K8s: steps to change REDB password #3353
🛡️ Jit Security Scan Results
✅ No security findings were detected in this PR
Security scan by Jit
|
| {{<note>}} | ||
| The procedures on this page are supported for operator versions 6.0.20-12 and later. | ||
| {{</note>}} |
This is a super-old version, long time out of support. Not sure we should mention that.
| The command outputs the base64-encoded password and username: | ||
|
|
||
| ```sh | ||
| map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=] |
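Review bot: both sample values in the output line decode to strings that end in a newline (`MTIzNDU2NzgK` is `12345678` followed by `\n`, and the username value ends the same way), which is what `echo ... | base64` produces without `-n`. A reader who copies that pattern when encoding a new password for the secret stores the newline as part of the value. Suggest regenerating the sample values with `printf '%s'` or `echo -n` so they carry no trailing newline. The block is also fenced as `sh` although it holds command output rather than a command.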
This output example is incorrect. The output is JSON:
{"password":"MTIzNDU2NzgK","username":"ZGVtb0BleGFtcGxlLmNvbQo="}
| -u "$REC_USER:$REC_PASSWORD" \ | ||
| --header 'Content-Type: application/json' \ | ||
| --data "{\"username\":\"$REC_USER\", \ | ||
| \"old_password\":\"$REC_PASSWORD\", \ |
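Review bot: the `--data` argument builds the JSON body by interpolating `$REC_USER` and `$REC_PASSWORD` inside a double-quoted shell string, so a password containing `"` or `\` produces malformed JSON or a body other than the one intended. Suggest constructing the body with `jq -n --arg`, which escapes the values, and piping it to curl with `--data @-`.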
I believe the old_password field is no longer needed (or maybe even invalid? not sure).
Ref: https://redis.io/docs/latest/operate/rs/references/rest-api/requests/users/password/#post-request
|
|
||
| #### Impact on existing client connections | ||
|
|
||
| Existing client connections authenticated with the old password remain open — Redis Enterprise does not drop sessions when the password changes. New connections, and any `AUTH` commands issued on existing connections, must use the new password. Coordinate the secret update with your client configuration to avoid authentication errors. |
I believe we've added a new config option to determine the behavior with existing connection upon password change - I'll try to find.
| weight: 93 | ||
| --- | ||
|
|
||
| Redis Enterprise for Kubernetes stores both cluster admin credentials and database passwords in Kubernetes [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). The operator reconciles changes to these secrets and applies them to the cluster, so you rotate credentials by updating the secret rather than calling the cluster API directly. |
Saying that we reconcile changes to the cluster admin credentials secret is ... well, inaccurate.
The password-change procedure we describe below involves updating the password via RS API, and only then manually updating the secret.
I'd rephrase, to avoid giving the impression that users can just update this secret and have their password changed this way (this would lead to the admin-user lockout).
Note
Low Risk
Low risk documentation-only change that mainly renames/redirects a credentials page and updates internal links; primary risk is broken navigation if any references were missed.
Overview
Adds a new Kubernetes security doc page `Manage credentials` that consolidates REC admin credential procedures and adds explicit steps to retrieve/rotate REDB database passwords via the database secret, including notes on `defaultUser: false` and client impact.

Updates Kubernetes and Operate index pages and related docs to point to `manage-credentials` (with an alias from the old `manage-rec-credentials` URL), and adds a brief “Rotate the database password” callout to the database connectivity guide while removing the old `manage-rec-credentials.md` page.

Reviewed by Cursor Bugbot for commit 3ca82f2.