Rotating Credentials
This guide demonstrates how to update credentials referenced in the Immuta Enterprise Helm chart (IEHC).
Kubernetes namespace
The following sections presume the IEHC was deployed into namespace immuta and that the current namespace is immuta.
Kubernetes secrets
Edit secrets
Using an alternative editor: set the environment variable KUBE_EDITOR to specify an alternative text editor.
- Validate that secret immuta-secret exists in the current namespace.
    kubectl get secret/immuta-secret
- Edit secret immuta-secret in place.
    kubectl edit secret/immuta-secret
- Edit secret immuta-legacy-secret in place. Skip this step if the legacy query engine and fingerprint services are disabled (the default).
    kubectl edit secret/immuta-legacy-secret
- Restart pods. The selector must match either component, so the set-based form is used; a comma-separated selector that repeats the same label key with two different values is an AND and matches nothing.
    kubectl rollout restart deployment --selector "app.kubernetes.io/component in (audit,secure)"
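As an added example that is not part of the Immuta documentation, the following shell functions perform the edit-and-restart steps above non-interactively: one key in a secret is replaced with kubectl patch instead of kubectl edit, the stored value is read back and compared, and the audit and secure deployments are restarted. It assumes kubectl is configured for the immuta namespace; the secret key name and the new value are supplied by the caller and are placeholders here, not names taken from the chart.

```shell
#!/bin/sh
# Added example, not part of the Immuta documentation. Non-interactive
# equivalent of "kubectl edit secret/immuta-secret" followed by the pod
# restart. Assumes kubectl is configured for the immuta namespace.
set -eu

# Secret values live under .data as base64. Encode with printf rather than
# echo so no trailing newline ends up inside the credential, and strip the
# line wrapping that base64 inserts for long inputs.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Build a strategic-merge patch that replaces exactly one key under .data.
# Usage: secret_patch_json KEY VALUE   -> {"data":{"KEY":"<base64>"}}
secret_patch_json() {
  printf '{"data":{"%s":"%s"}}' "$1" "$(b64 "$2")"
}

# Decode a stored value so the rotation can be verified before restarting.
# Usage: decode_secret_value BASE64
decode_secret_value() {
  printf '%s' "$1" | base64 -d
}

# Patch one key of a secret, confirm the stored value round-trips, then
# restart the deployments that consume the secret.
# Usage: rotate_secret_key SECRET KEY NEW_VALUE
# (key names containing dots must have the dots escaped as \. in jsonpath)
rotate_secret_key() {
  secret=$1 key=$2 value=$3
  kubectl patch "secret/$secret" --type merge \
    --patch "$(secret_patch_json "$key" "$value")"
  stored=$(kubectl get "secret/$secret" --output "jsonpath={.data.$key}")
  [ "$(decode_secret_value "$stored")" = "$value" ] || {
    echo "stored value for $key does not match the new value" >&2; return 1; }
  kubectl rollout restart deployment \
    --selector "app.kubernetes.io/component in (audit,secure)"
}

# Example invocation; <secret-key-name> is a placeholder, not a chart key:
# rotate_secret_key immuta-secret <secret-key-name> "$(openssl rand -base64 24)"
```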
Legacy query engine
Considerations when using the legacy query engine: the following section is only necessary if the legacy query engine and fingerprint services have been enabled.
- Validate that secret immuta-legacy-secret exists in the current namespace.
    kubectl get secret/immuta-legacy-secret
- Get the query engine replica count; this value is referenced in subsequent steps. A label selector returns a list, so the template iterates over items.
    kubectl get statefulset --selector "app.kubernetes.io/component=query-engine" --output template='{{ range .items }}{{ .status.replicas }}{{ "\n" }}{{ end }}'
- Scale the replica count down to 1.
    kubectl scale statefulset --all --replicas 1 --selector "app.kubernetes.io/component=query-engine"
- Get the query engine pod name; this value is referenced in subsequent steps.
    kubectl get pod --selector "app.kubernetes.io/component=query-engine"
- Update the placeholder value with a query engine superuser password.
    kubectl exec pod/<query-engine-pod-name> -- \
      psql -d immuta -c \
      "ALTER USER postgres WITH ENCRYPTED PASSWORD '<new-patroni-superuser-password>'"
- Update the placeholder value with a query engine replication password.
    kubectl exec pod/<query-engine-pod-name> -- \
      psql -d immuta -c \
      "ALTER USER replicator WITH ENCRYPTED PASSWORD '<new-patroni-replication-password>'"
- Update the placeholder value with a query engine feature password.
    kubectl exec pod/<query-engine-pod-name> -- \
      psql -d immuta -c \
      "ALTER USER feature_service WITH ENCRYPTED PASSWORD '<new-immuta-feature-password>'"
- Scale the replica count back up to the previous value by updating the placeholder value.
    kubectl scale statefulset --all --replicas <query-engine-previous-replica-count> --selector "app.kubernetes.io/component=query-engine"
Apply Helm values
- Update credentials in the immuta-values.yaml file.
- Perform a Helm upgrade to apply the changes made to immuta-values.yaml. Update the placeholder value with your own release name.
    helm upgrade <release-name> oci://ocir.immuta.com/stable/immuta-enterprise --values immuta-values.yaml --version 2024.2.3