Add a Kubernetes secret
Your Sitecore Managed Cloud configuration is provided by environment variables that refer to Kubernetes secrets (secretRef
). Sensitive data is stored in Azure Key Vault and mounted to the Kubernetes secret through the Secrets Store CSI driver.
You might want to create a new secret, for example, to pass sensitive values for your container service through the environment variable.
To add or extend a secret:
-
Add a secret to Azure KeyVault.
-
In the Application repository, go to
roles/sitecore-{topology}/templates/
and in thesecrets.yaml
file, go to thespec.parameters.objects
section and add the new secrets reference:RequestResponseshellarray: - | objectName: {keyName of secret in Azure KeyVault} objectType: secret
To add a new secret, add:
RequestResponseshell- data: - key: {name of the kubernetes secret key} objectName: {keyName of secret in Azure KeyVault} secretName: {name of the Kubernetes secret} type: Opaque
To extend a secret from
spec.secretObjects
, find the appropriate {secretName
} that you want to extend:RequestResponseshell- data: - key: {name of the kubernetes secret key} objectName: {keyName of secret in Azure KeyVault} secretName: {name of the Kubernetes secret} type: Opaque
When the new secret has been added to the Azure KeyVault and the
secrets.yaml
file, you can use it as a reference in the AKS deployment/pod configuration. Here is an example of asecret configuration:In the
secrets.yaml
’ there is a secret calledsitecore-hostname
with the keysid
andcm
:RequestResponseshell- data: - key: id objectName: sitecore-id-host-name - key: cm objectName: sitecore-cm-host-name secretName: sitecore-hostname
This secret is used by the
id.yaml
deployment overlay in/roles/sitecore-{topology}/overlays/id.yaml
:RequestResponseshell- name: SITECORE_HOSTNAME_ID valueFrom: secretKeyRef: key: id name: sitecore-hostname
To add secrets to other deployments, follow the same procedure.
-
Run the application pipeline to apply the changes.
When you update the secret value in the Azure KeyVault, the secrets-synchronizer
pod automatically synchronizes it with the AKS secret.