Most secrets in cf-for-k8s can be rotated by simply changing the values in your
cf-values.yml file and running a standard deploy using ytt and kapp. The rotation is complete when the kapp deploy succeeds.
The following fields currently cannot be rotated:
For example, rotating the cloud controller db encryption key is a breaking change. Rotating the key requires recreating your environment (including deleting database contents) in order to prevent decryption errors when fetching previously-saved data.
If you find you must rotate one of the above fields:
kapp delete -a cf
In cf-values.yaml, you will need to update the properties that need rotating.
kapp deploy -a cf ....
The following fields can be modified and are updated eventually, but the uptimer-type checks in the pipelines are currently configured to use either the old password or the new one, and will fail.
cf_admin_password - manual upgrade works, CI/upgrade fails
To rotate the application domain certificate or system domain certificate, you can do the following:
In cf-values.yaml, the system domain certificate is called system_certificate and the application domain certificate is called workloads_certificate. These two properties can be independently updated.
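As an added example (not code from the cf-for-k8s project), a POSIX shell script for the certificate rotation described above: it checks that the new private key belongs to the new certificate and that the certificate is valid for the expected hostname, then layers the new value over cf-values.yml as a ytt data-values overlay and runs the standard kapp deploy. The crt/key layout of the certificate properties, the working-directory config folder, the hostname and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not cf-for-k8s project code. Assumes: the certificate
# properties in cf-values.yml are maps with crt: and key: entries, the
# cf-for-k8s "config" directory is in the working directory, and ytt,
# kapp and openssl are on PATH.
set -eu

# Succeeds only if private key $2 belongs to certificate $1; a mismatched
# pair passes the deploy but breaks TLS on the rotated domain.
check_cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if certificate $1 is not expired and its SANs cover
# hostname $2 (for example api.<system domain> for system_certificate).
check_cert_covers_host() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
  case "$(openssl x509 -in "$1" -noout -checkhost "$2")" in
    *" does match certificate"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Writes a ytt data-values overlay to $4 that replaces property $1
# (system_certificate or workloads_certificate) with cert $2 and key $3.
# Layered after cf-values.yml, it leaves every other value untouched.
write_cert_overlay() {
  {
    echo '#@data/values'
    echo '---'
    echo "$1:"
    echo '  crt: |'
    sed 's/^/    /' "$2"
    echo '  key: |'
    sed 's/^/    /' "$3"
  } >"$4"
}

# Full rotation: verify the new pair, then run the standard deploy.
# Usage: rotate_cert system_certificate new.crt new.key api.sys.example.com
rotate_cert() {
  check_cert_key_match "$2" "$3"
  check_cert_covers_host "$2" "$4"
  overlay=$(mktemp)
  write_cert_overlay "$1" "$2" "$3" "$overlay"
  ytt -f config -f cf-values.yml -f "$overlay" >cf-for-k8s-rendered.yml
  kapp deploy -a cf -f cf-for-k8s-rendered.yml -y
}
```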
If you have multiple app domains, they all share the
You cannot rotate the app domains' certificates separately because there is only