---
title: Migrate secrets to Secret Generator
description: The kubernetes-secret-generator (secret generator) is supported and the preferred secret management utility from ForgeOps release 2025.2 onwards. The ForgeOps team provides the migrate.py Python script in the upgrade/secret-agent-to-secret-generator folder. Use this script to migrate secrets to secret generator.
component: forgeops
version: 2026.1
page_id: forgeops:preview:migrate-to-secgen
canonical_url: https://docs.pingidentity.com/forgeops/2026.1/preview/migrate-to-secgen.html
keywords: ["Security", "Secret Agent", "Secret Generator"]
section_ids:
  steps_to_migrate: Steps to migrate
---

# Migrate secrets to Secret Generator

The `kubernetes-secret-generator` (secret generator) is the supported and preferred secret management utility from ForgeOps release 2025.2 onwards. The ForgeOps team provides the `migrate.py` Python script in the `upgrade/secret-agent-to-secret-generator` folder. Use this script to migrate secrets from secret agent to secret generator.

Before initiating migration, make sure that your DS images are built with the ForgeOps 2025.2.0 release. The DS image in the ForgeOps 2025.2.0 release supports multiple password values in DS, which enables password rotation with no downtime.

**Note:** This script makes changes in your Kubernetes context.

* Prerequisites

  To migrate secrets from secret agent to secret generator, you must:

  * Have a running ForgeOps deployment that uses secret agent to manage secrets.

  * Upgrade the ForgeOps tools to release 2025.2.0.

  * Back up the secrets in your ForgeOps environment.

  * To use password rotation with no downtime, deploy the DS image from the ForgeOps 2025.2.0 release:

    * Use `forgeops build` in 2025.2.0 to build a new image.

    * Then redeploy DS using the newly built image.

**Note:** In a single-instance deployment, password rotation involves downtime.

* For deployments using DS images from 2025.1 or earlier

  If you are using a DS image from the 2025.1 release or earlier, perform these steps to enable multiple password values in DS.

  1. In your terminal window, set environment variables for the DS password and the `dsconfig` connection string (`DSPASS` and `CONN_STR`):

     ```
     $ export DSPASS=$(kubectl get secret ds-passwords -n my_ns -o yaml | yq '.data["dirmanager.pw"]' | tr -d '"' | base64 -d -i -)

     $ export CONN_STR="--hostname localhost --port 4444 --bindDn uid=admin --trustAll --no-prompt --bindPassword $DSPASS"
     ```

  2. Enable multiple password values in the DS pods:

     ```
     $ kubectl exec -it ds-cts-0 -- bin/dsconfig set-password-policy-prop \
       --policy-name "Default Password Policy" \
       --set allow-multiple-password-values:true $CONN_STR

     $ kubectl exec -it ds-cts-0 -- bin/dsconfig set-password-policy-prop \
       --policy-name "Root Password Policy" \
       --set allow-multiple-password-values:true $CONN_STR

     $ kubectl exec -it ds-idrepo-0 -- bin/dsconfig set-password-policy-prop \
       --policy-name "Default Password Policy" \
       --set allow-multiple-password-values:true $CONN_STR

     $ kubectl exec -it ds-idrepo-0 -- bin/dsconfig set-password-policy-prop \
       --policy-name "Root Password Policy" \
       --set allow-multiple-password-values:true $CONN_STR
     ```

## Steps to migrate

1. Verify the pods in the ForgeOps deployment are in **Running** status:

   ```
   $ kubectl get pods
   NAME                           READY   STATUS    RESTARTS   AGE
   admin-ui-55d6fc59fd-ths88      1/1     Running   0          14h
   am-9f9b5b97c-76qgf             1/1     Running   0          14h
   ds-cts-0                       1/1     Running   0          14h
   ds-idrepo-0                    1/1     Running   0          14h
   end-user-ui-7df54dcc7f-zz4gs   1/1     Running   0          14h
   idm-5f6b658-dgtb5              1/1     Running   0          14h
   login-ui-b78d5b646-hsklj       1/1     Running   0          14h
   ```

2. Verify that secrets are currently managed by secret agent:

   ```
   $ kubectl get sac
   NAME            STATUS      NUMSECRETS   NUMK8SSECRETS
   forgerock-sac   Completed   11           11


   $ kubectl get secrets -o custom-columns=NAME:.metadata.name,LABELS:.metadata.labels
   NAME                                      LABELS
   am-env-secrets                            map[managed-by-secret-agent:true ...]
   am-keystore                               map[managed-by-secret-agent:true ...]
   am-passwords                              map[managed-by-secret-agent:true ...]
   amster                                    map[managed-by-secret-agent:true ...]
   amster-env-secrets                        map[managed-by-secret-agent:true ...]
   ds-env-secrets                            map[managed-by-secret-agent:true ...]
   ds-master-keypair                         map[app:ds controller.cert-manager.io/fao:true]
   ds-passwords                              map[managed-by-secret-agent:true ...]
   ds-ssl-keypair                            map[app:ds controller.cert-manager.io/fao:true]
   idm                                       map[managed-by-secret-agent:true ...]
   idm-env-secrets                           map[managed-by-secret-agent:true ...]
   platform-ca                               map[managed-by-secret-agent:true ...]
   sh.helm.release.v1.identity-platform.v1   map[...]
   sh.helm.release.v1.identity-platform.v2   map[...]
   tls-forgeops.example.com-tn657            map[cert-manager.io...]
   truststore-pem                            map[managed-by-secret-agent:true ...]
   ```

3. Get the following secrets, plus any secrets you have deployed yourself, so that you can back them up:

   `am-env-secrets`, `am-keystore`, `am-passwords`, `amster`, `amster-env-secrets`, `ds-env-secrets`, `ds-passwords`, `idm-env-secrets`, and `idm`.

   ```
   $ kubectl get secret secret-name -o jsonpath='{.data}'
   ```

4. Install secret generator in your cluster using the `forgeops prereqs` command:

   ```
   $ ./bin/forgeops prereqs --secret-generator

   Cert Manager has already been installed.
   ...
   ```

5. Run the `migrate.py` script in the `upgrade/secret-agent-to-secret-generator` directory to migrate secrets.

   The `migrate.py` script performs the migration in several phases and asks for confirmation at the end of each phase.

   1. Start the migration script. Provide the following parameters to the script:

      * Name of your ForgeOps deployment environment: `my-env` in the example.

      * The deployment mode (`--helm` or `--kustomize`) you used: `--helm` in the example.

        * If using Helm, you can specify an alternate Helm chart location.

      * Namespace of your ForgeOps deployment: `myns` in the example.

        ```
        $ ./upgrade/secret-agent-to-secret-generator/migrate.py \
          --env-name my-env --helm --namespace myns
        ...

        Would you like to continue? (Y/N)
        ```

        When it prompts `Would you like to continue? (Y/N)`, enter "Y".

   2. Let the script run pre-migration steps. Press `ENTER` to continue when it prompts:

      ```
      ...
      Proceeding with migration.
      Running pre-migration checks
      ...
      Switching my-env env to secret-generator
      .../forgeops env -e my-env -k /.../forgeops/kustomize -H /.../forgeops/helm/my-env -n myns --secret-generator
      Press <ENTER> to proceed.
      ```

   3. Let the script set `ds_set_passwords.force` to true by pressing `ENTER` at the prompt:

      ```
      Using ClusterIssuer: default-issuer
      Setting ds_set_passwords.force to true in /.../forgeops/helm/my-env/values.yaml.
      Press <ENTER> to continue
      ```

   4. Let it run `forgeops upgrade` to update secrets in the AM and Amster overlays. Then press `ENTER` to continue:

      ```
      ...
      .../forgeops/kustomize/overlay/my-env/am already updated
      ...forgeops/kustomize/overlay/my-env/amster already updated
      .../forgeops/kustomize/overlay/my-env/idm already updated
      ...
      Switching my-env env to secret-generator
      .../forgeops/bin/forgeops env -e my-env -k .../forgeops/kustomize -H .../forgeops/helm -n myns --secret-generator
      Press <ENTER> to proceed.
      ```

   5. Similarly, enter "Y" or press `ENTER` at the remaining prompts to complete the secrets migration.

6. Run the `kubectl get secretagentconfiguration` command to confirm that no secrets are still managed by secret agent.

7. View the revised Kustomize overlay and Helm values to confirm that secret generator is used in your environment.

8. Use the `forgeops info` command to get the revised passwords for the admin users.

9. Access the platform administration UI and confirm migration has completed successfully.
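The backup in step 3 and the post-migration check in step 6 both come down to reading the secret list and looking at the `managed-by-secret-agent` label shown in step 2. The following script is an added example, not part of ForgeOps or its `migrate.py`: it takes the JSON that `kubectl get secrets -n <namespace> -o json` prints (saved to a file, so it runs offline), lists the secrets still labelled as secret-agent managed, writes each one's `.data` to an owner-only backup file after validating that every value is real base64, and reports whether the migration is complete (no labelled secrets left). The secret names, labels and values in `SAMPLE_SECRET_LIST` are constructed for the example and are not from a real cluster.

```python
"""Inventory, back up and verify ForgeOps secrets around a secret-agent to
secret-generator migration.

Added example (not ForgeOps project code). Input is the JSON that
`kubectl get secrets -n <namespace> -o json` prints, i.e. a SecretList.
"""
import base64
import json
from pathlib import Path

# Label seen on secret-agent managed secrets in `kubectl get secrets` output.
SECRET_AGENT_LABEL = "managed-by-secret-agent"

# Constructed sample in the shape of a SecretList; values are made up.
SAMPLE_SECRET_LIST = {
    "kind": "SecretList",
    "items": [
        {"metadata": {"name": "ds-passwords",
                      "labels": {SECRET_AGENT_LABEL: "true"}},
         "type": "Opaque",
         "data": {"dirmanager.pw": base64.b64encode(b"constructed-pw").decode()}},
        {"metadata": {"name": "ds-ssl-keypair",
                      "labels": {"app": "ds", "controller.cert-manager.io/fao": "true"}},
         "type": "kubernetes.io/tls",
         "data": {"tls.crt": base64.b64encode(b"constructed-cert-pem").decode()}},
        {"metadata": {"name": "am-passwords",
                      "labels": {SECRET_AGENT_LABEL: "true"}},
         "type": "Opaque",
         "data": {"amadmin.pw": base64.b64encode(b"constructed-amadmin").decode()}},
    ],
}


def secret_agent_managed(secret_list: dict) -> list:
    """Sorted names of secrets still carrying the secret-agent label."""
    names = []
    for item in secret_list.get("items", []):
        labels = item.get("metadata", {}).get("labels") or {}
        if labels.get(SECRET_AGENT_LABEL) == "true":
            names.append(item["metadata"]["name"])
    return sorted(names)


def backup_secrets(secret_list: dict, names, out_dir: Path) -> dict:
    """Write each named secret's .data (kept base64-encoded, as kubectl prints
    it) to <out_dir>/<name>.json with owner-only permissions.

    Every value is decoded once with validate=True so a corrupt or truncated
    dump is rejected now rather than discovered during a restore.
    Returns a name -> backup path mapping."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    by_name = {i["metadata"]["name"]: i for i in secret_list.get("items", [])}
    written = {}
    for name in names:
        item = by_name[name]  # KeyError if the secret is missing from the dump
        data = item.get("data") or {}
        for value in data.values():
            base64.b64decode(value, validate=True)
        path = out_dir / f"{name}.json"
        path.write_text(json.dumps(
            {"name": name, "type": item.get("type"), "data": data}, indent=2))
        path.chmod(0o600)  # backups hold live credentials; owner-only
        written[name] = path
    return written


def decode_backup(path) -> dict:
    """Decoded plaintext values of one backup file, for a spot check."""
    doc = json.loads(Path(path).read_text())
    return {k: base64.b64decode(v) for k, v in doc["data"].items()}


def migration_complete(secret_list: dict) -> bool:
    """Step 6 check: no secret is still labelled as secret-agent managed."""
    return not secret_agent_managed(secret_list)


if __name__ == "__main__":
    import sys
    import tempfile
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SECRET_LIST
    dest = Path(sys.argv[2]) if len(sys.argv) > 2 else Path(tempfile.mkdtemp())
    managed = secret_agent_managed(src)
    print("secret-agent managed:", managed)
    for name, path in backup_secrets(src, managed, dest).items():
        print(f"backed up {name} -> {path}")
    print("migration complete:", migration_complete(src))
```

Usage before migration: `kubectl get secrets -n myns -o json > before.json && python3 backup_check.py before.json ./secret-backup` (the script name is arbitrary). Run the same command against a fresh dump after step 5; `migration complete: True` corresponds to an empty `NUMSECRETS` count from `kubectl get secretagentconfiguration`. The backup files stay base64-encoded so they can be re-applied as secret `.data` without re-encoding; treat the backup directory with the same care as the cluster's own secrets.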
