Required for deployments with the migration installation scenario enabled. These secrets manage internal communication between the Migration Portal, the AI Copilot, and the underlying databases.
While edbctl can generate these automatically, production environments often require manual overrides for specific service accounts:
Database accounts: Internal service users and superuser credentials.
Copilot authentication: HTTP and Metrics authentication for secure component inter-communication.
While our standard installation guide already includes instructions on using edbctl to generate these custom secrets, this page provides a deeper dive, which includes the manual creation of secrets as an alternative and how to override existing secrets to update or rotate your credentials.
Creating Migration Portal secrets using edbctl
Note
Required for deployments with the migration installation scenario enabled. This scenario is included by default unless it is manually excluded via the scenarios configuration (spec.scenarios in the HybridControlPlane CR).
Create custom secrets required for the Migration Portal:
For manual installations, run this command and follow the interactive prompts:
edbctl hybrid-manager create-install-secrets --version <version> --scenario migration
If you are running the installation via a CI/CD pipeline, you must suppress interactive prompts. The method for achieving this depends on your
edbctlversion:Configure
edbctlfor non-interactive behavior:edbctl config set interactive_mode off edbctl config set confirm_mode off
Run the setup command:
edbctl hybrid-manager create-install-secrets --version <version> --scenario migration
This creates the namespaces, custom secrets, and generates secure random passwords for all five service accounts:
edb-migration-portal.db_secretsedb-migration-portal.db_superuser_secretsedb-migration-portal.copilot_secretsedb-migration-copilot.db_secretsedb-migration-copilot.metrics_auth_secrets
For more information, see Understanding Migration Portal secrets.
Overriding existing secrets manually
If you need specific usernames or passwords, you can create the secrets manually. For production environments, we recommend using appropriate secure processes that don’t expose the data to your terminal.
Creating secrets
Create a function that generates secure passwords for each of the service user accounts:
function generate_pw { dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr ‘+/’ ‘-_’ | tr -d ‘=’ }
Set environment variables for all the users and passwords required by your secrets:
HTTP_USERNAME=test_user_001 HTTP_PASSWORD=$(generate_pw) DB_SUPERUSER_USERNAME=postgres DB_SUPERUSER_PASSWORD=$(generate_pw) PORTAL_DB_USERNAME=test_user_002 PORTAL_DB_PASSWORD=$(generate_pw) COPILOT_DB_USERNAME=test_user_003 COPILOT_DB_PASSWORD=$(generate_pw) METRICS_USERNAME=test_user_004 METRICS_PASSWORD=$(generate_pw)
Create the namespaces where you will store the custom secrets:
kubectl create namespace edb-migration-copilot kubectl create namespace edb-migration-portal
Create the secret that determines the database user credentials:
kubectl create secret generic custom-db-secrets \ --namespace=edb-migration-portal \ --from-literal=username="${PORTAL_DB_USERNAME}" \ --from-literal=password="${PORTAL_DB_PASSWORD}" \ --type=kubernetes.io/basic-auth
Create the secret that determines the database superuser credentials:
kubectl create secret generic custom-db-superuser-secrets \ --namespace=edb-migration-portal \ --from-literal=username="${DB_SUPERUSER_USERNAME}" \ --from-literal=password="${DB_SUPERUSER_PASSWORD}" \ --type=kubernetes.io/basic-auth
Create the secret that authenticates HTTP communication between the copilot and Migration Portal:
kubectl create secret generic custom-edb-migration-copilot-auth \ --namespace=edb-migration-portal \ --from-literal=username=${HTTP_USERNAME} \ --from-literal=password=${HTTP_PASSWORD} \ --type=kubernetes.io/basic-auth
Create the secret that provides the copilot with access to the Migration Portal database:
kubectl create secret generic custom-ragchew-db-secrets \ --namespace=edb-migration-copilot \ --from-literal=username="${COPILOT_DB_USERNAME}" \ --from-literal=password="${COPILOT_DB_PASSWORD}" \ --type=kubernetes.io/basic-auth
Create the secret that enables monitoring of the copilot instance:
kubectl create secret generic custom-edb-migration-copilot-metrics-auth \ --namespace=edb-migration-copilot \ --from-literal=username=${METRICS_USERNAME} \ --from-literal=password=${METRICS_PASSWORD} \ --type=kubernetes.io/basic-auth
Apply the secrets to your installation
To override the default secrets, reference the new secret names in your configuration.
