Setup Application Credentials
After you have deployed your applications, refer to this guide to set up default credentials for various applications.
The following command will generate a random password to use for setting up these default credentials:
LC_ALL=C </dev/urandom tr -dc 'A-Za-z0-9+/@.~' | head -c 48
Updating Administrative (Admin) Passwords
NeuVector: Resetting the Admin Password in a Kubernetes Environment
Before logging into NeuVector, you will be required to accept the End User Agreement. The default username for NeuVector is admin. The password is a randomly generated string held within the neuvector-init secret inside the neuvector namespace, under the userinitcfg.yaml.users.password field for the admin user. The default password can be changed by setting the password value for the admin user stored inside the neuvector-overrides secret within the structsure-system namespace. Doing it this way should automatically restart the pod for the change to take effect.
Example of the neuvector-overrides secret within the structsure-system namespace to change the admin password:
apiVersion: v1
stringData:
  values.yaml: |
    neuvector:
      values:
        controller:
          secret:
            enabled: true
            data:
              userinitcfg.yaml:
                users:
                - username: admin
                  password: <admin-password-that-fits-requirements>
                  role: admin
                  fullname: admin
kind: Secret
metadata:
  annotations:
    meta.helm.sh/release-name: structsure-enterprise
    meta.helm.sh/release-namespace: structsure-system
  name: neuvector-overrides
  namespace: structsure-system
type: Opaque
The credentials for the read-only metrics user used by the neuvector-prometheus-exporter-pod are held within the neuvector-prometheus-exporter-pod-secret secret. This password is also a randomly generated string. All of the users created on initialization can be found within the NeuVector controller pod at /etc/config/userinitcfg.yaml.
The default password requirement is a minimum length of 8 characters, with 1 uppercase letter, 1 lowercase letter, and 1 numeric character. These and other requirements can be changed by an admin in Settings -> Users under Authentication and Security Policies.
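The generator at the top of this guide draws from an alphabet that does not guarantee every character class, so a generated value can occasionally miss the NeuVector default policy above. The following is an added example, not part of the original guide: the function names meets_policy and gen_password are hypothetical, and the policy is assumed to be the default one quoted above, with each count read as a minimum.

```shell
#!/bin/sh
# Added example: pair the guide's random generator with a check against the
# default NeuVector password policy (assumed unchanged by an admin).

# meets_policy PASSWORD
# Returns 0 when PASSWORD has >= 8 characters and contains an uppercase
# letter, a lowercase letter and a digit; returns 1 otherwise.
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ] || return 1
    case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# gen_password [LENGTH]
# Prints a random password of LENGTH characters (default 48) drawn from the
# same alphabet as the guide's command, retrying until it passes the policy.
gen_password() {
    len=${1:-48}
    tries=0
    while [ "$tries" -lt 20 ]; do
        candidate=$(LC_ALL=C tr -dc 'A-Za-z0-9+/@.~' </dev/urandom | head -c "$len")
        if meets_policy "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not generate a compliant password of length $len" >&2
    return 1
}

# Stand-alone use: print one compliant 48-character password.
gen_password 48
```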
Grafana: Resetting the Admin Password in a Kubernetes Environment
In a Kubernetes-based Grafana deployment, the default username for Grafana is admin, and the default password is a randomly generated string stored inside the monitoring-grafana secret within the monitoring namespace. The default password should be changed by setting the adminPassword value stored inside the grafana-overrides secret within the structsure-system namespace. Doing it this way should automatically restart the pod for the change to take effect.
Example of the grafana-overrides secret within the structsure-system namespace to change the admin password:
apiVersion: v1
stringData:
  values.yaml: |
    grafana:
      values:
        adminUser: "admin"
        adminPassword: <your-admin-password>
kind: Secret
metadata:
  annotations:
    meta.helm.sh/release-name: structsure-enterprise
    meta.helm.sh/release-namespace: structsure-system
  name: grafana-overrides
  namespace: structsure-system
type: Opaque
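The password generator in this guide can emit values beginning with @, which YAML does not allow at the start of an unquoted scalar, and an all-digit value would be read as a number. The following added example (not part of the original guide; yaml_squote and render_grafana_overrides are hypothetical helper names) renders the manifest above with the password as a single-quoted YAML string; the same quoting applies to the password field in the neuvector-overrides manifest.

```shell
#!/bin/sh
# Added example: render the grafana-overrides Secret with the admin password
# emitted as a single-quoted YAML scalar. Assumes a single-line password.

# yaml_squote STRING
# Prints STRING wrapped in single quotes, doubling any embedded single quote
# (the only escape YAML single-quoted scalars need).
yaml_squote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# render_grafana_overrides PASSWORD
# Prints the Secret manifest on stdout; nothing is written to disk.
render_grafana_overrides() {
    quoted=$(yaml_squote "$1")
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: grafana-overrides
  namespace: structsure-system
  annotations:
    meta.helm.sh/release-name: structsure-enterprise
    meta.helm.sh/release-namespace: structsure-system
type: Opaque
stringData:
  values.yaml: |
    grafana:
      values:
        adminUser: "admin"
        adminPassword: $quoted
EOF
}

# Stand-alone run with a constructed sample value (not a real credential).
# Against a cluster: render_grafana_overrides "$PASSWORD" | kubectl apply -f -
render_grafana_overrides '@Constructed.Sample~Pw1'
```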
If restarting the pod isn't desirable, you can also follow the steps described below to change the password through the CLI.
1. Prepare the New Password
Before proceeding, prepare a new password to set for the Grafana admin user, and store it in an environment variable. Replace $NEW_GRAFANA_ADMIN_PASSWORD with your desired password.
export GRAFANA_ADMIN_PASSWORD=$NEW_GRAFANA_ADMIN_PASSWORD
2. Execute Password Reset Command
To reset the Grafana admin password, run the following command:
kubectl exec -n monitoring $(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name) -c grafana -- \
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password "$GRAFANA_ADMIN_PASSWORD"
This command performs the following actions:
-n monitoring: Specifies the namespace where Grafana is deployed.
$(kubectl get po -n monitoring -l app.kubernetes.io/name=grafana -o name): Dynamically fetches the name of the Grafana pod.
-c grafana: Specifies the Grafana container within the pod.
grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password "$GRAFANA_ADMIN_PASSWORD": Invokes the Grafana command-line interface (CLI) to reset the admin password.
Executing this command will overwrite the existing admin password. Ensure you store the new password in a secure location and only share it with authorized personnel.
GitLab: Managing Root User Password and Web Authentication
In a GitLab Kubernetes deployment, you may need to modify the root user password and toggle password authentication settings.
1. Enable Password Authentication (Optional)
Before setting the root password, you may have to enable password authentication. Run the following command to access the GitLab Rails console and enable this setting:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: true)
2. Reset Root User Password
Once password authentication is enabled, you can set or reset the root user password with the following command:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- gitlab-rake "gitlab:password:reset[root]"
3. Disable Password Authentication (Optional)
After setting the root password, you have the option to disable password authentication for web access. This can be completed either through the GitLab User Interface (UI) or by executing the following command:
kubectl exec -it $(kubectl get po -n gitlab -l app=toolbox -o name) -n gitlab -c toolbox -- /srv/gitlab/bin/rails console
Gitlab::CurrentSettings.update!(password_authentication_enabled_for_web: false)
Use caution when modifying the password and authentication settings in order to maintain the security of your GitLab instance. These commands give you direct access to GitLab's internal configurations.
Mattermost: Initial User and Admin Access
Upon your first login to Mattermost, you will be prompted to create the initial user account. This initial user is granted full admin privileges by default, allowing complete control over the Mattermost settings and configurations.
The user created during the first login is automatically designated as the original admin with comprehensive access to all admin functionalities.
Confluence: Default Credentials and Admin Access
When you first log into Confluence, the tool prompts you to create a default username and password while entering licensing information. Similar to Mattermost, the first user created is given full admin permissions.
The initial user account generated during the setup phase is automatically granted admin rights, providing complete control over Confluence's features and settings.
Jira: Default Credentials and Admin Access
Jira follows a similar pattern to Confluence in terms of initial setup. During the initial login process, you will be asked to create a default username and password while entering the licensing details. This user is automatically assigned admin roles.
Similar to Mattermost and Confluence, the initial user created in Jira becomes the original admin user and is provided full admin access to manage all aspects of the Jira environment.
By understanding the access levels of initial user accounts in these platforms, you can better manage your security policies and configurations.
Keycloak: Managing Default Credentials and Updating Admin Password
In a Kubernetes-based Keycloak deployment, the default username for Keycloak is admin, and the default password is a randomly generated string stored inside the keycloak-env secret within the keycloak namespace under the KEYCLOAK_ADMIN_PASSWORD environment variable. The recommended way to change the default password is through the admin console, using the initial admin credentials to log in. If you can't reach the admin console, you can change the admin password through the pod by following the directions below.
Since the password is kept within the Keycloak PV, simply changing the secret and restarting the pod will not change the admin password.
1. Retrieve Initial Credentials
The initial username and password for Keycloak are stored in a Kubernetes secret named keycloak-env. To retrieve the initial password, execute the following command:
kubectl get secret -n keycloak keycloak-env -o template='{{ .data.KEYCLOAK_ADMIN_PASSWORD | base64decode }}'
The default username and password are only applicable for the initial setup. If you modify the password post-creation, the keycloak-env secret will not be updated automatically.
2. Update Admin Password Using Shell Script
The admin password can be updated directly within the Keycloak pod, using the kcadm.sh shell script. The following steps outline the process:
a. Authenticate Admin User:
Run this command to authenticate and configure the admin credentials:
kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/keycloak/bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
You will be prompted to enter the current admin password.
b. Update Admin Password:
To change the admin password, execute the following command:
kubectl exec --tty --stdin keycloak-0 -n keycloak -- /opt/keycloak/bin/kcadm.sh set-password --username admin -p <new_admin_password>
Both of these commands automatically pick up Java Tool Options and Memory Percentage for optimized resource management within the container.
Twistlock - Prisma Cloud Compute: Password Management
Securely managing passwords is crucial when using Prisma Cloud Compute (previously known as Twistlock). This guide outlines the steps to update the admin password for the Twistlock Console: generate a secure hash, then update the database.
1. Generate Secure Password Hash
To create an SHA-256 hash of your desired password, execute the following command:
printf '%s' '{{ some_password }}' | openssl dgst -binary -sha256 | openssl base64
2. Access the Twistlock Console Pod
Navigate to the Twistlock namespace and access the Twistlock Console pod:
kubectl exec -it -n twistlock $(sudo /var/lib/rancher/rke2/bin/kubectl --kubeconfig=/etc/rancher/rke2/rke2.yaml get pods -n twistlock -l name=twistlock-console | tail -1 | awk '{print $1}') -- sh
3. Update Password in MongoDB
After gaining shell access to the Twistlock Console pod, perform the following steps:
a. Start MongoDB CLI:
mongo
b. Switch to the Twistlock Database:
use twistlock
c. Update the Admin Password:
db.users.update({username: "admin"}, {$set: {password: "{{ some_password_hash }}"}})
d. Exit MongoDB CLI:
exit
This updates the admin user's password with the securely hashed password. Make sure to replace {{ some_password }} and {{ some_password_hash }} with your desired password and its corresponding hash, respectively.
Kibana
The AWS CLI can be used to reset the Elasticsearch master password using the following syntax:
aws es update-elasticsearch-domain-config --domain-name <domain-name> --advanced-security-options MasterUserOptions={MasterUserPassword=string}
For more information on the MasterUserOptions parameter, see the official AWS docs.
SonarQube
The default username for SonarQube is admin and the password is a randomly generated string stored inside the sonarqube-sonarqube-admin-password secret within the sonarqube namespace.
SonarQube: Retrieving and Modifying Database Credentials
For managing SonarQube's database credentials, it is important to know where and how to retrieve them, especially when hosted within Kubernetes.
1. Retrieve Database Credentials
To obtain the database name, username, and hostname stored in the gitlab-sonarqube-values secret, execute the following commands:
a. Retrieve Database Admin Username:
kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlUsername | awk '{print $2}'
b. Retrieve PostgreSQL Hostname:
kubectl get secrets -n bigbang bigbang-sonarqube-values -ojsonpath="{.data.defaults}" | base64 -d | grep -i postgresqlServer | awk '{print $2}'
2. Access the Database Password
For the database password, refer to the postgres.enc.yaml file. Replace environment in the path below with the actual environment name, e.g., structsure-dev2.
sops -d infra-iac/envs/environment/postgres.enc.yaml | grep -i SonarQube: -A 3 | grep -i data
3. Connect to the Database
To access the SonarQube database, initiate a connection from the gitlab-task-runner pod, which has the psql utility installed:
a. Get a Shell inside the Pod:
kubectl exec -it $(kubectl get pods -n gitlab | grep gitlab-task-runner | awk '{print $1}' | head -n1) -n gitlab -c task-runner -- /bin/sh
b. Access the Database with psql:
Replace USER and HOSTNAME with values retrieved from the secrets above. Enter the password when prompted:
psql -U USER -h HOSTNAME
c. Reset the Password to Default:
Following the guidelines in the SonarQube documentation, reset the password back to the default (i.e., "admin") with the following command:
update users set crypted_password = '<password>', salt=null, hash_method='BCRYPT' where login = 'admin';
Argo CD: Retrieving Default Username and Password
The initial username and password for Argo CD are securely stored in a Kubernetes secret named argocd-initial-admin-secret. You can retrieve these credentials using the kubectl command-line tool with the following command.
Command to Retrieve Initial Password
Execute the following command to retrieve the initial password:
kubectl get secret -n argocd argocd-initial-admin-secret -o json | jq -r .data.password | base64 -d
The default username and password are applicable only during the initial setup. If you update the password after the initial provisioning, the argocd-initial-admin-secret will not reflect the changes. In such cases, you can view the secrets.enc.yaml file for the updated password.