Skip to main content
Version: 5.13.0

Setup Application Credentials

After you have deployed your applications, refer to this guide to set up default credentials for various applications.

tip

The following command will generate a random password to use for setting up these default credentials:

LC_ALL=C </dev/urandom tr -dc 'A-Za-z0-9+/@.~' | head -c 48

Updating Administrative (Admin) Passwords

Grafana: Resetting the Admin Password in a Kubernetes Environment

In a Kubernetes-based Grafana deployment, within the monitoring namespace, you may need to reset the admin password.

1. Prepare the New Password

Before proceeding, prepare a new password to set for the Grafana admin user, and store it in an environment variable. Replace $NEW_GRAFANA_ADMIN_PASSWORD with your desired password.

export GRAFANA_ADMIN_PASSWORD=$NEW_GRAFANA_ADMIN_PASSWORD

2. Execute Password Reset Command

To reset the Grafana admin password, run the following command:

kubectl exec -n monitoring $(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name) -c grafana -- \
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password $GRAFANA_ADMIN_PASSWORD

This command performs the following actions:

  • -n monitoring: Specifies the namespace where Grafana is deployed.
  • $(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name): Dynamically fetches the name of the Grafana pod.
  • -c grafana: Specifies the Grafana container within the pod.
  • grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password $GRAFANA_ADMIN_PASSWORD: Invokes the Grafana command-line interface (CLI) to reset the admin password.
caution

Executing this command will overwrite the existing admin password. Ensure you store the new password in a secure location and only share it with authorized personnel.

GitLab: Managing Root User Password and Web Authentication

In a GitLab Kubernetes deployment, you may need to modify the root user password and toggle password authentication settings.

1. Enable Password Authentication (Optional)

Before setting the root password, you may have to enable password authentication. Run the following command to access the GitLab Rails console and enable this setting:

kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)

2. Reset Root User Password

Once password authentication is enabled, you can set or reset the root user password with the following command:

kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- gitlab-rake "gitlab:password:reset[root]"

3. Disable Password Authentication (Optional)

After setting the root password, you have the option to disable password authentication for web access. This can be completed either through the GitLab User Interface (UI) or by executing the following command:

kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: false)
caution

Use caution when modifying the password and authentication settings in order to maintain the security of your GitLab instance. These commands give you direct access to GitLab's internal configurations.

Mattermost: Initial User and Admin Access

Upon your first login to Mattermost, you will be prompted to create the initial user account. This initial user is granted full admin privileges by default, allowing complete control over the Mattermost settings and configurations.

caution

The user created during the first login is automatically designated as the original admin with comprehensive access to all admin functionalities.

Confluence: Default Credentials and Admin Access

When you first log into Confluence, the tool prompts you to create a default username and password while entering licensing information. Similar to Mattermost, the first user created is given full admin permissions.

caution

The initial user account generated during the setup phase is automatically granted admin rights, providing complete control over Confluence's features and settings.

Jira: Default Credentials and Admin Access

Jira follows a similar pattern to Confluence in terms of initial setup. During the initial login process, you will be asked to create a default username and password while entering the licensing details. This user is automatically assigned admin roles.

caution

Similar to Mattermost and Confluence, the initial user created in Jira becomes the original admin user and is provided full admin access to manage all aspects of the Jira environment.

By understanding the access levels of initial user accounts in these platforms, you can better manage your security policies and configurations.

Keycloak: Managing Default Credentials and Updating Admin Password

In a Keycloak deployment, it is essential to manage default credentials and update the admin password, when necessary.

1. Retrieve Initial Credentials

The initial username and password for Keycloak are stored in a Kubernetes secret, named keycloak-credentials. To retrieve the initial password, execute the following command:

kubectl get secret -n keycloak keycloak-credentials -o json | jq -r .data.password | base64 -d
note

The default username and password are only applicable for the initial setup. If you modify the password post-creation, the keycloak-credentials secret will not be updated automatically. For the updated password, check the secrets.enc.yaml file.

