From 82bd922da2fa224e583813d0d977ab82d2cea313 Mon Sep 17 00:00:00 2001 From: Tobia De Koninck Date: Mon, 29 Jul 2024 10:06:51 +0200 Subject: [PATCH] Document changing Redis password --- docs/deployment/README.md | 81 ++++++++++++++----- .../1-namespaced/patches/redis.secret.yaml | 4 +- .../redis/resources/redis.secret.yaml | 4 +- .../resources/redis.secret.yaml | 4 +- .../shinyproxy/resources/redis.secret.yaml | 4 +- .../shinyproxy/patches/redis.secret.yaml | 4 +- .../patches/redis.secret.yaml | 4 +- 7 files changed, 73 insertions(+), 32 deletions(-) diff --git a/docs/deployment/README.md b/docs/deployment/README.md index 0d90fab..768963d 100644 --- a/docs/deployment/README.md +++ b/docs/deployment/README.md @@ -29,7 +29,9 @@ and dependencies of the operator. used to secure Redis. Each example (see below) already changes the password to `mySecurePassword12`. For an example see the [`overlays/1-namespaced/patches/redis.secret.yaml`](overlays/1-namespaced/patches/redis.secret.yaml) - file. + file. Make sure to change the password **before** deploying, + see [changing Redis password](#changing-redis-password) for instructions on how + to change the password after deploying. ## Tutorial using minikube @@ -45,7 +47,7 @@ ShinyProxy operator on minikube. 2. Start minikube: ```bash - minikube start --kubernetes-version='v1.25.6' --addons=metrics-server,ingress --container-runtime=containerd + minikube start --kubernetes-version='v1.30.3' --addons=metrics-server,ingress --container-runtime=containerd ```` 3. Clone this repository and change the working directory: @@ -119,32 +121,33 @@ ShinyProxy operator on minikube. imagePullPolicy: Always fqdn: shinyproxy-demo.local ``` + 10. Apply this change using `kubectl`: -```bash -kubectl apply -f resources/shinyproxy.shinyproxy.yaml -``` + ```bash + kubectl apply -f resources/shinyproxy.shinyproxy.yaml + ``` -The operator now deploys a new ShinyProxy instance. The old instance will be -kept intact as long as a Websocket connection is active on the old instance. The -old instance will automatically be removed once it no longer has any open -Websocket connections. New requests will immediately be handled by the new -server as soon as it is ready. Try going to the main page of ShinyProxy and -check whether the change your made has been applied. + The operator now deploys a new ShinyProxy instance. The old instance will be + kept intact as long as a Websocket connection is active on the old instance. The + old instance will automatically be removed once it no longer has any open + Websocket connections. New requests will immediately be handled by the new + server as soon as it is ready. Try going to the main page of ShinyProxy and + check whether the change your made has been applied. 11. Try the other examples. The following commands first remove the current example, next you can open another example (e.g. `2-clustered`) and deploy it using `kubectl`: -```bash -kubectl delete namespace/shinyproxy -kubectl delete namespace/shinyproxy-operator # may fail -kubectl delete namespace/shinyproxy-dept2 # may fail -kubectl delete namespace/my-namespace # may fail -kubectl delete namespace/redis # may fail -cd ../2-clustered -kustomize build . | kubectl apply -f - -``` + ```bash + kubectl delete namespace/shinyproxy + kubectl delete namespace/shinyproxy-operator # may fail + kubectl delete namespace/shinyproxy-dept2 # may fail + kubectl delete namespace/my-namespace # may fail + kubectl delete namespace/redis # may fail + cd ../2-clustered + kustomize build . | kubectl apply -f - + ``` ## Overview of examples @@ -452,3 +455,41 @@ behavior can be changed by setting `antiAffinityRequired` to `true` in your ShinyProxy configuration. It is also possible to change the topology, by setting the `antiAffinityTopologyKey`, e.g. to not run multiple replicas in the same availability zone you can set this property to `topology.kubernetes.io/zone `. + +## Changing Redis