Managing security for your Watson Assistant datastores
You can manage the access credentials for your MinIO, PostgreSQL, Elasticsearch, RabbitMQ, Kafka, Redis, and etcd data stores by creating secret objects for each data store. Secrets are generated automatically during installation. You can create new credentials after installation. You can also rotate your credentials at any time for added security. Creating secret objects for your data stores is optional.
- Permissions you need for these tasks:
- You must be an administrator of the Red Hat® OpenShift® project to manage the cluster.
Updating secret objects for your data stores
The following procedures describe how to update each data source's secret objects individually. Use these steps to change the secrets for your data stores after you install the service or to rotate the secrets for added security.
Prerequisite step
Before you re-create secret objects for data stores, you must complete the following steps.
- Back up the data stores by using the backup script that is described in Backing up and restoring data. Store the backups in a safe location.
- Run the following command to ensure that you're logged in to the correct namespace, the installation is complete, and the service is stable:
  oc get WatsonAssistant wa -o jsonpath='{.status.watsonAssistantStatus}'
  The service is stable when the command returns the status Completed.
Creating a secret object for your Watson Assistant PostgreSQL data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-wa-postgres-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-psql.
  - new-wa-postgres-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"postgres":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
- Wait for WA Postgres to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-postgres-admin-auth-cr --to=-
Creating a secret object for your Model Train PostgreSQL data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-mt-postgres-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-psql-mt.
  - new-mt-postgres-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"modelTrain":{"postgres":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Model Train Postgres to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-dwf-ibm-mt-dwf-pg-app-cr --to=-
Creating a secret object for your MinIO data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=accesskey=new-access-key --from-literal=secretkey=new-secret-key
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-minio.
  - new-access-key is replaced by the new access key value.
  - new-secret-key is replaced by the new secret key value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"cos":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
- Wait for MinIO to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-minio-creds-cr-secret --to=-
Creating a secret object for your Model Train RabbitMQ data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-mt-rabbitmq-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-rabbitmq-mt.
  - new-mt-rabbitmq-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"modelTrain":{"rabbitmq":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Model Train RabbitMQ to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-dwf-ibm-mt-dwf-rabbitmq-auth-secret-cr --to=-
Creating a secret object for your Data Governor Kafka data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-dg-kafka-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-kafka-dg.
  - new-dg-kafka-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"kafka":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Data Governor Kafka to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-kafka-user-cr --to=-
Creating a secret object for your Store Elasticsearch data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=username=elastic --from-literal=password=new-elasticsearch-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-es.
  - new-elasticsearch-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"elasticSearch":{"store":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Store Elasticsearch to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-es-store-elastic-creds-cr --to=-
Creating a secret object for your Data Governor Elasticsearch data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-dg-elasticsearch-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-es-dg.
  - new-dg-elasticsearch-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"elasticSearch":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Data Governor Elasticsearch to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-data-governor-ibm-elasticsearch-cred-cr-secret --to=-
Creating a secret object for your Data Governor etcd data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-dg-etcd-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-etcd-dg.
  - new-dg-etcd-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"etcd":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
- Wait for Data Governor etcd to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-data-governor-etcd-auth-cr --to=-
Creating a secret object for your etcd data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=password=new-etcd-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-etcd.
  - new-etcd-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"etcd":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
- Wait for etcd to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-etcd-auth-cr --to=-
- Monitor the etcd pods as they restart after the credential is rotated internally:
  oc get pods -l app=etcd,app.kubernetes.io/instance=wa
  This change causes other Watson Assistant pods to restart as they adopt the new credential.
- Monitor the other service pods as they restart:
  oc get WatsonAssistant wa -w
Creating a secret object for your Redis data store
- Complete the prerequisite steps.
- Create the new secret by using the oc create secret command:
  oc create secret generic new-auth-secret-name --from-literal=admin_password=new-redis-password
  where the following values are specified:
  - new-auth-secret-name is a new secret name, such as credentials-redis.
  - new-redis-password is replaced by the new password value.
- To confirm that the new secret value was saved successfully, you can use the following command:
  oc extract secret/new-auth-secret-name --to=-
- Create a patch to apply the new secret to the service:
  oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"redis":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
- Wait for Redis to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
  oc extract secret/wa-redis-creds --to=-
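The ten procedures above share one shape and differ only in the path under spec.datastores that the patch targets, the keys the new secret must carry (password, accesskey and secretkey, username and password, or admin_password), and the secret you extract to confirm adoption. Getting any of those three wrong is the usual rotation mistake, so the following shell helper, an added example written for this page and not IBM's own tooling, collects them in one table and derives the patch, the review plan and the adoption check from it. The CR paths, key names and secret names are copied from the procedures above; the "# key" then value layout of oc extract --to=- output, and the assumption that each in-use "-cr" secret carries the same key names as the secret you create, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's tooling) wrapping the per-datastore rotation steps
# on this page. CR paths, keys and in-use secret names come from those steps;
# the `oc extract --to=-` layout ("# key" then value) and matching key names in
# the "-cr" secrets are assumptions.

# Short label -> "<path under spec.datastores>|<required keys>|<in-use secret>"
ds_spec() {
  case "$1" in
    postgres)    echo "postgres|password|wa-postgres-admin-auth-cr" ;;
    mt-postgres) echo "modelTrain.postgres|password|wa-dwf-ibm-mt-dwf-pg-app-cr" ;;
    minio)       echo "cos|accesskey,secretkey|wa-minio-creds-cr-secret" ;;
    mt-rabbitmq) echo "modelTrain.rabbitmq|password|wa-dwf-ibm-mt-dwf-rabbitmq-auth-secret-cr" ;;
    dg-kafka)    echo "datagovernor.kafka|password|wa-kafka-user-cr" ;;
    es-store)    echo "elasticSearch.store|username,password|wa-es-store-elastic-creds-cr" ;;
    dg-es)       echo "datagovernor.elasticSearch|password|wa-data-governor-ibm-elasticsearch-cred-cr-secret" ;;
    dg-etcd)     echo "datagovernor.etcd|password|wa-data-governor-etcd-auth-cr" ;;
    etcd)        echo "etcd|password|wa-etcd-auth-cr" ;;
    redis)       echo "redis|admin_password|wa-redis-creds" ;;
    *)           return 1 ;;
  esac
}

# Kubernetes secret names are DNS subdomains: lowercase alphanumerics, '-' or
# '.', starting and ending with an alphanumeric, at most 253 characters.
valid_secret_name() {
  case "$1" in
    ''|*[!a-z0-9.-]*|-*|.*|*-|*.) return 1 ;;
  esac
  [ ${#1} -le 253 ]
}

# Build the merge patch for a datastore by wrapping the credentials object
# from the innermost CR key outward (a.b -> {"a":{"b":...}}).
build_patch() {
  spec=$(ds_spec "$1") || return 1
  path=${spec%%|*}
  json="{\"credentials\":{\"secretName\":\"$2\"}}"
  while [ -n "$path" ]; do
    last=${path##*.}
    json="{\"$last\":$json}"
    case "$path" in
      *.*) path=${path%.*} ;;
      *)   path= ;;
    esac
  done
  echo "{\"spec\":{\"datastores\":$json}}"
}

# Print the oc commands for one rotation without running them, so they can be
# reviewed first; credential values stay as <key> placeholders for the operator.
rotation_plan() {
  valid_secret_name "$2" || { echo "invalid secret name: $2" >&2; return 1; }
  spec=$(ds_spec "$1") || return 1
  keys=${spec#*|}; keys=${keys%%|*}
  cr=${spec##*|}
  literals=""
  for k in $(printf '%s' "$keys" | tr ',' ' '); do
    literals="$literals --from-literal=$k=<$k>"
  done
  echo "oc create secret generic $2$literals"
  echo "oc extract secret/$2 --to=-"
  echo "oc patch WatsonAssistant wa --type merge --patch '$(build_patch "$1" "$2")'"
  echo "oc extract secret/$cr --to=-"
}

# Turn `oc extract secret/NAME --to=-` output into key=value lines
# (single-line values only; assumed layout is "# key" followed by the value).
extract_kv() {
  awk '/^# /{key=substr($0,3); next} key!=""{print key "=" $0; key=""}'
}

# Succeed when every key the datastore needs is present in the new secret.
check_keys() {
  spec=$(ds_spec "$1") || return 1
  keys=${spec#*|}; keys=${keys%%|*}
  kv=$(printf '%s\n' "$2" | extract_kv)
  for k in $(printf '%s' "$keys" | tr ',' ' '); do
    printf '%s\n' "$kv" | grep -q "^$k=" || return 1
  done
}

# Succeed when the in-use secret carries the same values as the new secret,
# i.e. the operator has finished adopting the rotated credential.
rotation_adopted() {
  spec=$(ds_spec "$1") || return 1
  keys=${spec#*|}; keys=${keys%%|*}
  new_kv=$(printf '%s\n' "$2" | extract_kv)
  cr_kv=$(printf '%s\n' "$3" | extract_kv)
  for k in $(printf '%s' "$keys" | tr ',' ' '); do
    a=$(printf '%s\n' "$new_kv" | sed -n "s/^$k=//p")
    b=$(printf '%s\n' "$cr_kv" | sed -n "s/^$k=//p")
    [ -n "$a" ] && [ "$a" = "$b" ] || return 1
  done
}

# Demo on constructed extract output (no cluster needed).
NEW_MINIO=$(printf '# accesskey\nAK-constructed\n# secretkey\nSK-constructed\n')
rotation_plan minio credentials-minio
check_keys minio "$NEW_MINIO" && echo "new MinIO secret has both keys"
```

Against a real cluster the adoption check in the last step of each procedure becomes rotation_adopted etcd "$(oc extract secret/credentials-etcd --to=-)" "$(oc extract secret/wa-etcd-auth-cr --to=-)", which returns non-zero until the operator has copied the new values into the in-use secret. The plan keeps --from-literal as the page does; note that a password given that way sits on the command line, where shell history and process listings can see it, and oc create secret generic also accepts --from-file=password=./password.txt to read it from a file you delete afterwards.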