add REDB password steps

Author: kaitlynmichael

content/operate/_index.md

@@ -45,7 +45,7 @@ hideListLinks: true
 | | <nobr>{{<color-bubble color="bg-blue-bubble" >}} Redis</nobr> Cloud | <nobr>{{<color-bubble color="bg-yellow-bubble">}} Redis</nobr> Software | <nobr>{{<color-bubble color="bg-purple-bubble">}} Redis</nobr> Open Source | <nobr><div class="h-3 w-3 rounded-md border border-redis-pen-600 inline-block mr-1" style="background-color: #8A99A0"></div> Redis for</nobr> Kubernetes |
 |:-----------|:--------------|:-----------|:--------------|:--------------|
 | Transport Layer Security (TLS) | [TLS]({{<relref "/operate/rc/security/database-security/tls-ssl">}}) | [TLS]({{<relref "/operate/rs/security/encryption/tls">}}) | [TLS]({{< relref "/operate/oss_and_stack/management/security/encryption" >}}) | [REDB tlsMode]({{<relref "/operate/kubernetes/reference/api/redis_enterprise_database_api/#spec">}}) |
-| Role-based access control (RBAC) | [Role-based access control]({{<relref "/operate/rc/security/access-control/data-access-control/role-based-access-control">}}) | [Access control]({{<relref "/operate/rs/security/access-control">}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{<relref "/operate/kubernetes/security/manage-rec-credentials/">}}) |
+| Role-based access control (RBAC) | [Role-based access control]({{<relref "/operate/rc/security/access-control/data-access-control/role-based-access-control">}}) | [Access control]({{<relref "/operate/rs/security/access-control">}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{<relref "/operate/kubernetes/security/manage-credentials/">}}) |
 | Lightweight Directory Access Protocol (LDAP) |  | [LDAP authentication]({{<relref "/operate/rs/security/access-control/ldap">}}) |  | [Enable LDAP]({{<relref "/operate/kubernetes/security/ldap/">}}) |
 | Single sign-on (SSO) | [SAML SSO]({{< relref "/operate/rc/security/access-control/saml-sso" >}}) |  |  |  |
 | Self-signed certificates |  | [Certificates]({{<relref "/operate/rs/security/certificates">}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{<relref "operate/kubernetes/security/manage-rec-certificates/">}}) |

content/operate/kubernetes/_index.md

@@ -67,7 +67,7 @@ Set up globally distributed [Active-Active databases]({{< relref "/operate/kuber
 
 Manage [secure connections]({{< relref "/operate/kubernetes/security" >}}) and access control for your Redis Enterprise deployment.
 
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}})
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}})
 - [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}})
 - [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}})
 - [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}})

content/operate/kubernetes/active-active/create-aa-crdb-cli.md

@@ -69,7 +69,7 @@ You'll need to create DNS aliases to resolve your API hostname `<api-hostname>`,
   - Description: Combined with database name to create the Active-Active database hostname
   - Format: string
   - Example value: `-cluster.ijk.example.com`
-- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) `<username> <password>`:
+- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) `<username> <password>`:
   - Description: Admin username and password for the REC stored in a secret
   - Format: string
   - Example value: username: `user@example.com`, password: `something`

content/operate/kubernetes/architecture/_index.md

@@ -90,7 +90,7 @@ Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concep
 
 Redis Enterprise for Kubernetes uses the [RedisEnterpriseCluster (REC)]({{<relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api">}}) [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to create a Redis Enterprise cluster. During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the name of the cluster.
 
-See [Manage REC credentials]({{<relref "/operate/kubernetes/security/manage-rec-credentials">}}) for more details.
+See [Manage credentials]({{<relref "/operate/kubernetes/security/manage-credentials">}}) for more details.
 
