diff --git a/content/operate/kubernetes/security/manage-rec-credentials.md b/content/operate/kubernetes/security/manage-rec-credentials.md index 09a3f9f47..6b4d000d7 100644 --- a/content/operate/kubernetes/security/manage-rec-credentials.md +++ b/content/operate/kubernetes/security/manage-rec-credentials.md 
@@ -44,107 +44,111 @@ The credentials can be used to access the Redis Enterprise admin console or the 1. Access a [pod](https://kubernetes.io/docs/concepts/workloads/pods/) running a Redis Enterprise cluster. - ```bash - kubectl exec -it -0 bash - ``` +```sh +kubectl exec -it -0 bash +``` -1. Add a new password for the existing user. +2. Add a new password for the existing user. + +```bash +REC_USER="`cat /opt/redislabs/credentials/username`" \ +REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \ +curl -k --request POST \ + --url https://localhost:9443/v1/users/password \ + -u "$REC_USER:$REC_PASSWORD" \ + --header 'Content-Type: application/json' \ + --data "{\"username\":\"$REC_USER\", \ + \"old_password\":\"$REC_PASSWORD\", \ + \"new_password\":\"\"}" +``` - ```bash - REC_USER="`cat /opt/redislabs/credentials/username`" \ - REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \ - curl -k --request POST \ - --url https://localhost:9443/v1/users/password \ - -u "$REC_USER:$REC_PASSWORD" \ - --header 'Content-Type: application/json' \ - --data "{\"username\":\"$REC_USER\", \ - \"old_password\":\"$REC_PASSWORD\", \ - \"new_password\":\"\"}" - ``` +3. From outside the pod, update the REC credential secret. -1. From outside the pod, update the REC credential secret. +3a. Save the existing username to a text file. - 1. Save the existing username to a text file . - ```bash - echo -n "" > username - ``` +```sh +echo -n "" > username +``` - 1. Save the new password to a text file. - ```bash - echo -n "" > password - ``` +3b. Save the new password to a text file. - 1. Update the REC credential secret. - ```bash - kubectl create secret generic \ - --from-file=./username \ - --from-file=./password --dry-run \ - -o yaml - kubectl apply -f - ``` +```sh +echo -n "" > password +``` -1. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked. +3c. 
Update the REC credential secret. -1. Access a pod running a Redis Enterprise cluster again. +```sh +kubectl create secret generic \ + --from-file=./username \ + --from-file=./password --dry-run \ + -o yaml | \ +kubectl apply -f +``` - ```bash - kubectl exec -it -0 bash - ``` +4. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked. - 1. Remove the previous password to ensure only the new one applies. +5. Access a pod running a Redis Enterprise cluster again. - ```sh - REC_USER="`cat /opt/redislabs/credentials/username`"; \ - REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \ - curl -k --request DELETE \ - --url https://localhost:9443/v1/users/password \ - -u "$REC_USER:$REC_PASSWORD" \ - --header 'Content-Type: application/json' \ - --data "{\"username\":\"$REC_USER\", \ - \"old_password\":\"-0 bash +``` + +6. Remove the previous password to ensure only the new one applies. - {{}} The username for the K8s secret is the email displayed on the Redis Enterprise admin console. {{}} +```sh +REC_USER="`cat /opt/redislabs/credentials/username`"; \ +REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \ +curl -k --request DELETE \ + --url https://localhost:9443/v1/users/password \ + -u "$REC_USER:$REC_PASSWORD" \ + --header 'Content-Type: application/json' \ + --data "{\"username\":\"$REC_USER\", \ + \"old_password\":\"}} The username for the K8s secret is the email displayed on the Redis Enterprise admin console. {{}} ### Change both the REC username and password 1. [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}}) -1. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password. +2. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password. -1. 
Specify the new username in the `username` field of your REC custom resource spec. +3. Specify the new username in the `username` field of your REC custom resource spec. -1. Update the REC credential secret: +4. Update the REC credential secret: - 1. Save the existing username to a text file. +4a. Save the new username to a text file. - ```bash - echo -n "" > username - ``` +```sh +echo -n "" > username +``` - 1. Save the new password to a text file. +4b. Save the new password to a text file. - ```bash - echo -n "" > password - ``` +```sh +echo -n "" > password +``` - 1. Update the REC credential secret. +4c. Update the REC credential secret. - ```bash - kubectl create secret generic \ - --from-file=./username \ - --from-file=./password --dry-run \ - -o yaml - kubectl apply -f - ``` +```sh +kubectl create secret generic \ + --save-config \ + --dry-run=client \ + --from-file=./username --from-file=./password \ + -o yaml | \ +kubectl apply -f +``` -1. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked. +5. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked. -1. Delete the previous admin user from the cluster. +6. Delete the previous admin user from the cluster. - {{}} +{{}} The operator may log errors in the time between updating the username in the REC spec and the secret update. - {{}} +{{}} ### Update the credentials secret in Vault
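Review bot: In the added step 2 block, the `REC_USER=...` and `REC_PASSWORD=...` assignments are joined to `curl` with `\` line continuations, so they act as environment prefixes of that single command, and the shell expands `$REC_USER` and `$REC_PASSWORD` in the `-u` and `--data` arguments before those assignments take effect. Unless the variables already exist in the pod shell, the POST is sent with empty credentials. Step 6 in the same hunk terminates each assignment with `; \`, which works as intended; step 2 should use the same form. Separately, step 3c of the first procedure still runs `kubectl create secret generic` with bare `--dry-run` and without `--save-config`, while step 4c of the second procedure was updated to `--dry-run=client` with `--save-config`; the two commands should match. The fence tags are also mixed now: step 2 keeps `bash` while the other blocks in the hunk moved to `sh`.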