Requiring users to use secrets for credentials when creating connections

When a user creates a connection, they can provide their credentials by entering them directly or by specifying a secret. A Red Hat® OpenShift® administrator can configure Cloud Pak for Data to enforce the exclusive use of secrets from an external vault (such as CyberArk or HashiCorp).

Who needs to complete this task?
To complete this task, you must be either:
  • A cluster administrator
  • An instance administrator
When do you need to complete this task?
You can complete this task anytime after Cloud Pak for Data is installed. However, it is recommended that you complete this task before you give users access to the web client.
Common core services This feature is available only when the Cloud Pak for Data common core services are installed. To determine whether the common core services are installed, run:
oc get ccs --namespace ${PROJECT_CPD_INST_OPERANDS}
  • If the common core services are installed, the command returns information about the common core services custom resource.
  • If the common core services are not installed, the command returns an empty response.

Before you begin

Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.

Ensure that you source the environment variables before you run the commands in this task.

About this task

A Red Hat OpenShift project (namespace) administrator can edit the common core services custom resource to set the wdp_connect_connection_allow_only_vaulted_password parameter to true.

Procedure

  1. Log in to Red Hat OpenShift Container Platform as a user with sufficient permissions to complete the task. 
    ${OC_LOGIN}
  2. Set the wdp_connect_connection_allow_only_vaulted_password parameter to true: 
    oc patch ccs ccs-cr \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
--type=merge \
--patch '{"spec": {"wdp_connect_connection_allow_only_vaulted_password": "true"}}'
  3. Restart the following pods:
    1. Restart the wdp-connect-connection pods: 
      oc delete pods \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
-l app=wdp-connect-connection \
    2. Restart the wdp-connect-connector pods: 
      oc delete pods \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
-l app=wdp-connect-connector
  4. Verify that the pods return and are running:
    1. Verify that the wdp-connect-connection pods are running: 
      oc get pods \
--namespace=${PROJECT_CPD_INST_OPERANDS} \
-l app=wdp-connect-connection
    2. Verify that the wdp-connect-connector pods are running: 
      oc get pods \
--namespace=${PROJECT_CPD_INST_OPERANDS} \ 
-l app=wdp-connect-connector

Results

Cloud Pak for Data is configured for the exclusive use of external vault secrets for connections.