Change passwords

This guide covers how to change the passwords for the admin and database user.

Requirements

  • commodore

  • kubectl

  • pwgen

  • vault

Preparation

Configure tenant and cluster IDs.

export TENANT_ID=...
export CLUSTER_ID=...
You can retrieve those IDs from Lieutenant.

Keycloak Admin user

The value in parameters.keycloak.admin.password is only affecting the initial installation. Changing it in Vault doesn’t automatically change the password in Keycloak.

However, we should keep the password in the secret in sync with the value in the Keycloak database.

  1. Login to Keycloak Administration Console with the admin user

  2. Choose a new password

    admin_pass=$(pwgen -s 32 1)
  3. Change the admin password in the Keycloak console.

  4. Update the secret in Vault

    instance=keycloak
    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"
    vault kv patch "${parent}/${instance}" admin-password="${admin_pass}"
  5. Compile and push the cluster catalog

Database user

The value in parameters.keycloak.database.password is only affecting the initial installation (when using built-in database). Changing it in Vault doesn’t automatically change the password in PostgreSQL.

  1. Update the secret in Vault

    instance=keycloak
    parent="clusters/kv/${TENANT_ID}/${CLUSTER_ID}"
    db_pass=$(pwgen -s 32 1)
    old_pass=$(vault kv get -field=db-password "${parent}/${instance}")
    vault kv patch "${parent}/${instance}" db-password="${db_pass}"
  2. Compile and push the cluster catalog

  3. Wait until changes are applied

  4. Change the password in database

    Built-in database
    # Adjust to your environment
    namespace=syn-${instance}
    
    kubectl -n ${namespace} exec -it keycloak-postgresql-0 -c keycloak-postgresql -- sh -c \
    'PGDATABASE="$POSTGRES_DB" PGUSER="$POSTGRES_USER" PGPASSWORD="'${old_pass}'" '\
    'psql -c "ALTER USER keycloak WITH PASSWORD '${db_pass}';"'
    External database
    # First, connect to your database server where `psql` is available.
    # Then connect to postgres.
    sudo -u postgres psql
    
    # Alter the Keycloak user password
    ALTER USER keycloak WITH PASSWORD '<db-pass-from-above>';