Replace the value of the secret that is used for encrypting database fields in the Management subsystem.
About this task
This update does not require an outage; however, some operations might take longer than usual due to database locking.
Procedure
- Create a secret rotation CR that specifies the name of your management cluster.
  You can optionally specify the name of a secret containing the new encryption_secret.bin, as shown in the following example, or you can omit it so that a new key is generated automatically.

      apiVersion: management.apiconnect.ibm.com/v1beta1
      kind: ManagementSecretRotation
      metadata:
        name: rotate-secret
      spec:
        managementCluster: management
        rotateEncryptionSecret:
          rotate: true
          # encryptionSecret: name_of_secret

  Note: If you upgraded from V2018, the database encryption key was carried forward and is called managementUpgradeName-encryption-secret.
- Run the following command to apply the CR and change the secret:

      kubectl -n namespace create -f rotate_secret.yaml

  where:
  - namespace is the namespace where you installed the Management subsystem.
  - rotate_secret.yaml is the name of the file containing the CR. Notice that the file name does not have to match the value of the name specified in the CR.
- Verify that the secret was generated using one of the following methods:
  - Run the kubectl get job command and verify that the results include a job for the new CR. The job is named based on the management cluster name and the CR name, using the following format: managementCluster-crName. For the example CR rotate-secret created for the management cluster, the job is named management-rotate-secret.
  - Look in the pod logs of the apiconnect operator and locate the record with the name that you specified in the kind field in the CR, and check its progress. For the example CR, the kind value is "ManagementSecretRotation". You can also use the log to verify that database tables were updated.
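
The following POSIX shell script is an added example, not part of IBM's documentation or product code. It derives the expected job name from the CR file, applies the CR, and runs both verification methods from the last step. The script name rotate.sh, the "apiconnect" pod-name match, and the optional operator-namespace argument are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code. POSIX sh; kubectl is needed only when run with args.

# Read one "key: value" pair from the CR file. Enough for the flat CR shown in
# this procedure; it is not a general YAML parser. Commented lines never match.
cr_field() {  # usage: cr_field <cr-file> <key>
  awk -v k="$2" '$1 == (k ":") { print $2; exit }' "$1"
}

# Job name format from the procedure: managementCluster-crName.
expected_job_name() {  # usage: expected_job_name <cr-file>
  ej_cluster=$(cr_field "$1" managementCluster)
  ej_name=$(cr_field "$1" name)
  [ -n "$ej_cluster" ] && [ -n "$ej_name" ] || return 1
  printf '%s-%s\n' "$ej_cluster" "$ej_name"
}

# Apply the CR, then run both verification methods.
# Assumptions: operator pods have "apiconnect" in their name, and the operator
# namespace defaults to the Management namespace when no third argument is given.
rotate_and_verify() {  # usage: rotate_and_verify <namespace> <cr-file> [operator-namespace]
  rv_ns=$1; rv_file=$2; rv_op_ns=${3:-$1}
  rv_job=$(expected_job_name "$rv_file") || {
    echo "cannot derive job name from $rv_file" >&2; return 1; }
  rv_kind=$(cr_field "$rv_file" kind)

  kubectl -n "$rv_ns" create -f "$rv_file" || return 1

  # Method 1: poll until the job for this CR appears (up to about 5 minutes).
  rv_tries=0
  until kubectl -n "$rv_ns" get job "$rv_job" 2>/dev/null; do
    rv_tries=$((rv_tries + 1))
    [ "$rv_tries" -lt 30 ] || { echo "job $rv_job not found" >&2; return 1; }
    sleep 10
  done

  # Method 2: show operator log records that mention the CR kind.
  for rv_pod in $(kubectl -n "$rv_op_ns" get pods -o name | grep apiconnect); do
    kubectl -n "$rv_op_ns" logs "$rv_pod" | grep "$rv_kind"
  done
}

# Run only when called with arguments, e.g.: sh rotate.sh <namespace> rotate_secret.yaml
if [ "$#" -ge 2 ]; then rotate_and_verify "$@"; fi
```

Because the job name comes from the CR contents and not from the file name, the check still works when rotate_secret.yaml is renamed.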