As an administrator, you can change the password seed that is used when you install IBM® DevOps Test Hub (Test Hub) to provide enhanced security to Test Hub.
You must have completed the following tasks:
When you install Test Hub, you supply a password seed when you run the helm install command. This password seed is used to generate several Kubernetes secrets. Kubernetes Secrets can contain the following information:
When you change the password seed for Test Hub, you must consider the following scenarios:
- Test Hub cannot communicate until you reconcile the passwords which are in Kubernetes Secrets by using the old and a new password seed.
- Users cannot read secret collections or other secrets that they have created in Test Hub until you re-encrypt them using a new password seed.
  Important: You must provide an offline token and old password seed that you used during the installation of Test Hub to re-encrypt user secrets.
- Run the following command to change the password seed for Test Hub:
  helm upgrade {{main}} ./ibm-rtas-prod -n devops-system \
    --reuse-values \
    --set global.ibmRtasPasswordAutoGenSeed={my-new-super-secret}
  Notes: You must substitute the following variables with the actual values in the command:
  - {{main}} with the release name that you used during the installation of Test Hub.
  - {my-new-super-secret} with a new value of your choice as the password seed.
  - You must run the helm upgrade command from the same directory where the helm install command was run during the installation of Test Hub, because the upgrade depends on the helm charts and .yaml file values that were used when the helm install command was run.
- Run the following script to generate new server secrets from the updated password seed and to save them to the persistent storage:
  ./ibm-rtas-prod/files/reconcile-secrets.sh -n devops-system {{main}}
- Run the following command to restart all the pods:
  kubectl delete pods -n devops-system \
    -lapp.kubernetes.io/instance={{main}} \
    -lapp.kubernetes.io/managed-by=Helm
- Run the following commands to re-encrypt the user-created secrets by providing the old password seed:
  export ACCESS_TOKEN=$(curl -k -X POST {SERVER_URL}/rest/tokens/ \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "accept: application/json" \
    -d "refresh_token={OFFLINE_TOKEN}" | jq -r '.access_token')
  curl -k -X POST {SERVER_URL}/rest/secrets/re-encrypt/ \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{\"type\":\"helm\",\"password_auto_gen_seed\":\"{OLD_SEED}\"}"
  Note: You must substitute the following variables with the actual values in the commands:
  - {SERVER_URL} with the URL of your Test Hub UI.
  - {OFFLINE_TOKEN} with the offline token that belongs to a user with the administrator role.
  - {OLD_SEED} with the previous password seed that you used during the installation of Test Hub.
- Run the following command to display the log file of the gateway pod:
  kubectl logs {{main}}-gateway-abcdefghij-abcde -n devops-system
  Note: You must substitute the following variables with the actual values in the command:
  - {{main}} with the release name that you used during the installation of Test Hub.
  - abcdefghij-abcde with an identifier that is assigned to the name of the gateway pod. You can run the kubectl get pods -n devops-system command to obtain the identifier that is assigned to the gateway pod.
The following message is displayed when re-encryption is completed:
reEncrypt complete. StringyReEncryptor
[total=100, fixed=100, broken=0, noop=0]
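The completion check in the last step can be scripted so that a run with failed items is not mistaken for success. The following is an added example, not part of the IBM documentation or product; the function names are hypothetical, and treating a non-zero broken count as a failure is an assumption, because the page does not define the counters.

```shell
#!/bin/sh
# Added example (not IBM code): check the re-encryption summary in the gateway log.
# Reads log text on stdin. Exit status:
#   0 = summary found and broken=0
#   1 = summary found and broken>0
#   2 = no summary found (re-encryption not finished, or wrong pod)
# Assumption: a non-zero "broken" counter means some secrets were not
# re-encrypted; the page does not define the counters.

# Print the most recent summary found on stdin, or nothing.
reencrypt_summary() {
    # Flatten newlines first so a summary wrapped over two lines still matches.
    tr '\n' ' ' |
        { grep -oE 'reEncrypt complete\. StringyReEncryptor +\[total=[0-9]+, fixed=[0-9]+, broken=[0-9]+, noop=[0-9]+\]' || true; } |
        tail -n 1
}

# $1 = summary text, $2 = counter name (total, fixed, broken or noop)
reencrypt_counter() {
    printf '%s\n' "$1" | sed -n "s/.*[[ ]$2=\([0-9][0-9]*\).*/\1/p"
}

check_reencrypt() {
    summary=$(reencrypt_summary)
    if [ -z "$summary" ]; then
        echo "no reEncrypt summary in log" >&2
        return 2
    fi
    echo "$summary"
    broken=$(reencrypt_counter "$summary" broken)
    if [ "$broken" -ne 0 ]; then
        echo "re-encryption reported $broken broken item(s)" >&2
        return 1
    fi
    return 0
}

# Constructed sample log (not real output), wrapped like the message on this page.
SAMPLE_LOG='2024-01-01T00:00:00Z INFO constructed line before the summary
reEncrypt complete. StringyReEncryptor
[total=100, fixed=100, broken=0, noop=0]'

# Demo on the sample; against a cluster, pipe the kubectl logs command above instead.
printf '%s\n' "$SAMPLE_LOG" | check_reencrypt
```

The check accepts the summary either on one line or wrapped as it appears on this page.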
You have successfully changed the password seed for Test Hub.