Migrate to generated secrets

This guide is used to perform migrations when updating from an old instance with hardcoded default credentials.
To migrate to hardened worker-group-secret enter the following commands in a terminal: 

kubectl patch secret pliant-secrets -p "{\"data\": {\"worker-group-secret-key\": \"$(echo -n $(openssl rand -base64 32) | base64)\"}}"

echo "Enter admin username for pliant-front (pliant UI):"
read temp_username
echo "Enter admin password for pliant-front (pliant UI):"
read temp_password

curl "https://$(echo $(kubectl get services | grep api | awk '{print $4}'))/api/v1/worker-group/default" \
  -X PUT \
  -H "Authorization: Bearer $(echo $(curl -s "https://$(echo $(kubectl get services | grep api | awk '{print $4}'))/api/oauth/token" \
  -u "pliant.io-spa:V7UOGzAlvxWLUX8Fc5aT" \
  --data-raw "grant_type=password&username=$temp_username&password=$temp_password" \
  --compressed \
  --insecure) | jq -r '.access_token')" \
  -H 'content-type: application/json' \
  -d "{\"name\": \"default\", \"secret\": \"$(kubectl get secret pliant-secrets -o jsonpath='{.data.worker-group-secret-key}' | base64 -d)\" }" \
  --compressed \
  --insecure

kubectl get pods | grep "worker" | awk '{print $1}' | xargs kubectl delete pod

Perform the following commands to migrate to hardened MySQL credentials (only password and root password)

temp_mysql_username=$(echo $(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-user']}" | base64 -d))
temp_mysql_root_password=$(echo $(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-root-password']}" | base64 -d))

kubectl patch secret pliant-secrets -p "{\"data\": {\"mysqldb-password\": \"$(echo -n $(openssl rand -base64 32) | base64)\"}}"
kubectl patch secret pliant-secrets -p "{\"data\": {\"mysqldb-root-password\": \"$(echo -n $(openssl rand -base64 32) | base64)\"}}"

kubectl exec -it mysqldb-0 -- mysql -u root -p$temp_mysql_root_password --execute "REQUERED STEP TO BYPASS - Error from server: error dialing backend: EOF"
kubectl exec -it mysqldb-0 -- mysql -u root -p$temp_mysql_root_password --execute "SET PASSWORD FOR '$temp_mysql_username'@'%' = '$(echo $(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-password']}" | base64 -d))'; FLUSH PRIVILEGES;"
kubectl exec -it mysqldb-0 -- mysql -u root -p$temp_mysql_root_password --execute "SET PASSWORD FOR 'root'@'localhost' = '$(echo $(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-root-password']}" | base64 -d))'; FLUSH PRIVILEGES;"

kubectl get pods | grep "db-migration" | awk '{print $1}' | xargs kubectl delete pod
kubectl get pods | grep "api" | awk '{print $1}' | xargs kubectl delete pod

Perform the following commands to migrate to hardened Object storage (MinIO) 

kubectl patch secret pliant-secrets -p "{\"data\": {\"object-storage-access-key\": \"$(echo -n $(openssl rand -base64 32) | base64)\"}}"
kubectl patch secret pliant-secrets -p "{\"data\": {\"object-storage-secret-key\": \"$(echo -n $(openssl rand -base64 32) | base64)\"}}"

kubectl get pods | grep "api" | awk '{print $1}' | xargs kubectl delete pod

Search