Managing security for your Watson Discovery data stores
You can manage the access credentials for your MinIO, PostgreSQL, Elasticsearch, RabbitMQ, and etcd data stores by creating secrets objects for each data store. Secrets are generated automatically during installation. You can create new credentials after installation. You can also rotate your credentials at any time for added security. Creating secrets objects for your data stores is optional.
Permissions you need for these tasks:
- You must be an administrator of the Red Hat® OpenShift® project to manage the cluster.
Updating secrets objects for your data stores
Prerequisite step
Before you re-create secrets objects for MinIO, PostgreSQL, Elasticsearch, and RabbitMQ, you must shut down the Watson Discovery service.
- Back up the data stores by using the backup script that is described in Backup and restore data. Store the backups in a safe location.
- Run the following command to ensure that you're logged in to the correct namespace, the installation is complete, and the service is stable:
oc get WatsonDiscovery wd -o jsonpath='{.status.watsonDiscoveryStatus}'
The service is stable when the command returns the status Completed.
- Shut down Watson Discovery by editing your custom resource with the following command:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec": {"shutdown": "true"}}'
Save the change to the custom resource.
- Wait for Watson Discovery to shut down. To check the status of the services, enter the following commands:
oc get WatsonDiscovery wd -o jsonpath='{.status.customResourceQuiesce}'
oc get WatsonDiscovery wd -o jsonpath='{.status.datastoreQuiesce}'
The services are ready when both commands return the status QUIESCED.
Use the procedures in the following sections to create new secrets objects for the data stores.
Note: Change the names of only the passwords and secrets. Do not change the usernames that are associated with those passwords and secrets.
Creating a secrets object for your PostgreSQL data store
- Complete the prerequisite step to quiesce the service first.
- Create the new secret by using the oc create secret command:
oc create secret generic new-auth-secret-name \
  --from-literal=password=new-postgres-password
where the following values are specified:
new-auth-secret-name is a new secret name, such as credentials-psql.
new-postgres-password is replaced by the new password value.
- To confirm that the new value was saved successfully, you can use the following command:
oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec":{"postgres":{"authSecretName": "new-auth-secret-name"}}}'
- Now that new credentials exist, you can delete the previous secret:
oc delete secret old-auth-secret-name
To delete the secrets that are generated by the installation process, use the following command:
oc delete secret wd-discovery-cn-postgres-su wd-discovery-cn-postgres-wd
Creating a secrets object for your RabbitMQ data store
- Complete the prerequisite step to quiesce the service first.
- Create the new secret by using the oc create secret command:
oc create secret generic new-auth-secret-name \
  --from-literal=rabbitmq-password=new-rabbitmq-password \
  --from-literal=rabbitmq-management-password=new-rabbitmq-mgmt-password
where the following values are specified:
new-auth-secret-name is a new secret name, such as credentials-rmq.
new-rabbitmq-password is replaced by the new password value.
new-rabbitmq-mgmt-password is replaced by the new management password value.
- To confirm that the new values were saved successfully, you can use the following command:
oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec":{"rabbitmq":{"authSecretName": "new-auth-secret-name"}}}'
- Now that new credentials exist, you can delete the previous secret:
oc delete secret old-auth-secret-name
To delete the secret that is generated by the installation process, use the following command:
oc delete secret wd-discovery-rabbitmq-auth
Creating a secrets object for your MinIO data store
- Complete the prerequisite step to quiesce the service first.
- Create the new secret by using the oc create secret command:
oc create secret generic new-auth-secret-name \
  --from-literal=accesskey=new-access-key \
  --from-literal=secretkey=new-secret-key \
  --from-literal=sseMasterKey=wire-master-key:new-master-key
where the following values are specified:
new-auth-secret-name is a new secret name, such as credentials-minio.
new-access-key is replaced by the new access key value.
new-secret-key is replaced by the new secret key value.
new-master-key is replaced by the new master key value.
- To confirm that the new values were saved successfully, you can use the following command:
oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec":{"minio":{"authSecretName": "new-auth-secret-name"}}}'
- Now that new credentials exist, you can delete the previous secret:
oc delete secret old-auth-secret-name
To delete the secret that is generated by the installation process, use the following command:
oc delete secret wd-discovery-minio-auth
Creating a secrets object for your Elasticsearch data store
- Complete the prerequisite step to quiesce the service first.
- Create the new secret by using the oc create secret command:
oc create secret generic new-auth-secret-name \
  --from-literal=password=new-elastic-password
where the following values are specified:
new-auth-secret-name is a new secret name, such as credentials-elastic.
new-elastic-password is replaced by the new password value.
- To confirm that the new value was saved successfully, you can use the following command:
oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec":{"elasticsearch":{"authSecretName": "new-auth-secret-name"}}}'
- Now that new credentials exist, you can delete the previous secret:
oc delete secret old-auth-secret-name
To delete the secrets that are generated by the installation process, use the following command:
oc delete secret wd-discovery-elastic-secret wd-discovery-elastic-secret-es
Restarting the service
- Restart the service by applying a patch that changes the shutdown status for the service to false:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec": {"shutdown": "false"}}'
- Wait for the services to restart, and then run the following commands to check the status:
oc get WatsonDiscovery wd -o jsonpath='{.status.customResourceQuiesce}'
oc get WatsonDiscovery wd -o jsonpath='{.status.datastoreQuiesce}'
The service is fully restarted when both commands return the status NOT_QUIESCED.
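The shutdown, rotate, restart sequence above as one script, an added example that is not part of the IBM documentation. It assumes oc is on PATH and logged in to the project, keeps the custom resource name wd, and uses the secret keys and authSecretName fields the page documents; etcd is left out because the page rotates it while the service is running.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: rotate one Watson Discovery
# data-store secret with the checks the page's procedure calls for. Assumes
# `oc` is on PATH and logged in to the project; the secret key names and the
# authSecretName fields are the ones the page documents.
set -eu

CR=${CR:-wd}        # name of the WatsonDiscovery custom resource
POLL=${POLL:-10}    # seconds between status checks

# Poll both quiesce status fields until each equals $1 (QUIESCED or NOT_QUIESCED).
wait_for_quiesce() {
  want=$1; tries=${2:-60}
  while [ "$tries" -gt 0 ]; do
    cr=$(oc get WatsonDiscovery "$CR" -o jsonpath='{.status.customResourceQuiesce}')
    ds=$(oc get WatsonDiscovery "$CR" -o jsonpath='{.status.datastoreQuiesce}')
    [ "$cr" = "$want" ] && [ "$ds" = "$want" ] && return 0
    tries=$((tries - 1)); sleep "$POLL"
  done
  echo "timed out waiting for quiesce state $want" >&2; return 1
}

# Set spec.shutdown to $1 ("true" or "false") and wait for the matching state.
set_shutdown() {
  oc patch WatsonDiscovery "$CR" --type=merge \
    --patch="{\"spec\": {\"shutdown\": \"$1\"}}"
  if [ "$1" = true ]; then wait_for_quiesce QUIESCED; else wait_for_quiesce NOT_QUIESCED; fi
}

# rotate_secret STORE NEW_SECRET "OLD_SECRET..." KEY=VALUE...
#   STORE is the spec field the page patches: postgres, rabbitmq, minio or
#   elasticsearch (etcd is rotated while running and must not go through set_shutdown).
#   Old secrets are deleted only after the custom resource points at the new one.
rotate_secret() {
  store=$1; new=$2; old=$3; shift 3
  n=$#
  while [ "$n" -gt 0 ]; do      # turn each KEY=VALUE into --from-literal=KEY=VALUE
    set -- "$@" "--from-literal=$1"; shift; n=$((n - 1))
  done
  oc create secret generic "$new" "$@"
  # Confirm the secret exists before the CR references it, without printing
  # its values to the terminal the way `oc extract --to=-` would.
  oc get secret "$new" -o name >/dev/null
  oc patch WatsonDiscovery "$CR" --type=merge \
    --patch="{\"spec\":{\"$store\":{\"authSecretName\":\"$new\"}}}"
  # shellcheck disable=SC2086  # the old-secret list is intentionally word-split
  oc delete secret $old
}
```

A full rotation of the PostgreSQL credentials is then: set_shutdown true; rotate_secret postgres credentials-psql "wd-discovery-cn-postgres-su wd-discovery-cn-postgres-wd" password=NEW_VALUE; set_shutdown false.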
Creating a secrets object for your etcd data store
Do not create a secrets object or rotate credentials for the etcd service while the service is quiesced or shut down. Only when the service is up and running, complete the following steps to re-create the secrets object for etcd.
The etcd operator requires both credentials to exist in the namespace to perform the rotation, so do not delete the existing credentials until after the new credentials are created.
- Verify that the etcd pods are up and running:
oc get pods -lapp=etcd,app.kubernetes.io/instance=wd
- Create the new secret by using the oc create secret command:
oc create secret generic new-auth-secret-name \
  --from-literal=password=new-etcd-password
where the following values are specified:
new-auth-secret-name is a new secret name, such as credentials-etcd.
new-etcd-password is replaced by the new password value.
- To confirm that the new value was saved successfully, you can use the following command:
oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
oc patch WatsonDiscovery wd --type=merge \
  --patch='{"spec":{"etcd":{"authSecretName": "new-auth-secret-name"}}}'
- Monitor the etcd pods as they restart after the credential is rotated internally:
oc get pods -lapp=etcd,app.kubernetes.io/instance=wd
This change causes other Watson Discovery pods to restart as they adopt the new credential.
- Monitor the other service pods as they restart:
oc get WatsonDiscovery wd -w