add docs for google secret rotation#1996
Open
vivki wants to merge 2 commits into
Open
Conversation
github-actions
Bot
added
the
documentation
JTorreG
reviewed
May 26, 2026
JTorreG
reviewed
May 26, 2026
JTorreG
reviewed
May 26, 2026
JTorreG
reviewed
May 26, 2026
JTorreG
reviewed
May 26, 2026
JTorreG
approved these changes
May 26, 2026
Contributor
JTorreG
left a comment
JTorreG
left a comment
There was a problem hiding this comment.
approved with suggestions
mjang
reviewed
May 26, 2026
tstraley
reviewed
May 26, 2026
vivki
force-pushed
the
gcp-docs
branch
3 times, most recently
from
94a4946 to
1e22dce
Compare
valyria257
requested changes
May 27, 2026
tstraley
reviewed
May 27, 2026
|
|
||
| 1. In the NGINXaaS console, go to your deployment. | ||
| 2. Open the **Configuration Info** panel. | ||
| 3. Select **Reapply Configuration**. |
Contributor
There was a problem hiding this comment.
I'm thinking this is missing a step:
The user either needs to update their config to reference the new Version ID, or they need to update their alias to point at the new secret version, or we are assuming they are using latest here but that isn't clear.
Maybe we should be better about calling out all of these approaches here as options? I guess changing their config to a new Version ID doesn't also require "Reapply Configuration" but it definitely seems like a "manual" secret manager cert rotation method.
Contributor
Author
There was a problem hiding this comment.
I think touching on the various scenarios is a good idea, which is why I left the above portion in:
"This [manual rotation] is useful in the following scenarios:
- New secret version: You've uploaded a new certificate and want NGINXaaS to use it right away.
- WIF or permissions fix: You've updated a WIF provider or granted Secret Manager permissions and want NGINXaaS to retry immediately."
I don't want to complicate the sequence with more steps, as the user may choose to Reapply Config/manually rotate intentionally having made no updates.
vivki
force-pushed
the
gcp-docs
branch
4 times, most recently
from
83fa697 to
07cd4ee
Compare
valyria257
reviewed
May 27, 2026
|
|
||
| **Automatic rotation** — Let NGINXaaS pick up new certificate versions automatically with no configuration changes needed. See [Rotate a Secret Manager certificate (automatic)]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md#rotate-a-secret-manager-certificate-automatic" >}}). | ||
|
|
||
| **Manual rotation** — When you need an immediate update, use **Reapply Configuration** in the console to refetch secrets right away. See [Rotate a Secret Manager certificate (manual)]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md#rotate-a-secret-manager-certificate-manual" >}}). |
Contributor
There was a problem hiding this comment.
nit (clarification on what's being updated):
Suggested change
| **Manual rotation** — When you need an immediate update, use **Reapply Configuration** in the console to refetch secrets right away. See [Rotate a Secret Manager certificate (manual)]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md#rotate-a-secret-manager-certificate-manual" >}}). | |
| **Manual rotation** — When you need to update certificates immediately, use **Reapply Configuration** in the console to refetch secrets right away. See [Rotate a Secret Manager certificate (manual)]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-secret-manager.md#rotate-a-secret-manager-certificate-manual" >}}). |
| | Field | Description | Note | | ||
| |---------------------------- | ---------------------------- | ---- | | ||
| | Google Secret ID | The resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION` where `$VERSION` can be a specific version or an alias such as `latest`. | | ||
| | Google Secret ID | The resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION`, where `$VERSION` can be a specific version ID (for example, `3`) or the special version ID `latest`. | |
Contributor
There was a problem hiding this comment.
Suggested change
| | Google Secret ID | The resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION`, where `$VERSION` can be a specific version ID (for example, `3`) or the special version ID `latest`. | | |
| | Google Secret ID | The resource name of the secret in Secret Manager | The resource name must match the format `projects/$PROJECT_ID/secrets/$SECRET_ID/versions/$VERSION`, where `$VERSION` can be a specific version ID (for example, `3`), a custom alias, or the special version ID `latest`. | |
|
|
||
| ## Rotate a Secret Manager certificate (automatic) | ||
|
|
||
| If your configuration uses `latest` as the version ID, NGINXaaS fetches the latest secret version on the next scheduled sync. When you add a new secret version in Secret Manager, the next sync picks it up and reloads NGINX. |
Contributor
There was a problem hiding this comment.
