Admin Credentials
-----------------

Yaook automatically creates an admin user called ``yaook-sys-maint``. This user should then be used for administration of the cloud. Yaook operators also use it internally for management. Credentials are stored in the secret ``keystone-admin``:

.. code-block:: yaml

    apiVersion: v1
    kind: Secret
    metadata:
      name: keystone-admin
      namespace: yaook
    stringData:
      OS_PASSWORD:
      OS_USERNAME: yaook-sys-maint
      OS_PROJECT_NAME: admin
      OS_USER_DOMAIN_NAME: Default
      OS_PROJECT_DOMAIN_NAME: Default
      OS_AUTH_TYPE: password

.. note::

    This assumes that your ``KeystoneDeployment`` is called ``keystone``.

The user ``yaook-sys-maint``, as well as the domain, region, project, roles, Keystone service and endpoint, are created by a process called `Identity Bootstrapping `_. You can observe this process in the k8s job (the random suffix will vary), which uses the mentioned ``keystone-admin`` secret, e.g.:

.. code-block:: console

    $ kubectl -n yaook logs job/keystone-bootstrap-vsbvk
    ...
    "message": "Created project admin",
    "message": "Created user yaook-sys-maint",
    "message": "Created role admin",
    "message": "Granted role admin on project admin to user yaook-sys-maint.",
    ...

Admin Password Rotation
^^^^^^^^^^^^^^^^^^^^^^^

The identity bootstrapping process is idempotent, i.e., you can execute it multiple times with the same result and without side effects. If you change something, only that thing changes, nothing else. We can make use of this to change the admin password easily. The process is as follows:

1. Back up the ``keystone-admin`` secret:

   .. code-block:: bash

       kubectl -n yaook get secret keystone-admin -o yaml \
         | sed -e "s/name: keystone-admin/name: keystone-admin-$(date --date="today" "+%Y-%m-%d--%H-%M-%S")/" \
               -e "/state.yaook.cloud\/component: admin_credentials/d" \
         | kubectl apply -f-

2. Delete the ``keystone-admin`` secret:

   - ``kubectl -n yaook delete secret keystone-admin``

3. Delete the bootstrap job:

   - ``kubectl -n yaook delete job keystone-bootstrap-vsbvk``
   - The Yaook ``keystone-operator`` will reconcile and create a new secret with a newly generated password. During this reconciliation, a new bootstrap job is also created. This new job will update the password. You can observe it in the new job's logs:

     .. code-block:: console

         $ kubectl -n yaook logs job/keystone-bootstrap-jdjqk
         ...
         "message": "Reset password for user yaook-sys-maint."
         ...

4. Get the new password from the secret and use it. The old password is no longer valid, and all existing tokens should also be invalidated.
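The backup transformation from step 1 and the final check from step 4, as an added shell example that is not part of the Yaook documentation: the ``sed`` pipeline is wrapped in a function and exercised offline on a constructed ``keystone-admin`` manifest, and a second helper confirms that the rotated password actually differs from the backed-up one. The helper names, the sample manifest and the reason given for dropping the label are assumptions made here.

```bash
#!/bin/sh
# Added example, not Yaook project code. Runs offline on a constructed manifest.

# Hypothetical helper: read a keystone-admin Secret manifest on stdin, rename it
# to a timestamped backup and drop the operator's component label. Assumption:
# a backup still labelled admin_credentials could be picked up by the operator
# as the live credentials, so the page's command removes that line.
# The name pattern is anchored with "$" so an already-renamed backup
# (keystone-admin-<stamp>) is not renamed a second time.
backup_secret_manifest() {
  stamp="$1"
  sed -e "s/name: keystone-admin$/name: keystone-admin-${stamp}/" \
      -e "/state.yaook.cloud\/component: admin_credentials/d"
}

# Constructed sample of what `kubectl get secret keystone-admin -o yaml`
# returns, trimmed to the fields that matter here. Values are base64 of the
# constructed strings "old-password" and "yaook-sys-maint".
SAMPLE_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  labels:
    state.yaook.cloud/component: admin_credentials
  name: keystone-admin
  namespace: yaook
data:
  OS_PASSWORD: b2xkLXBhc3N3b3Jk
  OS_USERNAME: eWFvb2stc3lzLW1haW50'

# Check the backup manifest: new name present, old name and label gone.
check_backup() {
  out=$(printf '%s\n' "$SAMPLE_MANIFEST" | backup_secret_manifest "$1")
  printf '%s\n' "$out" | grep -q "^  name: keystone-admin-$1\$" || return 1
  printf '%s\n' "$out" | grep -q "admin_credentials" && return 1
  printf '%s\n' "$out" | grep -q "^  name: keystone-admin\$" && return 1
  return 0
}

# Step 4 check: given the base64 OS_PASSWORD from the backup and from the
# regenerated secret, succeed only if the new value decodes to a non-empty
# password that differs from the old one.
password_rotated() {
  old=$(printf '%s' "$1" | base64 -d) || return 1
  new=$(printf '%s' "$2" | base64 -d) || return 1
  [ -n "$new" ] && [ "$old" != "$new" ]
}
```

On a live cluster the two base64 values would come from ``kubectl -n yaook get secret <name> -o jsonpath='{.data.OS_PASSWORD}'`` for the backup and for the regenerated ``keystone-admin``.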