Add a Kubernetes secret

Current version: 10.1

Your Sitecore Managed Cloud configuration is provided by environment variables that refer to Kubernetes secrets (secretRef). Sensitive data is stored in Azure Key Vault and mounted to the Kubernetes secret through the Secrets Store CSI driver.

Illustration of how sensitive data is stored.

You might want to create a new secret, for example, to pass sensitive values for your container service through the environment variable.

To add or extend a secret:

  1. Add a secret to Azure KeyVault.

  2. In the Application repository, open roles/sitecore-{topology}/templates/secrets.yaml, go to the spec.parameters.objects section, and add a reference to the new secret:

    array:
      - |
        objectName: {keyName of secret in Azure KeyVault}
        objectType: secret

    To add a new secret, add an entry like the following under spec.secretObjects:

    - data:
        - key: {name of the kubernetes secret key}
          objectName: {keyName of secret in Azure KeyVault}
      secretName: {name of the Kubernetes secret}
      type: Opaque

    To extend an existing secret, find the entry in spec.secretObjects with the {secretName} that you want to extend and add the new key to it:

    - data:
        - key: {name of the kubernetes secret key}
          objectName: {keyName of secret in Azure KeyVault}
      secretName: {name of the Kubernetes secret}
      type: Opaque

    When the new secret has been added to the Azure KeyVault and to the secrets.yaml file, you can reference it from the AKS deployment/pod configuration. Here is an example of a secret configuration:

    In secrets.yaml, there is a secret called sitecore-hostname with the keys id and cm:

    - data:
        - key: id
          objectName: sitecore-id-host-name
        - key: cm
          objectName: sitecore-cm-host-name
      secretName: sitecore-hostname

    This secret is used by the id.yaml deployment overlay in /roles/sitecore-{topology}/overlays/id.yaml:

    - name: SITECORE_HOSTNAME_ID
      valueFrom:
        secretKeyRef:
          key: id
          name: sitecore-hostname

    To add secrets to other deployments, follow the same procedure.

  3. Run the application pipeline to apply the changes.
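The two places a change to secrets.yaml most often goes wrong are an objectName listed under spec.secretObjects that is missing from spec.parameters.objects (the CSI driver never fetches it, so the Kubernetes secret is never created) and a deployment secretKeyRef whose name or key does not match what secretObjects materialises (the pod fails to start). The following Python script is an added example, not Sitecore's code or part of the Application repository: it takes the parsed structures that yaml.safe_load would return for a trimmed SecretProviderClass and a deployment env list, and reports both kinds of mismatch before the pipeline runs. The sample data is constructed for the example; the SecretProviderClass name sitecore-secrets, the sitecore-database secret, the sitecore-db-password object and the misspelled key cmm are assumptions that do not appear in the original article, and Azure provider fields such as keyvaultName and tenantId are omitted because the check does not use them.

```python
"""Consistency check between a Secrets Store CSI SecretProviderClass (secrets.yaml)
and the deployments that consume its secrets via secretKeyRef.
Added example, not Sitecore Managed Cloud code."""
import re
from typing import Dict, List, Set

# Constructed sample: what yaml.safe_load would return for a trimmed secrets.yaml.
# Only the fields the check needs are present; real files carry more provider parameters.
SECRETS_YAML = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "sitecore-secrets"},  # assumed name, not from the article
    "spec": {
        "provider": "azure",
        "parameters": {
            # 'objects' is a YAML document embedded as a string; the driver parses it itself.
            "objects": (
                "array:\n"
                "  - |\n"
                "    objectName: sitecore-id-host-name\n"
                "    objectType: secret\n"
                "  - |\n"
                "    objectName: sitecore-cm-host-name\n"
                "    objectType: secret\n"
            ),
        },
        "secretObjects": [
            {
                "secretName": "sitecore-hostname",
                "type": "Opaque",
                "data": [
                    {"key": "id", "objectName": "sitecore-id-host-name"},
                    {"key": "cm", "objectName": "sitecore-cm-host-name"},
                ],
            },
            {   # constructed entry with a deliberate defect: its objectName is not fetched above
                "secretName": "sitecore-database",
                "type": "Opaque",
                "data": [{"key": "password", "objectName": "sitecore-db-password"}],
            },
        ],
    },
}

# Constructed env list in the style of the id.yaml overlay; the second entry has a typo in key.
DEPLOYMENT_ENV = [
    {"name": "SITECORE_HOSTNAME_ID",
     "valueFrom": {"secretKeyRef": {"name": "sitecore-hostname", "key": "id"}}},
    {"name": "SITECORE_HOSTNAME_CM",
     "valueFrom": {"secretKeyRef": {"name": "sitecore-hostname", "key": "cmm"}}},
    {"name": "LOG_LEVEL", "value": "Information"},  # plain value, not a secret reference
]


def keyvault_objects(spc: dict) -> Set[str]:
    """Key Vault object names the driver will fetch, read from the embedded objects string."""
    raw = spc["spec"]["parameters"].get("objects", "")
    return set(re.findall(r"objectName:\s*([^\s]+)", raw))


def synced_secret_keys(spc: dict) -> Dict[str, Set[str]]:
    """Map secretName -> keys that spec.secretObjects will create in the Kubernetes secret."""
    out: Dict[str, Set[str]] = {}
    for obj in spc["spec"].get("secretObjects", []):
        out.setdefault(obj["secretName"], set()).update(d["key"] for d in obj.get("data", []))
    return out


def check_secret_objects(spc: dict) -> List[str]:
    """Every objectName under secretObjects must also be listed in parameters.objects."""
    fetched = keyvault_objects(spc)
    problems = []
    for obj in spc["spec"].get("secretObjects", []):
        for d in obj.get("data", []):
            if d["objectName"] not in fetched:
                problems.append(f"{obj['secretName']}/{d['key']}: objectName "
                                f"'{d['objectName']}' is not listed in spec.parameters.objects")
    return problems


def check_env_refs(env: list, spc: dict) -> List[str]:
    """Every secretKeyRef must resolve to a secretName/key that the SecretProviderClass creates."""
    available = synced_secret_keys(spc)
    problems = []
    for var in env:
        ref = var.get("valueFrom", {}).get("secretKeyRef")
        if not ref:
            continue  # literal value or another valueFrom source
        keys = available.get(ref["name"])
        if keys is None:
            problems.append(f"{var['name']}: secret '{ref['name']}' is not defined in secretObjects")
        elif ref["key"] not in keys:
            problems.append(f"{var['name']}: key '{ref['key']}' not in secret '{ref['name']}' "
                            f"(available: {sorted(keys)})")
    return problems


if __name__ == "__main__":
    for p in check_secret_objects(SECRETS_YAML) + check_env_refs(DEPLOYMENT_ENV, SECRETS_YAML):
        print("PROBLEM:", p)
```

To run it against real files, load secrets.yaml and the overlay with yaml.safe_load (PyYAML) and pass the SecretProviderClass document and the container's env list to the two check functions; anything they return is a change that would fail at mount or pod-start time rather than in the pipeline.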

When you update the secret value in the Azure KeyVault, the secrets-synchronizer pod automatically synchronizes it with the AKS secret.
