Move secrets to keyvault
This guide explains the steps for moving an app's secrets out of the cluster and having the app read them from Key Vault instead.
Steps
1) Create the keyvaults in terraform. This creates all the Azure infrastructure and the access your application needs.
2) Open the network policy for the new keyvault (make sure it is deployed through pipelines).
3) Copy the secrets from the cluster to the keyvault. The script below can be run to copy them:
https://dev.azure.com/MAJORITY/Bank/_git/adhoc-automation?path=/Keyvaults/copy-secrets.py
Download copy-secrets.py and create a mappings yaml file for your secrets. It should look like this:
```yaml
mappings:
  - namespace: minority
    keyvault: carddata-kv
    secrets:
      - card-data-keyvault-credentials
      - minority-bank-i2c-api-credentials
```
To run the script, use this command:
```
python3 copy-secrets.py --env dev --file <path to your mappings yaml file>
```
Please read the logs carefully when you run this script. If for some reason the secrets uploaded to the keyvault do not match the original secrets in the cluster, the logs will print the details of the mismatch.
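As an added illustration of the check that step 3 relies on (this is not the copy-secrets.py from the adhoc-automation repo), the snippet below reads a mapping with the same shape as the yaml above, compares each cluster secret against its Key Vault copy, and reports missing or mismatched entries. The cluster and Key Vault contents are constructed stand-ins for what the Kubernetes and Azure SDK clients would return; the names `verify_mappings`, `has_failures` and `fingerprint` are this example's own. Mismatches are reported with a short hash of each value rather than the value itself, so the log never contains secret material.

```python
"""Added example: verify that every secret listed in a mappings file was copied
to the target Key Vault with the same value as the cluster copy.

Not the repository's copy-secrets.py; the stores below are constructed."""
import base64
import hashlib

# Constructed mapping mirroring the mappings yaml shown on this page.
MAPPINGS = {
    "mappings": [
        {
            "namespace": "minority",
            "keyvault": "carddata-kv",
            "secrets": [
                "card-data-keyvault-credentials",
                "minority-bank-i2c-api-credentials",
            ],
        }
    ]
}

# Constructed stand-ins for the two stores (assumption: one Key Vault secret per
# cluster secret, same name). Kubernetes returns secret data base64-encoded;
# Key Vault returns the plain string.
CLUSTER_SECRETS = {
    ("minority", "card-data-keyvault-credentials"): base64.b64encode(b"user:pass-1").decode(),
    ("minority", "minority-bank-i2c-api-credentials"): base64.b64encode(b"i2c-key-2").decode(),
}
KEYVAULT_SECRETS = {
    ("carddata-kv", "card-data-keyvault-credentials"): "user:pass-1",
    ("carddata-kv", "minority-bank-i2c-api-credentials"): "i2c-key-OLD",  # constructed mismatch
}


def fingerprint(value):
    """Short SHA-256 prefix: enough to show that two values differ, not what they are."""
    if value is None:
        return "-"
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def verify_mappings(mappings, cluster, keyvault):
    """Return one result dict per mapped secret.

    status is one of: ok, missing-in-cluster, missing-in-keyvault, mismatch.
    """
    results = []
    for entry in mappings["mappings"]:
        ns, kv = entry["namespace"], entry["keyvault"]
        for name in entry["secrets"]:
            encoded = cluster.get((ns, name))
            expected = base64.b64decode(encoded).decode() if encoded is not None else None
            actual = keyvault.get((kv, name))
            if expected is None:
                status = "missing-in-cluster"
            elif actual is None:
                status = "missing-in-keyvault"
            elif actual == expected:
                status = "ok"
            else:
                status = "mismatch"
            results.append({
                "namespace": ns, "keyvault": kv, "secret": name, "status": status,
                "cluster_fp": fingerprint(expected), "keyvault_fp": fingerprint(actual),
            })
    return results


def has_failures(results):
    """True when any mapped secret is missing or differs between the stores."""
    return any(r["status"] != "ok" for r in results)


def report(results):
    """Print one log line per secret; only fingerprints, never values, are logged."""
    for r in results:
        print(f"{r['status']:<20} {r['namespace']}/{r['secret']} -> {r['keyvault']} "
              f"cluster={r['cluster_fp']} keyvault={r['keyvault_fp']}")


if __name__ == "__main__":
    res = verify_mappings(MAPPINGS, CLUSTER_SECRETS, KEYVAULT_SECRETS)
    report(res)
    raise SystemExit(1 if has_failures(res) else 0)
```

Running it as shown exits non-zero because the second constructed Key Vault value differs from the cluster copy; in a pipeline that exit code is what should block step 4 until the copy is repeated.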
4) Now add the keyvault names in the app-settings config for the area. Once this config map is deployed, the app will start using the secrets from the keyvault. I think the pods need a restart for the configs in app-settings for the change to take effect.
5) Set the secrets section in the values.yaml file to an empty list like this:
```yaml
secrets: []
```