
Updating Passwords in Vault

This guide shows how to update passwords stored in Vault.

Step 1: Log In To the Vault

To update a secret in Vault, follow the steps below.

CODE
kubectl -n vault exec -it vault-0 -- sh
CODE
vault login

Enter the token that was generated during Vault initialization to log in.

Step 2: Patch the Secret In the Vault

Use the following command to update the value in the secret.

CODE
vault kv patch secret/<secret name> <key>=<value>

An example is given below:

CODE
vault kv patch secret/postgresql postgres-password=postgresql464
/ $ vault kv patch secret/postgresql postgres-password=postgresql464
===== Secret Path =====
secret/data/postgresql

======= Metadata =======
Key                Value
---                -----
created_time       2024-09-16T08:49:51.954215622Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2

Information Regarding Keycloak:

There are two admin users for Keycloak:

  1. Master Realm Admin (Super Admin)

  2. Expertflow Realm Admin

  • Admin 1’s Password: Stored as admin-password in the vault-external secret of Vault.

  • Admin 2’s Password: Stored as password in the vault-external secret and as KEYCLOAK_PASSWORD_ADMIN in the ef-connection-env secret of Vault.

To update any of the passwords mentioned above, follow these steps:

  1. Update the password in the Keycloak web interface.

  2. Update the corresponding key-value pairs in Vault for all relevant secrets. For example, update the vault-external and ef-connection-env secrets for Admin 2’s password.

Important: No password is automatically injected from Vault to Keycloak; you must update it manually in the interface.

Step 3: Reflect the Changes in the Namespace

To make the namespace pick up the changed secret, follow these steps:

Delete the secret in the namespace:

Use the following commands to list the secrets and delete the one that changed:

CODE
kubectl get secret -n <namespace>
kubectl delete secret -n <namespace> <secret-name>

An example is given below:

CODE
kubectl get secret -n ef-external
root@efcx:~# kubectl get secrets -n ef-external
NAME                                  TYPE                             DATA   AGE
ef-postgresql-crt                     kubernetes.io/tls                3      3d9h
expertflow-reg-cred                   kubernetes.io/dockerconfigjson   1      3d9h
minio                                 Opaque                           2      3d9h
minio-crt                             kubernetes.io/tls                3      3d9h
mongo-mongodb-ca                      Opaque                           3      3d9h
mongodb                               Opaque                           1      3d9h
postgresql                            Opaque                           2      3d9h
redis                                 Opaque                           1      3d9h
redis-crt                             kubernetes.io/tls                3      3d9h
sh.helm.release.v1.ef-postgresql.v1   helm.sh/release.v1               1      3d9h
sh.helm.release.v1.keycloak.v1        helm.sh/release.v1               1      3d9h
sh.helm.release.v1.minio.v1           helm.sh/release.v1               1      3d9h
sh.helm.release.v1.mongo.v1           helm.sh/release.v1               1      3d9h
sh.helm.release.v1.redis.v1           helm.sh/release.v1               1      3d9h
vault-external                        Opaque                           2      3d9h
CODE
kubectl delete secret -n ef-external postgresql

root@efcx:~# kubectl delete secret -n ef-external postgresql
secret "postgresql" deleted

Restart the pods in the namespace:

CODE
kubectl get pod -n ef-external
root@efcx:~# k get pods -n ef-external
NAME                     READY   STATUS    RESTARTS       AGE
ef-amq-0                 1/1     Running   1 (122m ago)   7h31m
ef-postgresql-0          0/1     Unknown   0              34h
keycloak-0               0/1     Unknown   0              34h
minio-84cfcdbd48-8n6g2   0/1     Unknown   0              34h
mongo-mongodb-0          0/1     Unknown   0              34h
redis-master-0           0/1     Unknown   0              34h
CODE
kubectl delete pod -n ef-external ef-postgresql-0
root@efcx:~# k delete pod -n ef-external ef-postgresql-0
pod "ef-postgresql-0" deleted

Pods will now be using the updated secrets.
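
A check to run between deleting the secret and restarting the pods, added here as an example and not part of the original guide: it confirms that the Kubernetes secret carries the value now stored in Vault without printing either value. The function names are hypothetical, and it assumes that the deleted secret is recreated from Vault, that the Kubernetes secret uses the same secret name and key name as Vault, and that the Vault CLI in vault-0 is already logged in.

```shell
#!/bin/sh
# Added example. Assumptions: the Vault CLI inside pod vault-0 is already logged
# in (Step 1), and the Kubernetes secret has the same name and key as in Vault.

# vault_patch_stdin <secret> <key>
# Same as `vault kv patch`, but the new value is read from stdin ("key=-"),
# so it does not end up in shell history or the process list.
vault_patch_stdin() {
    kubectl -n vault exec -i vault-0 -- vault kv patch "secret/$1" "$2=-"
}

# in_sync <namespace> <secret> <key>
# Returns 0 if the Kubernetes secret holds the value stored in Vault,
# 1 if the values differ, and 2 if either lookup fails (for example while
# the deleted secret has not been recreated yet). Values are never printed.
in_sync() {
    is_vault=$(kubectl -n vault exec vault-0 -- \
        vault kv get -field="$3" "secret/$2") || return 2
    is_enc=$(kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$3}") || return 2
    # An empty result means a missing key, not a match.
    [ -n "$is_vault" ] && [ -n "$is_enc" ] || return 2
    is_k8s=$(printf '%s' "$is_enc" | base64 -d) || return 2
    [ "$is_vault" = "$is_k8s" ]
}

# wait_in_sync <namespace> <secret> <key> [timeout-seconds, default 60]
# Polls in_sync every 2 seconds; returns 1 if the timeout expires first.
wait_in_sync() {
    ws_left=${4:-60}
    until in_sync "$1" "$2" "$3"; do
        [ "$ws_left" -gt 0 ] || return 1
        sleep 2
        ws_left=$((ws_left - 2))
    done
}

# Usage with the names from the examples above (NEW_PASSWORD is a shell
# variable you set beforehand, e.g. from a prompt):
#   printf '%s' "$NEW_PASSWORD" | vault_patch_stdin postgresql postgres-password
#   kubectl delete secret -n ef-external postgresql
#   wait_in_sync ef-external postgresql postgres-password &&
#       kubectl delete pod -n ef-external ef-postgresql-0
```

If `wait_in_sync` times out, the pods would restart with the old value or with no secret at all, so investigate the sync before deleting any pod.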
