truststore-pem                            map[managed-by-secret-agent:true ...]
  3. Get the following secrets, and any others that you have deployed, so that you can back up those secrets:

    am-env-secrets, am-keystore, am-passwords, amster, amster-env-secrets, ds-env-secrets, ds-passwords, idm-env-secrets, and idm.

    $ kubectl get secret secret-name -o jsonpath='{.data}'
  4. Install secret generator in your cluster using the forgeops prereqs command:

    $ ./bin/forgeops prereqs --secret-generator
    
    Cert Manager has already been installed.
    NGINX Ingress has already been installed.
    Secret Generator not found. Installing...
    Release "kubernetes-secret-generator" does not exist. Installing it now.
    NAME: kubernetes-secret-generator
    ...
  5. Run the migrate.py script in the upgrade/secret-agent-to-secret-generator directory to migrate secrets.

    The migrate.py script performs the migration in a few phases requiring user confirmation at the end of each phase.

    1. Initiate the migration script. Provide the following parameters in the script:

      • Name of your ForgeOps deployment environment: my-env in the example.

      • The deployment mode (--helm or --kustomize) you used: --helm in the example.

        • If using Helm, you can specify alternate Helm chart location.

      • Namespace of your ForgeOps deployment: myns in the example.

        $ ./upgrade/secret-agent-to-secret-generator/migrate.py \
          --env-name my-env --helm --namespace myns
        ...
        
        Would you like to continue? (Y/N)

        When it prompts, Would you like to continue? (Y/N), enter "Y".

    2. Let the script run pre-migration steps. Press ENTER to continue when it prompts:

      ...
      Proceeding with migration.
      Running pre-migration checks
      ...
      Switching my-env env to secret-generator
      .../forgeops env -e my-env -k /.../forgeops/kustomize -H /.../forgeops/helm/my-env -n myns --secret-generator
      Press <ENTER> to proceed.
    3. Let the script set ds_set_passwords.force to true by pressing ENTER at the prompt:

      Using ClusterIssuer: default-issuer
      Setting ds_set_passwords.force to true in /.../forgeops/helm/my-env/values.yaml.
      Press <ENTER> to continue
    4. Let it run forgeops upgrade to update secrets in AM and Amster overlays. Then press ENTER to continue:

      ...
      .../forgeops/kustomize/overlay/my-env/am already updated
      ...forgeops/kustomize/overlay/my-env/amster already updated
      .../forgeops/kustomize/overlay/my-env/idm already updated
      ...
      Switching my-env env to secret-generator
      .../forgeops/bin/forgeops env -e my-env -k .../forgeops/kustomize -H .../forgeops/helm -n myns --secret-generator
      Press <ENTER> to proceed.
    5. Continue to enter "Y" or press ENTER as the script prompts until the secrets migration completes.

  6. Run the kubectl get secretagentconfiguration command to confirm no secrets are managed by the secret agent.

  7. View the revised Kustomize overlay and Helm values to confirm that secret generator is used in your environment.

  8. Use the forgeops info command to get the revised passwords for admin users.

  9. Access the platform administration UI and confirm migration has completed successfully.
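The following script is an added example, not part of ForgeOps or its migrate.py script. It covers two of the steps above in one place: the backup of the step 3 secrets before migrate.py runs, and the step 6 check that no secrets remain under secret agent afterwards. It assumes kubectl is already configured for the target cluster and namespace; the label selector managed-by-secret-agent=true is taken from the kubectl get secrets output shown earlier, and is used to pick up any extra secrets you deployed beyond the core list. The backup directory and the namespace myns are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not ForgeOps code): back up secret-agent-managed secrets before
# running migrate.py, then confirm after migration that none remain.
# Assumes kubectl is configured for the cluster. The label key
# managed-by-secret-agent=true is the one visible on the secrets listed above.
set -eu

# Secrets named in step 3; anything else you deployed is discovered by label.
CORE_SECRETS="am-env-secrets am-keystore am-passwords amster amster-env-secrets ds-env-secrets ds-passwords idm-env-secrets idm"

# Print the name of every secret in the namespace that secret agent manages, one per line.
list_secret_agent_secrets() {
  kubectl -n "$1" get secrets -l managed-by-secret-agent=true \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Dump each named secret as JSON into <dir>/<name>.json and print how many were
# saved. A secret that does not exist is reported on stderr and skipped.
backup_secrets() {
  ns="$1"; dir="$2"; shift 2
  mkdir -p "$dir"
  chmod 700 "$dir"          # the files hold base64 of live passwords and keystores
  saved=0
  for name in "$@"; do
    if kubectl -n "$ns" get secret "$name" -o json >"$dir/$name.json" 2>/dev/null; then
      chmod 600 "$dir/$name.json"
      saved=$((saved + 1))
    else
      rm -f "$dir/$name.json"
      echo "warning: secret $name not found in namespace $ns" >&2
    fi
  done
  echo "$saved"
}

# A backup file is only useful if it carries the "data" map; print the number of files that do not.
count_bad_backups() {
  bad=0
  for f in "$1"/*.json; do
    [ -e "$f" ] || continue
    grep -q '"data"' "$f" || bad=$((bad + 1))
  done
  echo "$bad"
}

# Post-migration check (step 6): print how many secrets still carry the secret-agent label.
# Expect 0 once migrate.py has finished.
secret_agent_secrets_remaining() {
  list_secret_agent_secrets "$1" | grep -c . || true
}

main() {
  ns="$1"; dir="$2"
  # Union of the core list and whatever else is labelled as managed by secret agent.
  all=$(printf '%s\n' $CORE_SECRETS; list_secret_agent_secrets "$ns")
  all=$(printf '%s\n' $all | sort -u)
  n=$(backup_secrets "$ns" "$dir" $all)
  bad=$(count_bad_backups "$dir")
  echo "saved $n secrets to $dir ($bad unusable)"
  echo "secrets still managed by secret agent: $(secret_agent_secrets_remaining "$ns")"
}

# Usage: sh backup_secrets.sh <namespace> <backup-dir>   (e.g. myns ./secret-backup)
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once before step 5 and keep the directory somewhere with the same protection you give the cluster credentials, since each file is a complete Secret manifest. Running it again after step 5 should report that zero secrets are still managed by secret agent; if the count is not zero, inspect the named secrets before continuing with step 7.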