Updating RabbitMQ credentials for OpenPages

You can rotate the credentials for the message queue that is used by OpenPages.

Procedure

  1. Edit the auth secret generated for the OpenPages instance.
    It is created in the same namespace where the instance is provisioned.
    oc edit secret openpages-<instance_name>-<instance_id>-rabbitmq-auth-secret
  2. Update the keys with the new password.
    Key values are base64 encoded.
    • rabbitmq-password, rabbitmq-management-password
    • definitions.json is a JSON object that is base64 encoded. You decode it, update the user credentials, and encode it again before saving.

    Ensure the credentials in the definitions.json JSON object match those in the rabbitmq-password and rabbitmq-management-password fields.

    The following lines show an example of the auth secret:
    data:
      definitions.json: eyd1c2Vycyc6IFt7J25hbWUnOiAnbWFuYWdlbWVudCcsICdwYXNzd29yZCc6ICdiN2JiYTBjMWVmJywgJ3RhZ3MnOiAnbWFuYWdlbWVudCd9LCB7J25hbWUnOiAnYWRtaW4nLCAncGFzc3dvcmQnOiAnYjdiYmEwYzFlZicsICd0YWdzJzogJ2FkbWluaXN0cmF0b3InfV0sICd2aG9zdHMnOiBbeyduYW1lJzogJy8nfV0sICdwZXJtaXNzaW9ucyc6IFt7J3VzZXInOiAnYWRtaW4nLCAndmhvc3QnOiAnLycsICdjb25maWd1cmUnOiAnLionLCAncmVhZCc6ICcuKicsICd3cml0ZSc6ICcuKid9XSwgJ3BhcmFtZXRlcnMnOiBbXSwgJ3BvbGljaWVzJzogW3snbmFtZSc6ICdoYS1hbGwnLCAncGF0dGVybic6ICcuKicsICd2aG9zdCc6ICcvJywgJ2RlZmluaXRpb24nOiB7J2hhLW1vZGUnOiAnYWxsJywgJ2hhLXN5bmMtbW9kZSc6ICdhdXRvbWF0aWMnLCAnaGEtc3luYy1iYXRjaC1zaXplJzogMX19XSwgJ3F1ZXVlcyc6IFtdLCAnZXhjaGFuZ2VzJzogW10sICdiaW5kaW5ncyc6IFtdfQ==
      rabbitmq-erlang-cookie: ZlFTYlFzSzVUMFNoaG1vVkE3dk0wTnhZdms5eU5wblFWVS8wQUxYMDNVST0=
      rabbitmq-management-password: YjdiYmEwYzFlZg==
      rabbitmq-password: YjdiYmEwYzFlZg==

    The following line is an example of the decoded definitions.json string:

    {'users': [{'name': 'management', 'password': 'b7bba0c1ef', 'tags': 'management'}, {'name': 'admin', 'password': 'b7bba0c1ef', 'tags': 'administrator'}], 'vhosts': [{'name': '/'}], 'permissions': [{'user': 'admin', 'vhost': '/', 'configure': '.*', 'read': '.*', 'write': '.*'}], 'parameters': [], 'policies': [{'name': 'ha-all', 'pattern': '.*', 'vhost': '/', 'definition': {'ha-mode': 'all', 'ha-sync-mode': 'automatic', 'ha-sync-batch-size': 1}}], 'queues': [], 'exchanges': [], 'bindings': []}
  3. Restart the RabbitMQ pods.
    oc delete po -lrelease=openpages-<instance_name>-<instance_id> -l icpdsupport/app=rabbitmq-server
    Tip: If you want a preview of what the oc delete command will do, you can do a dry run of the command:
    oc delete po -lrelease=openpages-<instance_name>-<instance_id> -l icpdsupport/app=rabbitmq-server --dry-run='client'
  4. Add the secret to the internal vault.
    For more information about adding secrets to the vault, see Adding secrets to the internal vault.