Managing security for your Watson Speech services datastores

You can manage the access credentials for your PostgreSQL datastores by creating secrets objects for each datastore. You can create the credentials before you install Watson Speech services or update them after installation. You can also rotate your credentials for added security. Creating secrets objects for your datastores is optional. Secrets are generated automatically during installation if you do not create your own.

Note: The PostgreSQL datastores are installed only with some microservices. For information about the microservices that depend on these datastores, see Datastores properties.
Note: From version 5.4, RabbitMQ is not installed for the sttAsync microservice.
Permissions you need for these tasks:
You must be an administrator of the Red Hat® OpenShift® project to manage the cluster.

Datastore management topics

For information about creating secrets objects for your datastores before you install Watson Speech services, see:

For information about creating secrets objects for your datastores after you install Watson Speech services, see:

You can also use the information in the second topic to rotate the credentials for your datastores at any time after installation.

To modify your datastores, you edit your custom resource. For more information, see Editing the custom resource.

Note: Because Watson Speech services depend on third-party datastores, they are limited by the password policies that the datastores enforce. For more information about restrictions on the length of passwords and the characters they can include, see the documentation for the datastores or contact your IBM Support representative.

Creating secrets objects for your datastores before you install the Speech services

To access the PostgreSQL datastore, the installation reads credentials from a secret. By default, the installation creates objects that contain a randomly generated password when you install the Speech services. However, you can use the instructions in the following sections to create the secrets for authentication with the datastores before you install the Speech services:

Creating a secrets object for your PostgreSQL datastore

PostgreSQL object storage is used to store persistent data that is needed by the Speech services microservices. For information about the data that PostgreSQL stores, see Configuring the PostgreSQL datastore.

To specify the security secrets for the PostgreSQL datastore, create a YAML file (for example, user-provided-postgressql.yaml) that has the following contents:

apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: <speech-cr>-postgres-auth-secret
  namespace: <namespace>
data:
  password: <base64-encoded-password>
  username: cG9zdGdyZXM=

Use the following steps to specify the values for the secrets object:

  1. Set the value of the name property in the YAML file to <speech-cr>-postgres-auth-secret to match the default name that is used for the property global.datastores.postgres.authSecretName in the Speech services custom resource. You must use this value for the name property when you create the secrets before installation.

  2. Set the value of the namespace property to the name of the project (the namespace) where you plan to install the Speech services.

  3. Create a password and encode the value in base64. The following command encodes the value password1234 in base64. Use a different value for the password that you encode. The -n option keeps echo from appending a newline, which would otherwise be encoded as part of the password.

    echo -n "password1234" | base64
    cGFzc3dvcmQxMjM0

  4. Set the value of the username property to cG9zdGdyZXM=, which is postgres in base64. Do not change this value.

To create the secrets object from the YAML file, run the following command, where user-provided-postgressql.yaml is the name of the YAML file that you created for the secrets object:

kubectl create -f user-provided-postgressql.yaml
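
The steps above, scripted as an added example that is not part of the product documentation: it renders the same manifest for a given custom resource name and namespace, and checks that the encoded password does not carry a trailing newline. The function names, the 24-character alphanumeric password, and the use of GNU coreutils (base64 -d) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not IBM code. Function names are hypothetical.
# Assumes GNU coreutils (base64 -d) and /dev/urandom.

# Base64-encode stdin on one line (GNU base64 wraps long output at 76 columns).
b64() { base64 | tr -d '\n'; }

# 24 random alphanumeric characters: a conservative alphabet, because the
# datastore's own password policy limits length and allowed characters.
gen_password() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24; }

# Succeeds when the base64 value in $1 decodes to bytes ending in a newline.
# The last byte is inspected as hex because $(...) strips raw trailing newlines.
ends_with_newline() (
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$last" = "0a" ]
)

# Print the Secret manifest for custom resource $1, namespace $2, password $3.
render_postgres_secret() (
  enc=$(printf '%s' "$3" | b64)   # printf '%s' adds no newline
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
  name: ${1}-postgres-auth-secret
  namespace: ${2}
data:
  password: ${enc}
  username: cG9zdGdyZXM=
EOF
)

# Succeeds when manifest text $1 has a password value that is non-empty
# and does not decode to something ending in a newline.
check_manifest() (
  enc=$(printf '%s\n' "$1" | sed -n 's/^  password: //p')
  [ -n "$enc" ] || exit 1
  ! ends_with_newline "$enc"
)

# Usage (names are placeholders):
#   m=$(render_postgres_secret my-speech-cr my-namespace "$(gen_password)")
#   check_manifest "$m" && printf '%s\n' "$m" | kubectl create -f -
```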

Updating secrets objects for your datastores after you install the Speech services

When you install Watson Speech services, you can either create your own credentials before installation or let the service create them for you during installation. You can update the access credentials for your datastores at any time after you install Watson Speech services.

The following procedure documents how to re-create the secrets objects for both datastores at once. But you can update the secrets objects individually if you want. (Rather than duplicate information, the steps rely on other procedures from the documentation.)

You can follow this same procedure to rotate the credentials for your datastores. You can create new secrets objects on a periodic basis to provide greater security for your datastores.

  1. Back up the Speech service using the methodology described in Backing up and restoring Cloud Pak for Data. Store the backups in a safe location.

  2. Shut down the Watson Speech services by adding a property to the custom resource. Edit the custom resource by using the following command:

    oc edit watsonspeech ${CUSTOM_RESOURCE_SPEECH} -n ${PROJECT_CPD_INST_OPERANDS}

  3. Add the shutdown: true property beneath the spec tag:

    spec:
      shutdown: true

    Save the change to the custom resource.

  4. Wait for the Watson Speech services to shut down. To check the status of the services, enter the following command:

    oc get watsonspeech ${CUSTOM_RESOURCE_SPEECH} -n ${PROJECT_CPD_INST_OPERANDS} \
        -o 'jsonpath={.status.speechStatus}'

    The services are shut down when the command returns the status shutdown.

  5. Use the procedures in the previous sections to create new secrets objects for the datastores:

    To preserve the existing objects, choose new names for the secrets objects. If you use new names, you must update the authSecretName property for each datastore in the custom resource.

    Note: Change the names of only the passwords and secrets. Do not change the usernames that are associated with those passwords and secrets.

  6. Restart the Watson Speech services by reverting the previous shutdown step. Edit the custom resource by using the following command:

    oc edit watsonspeech ${CUSTOM_RESOURCE_SPEECH} -n ${PROJECT_CPD_INST_OPERANDS}

  7. Change the value of the property that you added previously to shutdown: false:

    spec:
      shutdown: false

    Save the change to the custom resource.

  8. Wait for the Watson Speech services to restart. To check the status of the services, enter the following command:

    oc get watsonspeech ${CUSTOM_RESOURCE_SPEECH} -n ${PROJECT_CPD_INST_OPERANDS} \
        -o 'jsonpath={.status.speechStatus}'

    The services are running again when the command returns the status Completed.

  9. Use the curl commands described in Creating a service instance for Watson Speech services programmatically to ensure that the Watson Speech services are functional and that all previous data is intact and reachable.

If you used new names for the secrets objects and you no longer need the old objects, you can delete them by running the following command once for each object. In the command, <auth-secret-name> is the name of the secrets object that you want to delete.

oc delete secret <auth-secret-name> -n ${PROJECT_CPD_INST_OPERANDS}