Replace a leaked integration secret key

If you need to replace the integration secret key for Kubernetes for any reason, qTest can automatically transition from the old secret key to a new one. To make this transition, you must provide both the old key and the new key.

To replace a leaked integration secret key, follow these steps:

  1. Use the following command to dump the secret to the console as JSON:

    kubectl get secret qtest-aes-secret-keys -o json
  2. The console provides a key that looks something like this example: "AESsecretKeys": "TWZiMUEzUXBKVjQ5eG0wbTh5Mi9qQ2VVTUFtUFhNaUVSZlBVUEFtMlNRaz0=". Decode this from base64 with the following command:

    echo -n <paste your key here> | base64 -d
  3. Generate a new key with this command:

    head -c 32 /dev/urandom | base64
  4. Once you have both the old key decoded and the new key generated, encode both keys to the base64 Kubernetes secret. The keys should be separated by a comma, with the old key first and the new key second. This command should look like the following example:

    echo -n <old key>,<new key> | base64
  5. The console outputs a new value. Note that the console may add an extra line. If that happens, remove the extra line that the console added. When you're finished, you'll have a value that looks like this example:

    TWZiMUEzUXBKVjQ5eG0wbTh5Mi9qQ2VVTUFtUFhNaUVSZlBVUEFtMlNRaz0sbDZKcFV5RXJ2bENuZno4VGM0NllWb1hNQVo5MHJmWmplK0Fyc08zbTR4QT0=
  6. Enter the following command to edit the secret YAML file in Vim:

    kubectl edit secret qtest-aes-secret-keys
  7. Paste the value you got from the console to the AES_SECRET_KEYS property, then save and close the YAML file.

  8. When you're finished, restart all pods. Then, you can check the secret. That command and the output it returns should look like this:

    env | grep AES
    # output:
    <old key>,<new key>
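
Steps 2 through 5 can be scripted and checked before anything is pasted into the secret. The following is an added example, not part of the original procedure or of qTest: the function names are hypothetical, the sample input is the documentation value from step 2, and the 32-byte length check assumes the new key is generated as in step 3.

```shell
#!/bin/sh
# Added example: steps 2-5 as functions, exercised on the sample value from step 2.
# Function names are hypothetical; nothing here talks to a cluster.

# Sample value copied from step 2 of the page (documentation value, not a live key).
SAMPLE_CURRENT='TWZiMUEzUXBKVjQ5eG0wbTh5Mi9qQ2VVTUFtUFhNaUVSZlBVUEFtMlNRaz0='

# Step 2: decode the value stored in the secret. printf avoids echo's -n portability issues.
decode_secret_value() {
    printf '%s' "$1" | base64 -d
}

# Step 3: new random 32-byte key, base64-encoded.
generate_key() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Steps 4-5: join "<old key>,<new key>" and encode it. GNU base64 wraps output
# at 76 columns, which is the extra line step 5 mentions; tr strips it.
encode_key_pair() {
    printf '%s,%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pre-paste check: exactly one comma, the expected old key first, and a new key
# that decodes to 32 bytes (assumption: same length as step 3 generates).
verify_rotated_value() {    # $1 = encoded value, $2 = expected old key
    decoded=$(printf '%s' "$1" | base64 -d) || return 1
    case "$decoded" in
        *,*,*)   return 1 ;;   # more than two entries
        "$2",?*) ;;            # old key first, something after the comma
        *)       return 1 ;;
    esac
    new_len=$(printf '%s' "${decoded#*,}" | base64 -d | wc -c | tr -d ' ')
    [ "$new_len" -eq 32 ]
}

old_key=$(decode_secret_value "$SAMPLE_CURRENT")
new_key=$(generate_key)
rotated=$(encode_key_pair "$old_key" "$new_key")
if verify_rotated_value "$rotated" "$old_key"; then
    printf 'value for AES_SECRET_KEYS:\n%s\n' "$rotated"
else
    echo 'rotated value failed verification; do not paste it' >&2
fi
```

Because the decoded keys and the rotated value are secrets, run this in a shell whose output is not logged or captured.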