Rotate the Administrator Password

      How to rotate the administrator password.

      Password rotation is an essential part of maintaining high levels of security within a Couchbase cluster. For more information see the credential rotation concepts documentation.

      Choosing and Preparing a New Password

      The first step in rotating a password is to generate a new one. We recommend delegating this to a dedicated password-generation tool. The following demonstration uses apg:

      $ apg -M SNCL -m 32 -n 1

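      For simplicity, we will replace the value held in the secret directly, so the new password needs to be base64 encoded. The -n flag stops echo from appending a newline, which would otherwise be encoded as part of the password: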

      $ echo -n 'MigdacalOn87scheav>odmagilEnhit9' | base64

      Updating the Administrator Secret

      The administrator user secret is defined by the couchbaseclusters.spec.security.adminSecret attribute in a CouchbaseCluster resource:

      $ kubectl get couchbasecluster/cb-example -o json | jq .spec.security.adminSecret

      Next, edit the secret:

      $ kubectl edit secret/cb-example-auth
      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      apiVersion: v1
      data:
        password: cGFzc3dvcmQ= (1)
        username: QWRtaW5pc3RyYXRvcg==
      kind: Secret
      metadata:
        creationTimestamp: "2020-11-11T11:17:25Z"
        name: cb-example-auth
        namespace: default
        resourceVersion: "1890"
        selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
        uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
      type: Opaque
      (1) Replace the password data item with the new base64-encoded value, then save and quit your editor.

      Your resource should look like the following after editing:

      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      apiVersion: v1
      data:
        password: TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=
        username: QWRtaW5pc3RyYXRvcg==
      kind: Secret
      metadata:
        creationTimestamp: "2020-11-11T11:17:25Z"
        name: cb-example-auth
        namespace: default
        resourceVersion: "1890"
        selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
        uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
      type: Opaque

      You can verify the change has been successfully made by consulting the logs:

      $ kubectl logs -f deployment/couchbase-operator
      {"level":"info","ts":1605093846.9616146,"logger":"cluster","msg":"Rotating admin password","cluster":"default/cb-example"}

      The Operator will also raise an event that can be monitored by an external client:

      $ kubectl describe couchbasecluster/cb-example
        Type    Reason                Age    From  Message
        ----    ------                ----   ----  -------
        Normal  AdminPasswordChanged  3m23s        The cluster admin password was changed
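
The rotation steps above as a non-interactive script, added here as an example and not part of the Operator documentation. It assumes kubectl patch is acceptable in place of kubectl edit, checks that the encoded value round-trips before touching the secret, and uses hypothetical function names; the resource names are the page's sample values.

```shell
#!/bin/sh
# Added example: scripted form of the manual rotation steps above.
# Resource names are the page's sample values; function names are hypothetical.
SECRET="cb-example-auth"
NAMESPACE="default"
CLUSTER="cb-example"

# Encode the password byte-for-byte. printf '%s' never appends a newline,
# and tr removes the line wrapping some base64 builds add to long output.
encode_password() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode again and compare with the intended password. The trailing "x"
# keeps command substitution from hiding a newline that was encoded by
# mistake (for example by echo without -n).
verify_encoding() {
  decoded="$(printf '%s' "$2" | base64 -d; printf x)"
  [ "${decoded%x}" = "$1" ]
}

# Merge patch touching only data.password; username and metadata are kept.
# The patch holds base64 text only, so quotes or backslashes in a generated
# password need no JSON escaping.
build_patch() {
  printf '{"data":{"password":"%s"}}' "$(encode_password "$1")"
}

rotate_admin_password() {
  encoded="$(encode_password "$1")"
  if ! verify_encoding "$1" "$encoded"; then
    echo "encoded value does not round-trip; secret not changed" >&2
    return 1
  fi
  kubectl -n "$NAMESPACE" patch secret "$SECRET" --type merge \
    -p "$(build_patch "$1")" || return 1
  # The Operator reports the rotation as an AdminPasswordChanged event;
  # it appears once the Operator has reconciled the change.
  kubectl -n "$NAMESPACE" describe "couchbasecluster/$CLUSTER" \
    | grep AdminPasswordChanged
}

# Touch the cluster only when asked to: ./rotate.sh --apply
if [ "${1:-}" = "--apply" ]; then
  rotate_admin_password "$(apg -M SNCL -m 32 -n 1)"
fi
```

Run without arguments, the script only defines the functions, so the encoding helpers can be checked before anything is applied to a cluster.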