Changing the database encryption key
Replace the value of the secret that is used for encrypting database fields in the Management subsystem.
About this task
This update does not require an outage; however some operations might take longer than usual due to database locking.
Create a secret rotation CR that specifies the name of your management cluster.
You can optionally specify the name of a secret containing the new encryption_secret.bin, as shown in the following example, or you can omit it so that a new key is generated automatically.
    apiVersion: management.apiconnect.ibm.com/v1beta1
    kind: ManagementSecretRotation
    metadata:
      name: rotate-secret
    spec:
      managementCluster: management
      rotateEncryptionSecret:
        rotate: true
        # encryptionSecret: name_of_secret

Note: If you upgraded from V2018, the database encryption key was carried forward and is called
Run the following command to apply the CR and change the secret:
    kubectl -n namespace create -f rotate_secret.yaml

where:
- namespace is the namespace where you installed the Management subsystem.
- rotate_secret.yaml is the name of the file containing the CR. Notice that the file name does not have to match the value of the name specified in the CR.
Verify that the secret was generated using one of the following methods:
- Run the kubectl get job command and verify that the results include a job for the new CR. The job is named based on the management cluster name and the CR name, using the following format: managementCluster-crName. For the example CR rotate-secret created for the management cluster, the job is named
- Look in the pod logs of the apiconnect operator and locate the record with the name that you specified in the kind field in the CR, and check its progress. For the example CR, the kind value is "ManagementSecretRotation". You can also use the log to verify that database tables were updated.
- Run the
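The whole procedure above (render the CR, apply it, verify the job and the operator log) as one shell script. This is an added example, not code from the IBM API Connect documentation or from the apiconnect operator. The namespace, cluster name, CR name, the operator Deployment name (assumed to be ibm-apiconnect) and the RUN_LIVE/NAMESPACE/CLUSTER/CR_NAME/NEW_SECRET environment variables are assumptions for illustration; the kubectl get job and log samples used to exercise the helpers are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the IBM API Connect documentation or the operator.
# Drives the ManagementSecretRotation procedure: render the CR, apply it, then
# verify the rotation job and the operator log. Namespace, cluster name, CR
# name and the operator Deployment name are assumptions; adjust for your
# installation.
set -eu

# Render the ManagementSecretRotation CR as YAML. A third argument names an
# existing Secret holding the new encryption_secret.bin; leave it out to have
# the operator generate a fresh key.
render_rotation_cr() {
  local cluster="$1" cr_name="$2" secret="${3:-}"
  cat <<EOF
apiVersion: management.apiconnect.ibm.com/v1beta1
kind: ManagementSecretRotation
metadata:
  name: ${cr_name}
spec:
  managementCluster: ${cluster}
  rotateEncryptionSecret:
    rotate: true
EOF
  if [ -n "$secret" ]; then
    printf '    encryptionSecret: %s\n' "$secret"
  fi
}

# The operator names the rotation job <managementCluster>-<crName>.
expected_job_name() {
  printf '%s-%s\n' "$1" "$2"
}

# Return 0 when the output of `kubectl get job --no-headers` lists the job.
job_listed() {
  local job="$1" listing="$2"
  printf '%s\n' "$listing" | awk -v j="$job" '$1 == j { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 when operator log text records the rotation CR by kind and name.
# The exact log line layout is not documented on the page; the sample used
# to exercise this function is constructed.
log_mentions_rotation() {
  local cr_name="$1" log="$2"
  printf '%s\n' "$log" | grep -q "ManagementSecretRotation.*${cr_name}"
}

# Live run: needs kubectl and access to the cluster. OPERATOR_DEPLOY is the
# assumed name of the apiconnect operator Deployment.
run_rotation() {
  local ns="$1" cluster="$2" cr_name="$3" secret="${4:-}"
  local job
  job=$(expected_job_name "$cluster" "$cr_name")
  render_rotation_cr "$cluster" "$cr_name" "$secret" > rotate_secret.yaml
  kubectl -n "$ns" create -f rotate_secret.yaml
  # Rotation locks database tables while it runs; wait for the job to finish.
  kubectl -n "$ns" wait --for=condition=complete "job/${job}" --timeout=30m
  job_listed "$job" "$(kubectl -n "$ns" get job --no-headers)"
  log_mentions_rotation "$cr_name" \
    "$(kubectl -n "$ns" logs "deployment/${OPERATOR_DEPLOY:-ibm-apiconnect}" --tail=2000)"
}

# Only touch a cluster when explicitly asked, so the file is safe to source.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_rotation "${NAMESPACE:-apic}" "${CLUSTER:-management}" \
    "${CR_NAME:-rotate-secret}" "${NEW_SECRET:-}"
fi
```

Run it as RUN_LIVE=1 NAMESPACE=your-namespace ./rotate.sh; set NEW_SECRET to the name of a Secret containing encryption_secret.bin to supply your own key instead of letting the operator generate one. The helper functions are deliberately separated from the kubectl calls so the naming and verification logic can be checked without a cluster.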