Rotate the Administrator Password

    How to rotate the administrator password.

    Password rotation is an essential part of maintaining high levels of security within a Couchbase cluster. For more information see the credential rotation concepts documentation.

    Choosing and Preparing a New Password

    The first step in rotating a password is to generate a new one. It's recommended that you delegate this to a dedicated password generator. The following demonstration uses apg:

    $ apg -M SNCL -m 32 -n 1
    MigdacalOn87scheav>odmagilEnhit9

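    For simplicity, we will replace the secret value with a straight swap, so the new password needs to be base64 encoded. The -n flag stops echo from appending a newline, which would otherwise be encoded as part of the password: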

    $ echo -n 'MigdacalOn87scheav>odmagilEnhit9' | base64
    TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=

    Updating the Administrator Secret

    The administrator user secret is defined by the couchbaseclusters.spec.security.adminSecret attribute in a CouchbaseCluster resource:

    $ kubectl get couchbasecluster/cb-example -o json | jq .spec.security.adminSecret
    "cb-example-auth"

    Next, edit the secret:

    $ kubectl edit secret/cb-example-auth
    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      password: cGFzc3dvcmQ= (1)
      username: QWRtaW5pc3RyYXRvcg==
    kind: Secret
    metadata:
      creationTimestamp: "2020-11-11T11:17:25Z"
      name: cb-example-auth
      namespace: default
      resourceVersion: "1890"
      selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
      uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
    type: Opaque
    (1) Replace the password data item with the new base64-encoded value, then save and quit your editor.

    Your resource should look like the following after editing:

    # Please edit the object below. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: v1
    data:
      password: TWlnZGFjYWxPbjg3c2NoZWF2Pm9kbWFnaWxFbmhpdDk=
      username: QWRtaW5pc3RyYXRvcg==
    kind: Secret
    metadata:
      creationTimestamp: "2020-11-11T11:17:25Z"
      name: cb-example-auth
      namespace: default
      resourceVersion: "1890"
      selfLink: /api/v1/namespaces/default/secrets/cb-example-auth
      uid: 96350ef3-2548-4a7a-b4cc-1f074d0c1c09
    type: Opaque
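
The encoding step is where this procedure most often goes wrong: a stray trailing newline becomes part of the stored password. The following is an added example, not part of the original documentation, and the function names encode_secret, check_encoded and build_patch are hypothetical. It encodes the value byte-for-byte, rejects encoded values that decode with trailing whitespace, and produces the JSON merge patch equivalent to the manual edit above (GNU base64 is assumed for the -d flag).

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Couchbase or kubectl APIs.

# Encode a secret exactly as given. printf '%s' never appends a newline
# (echo -n is not portable across shells), and tr removes the line wrapping
# that GNU base64 inserts after 76 output characters.
encode_secret() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed only if the value is valid base64 and decodes to a non-empty
# string with no trailing newline or carriage return.
check_encoded() {
    nl='
'
    cr=$(printf '\r')
    # The sentinel "x" keeps command substitution from stripping newlines.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
    decoded=${decoded%x}
    [ -n "$decoded" ] || return 1
    case "$decoded" in
        *"$nl"|*"$cr") return 1 ;;
    esac
    return 0
}

# Build the merge patch for the password data item of the admin secret.
# The base64 alphabet needs no JSON escaping.
build_patch() {
    enc=$(encode_secret "$1") || return 1
    check_encoded "$enc" || return 1
    printf '{"data":{"password":"%s"}}' "$enc"
}

# Non-interactive alternative to `kubectl edit` (requires cluster access):
#   kubectl patch secret cb-example-auth --type merge -p "$(build_patch "$NEW_PASSWORD")"
```

check_encoded can also be run against a value already pasted into the editor; for example it rejects cGFzc3dvcmQK, which is "password" followed by a newline.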

    You can verify the change has been successfully made by consulting the logs:

    $ kubectl logs -f deployment/couchbase-operator
    ...
    {"level":"info","ts":1605093846.9616146,"logger":"cluster","msg":"Rotating admin password","cluster":"default/cb-example"}

    The Operator will also raise an event that can be monitored by an external client:

    $ kubectl describe couchbasecluster/cb-example
    ...
    Events:
      Type    Reason                Age    From  Message
      ----    ------                ----   ----  -------
      Normal  AdminPasswordChanged  3m23s        The cluster admin password was changed