"Next scheduled sync" feels a bit like an internal detail. I think we should also clarify where the version ID is coming from. What about this instead:
Suggested change
| If your configuration uses `latest` as the version ID, NGINXaaS fetches the latest secret version on the next scheduled sync. When you add a new secret version in Secret Manager, the next sync picks it up and reloads NGINX. | |
| If you set the version ID of your secret to `latest`, NGINXaaS fetches the latest secret version. When you [add a new secret version in Secret Manager](https://docs.cloud.google.com/secret-manager/docs/add-secret-version#add-a-secret-version), NGINXaaS automatically picks up that version within 4 hours. |
|
|
||
| If your configuration uses `latest` as the version ID, NGINXaaS fetches the latest secret version on the next scheduled sync. When you add a new secret version in Secret Manager, the next sync picks it up and reloads NGINX. | ||
|
|
||
| If your configuration uses a custom alias as the version ID, NGINXaaS fetches whichever version the alias points to on the next scheduled sync. When you update the alias to point to a different version in Secret Manager, the next sync applies that version. |
Contributor
There was a problem hiding this comment.
similar comment:
Suggested change
| If your configuration uses a custom alias as the version ID, NGINXaaS fetches whichever version the alias points to on the next scheduled sync. When you update the alias to point to a different version in Secret Manager, the next sync applies that version. | |
| If you set the version ID of your secret to a custom alias, NGINXaaS fetches the secret version the alias points to. When you [update the alias to point to a different version in Secret Manager](https://docs.cloud.google.com/secret-manager/docs/assign-alias-to-secret-version), NGINXaaS automatically picks up that version within 4 hours. |
|
|
||
| ## Monitor secret fetch events | ||
|
|
||
| NGINXaaS generates an event each time it fetches or fails to fetch a certificate or key from Secret Manager. Use these events to track successful rotations and diagnose access failures. |
Contributor
There was a problem hiding this comment.
Suggested change
| NGINXaaS generates an event each time it fetches or fails to fetch a certificate or key from Secret Manager. Use these events to track successful rotations and diagnose access failures. | |
| NGINXaaS generates an event each time it fetches or fails to fetch a secret from Secret Manager. Use these events to track successful rotations and diagnose access failures. |
Comment on lines
+76
to
+82
| No configuration changes are required in either case. | ||
|
|
||
| To ensure certificates are automatically rotated: | ||
|
|
||
| 1. Generate your new certificate and key. | ||
| 2. Follow Google's instructions to [add a new secret version in Secret Manager](https://docs.cloud.google.com/secret-manager/docs/add-secret-version#add-a-secret-version). | ||
| 3. When rotation is complete, confirm by checking the **Certificates** list for the new serial number, or by inspecting the certificate at your deployment's endpoint. |
Contributor
There was a problem hiding this comment.
These steps only apply to the latest case (adding a new secret version instead of referencing a different one). Since we can include the Google instructions in line above, can we remove most of this?
Suggested change
| No configuration changes are required in either case. | |
| To ensure certificates are automatically rotated: | |
| 1. Generate your new certificate and key. | |
| 2. Follow Google's instructions to [add a new secret version in Secret Manager](https://docs.cloud.google.com/secret-manager/docs/add-secret-version#add-a-secret-version). | |
| 3. When rotation is complete, confirm by checking the **Certificates** list for the new serial number, or by inspecting the certificate at your deployment's endpoint. | |
| No configuration changes are required in either case. To confirm your deployment is using an updated certificate, check the **Certificates** list for the new serial number or inspect the certificate at your deployment's endpoint. |
Comment on lines
+84
to
+86
| ### Rotation timeline | ||
|
|
||
| New secret versions are picked up and applied to your deployment within four hours. |
Contributor
There was a problem hiding this comment.
If we say "within 4 hours" above, do we still need this?
Suggested change
| ### Rotation timeline | |
| New secret versions are picked up and applied to your deployment within four hours. |
Contributor
Author
There was a problem hiding this comment.
Hm I think you're right, I'll drop the "Rotation Timeline" heading since it's one line away.
Co-authored-by: Jon Torre <78599298+JTorreG@users.noreply.github.com> Co-authored-by: Mike Jang <mi.jang@f5.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes
Checklist
Before sharing this pull request, I completed the following checklist:
Footnotes
Potentially sensitive information includes personally identify information (PII), authentication credentials, and live URLs. Refer to the style guide for guidance about placeholder content. ↩