Managing security for your Watson Assistant datastores

You can manage the access credentials for your PostgreSQL, Elasticsearch, RabbitMQ, Kafka, Redis, and etcd data stores by creating secret objects for each data store. Secrets are generated automatically during installation. You can create new credentials after installation. You can also rotate your credentials at any time for added security. Creating secret objects for your data stores is optional.

Permissions you need for these tasks:
You must be an administrator of the Red Hat® OpenShift® project to manage the cluster.

Updating secret objects for your data stores

The following procedures describe how to update each data source's secret objects individually. Use these steps to change the secrets for your data stores after you install the service or to rotate the secrets for added security.

Note: For Watson Assistant, all of the data store passwords must be alphanumeric. No special characters are allowed. Update the secret object for one data store at a time, and let the system recover before making any other change.

Prerequisite step

Before you re-create secret objects for data stores, complete the following steps.

  1. Back up the data stores by using the backup script that is described in Backing up and restoring data. Store the backups in a safe location.
  2. Run the following command to ensure that you're logged in to the correct namespace, the installation is complete, and the service is stable:
    oc get WatsonAssistant wa -o jsonpath='{.status.watsonAssistantStatus}'
    The service is stable when the command returns the status Completed.
Note: Change the names of only the passwords and secrets. Do not change the usernames that are associated with those passwords and secrets.

Creating a secret object for your Watson Assistant PostgreSQL data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-wa-postgres-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-psql.
    • new-wa-postgres-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"postgres":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
  5. Wait for WA Postgres to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-postgres-admin-auth-cr --to=-

Creating a secret object for your Model Train PostgreSQL data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-mt-postgres-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-psql-mt.
    • new-mt-postgres-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"modelTrain":{"postgres":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Model Train Postgres to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-dwf-ibm-mt-dwf-pg-app-cr --to=-

Creating a secret object for your Model Train RabbitMQ data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-mt-rabbitmq-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-rabbitmq-mt.
    • new-mt-rabbitmq-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"modelTrain":{"rabbitmq":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Model Train RabbitMQ to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-dwf-ibm-mt-dwf-rabbitmq-auth-secret-cr --to=-

Creating a secret object for your Data Governor Kafka data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-dg-kafka-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-kafka-dg.
    • new-dg-kafka-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"kafka":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Data Governor Kafka to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-kafka-user-cr --to=-

Creating a secret object for your Store Elasticsearch data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=username=elastic --from-literal=password=new-elasticsearch-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-es.
    • new-elasticsearch-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"elasticSearch":{"store":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Store Elasticsearch to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-es-store-elastic-creds-cr --to=-

Watson Assistant on Cloud Pak for Data chat logs retention policy: Watson Assistant on Cloud Pak for Data saves chat logs for up to 90 days until the persistent volume reaches 65% capacity and starts purging the oldest logs. To avoid the Elasticsearch database filling up and failing to add new chat logs, when Elasticsearch disk utilization reaches 65%, the Analytics microservice removes the oldest chat logs until utilization is under 65% again. Because of this behavior, if the Elasticsearch database is not big enough to hold 90 days of chat logs, chat logs less than 90 days old may be removed. If the database frequently fills up (and thus logs newer than 90 days are being removed) and a longer log retention period is preferred, the Elasticsearch disk size must be increased. Contact Watson Assistant Support for assistance if the Elasticsearch database size needs to be increased.

Creating a secret object for your Data Governor Elasticsearch data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-dg-elasticsearch-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-es-dg.
    • new-dg-elasticsearch-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"elasticSearch":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Data Governor Elasticsearch to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-data-governor-ibm-elasticsearch-cred-cr-secret --to=-

Creating a secret object for your Data Governor etcd data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-dg-etcd-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-etcd-dg.
    • new-dg-etcd-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"datagovernor":{"etcd":{"credentials":{"secretName":"new-auth-secret-name"}}}}}}'
  5. Wait for Data Governor etcd to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-data-governor-etcd-auth-cr --to=-

Creating a secret object for your etcd data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=password=new-etcd-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-etcd.
    • new-etcd-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"etcd":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
  5. Wait for etcd to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-etcd-auth-cr --to=-
  6. Monitor the etcd pods as they restart after the credential is rotated internally:
    oc get pods -l app=etcd,app.kubernetes.io/instance=wa
    This change causes other Watson Assistant pods to restart as they adopt the new credential.
  7. Monitor the other service pods as they restart:
    oc get WatsonAssistant wa -w

Creating a secret object for your Redis data store

  1. Complete the prerequisite steps.
  2. Create the new secret by using the oc create secret command:
    oc create secret generic new-auth-secret-name --from-literal=admin_password=new-redis-password
    where the following values are specified:
    • new-auth-secret-name is a new secret name, such as credentials-redis.
    • new-redis-password is replaced by the new password value.
  3. To confirm that the new secret value was saved successfully, you can use the following command:
    oc extract secret/new-auth-secret-name --to=-
  4. Create a patch to apply the new secret to the service.
    oc patch WatsonAssistant wa --type merge --patch '{"spec":{"datastores":{"redis":{"credentials":{"secretName":"new-auth-secret-name"}}}}}'
  5. Wait for Redis to quiesce and update the secret. To confirm that the new secret credential is being used, you can use the following command:
    oc extract secret/wa-redis-creds --to=-
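The procedures above all follow the same shape: check that the service is stable, create a new secret with an alphanumeric password, patch the matching path under spec.datastores, then wait for the operator to quiesce. The following shell script is an added example (not IBM's tooling) that wraps those oc commands for any of the data stores on this page; the function names, the dotted path notation (for example modelTrain.postgres) and the polling interval are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: rotate one Watson Assistant data store credential using the
# page's oc commands. Function names and the dotted-path convention are assumptions.
set -eu

# The page requires alphanumeric passwords: return 0 if "$1" qualifies, else 1.
is_alphanumeric() {
  case "$1" in
    ''|*[!A-Za-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the merge patch for a dotted path under spec.datastores, e.g.
# "postgres" or "datagovernor.kafka", wrapping the credentials block outward.
build_patch() {
  path="$1"; secret="$2"
  json="{\"credentials\":{\"secretName\":\"$secret\"}}"
  while [ -n "$path" ]; do
    key="${path##*.}"                       # innermost remaining component
    json="{\"$key\":$json}"
    case "$path" in *.*) path="${path%.*}" ;; *) path="" ;; esac
  done
  printf '{"spec":{"datastores":%s}}' "$json"
}

# Poll the operator status until it reports Completed again (quiesce finished).
wait_for_completed() {
  while [ "$(oc get WatsonAssistant wa -o jsonpath='{.status.watsonAssistantStatus}')" != "Completed" ]; do
    sleep 10
  done
}

# rotate_secret <dotted path> <new secret name> <literal key> <password> [extra --from-literal args]
# The literal key is "password" for most stores and "admin_password" for Redis;
# the Store Elasticsearch secret also needs --from-literal=username=elastic.
rotate_secret() {
  store_path="$1"; secret="$2"; key="$3"; password="$4"; shift 4
  is_alphanumeric "$password" || { echo "password must be alphanumeric" >&2; return 1; }
  status=$(oc get WatsonAssistant wa -o jsonpath='{.status.watsonAssistantStatus}')
  [ "$status" = "Completed" ] || { echo "service not stable: $status" >&2; return 1; }
  oc create secret generic "$secret" --from-literal="$key=$password" "$@"
  oc extract "secret/$secret" --to=- >/dev/null        # confirms the secret was saved
  oc patch WatsonAssistant wa --type merge --patch "$(build_patch "$store_path" "$secret")"
  wait_for_completed                                   # one data store at a time, per the page note
}
```

Source the script and call, for example, `rotate_secret modelTrain.rabbitmq credentials-rabbitmq-mt password NewPassw0rd` after taking the backup described in the prerequisite step; rotating a second store before the first reports Completed is refused by the status check.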