...
Info: Applicable to on-premise deployments
Purpose of this article
This article documents each backend component that requires an admin or integration user, and how to update or change that user's password. Please follow the steps in order when updating or changing a password.
Info: You are expected to have direct access to the Kubernetes or OpenShift pods and the ability to delete/create pods and deployments in order to carry this out.
...
This is also considered a DISRUPTIVE change and will cause an outage on certain components during the update process.
1. Keycloak
1.1. Updating Postgres Password
...
Before updating the Postgres password at the secret level, you will need to first update the instance password.
...
Before undertaking this change, ensure that no one is using the platform; if anyone is, notify them of the disruption. Changing the instance password has a cascading effect: the following components will cease to function and go into a CrashLoop:
cerebrum-api-server
cerebrum-batch
cerebrum-scheduler
cerebrum-worker
keycloak
This may also cause the following to go into a pending state due to health checks:
keycloak-internal-gateway
1.1.1. Changing the Password on the Existing Instance
Log into your Postgres pod and open the psql command line:
```
### Native Kubernetes
kubectl exec -it <keycloak postgres pod> -- /bin/bash
psql -U postgres -d postgres
# OR
### OpenShift
oc rsh <keycloak postgres pod> bash
psql -U postgres -d postgres
```
...
It will prompt you for the new password. Once this is complete, proceed to the next section to validate the change.
1.1.2. Updating Deployment Specifications and Re-Deploy
Update the POSTGRES_PASSWORD variable in the Postgres secrets YAML (keycloak-credentials.yaml) to the new password.
Apply the secrets change using:
```
### Native Kubernetes
kubectl apply -f keycloak/k8s/keycloak-credentials.yaml
# OR
### OpenShift
oc apply -f keycloak/k8s/keycloak-credentials.yaml
```
Validate that the secret was updated using:
```
### Native Kubernetes
kubectl get secrets
# OR
### OpenShift
oc get secrets
```
Once the change has been applied, you will need to restart all pods that depend on this secret, as described in the next section.
1.1.3. Restart Dependent Pods
You will need to restart the following pods so that they take on the new Postgres password:
cerebrum-api-server
cerebrum-batch
cerebrum-scheduler
cerebrum-worker
keycloak
These pods should no longer be in a CrashLoop state after the restart.
...
The keycloak-internal-gateway should also stabilise.
1.2. Updating
...
Admin Password
This can be done through the console via the Keycloak Admin portal, which can be accessed via:
```
<DOMAIN_URL>/keycloak
```
The default password is the one set in the secrets configuration.
Log in as the Admin user for Keycloak and head to the top right-hand corner to “Manage Account”.
Head to the password section on the left-hand side panel.
Update the password here.
Once the password is updated, make sure you update KEYCLOAK_PASSWORD in the keycloak-credentials.yaml secret file to match, and reapply it.
```
### Native Kubernetes
kubectl apply -f keycloak-credentials.yaml

### OpenShift
oc apply -f keycloak-credentials.yaml
```
Restart only the deployment pod to ensure the password takes effect.
```
### Native Kubernetes
kubectl delete pod <keycloak deployment pod>

### OpenShift
oc delete pod <keycloak deployment pod>
```
1.3. Bulk load Keycloak users
Use the loader with --create=true to create users in Keycloak (when using Keycloak as a standalone user repository). NB: to rerun with --create=true you will need to delete the users from Keycloak.
Use the loader with --create=false when updating Keycloak users that have been loaded from another source, such as AD / LDAP integrations.
```
cd /opt/server
python batch_load_keycloak.py --keycloak-mapping=/opt/sample/demo/KEYCLOAKMAPPING.csv --default-password=<default password> --create=true
```
1.4. Changing Client Keys for Service Authentication
From https://DOMAIN_URI/keycloak/auth click the Administration Console and log in.
On the left-hand panel go to Client.
Now click the client starting with 0b3a... and head to Credentials, click the Regenerate Secret button and copy the secret.
In cerebrum/k8s/cerebrum-auth-credentials.yaml:
Copy the secret value to OIDC_CLIENT_SECRET.
Set ENABLE_AUTH to 'true'.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cerebrum-auth-credentials
type: Opaque
stringData:
  KEYCLOAK_AUTH_URL: http://keycloak-internal-gateway-cluster-ip-service/keycloak/auth
  OIDC_OPENID_REALM: kada
  OIDC_CLIENT_SECRET: <COPY SECRET HERE>
  OIDC_CLIENT_ID: 0b3a...
  ENABLE_AUTH: 'true'
```
Repeat the same key generation process [steps 2-4] for the client starting with f6b2... and copy the secret.
In solr/k8s/solr-auth-credentials.yaml:
Copy the secret value to OIDC_CLIENT_SECRET.
Update KEYCLOAK_AUTH_URL: set <REPLACE WITH PROJECT NAMESPACE> to the Kubernetes project namespace. Save.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: solr-auth-credentials
type: Opaque
stringData:
  KEYCLOAK_AUTH_URL: http://keycloak-internal-gateway-cluster-ip-service.<REPLACE WITH PROJECT NAMESPACE>.svc.cluster.local/keycloak/auth
  OIDC_OPENID_REALM: kada
  OIDC_CLIENT_SECRET: <COPY SECRET HERE>
  OIDC_CLIENT_ID: f6b2...
```
2. Postgres
2.1. Updating Postgres Password
Before updating the Postgres password at the secret level, you will need to first update the instance password.
...
Before undertaking this change, ensure that no one is using the platform; if anyone is, notify them of the disruption. Changing the instance password has a cascading effect: the following components will cease to function and go into a CrashLoop:
keycloak
This may also cause the following to go into a pending state due to health checks:
keycloak-internal-gateway
cerebrum-api-server
cerebrum-batch
cerebrum-scheduler
cerebrum-worker
2.1.1. Changing the Password on the Existing Instance
Log into your Postgres pod and open the psql command line:
```
### Native Kubernetes
kubectl exec -it <postgres pod> -- /bin/bash
psql -U postgres -d postgres
# OR
### OpenShift
oc rsh <postgres pod> bash
psql -U postgres -d postgres
```
...
It will prompt you for the new password. Once this is complete, proceed to the next section to validate the change.
2.1.2. Updating Deployment Specifications and Re-Deploy
Update the POSTGRES_PASS variable in the Postgres secrets YAML (keycloak-credentials.yaml) to the new password.
Apply the secrets change using:
```
### Native Kubernetes
kubectl apply -f postgres/k8s/credentails.yaml
# OR
### OpenShift
oc apply -f postgres/k8s/credentails.yaml
```
Validate that the secret was updated using:
```
### Native Kubernetes
kubectl get secrets
# OR
### OpenShift
oc get secrets
```
Once the change has been applied, you will need to restart all pods that depend on this secret, as described in the next section.
2.1.3. Restart Dependent Pods
You will need to restart the following pods so that they take on the new Postgres password:
keycloak
cerebrum-api-server
cerebrum-batch
cerebrum-scheduler
cerebrum-worker
These pods should no longer be in a CrashLoop state after the restart. The keycloak-internal-gateway should also stabilise.
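A check for the restart steps in sections 1.1.3 and 2.1.3, added here as an example (it is not part of the original procedure or of the product's tooling): it lists the dependent pods that started before the password rotation and so have not yet been restarted. The rotation timestamp and the sample pod listing are constructed, and the name pattern assumes standard Deployment or StatefulSet pod naming.

```shell
#!/bin/sh
# Input on stdin: "<pod name> <start time>" per line, as printed by
#   kubectl get pods --no-headers \
#     -o custom-columns=NAME:.metadata.name,START:.status.startTime
# (oc accepts the same arguments).

# Component names taken from the restart lists on this page.
DEPENDENTS="cerebrum-api-server cerebrum-batch cerebrum-scheduler cerebrum-worker keycloak"

# stale_pods <rotation time, UTC ISO-8601, e.g. from: date -u +%Y-%m-%dT%H:%M:%SZ>
# Prints each dependent pod that started before the rotation time or has no
# start time yet (kubectl prints "<none>"). UTC ISO-8601 strings sort
# chronologically, so a plain string comparison is enough.
stale_pods() {
    awk -v rot="$1" -v deps="$DEPENDENTS" '
        BEGIN { n = split(deps, d, " ") }
        {
            for (i = 1; i <= n; i++) {
                # "<component>-<id>" or "<component>-<hash>-<id>" only, so that
                # keycloak-internal-gateway pods do not match "keycloak".
                if ($1 ~ ("^" d[i] "-[a-z0-9]+(-[a-z0-9]+)?$")) {
                    if ($2 == "<none>" || ($2 "") < (rot "")) print $1
                    break
                }
            }
        }'
}

# Constructed sample listing (pod names and times are made up for illustration).
sample_pods() {
    cat <<'EOF'
cerebrum-api-server-7d9f8c6b5-x2k4p 2024-05-01T10:04:12Z
cerebrum-batch-5b6c7d8e9-q1w2e 2024-05-01T09:12:40Z
cerebrum-scheduler-6f7a8b9c0-r3t4y 2024-05-01T10:04:15Z
cerebrum-worker-8a9b0c1d2-u5i6o 2024-04-28T22:30:01Z
keycloak-6c8d7f9b4-abcde 2024-05-01T10:05:02Z
keycloak-internal-gateway-5d6e7f8a9-zxcvb 2024-04-28T22:29:00Z
EOF
}

# Demo: the password was rotated at 10:00 UTC; two pods still predate it.
sample_pods | stale_pods "2024-05-01T10:00:00Z"
```

Against a live cluster, pipe the `kubectl get pods` command from the header comment into `stale_pods` with the time at which the secret was applied; an empty result means every dependent pod has been restarted since the rotation.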