Add a Kubernetes secret

Abstract

Learn how to add or extend a KeyVault secret.

Your Sitecore Managed Cloud configuration is provided by environment variables that refer to Kubernetes secrets (secretRef). Sensitive data is stored in Azure Key Vault and mounted to the Kubernetes secret through the Secrets Store CSI driver.

MCC-k8secret.png

You might want to create a new secret, for example, to pass sensitive values for your container service through the environment variable.

To add or extend a secret:

  1. Add a secret to Azure KeyVault.

  2. In the Application repository, go to roles/sitecore-{topology}/templates/ and in the secrets.yaml file, go to the spec.parameters.objects section and add the new secrets reference:

    array:
      - |
        objectName: {keyName of secret in Azure KeyVault}
        objectType: secret
    

    To add a new secret, add:

    - data:
      - key: {name of the kubernetes secret key}
        objectName: {keyName of secret in Azure KeyVault}
        secretName: {name of the Kubernetes secret}
        type: Opaque
    

    To extend a secret from spec.secretObjects, find the appropriate {secretName} that you want to extend:

    - data:
      - key: {name of the kubernetes secret key}
        objectName: {keyName of secret in Azure KeyVault}
        secretName: {name of the Kubernetes secret}
        type: Opaque
    

    When the new secret has been added to the Azure KeyVault and the secrets.yaml file, you can use it as a reference in the AKS deployment/pod configuration. Here is an example of asecret configuration:

    In the secrets.yaml’ there is a secret called sitecore-hostname with the keys id and cm:

    - data:    
        - key: id      
          objectName: sitecore-id-host-name    
        - key: cm      
          objectName: sitecore-cm-host-name    
          secretName: sitecore-hostname

    This secret is used by the id.yaml deployment overlay in /roles/sitecore-{topology}/overlays/id.yaml:

    - name: SITECORE_HOSTNAME_ID   
      valueFrom:     
       secretKeyRef:       
        key: id       
        name: sitecore-hostname

    To add secrets to other deployments, follow the same procedure.

  3. Run the application pipeline to apply the changes.

When you update the secret value in the Azure KeyVault, the secrets-synchronizer pod automatically synchronizes it with the AKS secret.