Changing Database Passwords

Resetting Passwords

The following procedure walks through the process of changing passwords for the database users in the Immuta Database and Query Engine.

The commands outlined here will need to be altered depending on your Helm release name and chosen passwords. Depending on your environment, there may be other changes required for the commands to complete successfully, including, but not limited to, Kubernetes namespace, kubectl context, and Helm values file name.

This process results in downtime.

Database

1. Scale database StatefulSet to 1 replica:

   kubectl scale statefulset < release-name >-immuta-database --replicas 1
   

2. Change database.superuserPassword:

   1. Alter Postgres user password:

   kubectl exec < release-name >-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER postgres WITH ENCRYPTED PASSWORD '< new password >'"
   

   1. Update database.superuserPassword with < new password > in immuta-values.yaml.

3. Change database.replicationPassword:

   1. Alter replicator user password:

   kubectl exec < release-name >-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER replicator WITH ENCRYPTED PASSWORD '< new password >'"
   

   1. Update database.replicationPassword with < new password > in immuta-values.yaml.

4. Change database.password:

   1. Alter bometa user password:

   kubectl exec < release-name >-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER bometa WITH ENCRYPTED PASSWORD '< new password >'"
   

   1. Update database.password with < new password > in immuta-values.yaml.

5. Update database.patroniApiPassword with < new password > in immuta-values.yaml.

6. Run helm upgrade to persist the changes and scale the database StatefulSet up:

   helm upgrade --reuse-values < release name > immuta/immuta
   

7. Restart web pods:

   kubectl rollout restart deployment/< release name >-immuta-web