Managing Kubernetes Secret passwords with the IBM Cloud Private CLI
You can enforce password requirements, change passwords, and restart the required pods and containers by using the IBM Cloud Private CLI for a set of Secrets.
Prerequisites
-
Required user type or access level: Cluster administrator
-
Install and setup the Kubernetes command-line tool, kubectl. See Accessing your cluster from the Kubernetes CLI (kubectl).
-
Install the IBM Cloud Private CLI. See Installing the IBM Cloud Private CLI to get started.
-
Log in to IBM Cloud Private to generate tokens. The command prompts you for a password, account and namespace.
cloudctl login -a https://<cluster-domain-name>:8443 -u <username> --skip-ssl-validation
Managing passwords
You can change several IBM Cloud Private passwords that are stored in Kubernetes Secrets. The IBM Cloud Private CLI has a command to change the password and restart services that use the password.
-
Choose from the following list of secrets which password you want to change:
- platform-auth-idp-credentials: The cluster administrator access credentials
- icp-mongodb-admin: The internal password for services that are using Mongo
- platform-mariadb-credentials: The internal password for services that are using MariaDB
- platform-oidc-credentials: The internal password for authentication services
-
Run the command for the Secret that you want to change. You will receive a prompt for a password value and a prompt to confirm the change.
Note: Do not use the special character
@when you update the MongoDB password inicp-mongodb-admin.- platform-auth-idp-credentials
cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password - icp-mongodb-admin
cloudctl pm update-secret kube-system icp-mongodb-admin -d password - platform-mariadb-credentials
cloudctl pm update-secret kube-system platform-mariadb-credentials -d OAUTH2DB_PASSWORD - platform-oidc-credentials
cloudctl pm update-secret kube-system platform-oidc-credentials -d WLP_CLIENT_SECRET
- platform-auth-idp-credentials
Optional: Managing password rules
Password rules are optional, regular expressions (regex) that are used to set and validate managed password values within a namespace. The update-secret command checks password rules before changing the values in the secret. It validates
if rules exist on the namespace that the secret is in, and that the secret data element name change contains pass or pwd in any case combination.
Note: You can use the following regex expressions from the command line. Ensure that you wrap the expressions in single quotation marks:
| Rule | Regex |
|---|---|
| Min length 10 | ^.{10,} |
| Max length 10 | ^.{0,10}$ |
| Length range | ^.{10,20}$ |
| Require lower | .*[a-z].* |
| Require upper | .*[A-Z].* |
| Require num | .*[0-9].* |
| Require spec | .*[!@#\$%\^&\*].* |
-
Set password rules with the following command:
cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>See the following example of a Regex expression:
cloudctl pm password-rule-set default min_10 '^.{10,}' "minimum length of 10" OK -
List the password rules.
cloudctl pm password-rules <namespace>See the following example:
cloudctl pm password-rules default Name Description Regex min10 minimum length 10 ^.{10,} OK -
Remove the password rule.
cloudctl pm password-rule-rm <namespace> <rule_name>See the following example:
cloudctl pm password-rule-rm default min_10 OK