| Redis Enterprise for Kubernetes |
|---|
Redis Enterprise for Kubernetes uses a custom resource called RedisEnterpriseCluster to create a Redis Enterprise cluster (REC). During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) secret. The secret name defaults to the name of the cluster.
The credentials can be used to access the Redis Enterprise admin console or the API. Connectivity must be configured to the REC pods using an appropriate service (or port forwarding).
Inspect the random username and password created by the operator during creation with the kubectl get secret command.
```shell
kubectl get secret rec -o jsonpath='{.data}'
```
The command outputs the encoded password and username, similar to the example below.
```
map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]
```
Decode the password and username with the echo command and the password from the previous step.
```shell
echo MTIzNDU2NzgK | base64 --decode
```
This outputs the password and username in plain text. In this example, the plain text password is 12345678 and the username is demo@example.com.
```shell
# Open a shell in the first REC pod.
kubectl exec -it <rec-resource-name>-0 -c redis-enterprise-node -- /bin/bash
```

```shell
# Run inside the pod: add the new password to the existing user.
# Each assignment ends with ';' so the variables are set before the shell
# expands them in the curl arguments.
REC_USER="$(cat /opt/redislabs/credentials/username)"; \
REC_PASSWORD="$(cat /opt/redislabs/credentials/password)"; \
curl -k --request POST \
  --url https://localhost:9443/v1/users/password \
  -u "$REC_USER:$REC_PASSWORD" \
  --header 'Content-Type: application/json' \
  --data "{\"username\":\"$REC_USER\", \
  \"old_password\":\"$REC_PASSWORD\", \
  \"new_password\":\"<NEW PASSWORD>\"}"
```

```shell
# Update the REC credential secret with the new password.
kubectl create secret generic <cluster_secret_name> \
  --save-config \
  --dry-run=client \
  --from-literal=username=<current-username> \
  --from-literal=password=<new-password> \
  -o yaml | \
kubectl apply -f -
```
Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
Access a pod running a Redis Enterprise cluster again.
```shell
kubectl exec -it <rec-resource-name>-0 -c redis-enterprise-node -- /bin/bash
```

```shell
# Run inside the pod: remove the old password from the user.
REC_USER="$(cat /opt/redislabs/credentials/username)"; \
REC_PASSWORD="$(cat /opt/redislabs/credentials/password)"; \
curl -k --request DELETE \
  --url https://localhost:9443/v1/users/password \
  -u "$REC_USER:$REC_PASSWORD" \
  --header 'Content-Type: application/json' \
  --data "{\"username\":\"$REC_USER\", \
  \"old_password\":\"<OLD PASSWORD>\"}"
```
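The curl commands above splice the credentials directly into a JSON string, so a password containing a double quote or a backslash produces a malformed or altered request body. The following is an added example, not part of the Redis documentation: the function names are hypothetical, the sample credentials are constructed, and only the JSON field names come from the commands above.

```shell
#!/bin/sh
# Added example (not Redis's own code). Builds the JSON bodies used by the
# /v1/users/password calls above with the credentials escaped, so a quote or
# backslash in a password cannot break or alter the request.
# Function names are hypothetical; field names are taken from the page.

# json_escape STRING: print STRING escaped for a JSON string literal.
# Returns 1 if STRING contains control characters (newline, tab, ...).
json_escape() {
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:cntrl:]')
    [ "$stripped" = "$1" ] || return 1
    # Backslashes first, then double quotes.
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# add_password_body USER OLD NEW: body for the POST that adds NEW.
add_password_body() {
    u=$(json_escape "$1") && o=$(json_escape "$2") &&
        n=$(json_escape "$3") || return 1
    printf '{"username":"%s","old_password":"%s","new_password":"%s"}' \
        "$u" "$o" "$n"
}

# delete_password_body USER OLD: body for the DELETE that removes OLD.
delete_password_body() {
    u=$(json_escape "$1") && o=$(json_escape "$2") || return 1
    printf '{"username":"%s","old_password":"%s"}' "$u" "$o"
}

# Constructed sample values; the new password holds a quote and a backslash.
add_password_body 'demo@example.com' '12345678' 'p"ss\word'
echo
delete_password_body 'demo@example.com' '12345678'
echo
```

Inside the pod, the result can be passed to curl as `--data "$(add_password_body "$REC_USER" "$REC_PASSWORD" "$NEW_PASSWORD")"`, where `NEW_PASSWORD` is a variable you set yourself.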
Add another admin user and choose a new password.
Specify the new username in the username field of your REC custom resource spec.
Update the REC credential secret:
```shell
kubectl create secret generic <cluster_secret_name> \
  --save-config \
  --dry-run=client \
  --from-literal=username=<new-username> \
  --from-literal=password=<new-password> \
  -o yaml | \
kubectl apply -f -
```
Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
Delete the previous admin user from the cluster.
If you store your secrets with HashiCorp Vault, update the secret for the REC credentials with the following key-value pairs:

```
username:<desired_username>, password:<desired_password>
```

For more information about Vault integration with the Redis Enterprise cluster, see Integrating Redis Enterprise for Kubernetes with HashiCorp Vault.