Changing internal passwords

EDA uses internal passwords to communicate between its internal services. These passwords are either hard-coded or are set before system installation.

After the system has been installed, administrators with cluster role privileges can update internal passwords for the following services using the applicable UI or scripts:

  • Git passwords, Go Git server (Gogs) passwords
  • Keycloak passwords and secrets
  • PostgreSQL passwords

The following scripts are also available in the EDA toolbox pod:
  • reset-01-gogs-user-pass.sh: resets the Gogs user password

  • reset-02-k8s-secret.sh: resets the Kubernetes secret

  • reset-03-keycloak-admin-user.sh: resets the Keycloak admin user password

  • reset-04-pgdb-password.sh: resets the PostgreSQL database password

Updating the Git server password

You can update the Git server password using one of the following procedures:

Changing the Git server password using the UI

You must have cluster role privileges to perform this procedure.
  1. Log in to the Gogs UI.
    If you are using the git-server provided cluster, you can reach the UI using the following URLs:
    • <eda-url>/core/httpproxy/v1/gogs/
    • <eda-url>/core/httpproxy/v1/gogs-replica/
  2. Click the user icon, then from the navigation bar on the right, go to Your Settings > Password.
  3. Change your password.
  4. Log out and then log back in.
  5. Update the secret for gogs-admin-user.
  6. Navigate to user/settings/password.
    1. Base64 encode the new password.
      echo -n "oranges" | base64
    2. Change the secret for the gogs-admin-user user.
      Log in to a system with access to the EDA API.
      kubectl edit -n eda-system secrets gogs-admin-user

      The Gogs init script reads this secret only when Gogs boots for the first time (when Gogs has not yet been initialized). The PVC preserves the state of the Gogs server after it has been initialized, so restarting the pod does not trigger the init script again.

Change the Git server password using the script

You must have cluster role privileges to perform this procedure.

Use the reset-01-gogs-user-pass.sh script to change the Git server password. For help information, add the -h argument.

If you are using the Git server from an external package, change the password on both the eda-git and eda-git-replica servers; ConfigEngine uses the same secret to authorize with both these servers.

  1. Generate a token for the admin user.
    1. Log in to the Gogs UI.
    2. Navigate to Your Settings.
    3. From the right sidebar, select Applications > Generate New Token.
      This token is required to access some admin-level REST endpoints.
  2. Change the user password.

    The following example resets the user password for eda-git and eda-git-replica.

    ./reset-01-gogs-user-pass.sh \
    -u lemon \
    -p oranges \
    -g http://eda-git:3000 \
    -t 79b6e0ada8dc74bf60751a0e56683d6377792070
    
    ./reset-01-gogs-user-pass.sh \
    -u eda-git-user \
    -p oranges \
    -g http://eda-git-replica:3000 \
    -t 70dd66f925678f35eb02d5073ce3b051b1bb640d
    Where:
    • -u <username> is the username of the account
    • -p <password> is the new password for the user
    • -g <git server url> is the URL to reach the Gogs server
    • -t <access token> is the access token from an admin user
  3. Update the secret used by ConfigEngine.
    kubectl edit -n eda-system secrets git-secret
    reset-02-k8s-secret.sh -n eda-system -s git-secret -p oranges
  4. Restart the ConfigEngine from the toolbox.
    edactl platform stop
    edactl platform start
  5. Ensure that the Git servers are in a reachable state.
    kubectl -n eda-system get engineconfigs.core.eda.nokia.com engine-config -o yaml | yq .status

Updating the Keycloak password

An administrator with cluster role privileges can update the Keycloak password using one of the following procedures:

Changing the Keycloak password using the UI

Use this procedure to update the Keycloak password for the cluster.
The following kpt setters control the login credentials for the Keycloak admin panel:
  • SECRET_KC_ADMIN_USERNAME
  • SECRET_KC_ADMIN_PASSWORD
After the system is booted the first time, the EDA realm is created and the user in that realm for the EDA UI is created with the following credentials:
  • user: admin
  • password: admin
You can use the EDA UI Login view to change the password at this point.
  1. Go to the admin panel at https://<domain:ip>/core/httpproxy/v1/keycloak.
  2. Ensure that the Keycloak realm is selected from the upper left.
  3. Click Users from the left navigation bar.
  4. Click the admin account.
  5. Click the Credentials tab, then click Reset password.
    Follow the prompts to update the password.
    Figure 1. Reset the Keycloak password
  6. Update the secret in the cluster.
    Log in to a system with access to the API server and enter the following command:
    kubectl -n eda-system edit secrets keycloak-admin-secret

Changing the Keycloak password using the script

You must have cluster role privileges.
Use this procedure to change the Keycloak password using the reset-03-keycloak-admin-user.sh command. To display help information, use reset-03-keycloak-admin-user.sh -h.
  1. Log in to the Keycloak server.
  2. Set a temporary password.
    reset-03-keycloak-admin-user.sh -e https://eda-api -r jules -t oranges -a jules -p verne
  3. Log in to Keycloak using the new password.
  4. Update the Kubernetes secret.
    ./reset-02-k8s-secret.sh -n eda-system -s keycloak-admin-secret -p <new-password>

Updating PostgreSQL database

An administrator with cluster role privileges can update the PostgreSQL database secret using the following procedures:

You must update both the Kubernetes secret and the secret on the running database.

Updating the PostgreSQL database password manually

  1. Use SSH to log in to a pod.
    kubectl exec -it -n eda-system eda-postgres-<podhash> -- bash -l
  2. Change the password.
    The database username is postgres. Use the following commands:
    sudo -u postgres psql
    postgres=# \password postgres
  3. Encode the password.
    echo -n "whataperil" |base64
  4. Update the secret.
    kubectl edit -n eda-system secrets postgres-db-secret
  5. Restart the deployments.
    kubectl rollout restart deployment eda-postgres eda-keycloak
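
The manual procedures for gogs-admin-user and postgres-db-secret both depend on the base64 value being exact: encoding with plain echo instead of echo -n stores a trailing newline in the secret, and long values can be line-wrapped by base64. The following script is an added example, not part of the EDA toolbox; the function names and the "password" data key are assumptions, so check the key name in the actual secret before applying a patch.

```shell
#!/bin/sh
# Added example: helper names and the "password" data key are assumptions.

# Read one line from stdin and print its base64 form, with no trailing newline
# in the encoded data and no 76-column line wrapping in the output.
encode_secret_value() (
    IFS= read -r value || true          # tolerate input without a final newline
    [ -n "$value" ] || { echo "empty value" >&2; exit 1; }
    printf '%s' "$value" | base64 | tr -d '\n'
)

# Succeed if a base64 string decodes to data ending in a newline, the usual
# result of encoding with plain `echo` instead of `echo -n`.
value_ends_with_newline() (
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
)

# Build a JSON merge patch that sets one key in the Secret's data map.
build_secret_patch() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) echo "invalid key" >&2; return 1 ;; esac
    case "$2" in ''|*[!A-Za-z0-9+/=]*) echo "invalid base64" >&2; return 1 ;; esac
    printf '{"data":{"%s":"%s"}}' "$1" "$2"
}

# Constructed sample using the page's example password.
b64=$(printf 'oranges\n' | encode_secret_value)
if value_ends_with_newline "$b64"; then echo "newline in secret" >&2; exit 1; fi
build_secret_patch password "$b64"; echo
# Write the patch to a file and apply it, for example:
#   kubectl patch secret postgres-db-secret -n eda-system --type merge --patch-file patch.json
```

Running value_ends_with_newline against the value currently stored in a secret is a quick check when a service rejects a password that looks correct.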

Update the PostgreSQL database using the script

Perform this procedure using the reset-04-pgdb-password.sh script from the toolbox pod.
  1. Update the database password.
    ./reset-04-pgdb-password.sh -n eda-system -p pineapples
    
  2. Update the Kubernetes secret password.
    reset-02-k8s-secret.sh -n eda-system -s postgres-db-secret -p pineapples
    
  3. Restart the deployments.
    kubectl rollout restart deployment eda-postgres eda-keycloak