Migrate to generated secrets
Use this guide when updating an old instance that still runs with the hardcoded default credentials.
To migrate to a hardened worker-group secret, enter the following commands in a terminal:
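# Rotate the worker-group secret: authenticate against the API, store a fresh
# random value in the pliant-secrets Kubernetes secret, register the same value
# with the API for the "default" worker group, then restart the worker pods.
# Authentication happens first so that a mistyped admin password leaves the
# cluster secret untouched.

echo "Enter admin username for pliant-front (pliant UI):"
read -r temp_username
echo "Enter admin password for pliant-front (pliant UI):"
# -s keeps the password off the screen; -r keeps backslashes literal.
read -rs temp_password
echo

# Fourth column of `kubectl get services` (EXTERNAL-IP in the default output)
# for the service line containing "api". If more than one line matches, the
# URL below is malformed and the token request fails.
api_host=$(kubectl get services | grep api | awk '{print $4}')

# --data-urlencode keeps characters such as "&", "+" or "%" in the credentials
# from corrupting the form body.
# NOTE(review): --insecure disables TLS certificate verification, so the admin
# password and the new worker secret are sent to a server that has not been
# authenticated. Where the instance presents a certificate from a known CA,
# drop --insecure or use --cacert <ca-bundle.pem> instead.
# NOTE(review): the -u pair is a fixed OAuth client credential taken verbatim
# from this guide; presumably a public client id, confirm it is not relied on
# as a secret.
access_token=$(curl -s "https://${api_host}/api/oauth/token" \
  -u "pliant.io-spa:V7UOGzAlvxWLUX8Fc5aT" \
  --data-urlencode "grant_type=password" \
  --data-urlencode "username=${temp_username}" \
  --data-urlencode "password=${temp_password}" \
  --compressed \
  --insecure | jq -r '.access_token')

# The admin credentials are not needed past this point.
unset temp_username temp_password

if [ -z "$access_token" ] || [ "$access_token" = "null" ]; then
  echo "Could not obtain an access token; nothing was changed." >&2
elif ! kubectl patch secret pliant-secrets -p "{\"data\": {\"worker-group-secret-key\": \"$(printf '%s' "$(openssl rand -base64 32)" | base64)\"}}"; then
  # Secret data must be base64-encoded, hence the second encoding above.
  echo "Patching pliant-secrets failed; the API was not updated." >&2
else
  # Read the value back from the cluster so the API receives exactly what the
  # secret now holds.
  worker_secret=$(kubectl get secret pliant-secrets -o jsonpath='{.data.worker-group-secret-key}' | base64 -d)

  # --fail makes curl return non-zero on an HTTP error, so the workers are
  # restarted only after the API accepted the new secret.
  if [ -n "$worker_secret" ] && curl --fail "https://${api_host}/api/v1/worker-group/default" \
    -X PUT \
    -H "Authorization: Bearer ${access_token}" \
    -H 'content-type: application/json' \
    -d "{\"name\": \"default\", \"secret\": \"${worker_secret}\" }" \
    --compressed \
    --insecure; then
    kubectl get pods | grep "worker" | awk '{print $1}' | xargs kubectl delete pod
  else
    echo "The API did not accept the new worker-group secret; pliant-secrets was already changed and the worker pods were not restarted. Fix the API call and run this block again." >&2
  fi
fi

unset access_token worker_secret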
Run the following commands to migrate to hardened MySQL credentials (only the password and the root password are changed):
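# Rotate the MySQL user password and root password: replace both values in
# the pliant-secrets Kubernetes secret with random strings, apply them inside
# the mysqldb-0 pod using the old root password, then restart the db-migration
# and api pods.

# Current values, read before pliant-secrets is overwritten. Assigning the
# command substitution directly (no `echo $(...)` wrapper) keeps the decoded
# credential from being word-split or glob-expanded.
temp_mysql_username=$(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-user']}" | base64 -d)
temp_mysql_root_password=$(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-root-password']}" | base64 -d)

mysql_rotation_done=no
if [ -z "$temp_mysql_username" ] || [ -z "$temp_mysql_root_password" ]; then
  echo "Could not read the current MySQL credentials from pliant-secrets; nothing was changed." >&2
else
  # Secret data must be base64-encoded, hence the second encoding.
  if kubectl patch secret pliant-secrets -p "{\"data\": {\"mysqldb-password\": \"$(printf '%s' "$(openssl rand -base64 32)" | base64)\"}}" &&
    kubectl patch secret pliant-secrets -p "{\"data\": {\"mysqldb-root-password\": \"$(printf '%s' "$(openssl rand -base64 32)" | base64)\"}}"; then

    new_mysql_password=$(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-password']}" | base64 -d)
    new_mysql_root_password=$(kubectl get secret pliant-secrets -o jsonpath="{.data['mysqldb-root-password']}" | base64 -d)

    # Throwaway first exec kept from the original procedure: the statement is
    # not valid SQL, and the guide uses it to get past an
    # "error dialing backend: EOF" on the first connection. Its exit status is
    # deliberately ignored.
    kubectl exec -it mysqldb-0 -- mysql -u root -p"$temp_mysql_root_password" --execute "REQUERED STEP TO BYPASS - Error from server: error dialing backend: EOF" || true

    # An empty read-back would otherwise set an empty password, so both new
    # values are checked before any SET PASSWORD runs.
    # NOTE(review): -p<password> puts the root password on the mysql command
    # line, where it is visible in process listings while the command runs.
    # NOTE(review): only 'root'@'localhost' is changed here; verify whether
    # other root host entries exist that still carry the default password.
    if [ -n "$new_mysql_password" ] && [ -n "$new_mysql_root_password" ] &&
      kubectl exec -it mysqldb-0 -- mysql -u root -p"$temp_mysql_root_password" --execute "SET PASSWORD FOR '${temp_mysql_username}'@'%' = '${new_mysql_password}'; FLUSH PRIVILEGES;" &&
      kubectl exec -it mysqldb-0 -- mysql -u root -p"$temp_mysql_root_password" --execute "SET PASSWORD FOR 'root'@'localhost' = '${new_mysql_root_password}'; FLUSH PRIVILEGES;"; then
      mysql_rotation_done=yes
    fi
    unset new_mysql_password new_mysql_root_password
  fi

  if [ "$mysql_rotation_done" = yes ]; then
    kubectl get pods | grep "db-migration" | awk '{print $1}' | xargs kubectl delete pod
    kubectl get pods | grep "api" | awk '{print $1}' | xargs kubectl delete pod
    # The old root password is no longer valid; do not leave it in the shell.
    unset temp_mysql_root_password temp_mysql_username
  else
    # The secret may already hold new values that MySQL does not accept, and
    # the old root password now exists only in this shell variable.
    echo "MySQL password rotation did not complete; pods were not restarted. pliant-secrets may already be changed. The previous root password is still in \$temp_mysql_root_password; keep this shell open until MySQL and the secret agree." >&2
  fi
fi
unset mysql_rotation_done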
Run the following commands to migrate to hardened object storage (MinIO) credentials:
# Replace the object-storage access key and secret key in pliant-secrets with
# independently generated random values, then restart the api pods.
# NOTE(review): only pods whose line contains "api" are restarted here; confirm
# that the object storage service itself picks up the new keys.
for storage_key in object-storage-access-key object-storage-secret-key; do
  # 32 random bytes as base64 text, then base64-encoded again because
  # Kubernetes secret data must be base64.
  encoded_value=$(openssl rand -base64 32 | tr -d '\n' | base64)
  kubectl patch secret pliant-secrets -p "{\"data\": {\"${storage_key}\": \"${encoded_value}\"}}"
done

kubectl get pods | awk '/api/ {print $1}' | xargs kubectl delete pod