Changing Database Passwords for Helm Deployment

Resetting Passwords

The following procedure walks through the process of changing passwords for the database users in the Immuta Database.

The commands outlined here will need to be altered depending on your Helm release name and chosen passwords. Depending on your environment, there may be other changes required for the commands to complete successfully, including, but not limited to, Kubernetes namespace, kubectl context, and Helm values file name.

This process results in downtime.

Helm Values

1. Scale database StatefulSet to 1 replica:

   Copy

   kubectl scale statefulset <release-name>-immuta-database --replicas 1

2. Change database.superuserPassword:

   1. Alter Postgres user password:

      Copy

      kubectl exec <release-name>-immuta-database-0 -- \
        psql -d bometadata -c \
        "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-password>'

   2. Update database.superuserPassword with <new-password> in immuta-values.yaml.

3. Change database.replicationPassword:

   1. Alter replicator user password:

      Copy

      kubectl exec <release-name>-immuta-database-0 -- \
        psql -d bometadata -c \
        "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-password>'"

   2. Update database.replicationPassword with <new-password> in immuta-values.yaml.

4. Change database.password:

   1. Alter bometa user password:

      Copy

      kubectl exec <release-name>-immuta-database-0 -- \
        psql -d bometadata -c \
        "ALTER USER bometa WITH ENCRYPTED PASSWORD '<new-password>'"

   2. Update database.password with <new-password> in immuta-values.yaml.

5. Update database.patroniApiPassword with <new-password> in immuta-values.yaml.

6. Run helm upgrade to persist the changes and scale the database StatefulSet up:

   Copy

   helm upgrade --reuse-values <release-name> immuta/immuta

7. Restart web pods:

   Copy

   kubectl rollout restart deployment/<release-name>-immuta-web

Kubernetes Secret

Users have the option to use an existing Kubernetes secret for Immuta database passwords used in Helm installations.

1. Update your existingSecret values in your Kubernetes environment.

2. Get the current replica counts:

   Copy

   DATABASE_REPLICA_COUNT=$(kubectl get statefulset --selector "app.kubernetes.io/component=database" --output=jsonpath='{.items[0].status.replicas}')

3. Scale database StatefulSet to 1 replica:

   Copy

   kubectl scale statefulset <release-name>-immuta-database --replicas 1

4. Change the value corresponding to database.superuserPassword in the existing Kubernetes Secret.

5. Alter Postgres user password:

   Copy

   kubectl exec <release-name>-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-password>'"

6. Change the value corresponding to database.replicationPassword in the existing Kubernetes Secret.

7. Alter replicator user password:

   Copy

   kubectl exec <release-name>-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-password>'"

8. Change the value corresponding to database.password in the existing Kubernetes Secret.

9. Alter bometa user password:

   Copy

   kubectl exec <release-name>-immuta-database-0 -- \
     psql -d bometadata -c \
     "ALTER USER bometa WITH ENCRYPTED PASSWORD '<new-password>'"

10. Scale the immuta-database StatefulSet up to the previous replica count determined in the previous step:

    Copy

    kubectl scale statefulset <release-name>-immuta-database --replicas $DATABASE_REPLICA_COUNT

11. Restart web pods:

    Copy

    kubectl rollout restart deployment/<release-name>-immuta-web