# Rotating Credentials

This guide demonstrates how to update credentials referenced in the Immuta Enterprise Helm chart (IEHC).

{% hint style="info" %}
**Kubernetes namespace**

The following section(s) presume the IEHC was deployed into namespace `immuta` and that the current namespace is `immuta`.
{% endhint %}

## Kubernetes secrets

### Edit secrets

{% hint style="info" %}
**Using an alternative editor**

Set environment variable `KUBE_EDITOR` to specify an alternative text editor.
{% endhint %}

1. Validate that secret `immuta-secret` exists in the current namespace.

   ```shell
   kubectl get secret/immuta-secret
   ```
2. Edit secret `immuta-secret` in place.

   ```shell
   kubectl edit secret/immuta-secret
   ```
3. Edit secret `immuta-legacy-secret` in place. *Skip this step if the legacy query engine and fingerprint services are disabled (the default).*

   ```shell
   kubectl edit secret/immuta-legacy-secret
   ```
4. Restart pods.

   ```shell
   kubectl rollout restart deployment --selector "app.kubernetes.io/component in (audit,secure)"
   ```

### Legacy query engine

{% hint style="info" %}
**Considerations when using the legacy query engine**

The following section is only necessary if the [legacy query engine and fingerprint services have been enabled](/2024.2/self-managed-deployment/configure/enabling-legacy-query-engine-and-fingerprint.md).
{% endhint %}

1. Validate that secret `immuta-legacy-secret` exists in the current namespace.

   ```shell
   kubectl get secret/immuta-legacy-secret
   ```
2. Get the query engine replica count. This value will be referenced in subsequent step(s).

   ```shell
   kubectl get statefulset --selector "app.kubernetes.io/component=query-engine" --output jsonpath='{.items[*].spec.replicas}'
   ```
3. Scale the replica count down to `1`.

   ```shell
   kubectl scale statefulset --all --replicas 1 --selector "app.kubernetes.io/component=query-engine"
   ```
4. Get the query engine pod name. This value will be referenced in subsequent step(s).

   ```shell
   kubectl get pod --selector "app.kubernetes.io/component=query-engine"
   ```
5. Update the [placeholder value](/2024.2/self-managed-deployment/conventions.md) with a query engine superuser password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-patroni-superuser-password>'"
   ```
6. Update the [placeholder value](/2024.2/self-managed-deployment/conventions.md) with a query engine replication password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-patroni-replication-password>'"
   ```
7. Update the [placeholder value](/2024.2/self-managed-deployment/conventions.md) with a query engine feature password.

   ```shell
   kubectl exec pod/<query-engine-pod-name> -- \
       psql -d immuta -c \
       "ALTER USER feature_service WITH ENCRYPTED PASSWORD '<new-immuta-feature-password>'"
   ```
8. Scale the replica count back up to the previous value by updating the [placeholder value](/2024.2/self-managed-deployment/conventions.md).

   ```shell
   kubectl scale statefulset --all --replicas <query-engine-previous-replica-count> --selector "app.kubernetes.io/component=query-engine"
   ```
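
Steps 5 through 7 place the new password inside a `psql -c` argument, so it lands in shell history and a password containing a single quote breaks the statement. The following added example (not part of the Immuta chart or documentation) builds the same `ALTER USER` statement with the quote escaped and sends it to `psql` on stdin; the function names `sql_literal`, `alter_user_sql` and `rotate_role` are hypothetical, and it assumes PostgreSQL's default `standard_conforming_strings=on`.

```shell
#!/bin/sh
# Added example, not Immuta's code. Assumes the current namespace is `immuta`
# and that the pod name comes from step 4 of the procedure above.

# Render a value as a SQL string literal by doubling embedded single quotes.
sql_literal() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Build the ALTER USER statement from the guide for one of its three roles.
alter_user_sql() {   # usage: alter_user_sql <role> <password>
  case "$1" in
    postgres|replicator|feature_service) ;;   # roles named in steps 5-7
    *) echo "unexpected role: $1" >&2; return 1 ;;
  esac
  printf 'ALTER USER %s WITH ENCRYPTED PASSWORD %s;' "$1" "$(sql_literal "$2")"
}

# Prompt for the password without echo, then pipe the SQL to psql on stdin so
# the password is neither in shell history nor in the process arguments.
rotate_role() {   # usage: rotate_role <query-engine-pod-name> <role>
  printf 'New password for %s: ' "$2" >&2
  stty -echo 2>/dev/null
  IFS= read -r pw
  stty echo 2>/dev/null
  echo >&2
  sql=$(alter_user_sql "$2" "$pw") || { unset pw; return 1; }
  unset pw
  # printf is a shell builtin, so the statement never appears in a process list.
  printf '%s\n' "$sql" |
    kubectl exec -i "pod/$1" -- psql -d immuta -v ON_ERROR_STOP=1 -q
  rc=$?
  unset sql
  return $rc
}
```

Source the file and call `rotate_role <query-engine-pod-name> postgres`, then repeat for `replicator` and `feature_service`, between the scale-down and scale-up steps.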

## Apply Helm values

1. Update credentials in the `immuta-values.yaml` file.
2. Perform a [Helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) to apply the changes made to `immuta-values.yaml`. Update the [placeholder value](/2024.2/self-managed-deployment/conventions.md) with your own release name.

   ```shell
   helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.20
   ```


