Rotate the Administrator Password

      +
      How to rotate the administrator password.

      Password rotation is an essential part of maintaining high levels of security within a Couchbase cluster. For more information see the credential rotation concepts documentation.

      Choosing and Preparing a New Password

      The first step to rotating a password is to generate a new one. It’s recommended that you delegate this task to a dedicated tool that is good at this task. For the following demonstration we will use apg:

      $ apg -M SNCL -m 32 -n 1
      MigdacalOn87scheav>odmagilEnhit9

      When replacing secrets — for simplicity — we will do a straight swap, so need to base64 encode it:

      $ echo -n 'MigdacalOn87scheav>odmagilEnhit9' | base64
      TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=

      Updating the Administrator Secret

      The administrator user secret is defined by the couchbaseclusters.spec.security.adminSecret attribute in a CouchbaseCluster resource:

      $ kubectl get couchbasecluster/cb-example -o json | jq .spec.security.adminSecret
      "cb-example-auth"

      Next, edit the secret:

      $ kubectl edit secret/cb-example-auth
      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      #
      apiVersion: v1
      data:
        password: cGFzc3dvcmQ= (1)
        username: QWRtaW5pc3RyYXRvcg==
      kind: Secret
      metadata:
        creationTimestamp: "2020-11-11T11:17:25Z"
        name: cb-example-auth
        namespace: default
        resourceVersion: "1890"
        selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
        uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
      type: Opaque
      1 Replace the password data item with our new, base64 encoded value, save and quit from your editor.

      Your resource should look like the following after editing:

      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      #
      apiVersion: v1
      data:
        password: TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=
        username: QWRtaW5pc3RyYXRvcg==
      kind: Secret
      metadata:
        creationTimestamp: "2020-11-11T11:17:25Z"
        name: cb-example-auth
        namespace: default
        resourceVersion: "1890"
        selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
        uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
      type: Opaque

      You can verify the change has been successfully made by consulting the logs:

      $ kubectl logs -f deployment/couchbase-operator
      ...
      {"level":"info","ts":1605093846.9616146,"logger":"cluster","msg":"Rotating admin password","cluster":"default/cb-example"}

      The Operator will also raise an event that can be monitored by an external client:

      $ kubectl describe couchbasecluster/cb-example
      ...
      Events:
        Type    Reason                Age    From  Message
        ----    ------                ----   ----  -------
        Normal  AdminPasswordChanged  3m23s        The cluster admin password was changed