Add Docs notes for custom secret keys (#969)

ansible · Jun 28, 2022 · c45a7bd · c45a7bd
1 parent 34b6354
commit c45a7bd
Showing 1 changed file with 37 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -198,6 +198,8 @@ spec:
   nodeport_port: <nodeport_port>
 ```
 
+> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed.  If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
+
 Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
 
 ```yaml
@@ -312,6 +314,41 @@ stringData:
 ```
 
 
+### Secret Key Configuration
+
+This key is used to encrypt sensitive data in the database.
+
+| Name              | Description                                           | Default          |
+| ----------------- | ----------------------------------------------------- | ---------------- |
+| secret_key_secret | Secret that contains the symmetric key for encryption | Generated     |
+
+
+> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
+
+If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.
+
+The secret should be formatted as follow:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-awx-secret-key
+  namespace: <target namespace>
+stringData:
+  secret_key: supersecuresecretkey
+```
+
+Then specify the secret name on the AWX spec:
+
+```yaml
+---
+spec:
+  ...
+  secret_key_secret: custom-awx-secret-key
+```
+
 ### Network and TLS Configuration
 
 #### Service Type
@@ -1165,4 +1202,3 @@ We welcome your feedback and ideas. The AWX operator uses the same mailing list
 
 - Join the `#ansible-awx` channel on irc.libera.chat
 - Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)
-