Password update for OpenIAM services in Kubernetes

Redis passwords

  1. Update the default Redis password in terraform.tfvars.
vi terraform.tfvars

Here, locate the Redis password variable and update it.

Password variable

  1. Take a backup of the existing Kubernetes secret and verify the current password in the secret.
kubectl -n default get secret secrets -o yaml > ~/secrets.defaults.backup.yaml
kubectl -n default get secret secrets -o jsonpath='{.data.redisPassword}' | base64 --decode && echo
kubectl -n default get secret secrets -o jsonpath='{.data.redisSentinelPassword}' | base64 --decode && echo
  1. Uninstall Redis via Helm and remove its resources from the Terraform state.
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep redis
test2025-redis default 2 2025-10-14 14:45:41.873592306 +0000 UTC deployed redis-18.17.0 7.2.4
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-redis
release "test2025-redis" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep redis
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list| grep redis
module.deployment.module.redis.helm_release.redis
module.deployment.module.redis.null_resource.depends_on
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.redis.helm_release.redis
Removed module.deployment.module.redis.helm_release.redis
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.redis.null_resource.depends_on
Removed module.deployment.module.redis.null_resource.depends_on
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list| grep redis
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Verify the installed ConfigMap that contains the secret intended for injection into pods, and then delete it.
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
test2025-configmap default 3 2025-10-14 14:45:39.681903426 +0000 UTC deployed openiam-configmap-4.2.1-12 1.0
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-configmap
release "test2025-configmap" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
module.deployment.module.helm.helm_release.configmap
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.helm.helm_release.configmap
Removed module.deployment.module.helm.helm_release.configmap
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Delete the Vault bootstrap job.
root@kube-access:~# kubectl get jobs| grep boot
test2025-vault-bootstrap-job Complete 1/1 2m13s 39m
root@kube-access:~#
kubectl delete job test2025-vault-bootstrap-job
  1. Apply the Terraform configuration using the command below.
terraform apply --auto-approve
  1. Monitor the status of the pods.
kubectl get pods

Once all pods are up and running, log in to the webconsole and verify that all services are functioning correctly.

Note: The above steps have been prepared assuming the namespace is default.
If any pod remains in a 0/1 state, delete it using the command below.
kubectl delete pod <pod-name>

Elasticsearch passwords

  1. Update the default Elasticsearch password in terraform.tfvars.
vi terraform.tfvars

Locate the Elasticsearch password variable and update it.

Located password

  1. Take a backup of the existing Kubernetes secret and verify the current password in the secret.
kubectl -n default get secret secrets -o yaml > ~/secrets.defaults.backup.yaml
kubectl -n default get secret secrets -o jsonpath='{.data.elasticsearchUserName}' | base64 --decode && echo
kubectl -n default get secret secrets -o jsonpath='{.data.elasticsearchPassword}' | base64 --decode && echo
  1. Update the Elasticsearch password in the Elasticsearch pod with the new value. Log in to the Elasticsearch pod and verify the current cluster health using the existing password.
kubectl get pods | grep elas
kubectl exec -it elasticsearch-master-0 -- sh
curl -u elastic:ChangeMeToSomethingMoreSecure123#51 -X GET "http://localhost:9200/_cluster/health?pretty"

Replace the old and new passwords in the following command to update Elasticsearch with the new password.

curl -u "elastic:Oldpassword" -XPOST -H "Content-Type: application/json" \
"http://localhost:9200/_security/user/elastic/_password" \
-d '{ "password": "NEWPASSWORD" }'

Verify that the new password is working using the following command.

curl -u "elastic:NEWPASSWORD" -X GET "http://localhost:9200/_cluster/health?pretty"
  1. Uninstall Elasticsearch via Helm and remove its resources from the Terraform state.
helm ls | grep elas
helm delete test2025-elasticsearch
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep elas
test2025-elasticsearch default 1 2025-10-14 08:39:01.24106775 +0000 UTC deployed elasticsearch-7.17.3 7.17.3
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-elasticsearch
release "test2025-elasticsearch" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep elas
module.deployment.module.elasticsearch.helm_release.elasticsearch
module.deployment.module.elasticsearch.null_resource.depends_on
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.elasticsearch.helm_release.elasticsearch
Removed module.deployment.module.elasticsearch.helm_release.elasticsearch
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.elasticsearch.null_resource.depends_on
Removed module.deployment.module.elasticsearch.null_resource.depends_on
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep elas
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Verify the installed ConfigMap that contains the secret intended for injection into pods, and then delete it.
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
test2025-configmap default 3 2025-10-14 14:45:39.681903426 +0000 UTC deployed openiam-configmap-4.2.1-12 1.0
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-configmap
release "test2025-configmap" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
module.deployment.module.helm.helm_release.configmap
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.helm.helm_release.configmap
Removed module.deployment.module.helm.helm_release.configmap
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Delete the Vault bootstrap job.
root@kube-access:~# kubectl get jobs| grep boot
test2025-vault-bootstrap-job Complete 1/1 2m13s 39m
root@kube-access:~#
kubectl delete job test2025-vault-bootstrap-job
  1. Apply the Terraform configuration using the command below.
terraform apply --auto-approve
  1. Monitor the status of the pods.
kubectl get pods
  1. Once all pods are up and running, log in to the webconsole and verify that all services are functioning correctly.
Note: The above steps have been prepared assuming the namespace is default.
If any pod remains in a 0/1 state, delete it using the command below.
kubectl delete pod <pod-name>
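
The curl commands in the Elasticsearch steps pass both passwords as command-line arguments, where they are visible in the process list and in shell history. The following is an added example, not OpenIAM's own tooling, that makes the same `_security/user/elastic/_password` call with the credentials supplied to curl on stdin. The function names and the `ES_URL` variable are hypothetical, and it assumes `sh`, `sed`, `stty` and `curl` are available in the shell where the steps above are run.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenIAM tooling.
ES_URL="${ES_URL:-http://localhost:9200}"   # endpoint used in the steps above

# Backslash-escape \ and " (the two escapes that JSON strings and
# quoted values in a curl config file have in common).
esc() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit a curl config file that changes the elastic user's password.
# $1 = current password, $2 = new password.
build_rotation_config() {
  case "$1$2" in
    *[[:cntrl:]]*) echo "control characters are not supported" >&2; return 1 ;;
  esac
  body=$(printf '{"password":"%s"}' "$(esc "$2")")
  printf 'url = "%s/_security/user/elastic/_password"\n' "$ES_URL"
  printf 'request = "POST"\n'
  printf 'header = "Content-Type: application/json"\n'
  printf 'user = "%s"\n' "$(esc "elastic:$1")"
  printf 'data = "%s"\n' "$(esc "$body")"
}

# Prompt for both passwords without echoing them, then hand the
# generated config to curl on stdin so nothing appears in argv.
rotate_elastic_password() {
  trap 'stty echo' INT
  stty -echo
  printf 'Current elastic password: ' >&2; IFS= read -r old; echo >&2
  printf 'New elastic password: ' >&2;     IFS= read -r new; echo >&2
  stty echo
  build_rotation_config "$old" "$new" |
    curl --silent --show-error --fail --config -
}
```

Call `rotate_elastic_password` interactively; the new value must match what was set in terraform.tfvars.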

RabbitMQ passwords

  1. Update the default RabbitMQ password in terraform.tfvars.
vi terraform.tfvars

Locate the RabbitMQ password variable and update it.

Password variable located

  1. Take a backup of the existing Kubernetes secret and verify the current password in the secret.
kubectl -n default get secret secrets -o yaml > ~/secrets.defaults1.backup.yaml
kubectl -n default get secret secrets -o jsonpath='{.data.rabbitmqPassword}' | base64 --decode && echo
  1. Uninstall RabbitMQ via Helm and remove its resources from the Terraform state.
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep rabbit
test2025-rabbitmq default 1 2025-10-14 14:20:17.981710745 +0000 UTC deployed rabbitmq-10.1.16
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-rabbitmq
release "test2025-rabbitmq" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep rabbit
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep -i rabbit
module.deployment.module.helm.helm_release.rabbitmq
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.helm.helm_release.rabbitmq
Removed module.deployment.module.helm.helm_release.rabbitmq
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep -i rabbit
root@ubuntu-test:~/kubernetes-docker-configuration#
Delete the PVC of the RabbitMQ pod and verify that the corresponding PV is automatically deleted.
root@ubuntu-test:~/kubernetes-docker-configuration# kubectl get pvc | grep rabbitmq
data-test2025-rabbitmq-0 Bound pvc-f045271d-b685-4c91-9656-3855b5763759 8Gi RWO default <unset> 16h
openiam-pvc-ldap-connector-rabbitmq Bound pvc-25b388f1-6bbe-4c3f-983a-afed2dadcfc0 5M RWX nfs <unset> 3d19h
openiam-pvc-rabbitmq-jks Bound pvc-f05f4ec3-52ae-433a-80cf-9f15a6940905 5M RWX nfs <unset> 3d19h
root@ubuntu-test:~/kubernetes-docker-configuration# kubectl delete pvc data-test2025-rabbitmq-0
persistentvolumeclaim "data-test2025-rabbitmq-0" deleted
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# kubectl get pv | grep rabbitmq
pvc-25b388f1-6bbe-4c3f-983a-afed2dadcfc0 5M RWX Delete Bound default/openiam-pvc-ldap-connector-rabbitmq nfs <unset> 3d19h
pvc-f05f4ec3-52ae-433a-80cf-9f15a6940905 5M RWX Delete Bound default/openiam-pvc-rabbitmq-jks nfs <unset> 3d19h
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Verify the installed ConfigMap that contains the secret intended for injection into pods, and then delete it.
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
test2025-configmap default 3 2025-10-14 14:45:39.681903426 +0000 UTC deployed openiam-configmap-4.2.1-12 1.0
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# helm delete test2025-configmap
release "test2025-configmap" uninstalled
root@ubuntu-test:~/kubernetes-docker-configuration# helm ls | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
module.deployment.module.helm.helm_release.configmap
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state rm module.deployment.module.helm.helm_release.configmap
Removed module.deployment.module.helm.helm_release.configmap
Successfully removed 1 resource instance(s).
root@ubuntu-test:~/kubernetes-docker-configuration#
root@ubuntu-test:~/kubernetes-docker-configuration# terraform state list | grep config
root@ubuntu-test:~/kubernetes-docker-configuration#
  1. Delete the Vault bootstrap job.
root@kube-access:~# kubectl get jobs| grep boot
test2025-vault-bootstrap-job Complete 1/1 2m13s 39m
root@kube-access:~#
kubectl delete job test2025-vault-bootstrap-job
  1. Apply the Terraform configuration using the command below.
terraform apply --auto-approve
  1. Monitor the status of the pods.
kubectl get pods
  1. Once all pods are up and running, log in to the webconsole and verify that all services are functioning correctly.
Note: The above steps have been prepared assuming the namespace is default.
If any pod remains in a 0/1 state, delete it using the command below.
kubectl delete pod <pod-name>
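
Each of the Redis, Elasticsearch and RabbitMQ procedures above saves the `secrets` Secret to a backup file before the change. The following is an added example, not part of the OpenIAM tooling, that compares such a backup with a fresh `kubectl -n default get secret secrets -o yaml` dump and reports, by key name only, which entries changed after `terraform apply`. The function names are hypothetical and the sample values in `demo` are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenIAM tooling.

# Print "key value" for every entry under data: in a Secret saved as YAML.
secret_data() {
  awk '/^data:/ { in_data = 1; next }
       /^[^ ]/  { in_data = 0 }
       in_data && /^ +[A-Za-z0-9_.-]+:/ { k = $1; sub(/:$/, "", k); print k, $2 }' "$1"
}

# Names of keys added, removed or changed between two Secret YAML files.
# Values are compared in their base64 form and are never printed.
changed_keys() {
  { secret_data "$1" | sed 's/^/old /'; secret_data "$2" | sed 's/^/new /'; } |
  awk '$1 == "old" { o[$2] = $3; next }
       { n[$2] = $3 }
       END { for (k in o) if (!(k in n) || o[k] "" != n[k] "") print k
             for (k in n) if (!(k in o)) print k }' | sort
}

# Succeeds only if exactly the keys named after the two files changed.
only_changed() {
  before=$1; after=$2; shift 2
  [ "$(changed_keys "$before" "$after")" = "$(printf '%s\n' "$@" | sort)" ]
}

# Constructed sample data (not real credentials) standing in for the backup
# file and for a fresh dump of the secret taken after terraform apply.
demo() {
  d=$(mktemp -d)
  cat > "$d/before.yaml" <<'EOF'
apiVersion: v1
data:
  rabbitmqPassword: b2xkLXJhYmJpdA==
  redisPassword: b2xkLXJlZGlz
  redisSentinelPassword: b2xkLXJlZGlz
kind: Secret
EOF
  sed 's/b2xkLXJlZGlz/bmV3LXJlZGlz/' "$d/before.yaml" > "$d/after.yaml"
  changed_keys "$d/before.yaml" "$d/after.yaml"
  only_changed "$d/before.yaml" "$d/after.yaml" redisPassword redisSentinelPassword
  rc=$?
  rm -rf "$d"
  return "$rc"
}
```

The backup file holds every credential in the secret in base64, which is an encoding and not encryption, so restrict it with `chmod 600` and delete it once the rotation is verified.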