Changing the password seed
As an administrator, you can change the password seed that was supplied when HCL DevOps Test Hub (Test Hub) was installed, to enhance the security of Test Hub.
Before you begin
You must have completed the following tasks:
- Installed Test Hub. See Installation of DevOps Test Hub.
- Installed the JSON command-line tool, jq, and ensured that jq is in your environment PATH. For information about jq, refer to the jq documentation.
- Installed the curl command-line tool. For more information, refer to the curl documentation.
About this task
When you install Test Hub, you supply a password seed when you run the helm install command. This password seed is used to generate several Kubernetes Secrets. Kubernetes Secrets can contain the following information:
- The authentication credentials for microservices.
- An encryption key for the user-created secrets.
When you change the password seed for Test Hub, you must consider the following scenarios:
- Test Hub cannot communicate until you reconcile the passwords that are in Kubernetes Secrets by using the old and the new password seed.
- Users cannot read secret collections or other secrets that they have created in Test Hub until you re-encrypt them by using the new password seed.
Important: To re-encrypt user secrets, you must provide an offline token and the old password seed that you used during the installation of Test Hub.
Procedure
- Run the following command to change the password seed for Test Hub:
    helm upgrade {{main}} ./hcl-onetest-server -n devops-system \
      --reuse-values \
      --set global.hclOneTestPasswordAutoGenSeed={my-new-super-secret}
  Notes:
  - You must substitute the following variables with the actual values in the command:
    - {{main}} with the release name that you used during the installation of Test Hub.
    - {my-new-super-secret} with a new value of your choice as the password seed.
  - You must run the helm upgrade command from the same directory where the helm install command was run during the installation of Test Hub, because the upgrade depends on the Helm charts and the .yaml file values that were used when the helm install command was run.
- Run the following script to generate new server secrets from the updated password seed and to save them to the persistent storage:
    ./hcl-onetest-server/files/reconcile-secrets.sh -n devops-system {{main}}
- Run the following command to restart all the pods:
    kubectl delete pods -n devops-system \
      -l app.kubernetes.io/instance={{main}},app.kubernetes.io/managed-by=Helm
- Run the following commands to re-encrypt the user-created secrets by providing the old password seed:
    # Exchange the offline token for an access token
    export ACCESS_TOKEN=$(curl -k -X POST {SERVER_URL}/rest/tokens/ \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "accept: application/json" \
      -d "refresh_token={OFFLINE_TOKEN}" | jq -r '.access_token')
    # Re-encrypt the user-created secrets, supplying the old password seed
    curl -k -X POST {SERVER_URL}/rest/secrets/re-encrypt/ \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      -d "{\"type\":\"helm\",\"password_auto_gen_seed\":\"{OLD_SEED}\"}"
  Note: You must substitute the following variables with the actual values in the commands:
  - {SERVER_URL} with the URL of your Test Hub UI.
  - {OFFLINE_TOKEN} with the offline token that belongs to a user with the administrator role.
  - {OLD_SEED} with the previous password seed that you used during the installation of Test Hub.
- Run the following command to display the log file of the gateway pod:
    kubectl logs {{main}}-gateway-abcdefghij-abcde -n devops-system
  Note: You must substitute the following variables with the actual values in the command:
  - {{main}} with the release name that you used during the installation of Test Hub.
  - abcdefghij-abcde with the identifier that is assigned to the name of the gateway pod. You can run the kubectl get pods -n devops-system command to obtain the identifier that is assigned to the gateway pod.
  The following message is displayed when re-encryption is completed:
    reEncrypt complete. StringyReEncryptor [total=100, fixed=100, broken=0, noop=0]
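A check for the final step, as an added example that is not part of the HCL documentation: it reads the gateway pod log, finds the completion message, and fails if the message is missing or reports broken secrets. The function names and the reading of broken as a count of secrets that could not be re-encrypted are assumptions.

```sh
#!/bin/sh
# Added example (not vendor code): confirm the re-encryption result in the
# gateway pod log after changing the password seed.
# Assumption: "broken" counts secrets that could not be re-encrypted.

# Print the value of counter $2 found in summary line $1 (empty if absent).
reencrypt_field() {
  printf '%s\n' "$1" | sed -n "s/.*[[ ]$2=\([0-9][0-9]*\).*/\1/p"
}

# Read log text on stdin and evaluate the LAST summary line.
# Returns 0 if broken=0, 1 if broken>0, 2 if no usable summary was found.
check_reencrypt() {
  re_line=$(grep -E 'reEncrypt complete\. StringyReEncryptor \[' | tail -n 1)
  if [ -z "$re_line" ]; then
    echo "no reEncrypt summary in log; re-encryption not confirmed" >&2
    return 2
  fi
  re_total=$(reencrypt_field "$re_line" total)
  re_fixed=$(reencrypt_field "$re_line" fixed)
  re_broken=$(reencrypt_field "$re_line" broken)
  re_noop=$(reencrypt_field "$re_line" noop)
  for re_v in "$re_total" "$re_fixed" "$re_broken" "$re_noop"; do
    if [ -z "$re_v" ]; then
      echo "malformed summary: $re_line" >&2
      return 2
    fi
  done
  echo "total=$re_total fixed=$re_fixed broken=$re_broken noop=$re_noop"
  if [ "$re_broken" -ne 0 ]; then
    echo "$re_broken secret(s) were not re-encrypted" >&2
    return 1
  fi
  return 0
}

# Constructed sample log; only the summary line format comes from the page.
SAMPLE_LOG='2024-01-01T10:00:00Z INFO gateway started
2024-01-01T10:05:12Z INFO reEncrypt complete. StringyReEncryptor [total=100, fixed=100, broken=0, noop=0]'
printf '%s\n' "$SAMPLE_LOG" | check_reencrypt

# Real use (placeholders as in the procedure above):
#   kubectl logs {{main}}-gateway-abcdefghij-abcde -n devops-system | check_reencrypt
```

A non-zero exit status lets a rotation runbook or pipeline stop before the old password seed is discarded.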