Edit your HybridControlPlane CR to reference the custom secrets under spec.componentsParameters:
apiVersion: edbpgai.edb.com/v1alpha1 kind: HybridControlPlane metadata: name: edbpgai spec: componentsParameters: edb-migration-copilot: db_secrets: custom-ragchew-db-secrets metrics_auth_secrets: custom-edb-migration-copilot-metrics-auth edb-migration-portal: copilot_secrets: custom-edb-migration-copilot-auth db_owner: ${PORTAL_DB_USERNAME} db_secrets: custom-db-secrets db_superuser_secrets: custom-db-superuser-secrets # ... your other componentsParameters
Apply the updated CR:
kubectl apply -f hybridmanager.yamlThe operator reconciles the change and configures the installation to use the secret overrides.
If you're overriding the secrets after installation, reapply the CR to make the modifications effective.
Back up the secrets
You can fetch the secrets like this:
kubectl get secret -n <namespace> <secret_name> -o yaml
This command prints the secret's contents in YAML format, which you can then copy and store safely and securely. Repeat this with each of the created secrets.
Understanding Migration Portal secrets
For each secret, Description explains why you need it. Configuration key shows where to reference it in the HybridControlPlane CR. Parameters shows how to set non-default values.
See Apply the secrets to your installation for an example of how to configure custom secrets and override the default ones.
Migration Portal database account
Description: Configures a database service account used by Hybrid Manager to store Migration Portal system data and schema assessment results into a dedicated database.
Configuration key: spec.componentsParameters.edb-migration-portal.db_secrets
apiVersion: v1 kind: Secret metadata: name: <db-secret-name> namespace: edb-migration-portal stringData: username: "<db username>" password: "<db password>" type: kubernetes.io/basic-auth
Parameters:
metadata.name: Name of the secret you will later reference in the configuration key.stringData.username: User that connects to the database. Also enter this user in thedb_ownerkey foredb-migration-portal(see Apply the secrets to your installation).stringData.password: Assign a generated password for this user.
Migration Portal database superuser account
Description: Configures a database superuser account used by Hybrid Manager to provision Migration Portal and the copilot databases.
Configuration key: spec.componentsParameters.edb-migration-portal.db_superuser_secrets
apiVersion: v1 kind: Secret metadata: name: <db-superuser-secret-name> namespace: edb-migration-portal stringData: username: "postgres" password: "<db superuser password>" type: kubernetes.io/basic-auth
Parameters:
metadata.name: Name of the secret you will later reference in the configuration key.stringData.username: Must always bepostgres.stringData.password: Assign a generated password for this user.
Migration Copilot HTTP access from Migration Portal
Description: Defines the credentials used to authenticate HTTP communication between the copilot and Migration Portal.
Configuration key: spec.componentsParameters.edb-migration-portal.copilot_secrets
apiVersion: v1 kind: Secret metadata: name: <copilot-auth-secret> namespace: edb-migration-portal stringData: username: "<http username>" password: "<http password>" type: kubernetes.io/basic-auth
Parameters:
metadata.name: Name of the secret used to authenticate HTTP requests that you will later reference in the configuration key.stringData.username: Choose a username for Migration Portal to use when authenticating with the copilot.stringData.password: Assign a generated password for this user.
Migration Copilot and Migration Portal database account
Description: Allows the copilot to communicate with the Migration Portal database. On initialization, the edb-migration-copilot component ensures this user is created and that correct ownership and permissions are set in the copilot database.
Configuration key: spec.componentsParameters.edb-migration-copilot.db_secrets
apiVersion: v1 kind: Secret metadata: name: <copilot_mp_secret_name> namespace: edb-migration-copilot stringData: username: "<db username>" password: "<db password>" type: kubernetes.io/basic-auth
Parameters:
metadata.name: Name of the secret used to provide the copilot with access to the Migration Portal database.stringData.username: Choose a username for the copilot to use when accessing the Migration Portal database.stringData.password: Assign a generated password for this user.
Monitoring and Migration Copilot
Description: Allows Hybrid Manager to monitor the state of the copilot deployment via Grafana.
Configuration key: spec.componentsParameters.edb-migration-copilot.metrics_auth_secrets
apiVersion: v1 kind: Secret metadata: name: <copilot-metrics-secret-name> namespace: edb-migration-copilot stringData: username: <metrics-http-username> password: <metrics http password> type: kubernetes.io/basic-auth
Parameters:
metadata.name: Name of the secret used to allow monitoring of the copilot.stringData.username: Set this to a username different from the one configured for Migration Copilot HTTP access from Migration Portal.stringData.password: Assign a generated password for this user.