Setup Application Credentials
After you have deployed your applications, refer to this guide to set up default credentials for various applications.
The following command will generate a random password to use for setting up these default credentials:
LC_ALL=C </dev/urandom tr -dc 'A-Za-z0-9+/@.~' | head -c 48
Updating Administrative (Admin) Passwords
Grafana: Resetting the Admin Password in a Kubernetes Environment
In a Kubernetes-based Grafana deployment, within the monitoring namespace, you may need to reset the admin password.
1. Prepare the New Password
Before proceeding, prepare a new password to set for the Grafana admin user, and store it in an environment variable. Replace $NEW_GRAFANA_ADMIN_PASSWORD with your desired password.
export GRAFANA_ADMIN_PASSWORD=$NEW_GRAFANA_ADMIN_PASSWORD
2. Execute Password Reset Command
To reset the Grafana admin password, run the following command:
kubectl exec -n monitoring $(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name) -c grafana -- \
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password "$GRAFANA_ADMIN_PASSWORD"
This command performs the following actions:
-n monitoring: Specifies the namespace where Grafana is deployed.
$(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name): Dynamically fetches the name of the Grafana pod.
-c grafana: Specifies the Grafana container within the pod.
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password "$GRAFANA_ADMIN_PASSWORD": Invokes the Grafana command-line interface (CLI) to reset the admin password.
Executing this command will overwrite the existing admin password. Ensure you store the new password in a secure location and only share it with authorized personnel.
GitLab: Managing Root User Password and Web Authentication
In a GitLab Kubernetes deployment, you may need to modify the root user password and toggle password authentication settings.
1. Enable Password Authentication (Optional)
Before setting the root password, you may have to enable password authentication. Run the following command to access the GitLab Rails console and enable this setting:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
2. Reset Root User Password
Once password authentication is enabled, you can set or reset the root user password with the following command:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- gitlab-rake "gitlab:password:reset[root]"
3. Disable Password Authentication (Optional)
After setting the root password, you have the option to disable password authentication for web access. This can be completed either through the GitLab User Interface (UI) or by executing the following command:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: false)
Use caution when modifying the password and authentication settings in order to maintain the security of your GitLab instance. These commands give you direct access to GitLab's internal configurations.
Mattermost: Initial User and Admin Access
Upon your first login to Mattermost, you will be prompted to create the initial user account. This initial user is granted full admin privileges by default, allowing complete control over the Mattermost settings and configurations.
The user created during the first login is automatically designated as the original admin with comprehensive access to all admin functionalities.
Confluence: Default Credentials and Admin Access
When you first log into Confluence, the tool prompts you to create a default username and password while entering licensing information. Similar to Mattermost, the first user created is given full admin permissions.
The initial user account generated during the setup phase is automatically granted admin rights, providing complete control over Confluence's features and settings.
Jira: Default Credentials and Admin Access
Jira follows a similar pattern to Confluence in terms of initial setup. During the initial login process, you will be asked to create a default username and password while entering the licensing details. This user is automatically assigned admin roles.
Similar to Mattermost and Confluence, the initial user created in Jira becomes the original admin user and is provided full admin access to manage all aspects of the Jira environment.
By understanding the access levels of initial user accounts in these platforms, you can better manage your security policies and configurations.
Keycloak: Managing Default Credentials and Updating Admin Password
In a Keycloak deployment, it is essential to manage default credentials and update the admin password, when necessary.
1. Retrieve Initial Credentials
The initial username and password for Keycloak are stored in a Kubernetes secret, named keycloak-credentials. To retrieve the initial password, execute the following command:
kubectl get secret -n keycloak keycloak-credentials -o json | jq -r .data.password | base64 -d
The default username and password are only applicable for the initial setup. If you modify the password post-creation, the keycloak-credentials secret will not be updated automatically. For the updated password, check the secrets.enc.yaml file.
2. Update Admin Password Using Shell Script
The admin password can be updated directly within the Keycloak pod, using the kcadm.sh shell script. The following steps outline the process:
a. Authenticate Admin User:
Run this command to authenticate and configure the admin credentials:
kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/jboss/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
You will be prompted to enter the current admin password.
b. Update Admin Password:
To change the admin password, execute the following command:
kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/jboss/keycloak/bin/kcadm.sh set-password --username admin -p <new_admin_password>
Both of these commands automatically pick up Java Tool Options and Memory Percentage for optimized resource management within the container.
Twistlock - Prisma Cloud Compute: Password Management
Securely managing passwords is crucial when using Prisma Cloud Compute (previously known as Twistlock). This section outlines the steps to update the admin password for the Twistlock Console: generating a secure hash and updating the database.
1. Generate Secure Password Hash
To create an SHA-256 hash of your desired password, execute the following command:
echo -n "{{ some_password }}" | openssl dgst -binary -sha256 | openssl base64
2. Access the Twistlock Console Pod
Navigate to the Twistlock namespace and access the Twistlock Console pod:
kubectl exec -it -n twistlock $(sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get pods -n twistlock -l name=twistlock-console | tail -1 | awk '{print $1}') -- sh
3. Update Password in MongoDB
After gaining shell access to the Twistlock Console pod, perform the following steps:
a. Start MongoDB CLI:
mongo
b. Switch to the Twistlock Database:
use twistlock
c. Update the Admin Password:
db.users.update({username: "admin"}, {$set: {password: "{{ some_password_hash }}"}})
d. Exit MongoDB CLI:
exit
This updates the admin user's password with the securely hashed password. Make sure to replace {{ some_password }} and {{ some_password_hash }} with your desired password and its corresponding hash, respectively.
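The hash generation (step 1) and update statement (step 3c) above, wrapped as shell functions together with the password generator from the top of this guide. This is an added example, not part of the original guide or of Prisma Cloud's tooling; the function names are hypothetical and the sample password is constructed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of Prisma Cloud tooling.

# Generate a 48-character password with the generator command from this guide.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9+/@.~' </dev/urandom | head -c 48
}

# Step 1: base64-encoded SHA-256 digest of the password.
# printf '%s' emits exactly the password bytes (no trailing newline), and
# unlike "echo -n" behaves the same in every POSIX shell.
password_hash() {
  printf '%s' "$1" | openssl dgst -binary -sha256 | openssl base64
}

# A SHA-256 digest is 32 bytes, so its base64 form is 44 characters ending
# in "=". Reject anything else before it is pasted into the mongo shell.
is_valid_hash() {
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
    *=) [ "${#1}" -eq 44 ] ;;
    *) return 1 ;;
  esac
}

# Step 3c: build the update statement for a validated hash.
mongo_update_stmt() {
  if ! is_valid_hash "$1"; then
    echo "refusing to build statement: not a base64 SHA-256 digest" >&2
    return 1
  fi
  printf 'db.users.update({username: "admin"}, {$set: {password: "%s"}})\n' "$1"
}

# Demonstration with a constructed sample password (not a real credential).
sample_hash=$(password_hash 'Constructed.Sample~1')
mongo_update_stmt "$sample_hash"
```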
Kibana
The AWS CLI can be used to reset the Elasticsearch master password using the following syntax:
aws es update-elasticsearch-domain-config --domain-name <domain_name> --advanced-security-options MasterUserOptions={MasterUserPassword=string}
For more information on the MasterUserOptions parameter, see the official AWS docs.
SonarQube: Retrieving and Modifying Database Credentials
For managing SonarQube's database credentials, it is important to know where and how to retrieve them, especially when hosted within Kubernetes.
1. Retrieve Database Credentials
To obtain the database name, username, and hostname stored in the gitlab-sonarqube-values secret, execute the following commands:
a. Retrieve Database Admin Username:
kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlUsername | awk '{print $2}'
b. Retrieve PostgreSQL Hostname:
kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlServer | awk '{print $2}'
2. Access the Database Password
For the database password, refer to the postgres.enc.yaml file. Replace environment with the actual environment name (e.g., structsure-dev2):
sops -d infra-iac/envs/environment/postgres.enc.yaml | grep -i SonarQube: -A 3 | grep -i data
3. Connect to the Database
To access the SonarQube database, initiate a connection from the gitlab-task-runner pod, which has the psql utility installed:
a. Get a Shell inside the Pod:
kubectl exec -it $(kubectl get pods -n gitlab | grep gitlab-task-runner | awk '{print $1}' | head -n1) -n gitlab -c task-runner -- /bin/sh
b. Access the Database with psql:
Replace USER and HOSTNAME with values retrieved from the secrets above. Enter the password when prompted:
psql -U USER -h HOSTNAME
c. Reset the Password to Default:
Following the guidelines in the SonarQube documentation, reset the password back to the default (i.e., "admin") with the following command:
update users set crypted_password = '<password>', salt=null, hash_method='BCRYPT' where login = 'admin';
Argo CD: Retrieving Default Username and Password
The initial username and password for Argo CD are securely stored in a Kubernetes secret, named argocd-initial-admin-secret. You can retrieve these credentials using the kubectl command-line tool with the following command.
Command to Retrieve Initial Password
Execute the following command to retrieve the initial password:
kubectl get secret -n argocd argocd-initial-admin-secret -o json | jq -r .data.password | base64 -d
The default username and password are applicable only during the initial setup. If you update the password after the initial provisioning, the argocd-initial-admin-secret will not reflect the changes. In such cases, you can view the secrets.enc.yaml file for the updated password.