 ### REC certificates
 

content/operate/kubernetes/networking/database-connectivity.md

@@ -212,6 +212,10 @@ spec:
               key: password
 ```
 
+### Rotate the database password
+
+To rotate a database password, update the `password` key in the database secret. See [Change the REDB password]({{< relref "/operate/kubernetes/security/manage-credentials#change-the-redb-password" >}}).
+
 ### Default user configuration
 
 By default, databases create a default user with full access. You can disable this behavior:

content/operate/kubernetes/re-databases/_index.md

@@ -38,6 +38,7 @@ Explore advanced database features and configurations:
 Connect applications to your Redis Enterprise databases:
 
 - [Database connectivity]({{< relref "/operate/kubernetes/networking/database-connectivity" >}}) - Comprehensive guide to in-cluster and external database access, service discovery, and credentials management.
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) - Retrieve and rotate REC admin credentials and REDB database passwords.
 - [Networking]({{< relref "/operate/kubernetes/networking" >}}) - Configure ingress, routes, and service exposure for database access
 - [Security]({{< relref "/operate/kubernetes/security" >}}) - Set up TLS, authentication, and access control for secure database connections
 

content/operate/kubernetes/security/_index.md

@@ -17,7 +17,7 @@ Configure security settings for your Redis Enterprise deployment on Kubernetes.
 
 Manage cluster credentials and authentication settings:
 
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) - Configure and manage Redis Enterprise cluster credentials
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}) - Retrieve and rotate REC admin credentials and REDB database passwords
 - [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management
 - [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) - Integrate with LDAP for centralized authentication
 - [SSO authentication]({{< relref "/operate/kubernetes/security/sso" >}}) - Enable SAML-based single sign-on for Cluster Manager UI access

content/operate/kubernetes/security/configuration-secrets.md

@@ -70,7 +70,7 @@ You can customize the credential secret name during cluster creation using the `
 The `clusterCredentialSecretName` field cannot be changed after cluster creation.
 {{</note>}}
 
-For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/manage-rec-credentials#customize-the-credential-secret-name" >}}).
+For detailed instructions, see [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}}).
 
 ## TLS certificate configuration
 
@@ -150,7 +150,7 @@ Field names vary by deployment.
 
 ## See also
 
-- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}})
+- [Manage credentials]({{< relref "/operate/kubernetes/security/manage-credentials" >}})
 - [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}})
 - [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}})
 - [Redis Enterprise Cluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}})

content/operate/kubernetes/security/manage-credentials.md

@@ -0,0 +1,205 @@
+---
+Title: Manage Redis Enterprise credentials
+aliases: [/operate/kubernetes/security/manage-rec-credentials/]
+alwaysopen: false
+categories:
+- docs
+- operate
+- kubernetes
+description: Retrieve and rotate Redis Enterprise cluster (REC) admin credentials and Redis Enterprise database (REDB) passwords on Kubernetes.
+linkTitle: Manage credentials
+weight: 93
+---
+
+Redis Enterprise for Kubernetes stores both cluster admin credentials and database passwords in Kubernetes [secrets](https://kubernetes.io/docs/concepts/configuration/secret/). The operator reconciles changes to these secrets and applies them to the cluster, so you rotate credentials by updating the secret rather than calling the cluster API directly.
+
+{{<note>}}
+The procedures on this page are supported for operator versions 6.0.20-12 and later.
+{{</note>}}
+
+## Redis Enterprise cluster (REC) credentials
+
+The [`RedisEnterpriseCluster`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) custom resource generates random admin credentials during cluster creation. The credentials are stored in a Kubernetes secret named by the `clusterCredentialSecretName` field (defaults to the cluster name).
+
+### Retrieve the REC username and password
+
+REC credentials authenticate to the Redis Enterprise admin console or REST API. You need cluster connectivity through a service or port forwarding.
+
+1. Read the secret created by the operator:
+
+    ```sh
+    kubectl get secret rec -o jsonpath='{.data}'
+    ```
+
+    The command outputs the base64-encoded password and username:
+
+    ```sh
+    map[password:MTIzNDU2NzgK username:ZGVtb0BleGFtcGxlLmNvbQo=]
+    ```
+
+1. Decode each value:
+
+    ```sh
+    echo MTIzNDU2NzgK | base64 --decode
+    ```
+
+    In this example, the plain text password is `12345678` and the username is `demo@example.com`.
+
+### Change the REC password for the current username
+
+1. Open a shell in a Redis Enterprise [pod](https://kubernetes.io/docs/concepts/workloads/pods/):
+
+    ```sh
+    kubectl exec -it <rec-resource-name>-0 -c redis-enterprise-node -- /bin/bash
+    ```
+
+2. Add a new password for the existing user:
+
+    ```bash
+    REC_USER="`cat /opt/redislabs/credentials/username`" \
+    REC_PASSWORD="`cat /opt/redislabs/credentials/password`" \
+    curl -k --request POST \
+      --url https://localhost:9443/v1/users/password \