2. Update Admin Password Using Shell Script

The admin password can be updated directly within the Keycloak pod, using the kcadm.sh shell script. The following steps outline the process:

a. Authenticate Admin User:

Run this command to authenticate and configure the admin credentials:

kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin

You will be prompted to enter the current admin password.

b. Update Admin Password:

To change the admin password, execute the following command:

kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/jboss/keycloak/bin/kcadm.sh set-password --username admin -p <new_admin_password>

Both of these commands automatically pick up Java Tool Options and Memory Percentage for optimized resource management within the container.

Twistlock - Prisma Cloud Compute: Password Management

Securely managing passwords is crucial when using Prisma Cloud Compute (previously known as Twistlock). This guide outlines the steps to update the admin password for the Twistlock Console, generating a secure hash, and updating the database.

1. Generate Secure Password Hash

To create an SHA-256 hash of your desired password, execute the following command:

echo -n "{{ some_password }}" | openssl dgst -binary -sha256 | openssl base64

2. Access the Twistlock Console Pod

Navigate to the Twistlock namespace and access the Twistlock Console pod:

kubectl exec -it -n twistlock $(sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get pods -n twistlock -l name=twistlock-console | tail -1 | awk '{print $1}') -- sh

3. Update Password in MongoDB

After gaining shell access to the Twistlock Console pod, perform the following steps:

a. Start MongoDB CLI:

mongo

b. Switch to the Twistlock Database:

use twistlock

c. Update the Admin Password:

db.users.update({username: "admin"}, {$set: {password: "{{ some_password_hash }}"}})

d. Exit MongoDB CLI:

exit

This updates the admin user's password with the securely hashed password. Make sure to replace {{ some_password }} and {{ some_password_hash }} with your desired password and its corresponding hash, respectively.

Kibana

The AWS CLI can be used to reset the Elasticsearch master password using the following syntax:

aws es update-elasticsearch-domain-config --advanced-security-options MasterUserOptions={MasterUserPassword=string}
tip

For more information on the MasterUserOptions parameter, see the official AWS docs.

SonarQube: Retrieving and Modifying Database Credentials

For managing SonarQube's database credentials, it is important to know where and how to retrieve them, especially when hosted within Kubernetes.

1. Retrieve Database Credentials

To obtain the database name, username, and hostname stored in the gitlab-sonarqube-values secret, execute the following commands:

a. Retrieve Database Admin Username:

kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlUsername | awk '{print $2}'

b. Retrieve PostgreSQL Hostname:

kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlServer | awk '{print $2}'

2. Access the Database Password

For the database password, refer to the postgres.enc.yaml file:

note

Replace environment with the actual environment name, e.g., structsure-dev2, for the environment.

sops -d infra-iac/envs/environment/postgres.enc.yaml | grep -i SonarQube: -A 3 | grep -i data

3. Connect to the Database

To access the SonarQube database, initiate a connection from the gitlab-task-runner pod, which has the psql utility installed:

a. Get a Shell inside the Pod:

kubectl exec -it $(kubectl get pods -n gitlab | grep gitlab-task-runner | awk '{print $1}' | head -n1) -n gitlab -c task-runner -- /bin/sh

b. Access the Database with psql:

Replace USER and HOSTNAME with values retrieved from the secrets above. Enter the password when prompted:

psql -U USER -h HOSTNAME

c. Reset the Password to Default:

Following the guidelines in the SonarQube documentation, reset the password back to the default (i.e., "admin") with the following command:

update users set crypted_password = '<password>', salt=null, hash_method='BCRYPT' where login = 'admin'

Argo CD: Retrieving Default Username and Password

The initial username and password for Argo CD are securely stored in a Kubernetes secret, named argocd-initial-admin-secret. You can retrieve these credentials using the kubectl command-line tool with the following command.

Command to Retrieve Initial Password

Execute the following command to retrieve the initial password:

kubectl get secret -n argocd argocd-initial-admin-secret -o json | jq -r .data.password | base64 -d
info

The default username and password are applicable only during the initial setup. If you update the password after the initial provisioning, the argocd-initial-admin-secret will not reflect the changes. In such cases, you can view the secrets.enc.yaml file for the updated password.