Abstract

Learn how to add or extend a KeyVault secret.

Your Sitecore Managed Cloud configuration is provided by environment variables that refer to Kubernetes secrets (secretRef). Sensitive data is stored in Azure Key Vault and mounted to the Kubernetes secret through the Secrets Store CSI driver.

You might want to create a new secret, for example, to pass sensitive values for your container service through the environment variable.

To add or extend a secret:

1. Add a secret to Azure KeyVault.

2. In the Application repository, go to roles/sitecore-{topology}/templates/ and in the secrets.yaml file, go to the spec.parameters.objects section and add the new secrets reference:

array:
- |
objectName: {keyName of secret in Azure KeyVault}
objectType: secret


- data:
- key: {name of the kubernetes secret key}
objectName: {keyName of secret in Azure KeyVault}
secretName: {name of the Kubernetes secret}
type: Opaque


To extend a secret from spec.secretObjects, find the appropriate {secretName} that you want to extend:

- data:
- key: {name of the kubernetes secret key}
objectName: {keyName of secret in Azure KeyVault}
secretName: {name of the Kubernetes secret}
type: Opaque


When the new secret has been added to the Azure KeyVault and the secrets.yaml file, you can use it as a reference in the AKS deployment/pod configuration. Here is an example of asecret configuration:

In the secrets.yaml’ there is a secret called sitecore-hostname with the keys id and cm:

- data:
- key: id
objectName: sitecore-id-host-name
- key: cm
objectName: sitecore-cm-host-name
secretName: sitecore-hostname

This secret is used by the id.yaml deployment overlay in /roles/sitecore-{topology}/overlays/id.yaml:

- name: SITECORE_HOSTNAME_ID
valueFrom:
secretKeyRef:
key: id
name: sitecore-hostname

When you update the secret value in the Azure KeyVault, the secrets-synchronizer pod automatically synchronizes it with the AKS secret.