Admin Credentials

Yaook automatically creates an admin user called yaook-sys-maint. This user should be used for administration of the cloud; Yaook operators also use it internally for management. The credentials are stored in the secret keystone-admin:

apiVersion: v1
kind: Secret
metadata:
  name: keystone-admin
  namespace: yaook
stringData:
  OS_PASSWORD: <randomly generated password>
  OS_USERNAME: yaook-sys-maint
  OS_PROJECT_NAME: admin
  OS_USER_DOMAIN_NAME: Default
  OS_PROJECT_DOMAIN_NAME: Default
  OS_AUTH_TYPE: password

Note

This assumes that your KeystoneDeployment is called keystone.
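As an added example (not part of the Yaook documentation or the operator's own tooling), the following script reads a keystone-admin Secret manifest as produced by kubectl get secret -o yaml, base64-decodes every entry under data: and prints export lines for the OS_* variables, so the credentials can be loaded into a shell for the openstack CLI. It assumes kubectl, awk, sed and base64 are available, the namespace yaook from this page (overridable via YAOOK_NAMESPACE), and it embeds a constructed sample manifest so it also runs without a cluster.

```shell
#!/bin/sh
# Added example, not Yaook's own code: turn the keystone-admin secret into
# OS_* environment variables. Assumes kubectl, awk, sed and base64.
set -eu

NAMESPACE="${YAOOK_NAMESPACE:-yaook}"   # namespace of the KeystoneDeployment (page default)

# Read a Secret manifest (kubectl get secret ... -o yaml) on stdin and print
# "export KEY='value'" for every entry under "data:", base64-decoded and
# single-quoted so that any character in the generated password is safe to eval.
secret_to_exports() {
    awk '
        /^data:/ { in_data = 1; next }          # start of the data block
        /^[^ ]/  { in_data = 0 }                 # any other top-level key ends it
        in_data && /^  [A-Za-z_][A-Za-z0-9_]*: / {
            key = $1; sub(/:$/, "", key)
            printf "%s %s\n", key, $2            # KEY BASE64VALUE
        }
    ' | while read -r key b64; do
        value=$(printf '%s' "$b64" | base64 -d)
        # shell-quote: ' becomes '\'' inside the single-quoted string
        quoted=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
        printf "export %s='%s'\n" "$key" "$quoted"
    done
}

# Constructed sample (assumption, not a real secret), shaped like the output of
# `kubectl -n yaook get secret keystone-admin -o yaml`; the password contains a
# single quote on purpose to exercise the quoting above.
SAMPLE_SECRET=$(cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: keystone-admin
  namespace: yaook
type: Opaque
data:
  OS_AUTH_TYPE: $(printf '%s' "password" | base64)
  OS_PASSWORD: $(printf '%s' "s3cr'et" | base64)
  OS_PROJECT_DOMAIN_NAME: $(printf '%s' "Default" | base64)
  OS_PROJECT_NAME: $(printf '%s' "admin" | base64)
  OS_USERNAME: $(printf '%s' "yaook-sys-maint" | base64)
  OS_USER_DOMAIN_NAME: $(printf '%s' "Default" | base64)
EOF
)

case "${1:-}" in
    --kube) kubectl -n "$NAMESPACE" get secret keystone-admin -o yaml | secret_to_exports ;;
    *)      printf '%s\n' "$SAMPLE_SECRET" | secret_to_exports ;;
esac
```

Usage against a real cluster: eval "$(sh admin-env.sh --kube)" followed by openstack token issue. Without arguments the script only processes the embedded sample, which is convenient for checking the decoding and quoting before pointing it at production credentials.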

The user yaook-sys-maint, together with the domain, region, project, roles, Keystone service and endpoint, is created by a process called Identity Bootstrapping. You can observe this process in the Kubernetes job (the random suffix will vary), which uses the keystone-admin secret mentioned above, e.g.:

$ kubectl -n yaook logs job/keystone-bootstrap-vsbvk
...
"message": "Created project admin",
"message": "Created user yaook-sys-maint",
"message": "Created role admin",
"message": "Granted role admin on project admin to user yaook-sys-maint.",
...

Admin Password Rotation

The identity bootstrapping process is idempotent, i.e., you can execute it multiple times with the same result and without side effects. If you change something, only that thing is changed and nothing else. We can make use of this to change the admin password easily.

The process is as follows:

  1. Back up the keystone-admin secret:

    kubectl -n yaook get secret keystone-admin -o yaml | sed -e "s/name: keystone-admin/name: keystone-admin-$(date --date="today" "+%Y-%m-%d--%H-%M-%S")/" -e "/state.yaook.cloud\/component: admin_credentials/d" | kubectl apply -f-
    
  2. Delete the keystone-admin secret: kubectl -n yaook delete secret keystone-admin

  3. Delete the bootstrap job: kubectl -n yaook delete job keystone-bootstrap-vsbvk

    • The Yaook keystone-operator will reconcile and create a new secret with a newly generated password. During this reconciliation a new bootstrap job is also created; this new job updates the password in Keystone. You can observe it in the logs of the new job:

      $ kubectl -n yaook logs job/keystone-bootstrap-jdjqk
      ...
      "message": "Reset password for user yaook-sys-maint."
      ...
      
  4. Get the new password from the secret and use it. The old password is no longer valid, and all existing tokens should be invalidated as well.
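The four rotation steps above, wrapped into one script as an added example (this is not the Yaook project's own tooling). It uses the namespace yaook and the secret name keystone-admin from this page, and assumes the bootstrap job is the single job whose name starts with keystone-bootstrap- (the suffix varies, as noted above). The backup step keeps the page's renaming and label removal and additionally drops the server-assigned fields resourceVersion, uid and creationTimestamp, so that applying the copy under a new name does not fail on stale metadata; the embedded manifest is a constructed sample so the backup transformation can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not Yaook's own code: keystone admin password rotation.
# Assumes kubectl, sed, grep, date and base64 are available.
set -eu

NS="${YAOOK_NAMESPACE:-yaook}"     # namespace of the KeystoneDeployment (page default)
SECRET="keystone-admin"            # admin credential secret (from the page)
JOB_PREFIX="keystone-bootstrap-"   # bootstrap job name prefix; suffix varies (assumption)

# Step 1 helper: read the live secret manifest on stdin and emit the backup copy:
# renamed with a timestamp, without the admin_credentials component label (so the
# operator does not treat the copy as the live credential secret), and without the
# server-assigned fields that a fresh apply must not carry.
backup_manifest() {
    stamp="$1"
    sed -e "s/^  name: $SECRET\$/  name: $SECRET-$stamp/" \
        -e '/state\.yaook\.cloud\/component: admin_credentials/d' \
        -e '/^  resourceVersion:/d' \
        -e '/^  uid:/d' \
        -e '/^  creationTimestamp:/d'
}

# Name of the current bootstrap job, e.g. keystone-bootstrap-vsbvk (empty if none).
bootstrap_job() {
    kubectl -n "$NS" get jobs -o name \
        | sed -n "s#^job.batch/\($JOB_PREFIX.*\)\$#\1#p" | head -n 1
}

rotate_admin_password() {
    stamp=$(date "+%Y-%m-%d--%H-%M-%S")
    old_job=$(bootstrap_job)

    # 1. Back up the current secret under a timestamped name.
    kubectl -n "$NS" get secret "$SECRET" -o yaml \
        | backup_manifest "$stamp" | kubectl -n "$NS" apply -f -
    echo "backup stored as secret/$SECRET-$stamp"

    # 2. + 3. Delete the secret and the bootstrap job; the keystone-operator
    # recreates both, and the new job resets the password in Keystone.
    kubectl -n "$NS" delete secret "$SECRET"
    if [ -n "$old_job" ]; then
        kubectl -n "$NS" delete job "$old_job"
    fi

    # Wait for reconciliation: the new secret first, then a job with a new name.
    until kubectl -n "$NS" get secret "$SECRET" >/dev/null 2>&1; do sleep 5; done
    new_job=""
    while [ -z "$new_job" ] || [ "$new_job" = "$old_job" ]; do
        sleep 5
        new_job=$(bootstrap_job)
    done
    kubectl -n "$NS" wait --for=condition=complete --timeout=600s "job/$new_job"
    kubectl -n "$NS" logs "job/$new_job" | grep -F 'Reset password' || true

    # 4. The new password is usable only once the job has completed.
    kubectl -n "$NS" get secret "$SECRET" -o jsonpath='{.data.OS_PASSWORD}' | base64 -d
    echo
}

# Constructed sample (assumption, not a real dump), shaped like the output of
# `kubectl -n yaook get secret keystone-admin -o yaml`.
SAMPLE_MANIFEST='apiVersion: v1
kind: Secret
metadata:
  creationTimestamp: "2024-01-01T00:00:00Z"
  labels:
    state.yaook.cloud/component: admin_credentials
  name: keystone-admin
  namespace: yaook
  resourceVersion: "12345"
  uid: 00000000-0000-0000-0000-000000000000
type: Opaque
data:
  OS_USERNAME: eWFvb2stc3lzLW1haW50'

case "${1:-}" in
    --rotate) rotate_admin_password ;;
    *)        printf '%s\n' "$SAMPLE_MANIFEST" | backup_manifest "2024-01-01--00-00-00" ;;
esac
```

Run it with --rotate to perform the rotation; without arguments it only prints what the backup copy of the sample manifest would look like, which is a cheap way to confirm the sed transformation before touching the live secret. After the script prints the new password, the old one is rejected by Keystone and any tokens issued against it should be treated as invalid.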