# Rotating Credentials

This guide demonstrates how to update credentials referenced in the Immuta Enterprise Helm chart (IEHC).

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the IEHC was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

## Kubernetes secrets

### Edit secrets

{% hint style="info" %}
**Using an alternative editor**

Set environment variable `KUBE_EDITOR` to specify an alternative text editor.
{% endhint %}

1. Validate that secret `immuta-secret` exists in the current namespace.

   ```shell
   kubectl get secret/immuta-secret
   ```
2. Edit secret `immuta-secret` in place.

   ```shell
   kubectl edit secret/immuta-secret
   ```
3. Edit secret `immuta-legacy-secret` in place. *Skip this step if the legacy query engine and fingerprint services are disabled (the default).*

   ```shell
   kubectl edit secret/immuta-legacy-secret
   ```
4. Restart pods.

   ```shell
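   # A comma between equality selectors means AND, which can never match two values of the same label.
   # The set-based form selects deployments whose component is either audit or secure.
   kubectl rollout restart deployment --selector "app.kubernetes.io/component in (audit,secure)"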
   ```

### Legacy query engine

{% hint style="info" %}
**Considerations when using the legacy query engine**

The following section is only necessary if the [legacy query engine and fingerprint services have been enabled](https://documentation.immuta.com/2024.2/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint).
{% endhint %}

1. Validate that secret `immuta-legacy-secret` exists in the current namespace.

   ```shell
   kubectl get secret/immuta-legacy-secret
   ```
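2. Get the query engine replica count. This value will be referenced in subsequent step(s).

   ```shell
   # Print the desired replica count next to the StatefulSet name.
   kubectl get statefulset --selector "app.kubernetes.io/component=query-engine" --output custom-columns=NAME:.metadata.name,REPLICAS:.spec.replicas
   ```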
3. Scale the replica count down to `1`.

   ```shell
   kubectl scale statefulset --all --replicas 1 --selector "app.kubernetes.io/component=query-engine"
   ```
4. Get the query engine pod name. This value will be referenced in subsequent step(s).

   ```shell
   kubectl get pod --selector "app.kubernetes.io/component=query-engine"
   ```
5. Update the [placeholder value](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions) with a query engine superuser password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-patroni-superuser-password>'"
   ```
6. Update the [placeholder value](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions) with a query engine replication password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-patroni-replication-password>'"
   ```
7. Update the [placeholder value](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions) with a query engine feature password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER feature_service WITH ENCRYPTED PASSWORD '<new-immuta-feature-password>'"
   ```
8. Scale the replica count back up to the previous value by updating the [placeholder value](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions).

   ```shell
   kubectl scale statefulset --all --replicas <query-engine-previous-replica-count> --selector "app.kubernetes.io/component=query-engine"
   ```
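
Steps 5 to 7 put each new password on the `kubectl exec` command line, where it lands in shell history and breaks the statement if it contains a single quote. The script below is an added example, not part of the Immuta chart or its documentation: it prompts for each password with echo disabled, doubles embedded single quotes, and sends the statement to `psql` over standard input. The function names and the `--run` argument are illustrative assumptions; the roles, database name and `psql` invocation are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not Immuta tooling. Covers steps 5-7 only: run it after
# scaling down to one replica (step 3), then scale back up as in step 8.
set -eu

# Roles named in steps 5-7 of this guide.
ROLES="postgres replicator feature_service"

# Render a value as a SQL string literal by doubling embedded single quotes.
# Assumes standard_conforming_strings=on (the PostgreSQL default), so a
# backslash needs no escaping.
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the ALTER USER statement the guide passes to psql -c.
alter_user_sql() {  # $1 = role, $2 = new password
  case "$1" in
    postgres|replicator|feature_service) ;;
    *) echo "unexpected role: $1" >&2; return 1 ;;
  esac
  printf 'ALTER USER %s WITH ENCRYPTED PASSWORD %s;\n' "$1" "$(sql_literal "$2")"
}

# Prompt with echo disabled so the password stays out of shell history.
prompt_password() {  # sets NEW_PW
  printf 'New password for %s: ' "$1" >&2
  stty -echo; IFS= read -r NEW_PW || NEW_PW=""; stty echo; echo >&2
  [ -n "$NEW_PW" ] || { echo "empty password for $1" >&2; return 1; }
}

rotate_role() {  # $1 = pod name, $2 = role
  prompt_password "$2"
  # The statement travels on stdin, so it never appears in a process list.
  alter_user_sql "$2" "$NEW_PW" |
    kubectl exec -i "pod/$1" -- psql -d immuta -v ON_ERROR_STOP=1
}

# Usage: sh rotate-query-engine.sh --run <query-engine-pod-name>
if [ "${1:-}" = "--run" ]; then
  for role in $ROLES; do
    rotate_role "${2:?query engine pod name required}" "$role"
  done
fi
```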

## Apply Helm values

1. Update credentials in the `immuta-values.yaml` file.
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`. Update the [placeholder value](https://documentation.immuta.com/2024.2/self-managed-deployment/conventions) with your own release name.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```