+      -u "$REC_USER:$REC_PASSWORD" \
+      --header 'Content-Type: application/json' \
+      --data "{\"username\":\"$REC_USER\", \
+      \"old_password\":\"$REC_PASSWORD\", \
+      \"new_password\":\"<NEW PASSWORD>\"}"
+    ```
+
+3. From outside the pod, update the REC credential secret:
+
+    ```sh
+    kubectl create secret generic <cluster_secret_name> \
+      --save-config \
+      --dry-run=client \
+      --from-literal=username=<current-username> \
+      --from-literal=password=<new-password> \
+      -o yaml | \
+    kubectl apply -f -
+    ```
+
+4. Wait five minutes for all components to read the new password. Proceeding too soon can lock the account.
+
+5. Open a shell in the pod again:
+
+    ```sh
+    kubectl exec -it <rec-resource-name>-0 -c redis-enterprise-node -- /bin/bash
+    ```
+
+6. Remove the previous password so only the new one applies:
+
+    ```sh
+    REC_USER="`cat /opt/redislabs/credentials/username`"; \
+    REC_PASSWORD="`cat /opt/redislabs/credentials/password`"; \
+    curl -k --request DELETE \
+      --url https://localhost:9443/v1/users/password \
+      -u "$REC_USER:$REC_PASSWORD" \
+      --header 'Content-Type: application/json' \
+      --data "{\"username\":\"$REC_USER\", \
+      \"old_password\":\"<OLD PASSWORD\"}"
+    ```
+
+{{<note>}}
+The username in the K8s secret is the email displayed in the Redis Enterprise admin console.
+{{</note>}}
+
+### Change both the REC username and password
+
+1. [Connect to the admin console]({{< relref "/operate/kubernetes/re-clusters/connect-to-admin-console.md" >}}).
+
+2. [Add another admin user]({{< relref "/operate/rs/security/access-control/create-users" >}}) and choose a new password.
+
+3. Set the new username in the `username` field of your REC custom resource spec.
+
+4. Update the REC credential secret:
+
+    ```sh
+    kubectl create secret generic <cluster_secret_name> \
+      --save-config \
+      --dry-run=client \
+      --from-literal=username=<new-username> \
+      --from-literal=password=<new-password> \
+      -o yaml | \
+    kubectl apply -f -
+    ```
+
+5. Wait five minutes for all components to read the new password. Proceeding too soon can lock the account.
+
+6. Delete the previous admin user from the cluster.
+
+{{<note>}}
+The operator may log errors between updating the username in the REC spec and updating the secret.
+{{</note>}}
+
+### Update the REC credentials secret in Vault
+
+If you store secrets in HashiCorp Vault, update the REC credential secret with these key-value pairs:
+
+```sh
+username:<desired_username>, password:<desired_password>
+```
+
+For more details, see [Integrate Redis Enterprise for Kubernetes with HashiCorp Vault](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/vault/README.md).
+
+## Redis Enterprise database (REDB) password
+
+Each [`RedisEnterpriseDatabase`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}) resource has a password stored under the `password` key of the secret named by `spec.databaseSecretName`. If you don't set `databaseSecretName`, the operator creates a secret named `redb-<database-name>` with a random password and updates the REDB spec to reference it.
+
+The operator reads the `password` key on every reconciliation and applies it to the database, so you rotate the password by updating the secret.
+
+### Retrieve the REDB password
+
+1. Find the secret name for the database:
+
+    ```sh
+    kubectl get redb <database-name> -o jsonpath="{.spec.databaseSecretName}"
+    ```
+
+2. Decode the password:
+
+    ```sh
+    kubectl get secret <secret-name> -o jsonpath="{.data.password}" | base64 --decode
+    ```
+
+### Change the REDB password
+
+{{<note>}}
+If the REDB spec sets `defaultUser: false`, the operator does not create or update the database secret. Rotating the secret has no effect in that mode — manage credentials through [Redis ACLs]({{< relref "/operate/rs/security/access-control/create-roles" >}}) instead.
+{{</note>}}
+
+1. Base64-encode the new password. Use `echo -n` to avoid encoding a trailing newline:
+
+    ```sh
+    echo -n '<new-password>' | base64
+    ```
+
+2. Patch the secret with the encoded value:
+
+    ```sh
+    kubectl patch secret <secret-name> -p='{"data":{"password":"<base64-encoded-password>"}}'
+    ```
+
+    To edit the secret interactively, use `kubectl edit secret <secret-name>` and replace the `password` value.
+
+3. Verify that the operator applied the change. The REDB status moves to `active-change-pending` while the update is in flight and returns to `active` when complete:
+
+    ```sh
+    kubectl get redb <database-name> -o jsonpath='{.status.status}'
+    ```
+
+    Then test the new password with a Redis client:
+
+    ```sh
+    redis-cli -h <service-name> -p <port> -a '<new-password>' PING
+    ```
+
+To disable authentication for the default user, set the `password` value to an empty string.
+
+#### Impact on existing client connections
+
+Existing client connections authenticated with the old password remain open — Redis Enterprise does not drop sessions when the password changes. New connections, and any `AUTH` commands issued on existing connections, must use the new password. Coordinate the secret update with your client configuration to avoid authentication errors.
+
+{{<note>}}
+For Active-Active databases, the database secret is not created automatically. See [Create a global database secret]({{< relref "/operate/kubernetes/active-active/global-db-secret" >}}).
+{{</note>}}