Rotate the Administrator Password

    How to rotate the administrator password.

    Password rotation is an essential part of maintaining high levels of security within a Couchbase cluster. For more information see the credential rotation concepts documentation.

    Choosing and Preparing a New Password

    The first step in rotating a password is to generate a new one. It’s recommended that you delegate this to a dedicated password-generation tool. The following demonstration uses apg:

    $ apg -M SNCL -m 32 -n 1
    MigdacalOn87scheav>odmagilEnhit9

    For simplicity, we will replace the secret with a straight swap of the stored value, so the new password needs to be base64 encoded first:

    $ echo -n 'MigdacalOn87scheav>odmagilEnhit9' | base64
    TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=

    Updating the Administrator Secret

    The administrator user secret is defined by the couchbaseclusters.spec.security.adminSecret attribute in a CouchbaseCluster resource:

    $ kubectl get couchbasecluster/cb-example -o json | jq .spec.security.adminSecret
    "cb-example-auth"

    Next, edit the secret:

    $ kubectl edit secret/cb-example-auth
    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      password: cGFzc3dvcmQ= # (1)
      username: QWRtaW5pc3RyYXRvcg==
    kind: Secret
    metadata:
      creationTimestamp: "2020-11-11T11:17:25Z"
      name: cb-example-auth
      namespace: default
      resourceVersion: "1890"
      selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
      uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
    type: Opaque
    (1) Replace the password data item with the new base64-encoded value, then save and quit your editor.

    Your resource should look like the following after editing:

    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      password: TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=
      username: QWRtaW5pc3RyYXRvcg==
    kind: Secret
    metadata:
      creationTimestamp: "2020-11-11T11:17:25Z"
      name: cb-example-auth
      namespace: default
      resourceVersion: "1890"
      selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
      uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
    type: Opaque

    You can verify the change has been successfully made by consulting the logs:

    $ kubectl logs -f deployment/couchbase-operator
    ...
    {"level":"info","ts":1605093846.9616146,"logger":"cluster","msg":"Rotating admin password","cluster":"default/cb-example"}

    The Operator will also raise an event that can be monitored by an external client:

    $ kubectl describe couchbasecluster/cb-example
    ...
    Events:
      Type    Reason                Age    From  Message
      ----    ------                ----   ----  -------
      Normal  AdminPasswordChanged  3m23s        The cluster admin password was changed
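
The same rotation can be run without an interactive editor. The script below is an added example, not part of the Couchbase documentation: `encode_password`, `build_patch` and `rotation_logged` are hypothetical helper names, and the commented usage assumes a kubectl release that supports `--patch-file`. It reads the password from stdin so the plaintext stays out of shell history, and it tolerates the trailing newline that apg prints.

```shell
#!/bin/sh
# Added example; encode_password, build_patch and rotation_logged are
# hypothetical helper names, not Operator or kubectl features.

# Operator log line copied from the page, used as sample input.
SAMPLE_LOG='{"level":"info","ts":1605093846.9616146,"logger":"cluster","msg":"Rotating admin password","cluster":"default/cb-example"}'

# Base64-encode the password read from stdin. Taking it from stdin keeps it
# out of shell history and argv; the subshell body keeps the plaintext out of
# the caller's variables.
encode_password() (
    IFS= read -r pw || true        # accept input with or without a newline
    [ -n "$pw" ] || exit 1         # refuse to encode an empty password
    # printf '%s' emits no trailing newline (the job of `echo -n` on the page);
    # tr removes the line wrapping some base64 builds add to long output.
    printf '%s' "$pw" | base64 | tr -d '\n'
)

# Build a JSON merge patch that replaces only data.password. The base64
# alphabet contains no JSON metacharacters, so interpolation is safe.
build_patch() {
    printf '{"data":{"password":"%s"}}' "$1"
}

# Succeed if the Operator log on stdin records a rotation for cluster $1
# (given as namespace/name, as in the log's "cluster" field).
rotation_logged() {
    grep -F '"msg":"Rotating admin password"' | grep -qF "\"cluster\":\"$1\""
}

# Usage against a live cluster (shown for reference, not executed here;
# assumes a kubectl that supports --patch-file):
#   umask 077
#   build_patch "$(apg -M SNCL -m 32 -n 1 | encode_password)" > patch.json
#   kubectl patch secret/cb-example-auth --type merge --patch-file patch.json
#   rm -f patch.json
#   kubectl logs deployment/couchbase-operator | rotation_logged default/cb-example
```

Writing the patch to a file created under `umask 077` keeps the encoded password out of the kubectl command line; base64 is an encoding, not protection, so the file should be removed once the patch is applied.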