password + +Each example changes the password to `mySecurePassword12`. It's important to +change this password in your environment. Ideally, the password must be changed +before deploying Redis for the first time, since changing the password after +initial deployment requires deleting all data. + +In order to change the password after deployment: + +**Note**: during this process ShinyProxy will be stopped and all apps and users +are stopped! + +1. change the password in the yaml file (e.g. + in [`overlays/1-namespaced/patches/redis.secret.yaml`](overlays/1-namespaced/patches/redis.secret.yaml)) +2. stop ShinyProxy by removing the ShinyProxy resource (pods of running apps are + not automatically removed): + + ```bash + kubectl delete shinyproxy -n shinyproxy shinyproxy + ``` + +3. delete all Redis related resources: + + ```bash + kubectl delete statefulset -n shinyproxy redis-node + kubectl delete pvc -n shinyproxy redis-data-redis-node-0 + kubectl delete pvc -n shinyproxy redis-data-redis-node-1 + kubectl delete pvc -n shinyproxy redis-data-redis-node-2 + ``` + +4. wait for all related pods to be stopped and all resources to be removed +5. check that the `PersistentVolumes` of Redis are removed using `kubectl get pv` +6. re-deploy Redis and ShinyProxy: + + ```bash + kustomize build . | kubectl apply -f - --server-side + ``` diff --git a/docs/deployment/overlays/1-namespaced/patches/redis.secret.yaml b/docs/deployment/overlays/1-namespaced/patches/redis.secret.yaml index 54d278e..c01e68a 100644 --- a/docs/deployment/overlays/1-namespaced/patches/redis.secret.yaml +++ b/docs/deployment/overlays/1-namespaced/patches/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "todoreplacethis" diff --git a/docs/deployment/overlays/2-clustered/redis/resources/redis.secret.yaml b/docs/deployment/overlays/2-clustered/redis/resources/redis.secret.yaml index 54d278e..3a26a0f 100644 --- a/docs/deployment/overlays/2-clustered/redis/resources/redis.secret.yaml +++ b/docs/deployment/overlays/2-clustered/redis/resources/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "mySecurePassword12" diff --git a/docs/deployment/overlays/2-clustered/shinyproxy-dept2/resources/redis.secret.yaml b/docs/deployment/overlays/2-clustered/shinyproxy-dept2/resources/redis.secret.yaml index 54d278e..3a26a0f 100644 --- a/docs/deployment/overlays/2-clustered/shinyproxy-dept2/resources/redis.secret.yaml +++ b/docs/deployment/overlays/2-clustered/shinyproxy-dept2/resources/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "mySecurePassword12" diff --git a/docs/deployment/overlays/2-clustered/shinyproxy/resources/redis.secret.yaml b/docs/deployment/overlays/2-clustered/shinyproxy/resources/redis.secret.yaml index 54d278e..3a26a0f 100644 --- a/docs/deployment/overlays/2-clustered/shinyproxy/resources/redis.secret.yaml +++ b/docs/deployment/overlays/2-clustered/shinyproxy/resources/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "mySecurePassword12" diff --git a/docs/deployment/overlays/3-namespaced-app-ns/shinyproxy/patches/redis.secret.yaml b/docs/deployment/overlays/3-namespaced-app-ns/shinyproxy/patches/redis.secret.yaml index 54d278e..3a26a0f 100644 --- a/docs/deployment/overlays/3-namespaced-app-ns/shinyproxy/patches/redis.secret.yaml +++ b/docs/deployment/overlays/3-namespaced-app-ns/shinyproxy/patches/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "mySecurePassword12" diff --git a/docs/deployment/overlays/4-namespaced-multi/patches/redis.secret.yaml b/docs/deployment/overlays/4-namespaced-multi/patches/redis.secret.yaml index 54d278e..3a26a0f 100644 --- a/docs/deployment/overlays/4-namespaced-multi/patches/redis.secret.yaml +++ b/docs/deployment/overlays/4-namespaced-multi/patches/redis.secret.yaml @@ -3,6 +3,6 @@ kind: Secret metadata: name: redis type: Opaque -data: +stringData: # IMPORTANT: replace this password! - redis-password: bXlTZWN1cmVQYXNzd29yZDEy + redis-password: "mySecurePassword12"