Question

US
Last activity: 16 May 2025 14:02 EDT
Plaintext credentials in Kubernetes Pega context.xml parameter
Hello. I am a developer on a team that manages a Pega application with AWS-based, client-managed resources. My team has recently upgraded to Pega Infinity 24.1 and deployed it to AWS using EKS and Kubernetes. We followed the documentation for deployment here: https://github.com/pegasystems/pega-helm-charts/blob/master/docs/Deploying-Pega-on-EKS.md#add-supported-custom-settings-for-pega-to-your-deployment
I am trying to remove the database credentials from our GitHub repo, and have installed and implemented the Kubernetes External Secrets per the deployment Readme. https://github.com/pegasystems/pega-helm-charts/blob/master/docs/Deploying-Pega-on-EKS.md#optional-add-support-for-providing-db-credentials-using-external-secrets-operator
However, our implementation makes use of the "context.xml" feature as described in the link below. The resource who made the stack initially has left the company, and we are just getting up to speed. https://github.com/pegasystems/pega-helm-charts/blob/master/docs/Deploying-Pega-on-EKS.md#add-supported-custom-settings-for-pega-to-your-deployment
The XML files are based on the context.xml template here: https://github.com/pegasystems/pega-helm-charts/blob/978cb4c9c688cc997226774810778d4f3b6466e5/charts/pega/config/deploy/context.xml.tmpl#L4
The context.xml therefore contains plaintext credentials for our pega database in the helm chart value yamls. I cannot find documentation on removing the plaintext password from the context.xml files, so that the database credentials can be removed from GitHub.
The context.xml template shows this code, which was replaced with the secrets.
username="{{ .Env.SECRET_DB_USERNAME }}" password="{{ .Env.SECRET_DB_PASSWORD }}"
Please advise me on the best method of removing the secrets from the context.xml file.
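
An added example, not part of the original post and not Pega's code: a pre-commit or CI check that flags `username`/`password` attributes in context.xml text whose value is a literal rather than a `{{ .Env.… }}` placeholder of the form quoted above. The two sample documents, the resource name and the JDBC URL are constructed for illustration.

```python
import re
import sys

# A value made up solely of one environment placeholder, the form quoted
# from the chart's context.xml.tmpl: {{ .Env.SECRET_DB_PASSWORD }}
PLACEHOLDER = re.compile(r"^\{\{\s*\.Env\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Regex rather than an XML parser, so the check also works on template text
# that is not well-formed XML.
ATTR = re.compile(r'\b(username|password)\s*=\s*(["\'])(.*?)\2', re.S)

def find_literal_credentials(text):
    """Return (line_number, attribute) for every credential attribute whose
    value is not an environment placeholder. Values are never returned, so
    the report itself cannot leak a secret into CI logs."""
    findings = []
    for m in ATTR.finditer(text):
        if not PLACEHOLDER.match(m.group(3).strip()):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(1)))
    return findings

# Constructed sample: credentials written directly into the file.
SAMPLE_LITERAL = '''<Context>
  <Resource name="jdbc/ExampleDB"
            type="javax.sql.DataSource"
            username="pega_user"
            password="constructed-example-only"
            url="jdbc:postgresql://db.example.internal:5432/pega"/>
</Context>
'''

# Constructed sample: same resource, values supplied from the environment.
SAMPLE_TEMPLATED = '''<Context>
  <Resource name="jdbc/ExampleDB"
            type="javax.sql.DataSource"
            username="{{ .Env.SECRET_DB_USERNAME }}"
            password="{{ .Env.SECRET_DB_PASSWORD }}"
            url="jdbc:postgresql://db.example.internal:5432/pega"/>
</Context>
'''

if __name__ == "__main__":
    # Usage: python check_context_xml.py <file> [<file> ...]
    failed = False
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for line, attr in find_literal_credentials(fh.read()):
                print(f"{path}:{line}: literal value in '{attr}' attribute")
                failed = True
    sys.exit(1 if failed else 0)
```

The script exits non-zero when any literal credential attribute is found, so it can gate a commit or pipeline stage.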