---
Title: Manage Redis Enterprise cluster (REC) credentials
alwaysopen: false
categories:
linkTitle: Manage REC credentials
weight: 93
---
Redis Enterprise for Kubernetes uses a custom resource called [RedisEnterpriseCluster]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) to create a Redis Enterprise cluster (REC). During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) secret. The secret name defaults to the name of the cluster.
This procedure is only supported for operator versions 6.0.20-12 and above.
The credentials can be used to access the Redis Enterprise admin console or the API. Connectivity must be configured to the REC pods using an appropriate service (or port forwarding).
- Inspect the random username and password created by the operator during creation with the `kubectl get secret` command.

  ```sh
  kubectl get secret rec -o jsonpath='{.data}'
  ```

  The command outputs the encoded password and username, similar to the example below.

  ```sh
  map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]
  ```

- Decode the password and username with the `echo` command and the password from the previous step.

  ```sh
  echo MTIzNDU2NzgK | base64 --decode
  ```

  This outputs the password and username in plain text. In this example, the plain text password is `12345678` and the username is `demo@example.com`.
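As an added example (not part of the original Redis documentation), the following shell functions decode any field from the `map[...]` output shown above and report whether the stored value ends in a newline, as the sample values do. The function names are hypothetical, and `SAMPLE` is the example output from this page, not a live credential.

```sh
#!/bin/sh
# Added example: decode fields of the `.data` map printed by
#   kubectl get secret rec -o jsonpath='{.data}'
# Assumes the map[key:value ...] output format shown on this page.
# SAMPLE is the page's example output, not a real secret.
SAMPLE='map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]'

# decode_field MAP KEY: print the base64-decoded value stored under KEY.
decode_field() {
    map=${1#map\[}      # strip the leading "map["
    map=${map%\]}       # strip the trailing "]"
    for pair in $map; do
        key=${pair%%:*}
        val=${pair#*:}
        if [ "$key" = "$2" ]; then
            printf '%s' "$val" | base64 --decode
            return 0
        fi
    done
    echo "decode_field: no key '$2' in secret data" >&2
    return 1
}

# ends_with_newline MAP KEY: succeed if the decoded value's last byte is 0x0a.
# A newline stored in the secret is part of the value, which matters when
# the decoded password is pasted into a login form or an API call.
ends_with_newline() {
    last=$(decode_field "$1" "$2" 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

for k in username password; do
    # Command substitution drops the trailing newline for display.
    printf '%s=%s\n' "$k" "$(decode_field "$SAMPLE" "$k")"
    if ends_with_newline "$SAMPLE" "$k"; then
        echo "note: stored $k ends with a newline" >&2
    fi
done
```
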
- Access a pod running a Redis Enterprise cluster.

  ```sh
  kubectl exec -it <rec-resource-name>-0 -- bash
  ```

- Add a new password for the existing user.

  ```sh
  # Read the current credentials mounted in the pod, then add the new password.
  # The assignments end with ';' so the variables are set before curl's
  # arguments are expanded.
  REC_USER="`cat /opt/redislabs/credentials/username`"; \
  REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
  curl -k --request POST \
    --url https://localhost:9443/v1/users/password \
    -u "$REC_USER:$REC_PASSWORD" \
    --header 'Content-Type: application/json' \
    --data "{\"username\":\"$REC_USER\", \
    \"old_password\":\"$REC_PASSWORD\", \
    \"new_password\":\"<NEW PASSWORD>\"}"
  ```

- From outside the pod, update the REC credential secret.

  ```sh
  kubectl create secret generic <cluster_secret_name> \
    --save-config \
    --dry-run=client \
    --from-literal=username=<current-username> \
    --from-literal=password=<new-password> \
    -o yaml | \
  kubectl apply -f -
  ```

- Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.

- Access a pod running a Redis Enterprise cluster again.

  ```sh
  kubectl exec -it <rec-resource-name>-0 -- bash
  ```

- Remove the previous password to ensure only the new one applies.

  ```sh
  # Authenticate with the credentials now mounted in the pod and delete the old password.
  REC_USER="`cat /opt/redislabs/credentials/username`"; \
  REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
  curl -k --request DELETE \
    --url https://localhost:9443/v1/users/password \
    -u "$REC_USER:$REC_PASSWORD" \
    --header 'Content-Type: application/json' \
    --data "{\"username\":\"$REC_USER\", \
    \"old_password\":\"<OLD PASSWORD>\"}"
  ```
The username for the K8s secret is the email displayed on the Redis Enterprise admin console.
- [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}})

- [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.

- Specify the new username in the `username` field of your REC custom resource spec.

- Update the REC credential secret:

  ```sh
  kubectl create secret generic <cluster_secret_name> \
    --save-config \
    --dry-run=client \
    --from-literal=username=<new-username> \
    --from-literal=password=<new-password> \
    -o yaml | \
  kubectl apply -f -
  ```

- Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.

- Delete the previous admin user from the cluster.
The operator may log errors in the time between updating the username in the REC spec and the secret update.
If you store your secrets with HashiCorp Vault, update the secret for the REC credentials with the following key-value pairs:

`username:<desired_username>, password:<desired_password>`

For more information about Vault integration with the Redis Enterprise cluster, see Integrating Redis Enterprise for Kubernetes with Hashicorp Vault.