管理 Redis Enterprise 集群 (REC) 凭证
| 适用于 Kubernetes 的 Redis Enterprise |
|---|
Redis Enterprise for Kubernetes 使用名为RedisEnterpriseCluster创建 Redis Enterprise 集群 (REC)。在创建过程中,它会生成随机凭证供作员使用。凭证保存在 Kubernetes (K8s) 密钥中。密钥名称默认为集群的名称。
检索当前用户名和密码
这些凭证可用于访问 Redis Enterprise Admin Console 或 API。必须使用适当的服务(或端口转发)配置与 REC Pod 的连接。
-
检查作员在创建过程中创建的随机用户名和密码,使用
kubectl get secret命令。kubectl get secret rec -o jsonpath='{.data}'The command outputs the encoded password and username, similar to the example below.map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=] -
Decode the password and username with the
echocommand and the password from the previous step.echo MTIzNDU2NzgK | base64 --decodeThis outputs the password and username in plain text. In this example, the plain text password is12345678and the username isdemo@example.com.
Change the Redis Enterprise cluster (REC) credentials
Change the REC password for the current username
- Access a pod running a Redis Enterprise cluster.
kubectl exec -it <rec-resource-name>-0 bash
- Add a new password for the existing user.
REC_USER="`cat /opt/redislabs/credentials/username`" \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
curl -k --request POST \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"$REC_PASSWORD\", \
\"new_password\":\"<NEW PASSWORD>\"}"
- From outside the pod, update the REC credential secret.
3a. Save the existing username to a text file.
echo -n "<current_username>" > username
3b. Save the new password to a text file.
echo -n "<new_password>" > password
3c. Update the REC credential secret.
kubectl create secret generic <cluster_secret_name> \
--from-file=./username \
--from-file=./password --dry-run \
-o yaml | \
kubectl apply -f
-
Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
-
Access a pod running a Redis Enterprise cluster again.
kubectl exec -it <rec-resource-name>-0 bash
- Remove the previous password to ensure only the new one applies.
REC_USER="`cat /opt/redislabs/credentials/username`"; \
REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
curl -k --request DELETE \
--url https://localhost:9443/v1/users/password \
-u "$REC_USER:$REC_PASSWORD" \
--header 'Content-Type: application/json' \
--data "{\"username\":\"$REC_USER\", \
\"old_password\":\"<OLD PASSWORD\"}"
Note:
The username for the K8s secret is the email displayed on the Redis Enterprise admin console.
Change both the REC username and password
-
-
Add another admin user and choose a new password.
-
Specify the new username in the username field of your REC custom resource spec.
-
Update the REC credential secret:
4a. Save the new username to a text file.
echo -n "<new_username>" > username
4b. Save the new password to a text file.
echo -n "<new_password>" > password
4c. Update the REC credential secret.
kubectl create secret generic <cluster_secret_name> \
--save-config \
--dry-run=client \
--from-file=./username --from-file=./password \
-o yaml | \
kubectl apply -f
-
Wait five minutes for all the components to read the new password from the updated secret. If you proceed to the next step too soon, the account could get locked.
-
Delete the previous admin user from the cluster.
Note:
The operator may log errors in the time between updating the username in the REC spec and the secret update.
Update the credentials secret in Vault
If you store your secrets with Hashicorp Vault, update the secret for the REC credentials with the following key-value pairs:
username:<desired_username>, password:<desired_password>
For more information about Vault integration with the Redis Enterprise Cluster see Integrating Redis Enterprise for Kubernetes with Hashicorp Vault.
On this page