K8s: docs issue 1105 #1108

Merged
merged 3 commits into from
Feb 3, 2025
148 changes: 76 additions & 72 deletions content/operate/kubernetes/security/manage-rec-credentials.md
Expand Up @@ -44,107 +44,111 @@ The credentials can be used to access the Redis Enterprise admin console or the

1. Access a [pod](https://kubernetes.io/docs/concepts/workloads/pods/) running a Redis Enterprise cluster.

```bash
kubectl exec -it <rec-resource-name>-0 bash
```
```sh
kubectl exec -it <rec-resource-name>-0 bash
```

1. Add a new password for the existing user.
2. Add a new password for the existing user.

```bash
REC_USER="`cat /opt/redislabs/credentials/username`" \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
curl -k --request POST \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"$REC_PASSWORD\", \
\"new_password\":\"<NEW PASSWORD>\"}"
```

```bash
REC_USER="`cat /opt/redislabs/credentials/username`" \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
curl -k --request POST \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"$REC_PASSWORD\", \
\"new_password\":\"<NEW PASSWORD>\"}"
```
3. From outside the pod, update the REC credential secret.

1. From outside the pod, update the REC credential secret.
3a. Save the existing username to a text file.

1. Save the existing username to a text file .
```bash
echo -n "<current_username>" > username
```
```sh
echo -n "<current_username>" > username
```

1. Save the new password to a text file.
```bash
echo -n "<new_password>" > password
```
3b. Save the new password to a text file.

1. Update the REC credential secret.
```bash
kubectl create secret generic <cluster_secret_name> \
--from-file=./username \
--from-file=./password --dry-run \
-o yaml
kubectl apply -f
```
```sh
echo -n "<new_password>" > password
```

1. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
3c. Update the REC credential secret.

1. Access a pod running a Redis Enterprise cluster again.
```sh
kubectl create secret generic <cluster_secret_name> \
--from-file=./username \
--from-file=./password --dry-run \
-o yaml | \
kubectl apply -f
```

```bash
kubectl exec -it <rec-resource-name>-0 bash
```
4. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.

1. Remove the previous password to ensure only the new one applies.
5. Access a pod running a Redis Enterprise cluster again.

```sh
REC_USER="`cat /opt/redislabs/credentials/username`"; \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
curl -k --request DELETE \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"<OLD PASSWORD\"}"
```
```sh
kubectl exec -it <rec-resource-name>-0 bash
```

6. Remove the previous password to ensure only the new one applies.

{{<note>}} The username for the K8s secret is the email displayed on the Redis Enterprise admin console. {{</note>}}
```sh
REC_USER="`cat /opt/redislabs/credentials/username`"; \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
curl -k --request DELETE \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"<OLD PASSWORD\"}"
```

{{<note>}} The username for the K8s secret is the email displayed on the Redis Enterprise admin console. {{</note>}}

### Change both the REC username and password

1. [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}})

1. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.
2. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.

1. Specify the new username in the `username` field of your REC custom resource spec.
3. Specify the new username in the `username` field of your REC custom resource spec.

1. Update the REC credential secret:
4. Update the REC credential secret:

1. Save the existing username to a text file.
4a. Save the new username to a text file.

```bash
echo -n "<current_username>" > username
```
```sh
echo -n "<new_username>" > username
```

1. Save the new password to a text file.
4b. Save the new password to a text file.

```bash
echo -n "<new_password>" > password
```
```sh
echo -n "<new_password>" > password
```

1. Update the REC credential secret.
4c. Update the REC credential secret.

```bash
kubectl create secret generic <cluster_secret_name> \
--from-file=./username \
--from-file=./password --dry-run \
-o yaml
kubectl apply -f
```
```sh
kubectl create secret generic <cluster_secret_name> \
--save-config \
--dry-run=client \
--from-file=./username --from-file=./password \
-o yaml | \
kubectl apply -f
```

1. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
5. Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.

1. Delete the previous admin user from the cluster.
6. Delete the previous admin user from the cluster.

{{<note>}}
{{<note>}}
The operator may log errors in the time between updating the username in the REC spec and the secret update.
{{</note>}}
{{</note>}}

### Update the credentials secret in Vault
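
Review bot: `kubectl apply -f` at the end of steps 3c and 4c has no file argument, so the manifest piped from `kubectl create secret ... -o yaml |` is never read; it should be `kubectl apply -f -` to take the YAML from stdin. Step 3c also still uses the bare `--dry-run` form (deprecated in kubectl) and omits `--save-config`, while step 4c was updated to `--save-config --dry-run=client`; the two commands should match. In step 2 the `REC_USER=... \` and `REC_PASSWORD=... \` assignments are prefixes of the `curl` command itself, so `$REC_USER` and `$REC_PASSWORD` in its arguments are expanded before the assignments take effect; step 6 already ends each assignment with `;` and step 2 should do the same. The placeholder `<OLD PASSWORD` in step 6 is missing its closing `>`. Steps 3a/3b and 4a/4b write the credentials to local `username` and `password` files and nothing removes them afterwards, so a final sub-step that deletes both files once the secret is applied would be worth adding.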
