Change passwords

This guide covers how to change the passwords for the admin and database user.

Requirements

  • commodore

  • kubectl

  • pwgen

  • vault

Preparation

Configure tenant and cluster IDs.

export TENANT_ID=...
export CLUSTER_ID=...
You can retrieve those IDs from Lieutenant.

Keycloak Admin user

The value in parameters.keycloak.admin.password only affects the initial installation. Changing it in Vault doesn’t automatically change the password in Keycloak.

However, we should keep the password in the secret in sync with the value in the Keycloak database.

  1. Log in to the Keycloak Administration Console with the admin user

  2. Choose a new password

    admin_pass=$(pwgen -s 32 1)
  3. Change the admin password in the Keycloak console.

  4. Update the secret in Vault

    instance=keycloak
    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"
    vault kv patch "${parent}/${instance}" admin-password="${admin_pass}"
  5. Compile and push the cluster catalog

Database user

The value in parameters.keycloak.database.password only affects the initial installation (when using the built-in database). Changing it in Vault doesn’t automatically change the password in PostgreSQL.

  1. Update the secret in Vault

    instance=keycloak
    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"
    db_pass=$(pwgen -s 32 1)
    old_pass=$(vault kv get -field=db-password "${parent}/${instance}")
    vault kv patch "${parent}/${instance}" db-password="${db_pass}"
  2. Compile and push the cluster catalog

  3. Wait until changes are applied

  4. Change the password in the database

    Built-in database
    # Adjust to your environment
    namespace=syn-${instance}
    
    # The new password must reach psql as a quoted SQL string literal
    kubectl -n "${namespace}" exec -it keycloak-postgresql-0 -c keycloak-postgresql -- sh -c \
    'PGDATABASE="$POSTGRES_DATABASE" PGUSER="$POSTGRES_USER" PGPASSWORD="'"${old_pass}"'" '\
    'psql -c "ALTER USER keycloak WITH PASSWORD '"'${db_pass}'"';"'
    External database
    # First, connect to your database server where `psql` is available.
    # Then connect to postgres.
    sudo -u postgres psql
    
    # Alter the Keycloak user password
    ALTER USER keycloak WITH PASSWORD '<db-pass-from-above>';
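
A post-rotation check for the built-in database, as an added example that is not part of the component's own documentation: it reads db-password from Vault, confirms that PostgreSQL accepts it, and confirms that the previous password is no longer accepted. The helper names try_login and check_rotation are hypothetical; the pod, container and environment variable names are the ones used in the steps above, and TENANT_ID and CLUSTER_ID are assumed to be exported as in "Preparation".

```shell
# Added example: post-rotation check for the built-in database.
# Assumes TENANT_ID/CLUSTER_ID are exported as in "Preparation".
# try_login and check_rotation are hypothetical helper names.
instance="${instance:-keycloak}"
namespace="${namespace:-syn-${instance}}"   # adjust to your environment

# try_login PASSWORD -> 0 if PostgreSQL accepts PASSWORD for the Keycloak DB user.
# The password is sent on stdin, so it is not part of kubectl's argument list.
try_login() {
  printf '%s\n' "$1" | kubectl -n "${namespace}" exec -i keycloak-postgresql-0 \
    -c keycloak-postgresql -- sh -c 'read -r PGPASSWORD; export PGPASSWORD
      PGDATABASE="$POSTGRES_DATABASE" PGUSER="$POSTGRES_USER" psql -w -tAc "SELECT 1"' \
    >/dev/null 2>&1
}

# check_rotation OLD_PASSWORD
#   0  Vault value accepted, old password rejected
#   1  PostgreSQL rejects the value stored in Vault (ALTER USER missing or failed)
#   2  old and new both accepted: this connection is not password-authenticated
#      (for example "trust" in pg_hba.conf), so the result is inconclusive
#   3  db-password could not be read from Vault
check_rotation() {
  _old="$1"
  _new=$(vault kv get -field=db-password \
    "clusters/kv/${TENANT_ID}/${CLUSTER_ID}/${instance}") || return 3
  [ -n "${_new}" ] || return 3
  if ! try_login "${_new}"; then
    echo "FAIL: PostgreSQL rejects the db-password stored in Vault" >&2
    return 1
  fi
  if [ -n "${_old}" ] && [ "${_old}" != "${_new}" ] && try_login "${_old}"; then
    echo "INCONCLUSIVE: old password still accepted, passwords are not being checked" >&2
    return 2
  fi
  echo "OK: Vault and PostgreSQL agree, old password rejected"
}

# Usage, in the shell where old_pass was captured in step 1:
#   check_rotation "${old_pass}"
```

Run it after step 4, while `old_pass` is still set in your shell; unset `old_pass` and `db_pass` once the check passes.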