Changing the password seed
As an administrator, you can change the password seed that is used when you install HCL DevOps Test Hub (Test Hub) to provide enhanced security to Test Hub.
Before you begin
You must have completed the following tasks:
-
Installed Test Hub. See Installation of DevOps Test Hub.
-
Installed the JSON command-line tool, jq, and ensured that the jq is in your environment PATH. For information about jq, refer to jq documentation.
-
Installed the Curl command line tool. For more information refer to curl documentation.
About this task
When you install Test Hub, you
supply a password seed when you run the helm install
command. This
password seed is used to generate several Kubernetes secrets. Kubernetes Secrets can
contain the following information:
-
The authentication credentials for micro-services.
-
An encryption key for the user-created secrets collection or other secrets.
When you change the password seed for Test Hub, you must consider the following scenarios:
-
Test Hub cannot communicate until you reconcile the passwords which are in Kubernetes Secrets by using the old and a new password seed.
-
Users cannot read secret collections or other secrets that they have created in Test Hub until you re-encrypt them using a new password seed.
Important: You must provide an offline token and old password seed that you used during the installation of Test Hub to re-encrypt user secrets.
Procedure
-
Run the following command to change the password seed for Test Hub:
helm upgrade {{main}} ./hcl-onetest-server -n devops-system \ --reuse-values \ --set global.hclOneTestPasswordAutoGenSeed= {my-new-super-secret}
Notes: You must substitute the value of the following variables with the actual value in the command:-
{{main}}
with the release name that you used during the installation of Test Hub. -
{my-new-super-secret}
with a new value of your choice as the password seed. -
You must run the following
helm upgrade
command from the same directory where thehelm install
command was run during the installation of Test Hub. Because the upgrade is dependent on the helm charts and .yaml file values used during the run time of thehelm install
command.
-
-
Run the following script to generate new server secrets from the updated
password seed and to save them to the persistent storage:
./hcl-onetest-server/files/reconcile-secrets.sh -n devops-system {{main}}
-
Run the following command to restart all the pods:
kubectl delete pods -n devops-system \ -lapp.kubernetes.io/instance={{main}} \ -lapp.kubernetes.io/managed-by=Helm
-
Run the following commands to re-encrypt the user-created secrets collection or
other secrets by providing the old password seed:
export ACCESS_TOKEN=$(curl -k -X POST {SERVER_URL}/rest/tokens/ \ -H "Content-Type: application/x-www-form-urlencoded" \ -H "accept: application/json" \ -d "refresh_token={OFFLINE_TOKEN}" | jq -r '.access_token') curl -k -X POST {SERVER_URL}/rest/secrets/re-encrypt/ \ -H "Authorization: Bearer $ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d "{\"type\":\"helm\",\"password_auto_gen_seed\":\"{OLD_SEED}\"}"
Note: You must substitute the value of the following variables with the actual value in the following commands:-
{SERVER_URL}
with the URL of your Test Hub UI. -
{OFFLINE_TOKEN}
with the offline token that belongs to a user with the administrator role. -
{OLD_SEED}
with the previous password seed that you used during the installation of Test Hub.
-
-
Run the following command to display the log file of the gateway pod:
kubectl logs {{main}} -gateway-abcdefghij-abcde -n devops-system
Note: You must substitute the value of the following variables with the actual value in the command:-
{{main}}
with the release name that you used during the installation of Test Hub. -
abcdefghij-abcde
with an identifier that is assigned to the name of the gateway pod.You can run the
kubectl get pods -n devops-system
command to obtain the identifier that is assigned to the gateway pod.
The following message is displayed when re-encryption is completed:reEncrypt complete. StringyReEncryptor [total=100, fixed=100, broken=0, noop=0]
-