Kubernetes External Secrets with qTest

The containerization through Kubernetes allows you to integrate qTest with external secrets managers, such as AWS Secrets Manager. This enables support for password rotation and the storing of the qTest database password in an external secret manager. Changes are rapidly caught by qTest Manager.

The secret which contains the password the database should be named as qtest-manager-secret. To use SSL database connections, map the certificate as qtest-db-root-secret.

It works as follows:

  1. The integration with external secret managers is accomplished via CustomResourceDefinitions (CRDs).

  2. Changes to external secrets are upserted into Kubernetes Secrets, which is mounted as volume within the container.

  3. qTest Manager hot-reloads the secret and refreshes DB connections .

  4. Other qTest applications then use Stakater Reloader to reload secrets as a rolling update.

The diagram below offers an overview of this feature.

Note that only AWS Secrets Manager is currently officially supported.

Configuration example for AWS Secrets Manager

The AWS Secrets Manager integration example below relies on the Kubernetes External Secrets framework.

apiVersion: "kubernetes-client.io/v1"
kind: ExternalSecret
metadata:
  name: qtest-liquibase-secret
  namespace: qtest
spec:
  backendType: secretsManager
  data:
    - key: <AWS SECRET MANAGER KEY>
      name: client.jdbc.postgres.password
      property: password
---
apiVersion: "kubernetes-client.io/v1"
kind: ExternalSecret
metadata:
  name: qtest-manager-secret
  namespace: qtest
spec:
  backendType: secretsManager
  data:
    - key: <AWS SECRET MANAGER KEY>
      name: client.jdbc.postgres.password
      property: password
    - key: <AWS SECRET MANAGER KEY>
      name: mail.password
      property: password
    - key: <AWS SECRET MANAGER KEY>
      name: client.jdbc.postgres.readonly.password
      property: password
    - key: <AWS SECRET MANAGER KEY>
      name: s3.secretKey
      property: s3secretkey
    - key: <AWS SECRET MANAGER KEY>
      name: s3.accessKey
      property: s3accesskey