Skip to content

You are viewing documentation for Immuta version 2022.5.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Changing Database Passwords

Resetting Passwords

The following procedure walks through the process of changing passwords for the database users in the Immuta Database.

The commands outlined here will need to be altered depending on your Helm release name and chosen passwords. Depending on your environment, there may be other changes required for the commands to complete successfully, including, but not limited to, Kubernetes namespace, kubectl context, and Helm values file name.

This process results in downtime.

Helm Values

  1. Scale database StatefulSet to 1 replica:

    kubectl scale statefulset <release-name>-immuta-database --replicas 1
    
  2. Change database.superuserPassword:

    1. Alter Postgres user password:
    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-password>'"
    
    1. Update database.superuserPassword with <new-password> in immuta-values.yaml.
  3. Change database.replicationPassword:

    1. Alter replicator user password:
    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-password>'"
    
    1. Update database.replicationPassword with <new-password> in immuta-values.yaml.
  4. Change database.password:

    1. Alter bometa user password:
    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER bometa WITH ENCRYPTED PASSWORD '<new-password>'"
    
    1. Update database.password with <new-password> in immuta-values.yaml.
  5. Update database.patroniApiPassword with <new-password> in immuta-values.yaml.

  6. Run helm upgrade to persist the changes and scale the database StatefulSet up:

    helm upgrade --reuse-values <release-name> immuta/immuta
    
  7. Restart web pods:

    kubectl rollout restart deployment/<release-name>-immuta-web
    

Kubernetes Secret

Users have the option to use an existing Kubernetes secret for Immuta database passwords used in Helm installations.

  1. Update your existingSecret values in your Kubernetes environment.

  2. Get the current replica counts:

    DATABASE_REPLICA_COUNT=$(kubectl get statefulset --selector "app.kubernetes.io/component=database" --output=jsonpath='{.items[0].status.replicas}')
    
  3. Scale database StatefulSet to 1 replica:

    kubectl scale statefulset <release-name>-immuta-database --replicas 1
    
  4. Change the value corresponding to database.superuserPassword in the existing Kubernetes Secret.

  5. Alter Postgres user password:

    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-password>'"
    
  6. Change the value corresponding to database.replicationPassword in the existing Kubernetes Secret.

  7. Alter replicator user password:

    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-password>'"
    
  8. Change the value corresponding to database.password in the existing Kubernetes Secret.

  9. Alter bometa user password:

    kubectl exec <release-name>-immuta-database-0 -- \
      psql -d bometadata -c \
      "ALTER USER bometa WITH ENCRYPTED PASSWORD '<new-password>'"
    
  10. Scale the immuta-database StatefulSet up to the previous replica count determined in the previous step:

    kubectl scale statefulset <release-name>-immuta-database --replicas $DATABASE_REPLICA_COUNT
    
  11. Restart web pods:

    kubectl rollout restart deployment/<release-name>-immuta-web