Change default KC and Grafana password (#343)

Closes #336
keycloak · May 26, 2023 · a9ed6d3 · a9ed6d3
1 parent 3aa834c
commit a9ed6d3
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 8 deletions.
diff --git a/doc/kubernetes/modules/ROOT/pages/customizing-deployment.adoc b/doc/kubernetes/modules/ROOT/pages/customizing-deployment.adoc
@@ -238,6 +238,14 @@ Available options: 0-26
 +
 NOTE: This option is implemented only for Openshift deployments.
 
+KC_ADMIN_PASSWORD::
+The password for the Keycloak admin user and Grafana admin user.
++
+The default value is obtained from a secret from AWS Secret Manager named `keycloak-master-password` from region `eu-central-1`.
+If `aws` command fails or is not available on the machine, string `admin` is used.
++
+NOTE: This option is implemented only for Openshift deployments.
+
 == Available Benchmark options
 
 The following configuration options are available to configure the helper applications.

diff --git a/provision/minikube/keycloak/templates/keycloak-initial-admin-secret.yaml b/provision/minikube/keycloak/templates/keycloak-initial-admin-secret.yaml
@@ -7,5 +7,5 @@ metadata:
   namespace: {{ .Values.namespace }}
 type: kubernetes.io/basic-auth
 data:
-  password: YWRtaW4= # admin
+  password: {{ .Values.keycloakAdminPassword | b64enc }} # admin by default
   username: YWRtaW4= # admin
diff --git a/provision/minikube/keycloak/values.yaml b/provision/minikube/keycloak/values.yaml
@@ -30,3 +30,4 @@ metaspaceInitMB: 96
 metaspaceMaxMB: 256
 customInfinispanConfig: false
 portOffset: 0
+keycloakAdminPassword: admin
diff --git a/provision/openshift/Taskfile.yaml b/provision/openshift/Taskfile.yaml
@@ -6,6 +6,7 @@ vars:
   KC_HOSTNAME_SUFFIX: '{{default "$(kubectl get route/console -n openshift-console -o jsonpath=\u0027{.spec.host}\u0027 | cut -d . -f 2-)" .KC_HOSTNAME_SUFFIX}}'
   KC_NAMESPACE_PREFIX: '{{default "$(whoami)-" .KC_NAMESPACE_PREFIX}}'
   KC_PORT_OFFSET: '{{default "0" .KC_PORT_OFFSET}}'
+  KC_ADMIN_PASSWORD: '{{default "$(aws secretsmanager get-secret-value --region eu-central-1 --secret-id keycloak-master-password --query SecretString --output text --no-cli-pager || echo admin)" .KC_ADMIN_PASSWORD}}'
 
 output: prefixed
 
@@ -50,13 +51,15 @@ tasks:
       - echo {{.KC_HOSTNAME_SUFFIX}} > .task/var-KC_HOSTNAME_SUFFIX
       - echo {{.KC_NAMESPACE_PREFIX}} > .task/var-KC_NAMESPACE_PREFIX
       - echo {{.KC_PORT_OFFSET}} > .task/var-KC_PORT_OFFSET
+      - echo {{.KC_ADMIN_PASSWORD}} > .task/var-KC_ADMIN_PASSWORD
     run: once
     sources:
       - .task/subtask-{{.TASK}}.yaml
     status:
       - test "{{.KC_HOSTNAME_SUFFIX}}" == "$(cat .task/var-KC_HOSTNAME_SUFFIX)"
       - test "{{.KC_NAMESPACE_PREFIX}}" == "$(cat .task/var-KC_NAMESPACE_PREFIX)"
       - test "{{.KC_PORT_OFFSET}}" == "$(cat .task/var-KC_PORT_OFFSET)"
+      - test "{{.KC_ADMIN_PASSWORD}}" == '$(cat .task/var-KC_ADMIN_PASSWORD)'
 
   dataset-import:
     deps:
@@ -79,7 +82,7 @@ tasks:
       - >
         bash -c '
         if [ "{{.KC_HOSTNAME_SUFFIX}}" != "" ];
-          then ../keycloak-cli/keycloak/bin/kcadm.sh config credentials --server https://keycloak-{{.KC_NAMESPACE_PREFIX}}keycloak.{{.KC_HOSTNAME_SUFFIX}}/ --realm master --user admin --password admin;
+          then ../keycloak-cli/keycloak/bin/kcadm.sh config credentials --server https://keycloak-{{.KC_NAMESPACE_PREFIX}}keycloak.{{.KC_HOSTNAME_SUFFIX}}/ --realm master --user admin --password "{{.KC_ADMIN_PASSWORD}}";
           else echo -e "KC_HOSTNAME_SUFFIX value is not set properly";
         fi'
       - bash -c "../../benchmark/src/main/content/bin/initialize-benchmark-entities.sh -r test-realm -d"
@@ -123,6 +126,7 @@ tasks:
         --set securityContext.runAsUser=$(cat .task/monitoring-uids)
         --set securityContext.runAsGroup=$(cat .task/monitoring-uids)
         --set securityContext.fsGroup=$(cat .task/monitoring-uids)
+        --set adminPassword="{{.KC_ADMIN_PASSWORD}}"
     sources:
       - .task/subtask-{{.TASK}}.yaml
       - .task/monitoring-uids
@@ -186,6 +190,7 @@ tasks:
         --set environment=openshift
         --set namespace={{.KC_NAMESPACE_PREFIX}}keycloak
         --set portOffset={{.KC_PORT_OFFSET}}
+        --set keycloakAdminPassword="{{.KC_ADMIN_PASSWORD}}"
         ../minikube/keycloak
       - >
         bash -c '

diff --git a/provision/openshift/grafana.yaml b/provision/openshift/grafana.yaml
@@ -1,9 +1,5 @@
 # https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
 grafana.ini:
-  auth.anonymous:
-    enabled: true
-    org_role: Admin
-    org_name: Main Org.
   snapshots:
     external_enabled: false
 sidecar:
@@ -17,7 +13,7 @@ sidecar:
     provider:
       allowUiUpdates: false
 
-adminPassword: keycloak
+adminPassword: admin # is changed via the CLI based on KC_ADMIN_PASSOWORD value
 ingress:
   enabled: true
   hosts:
@@ -40,7 +36,7 @@ datasources:
         isDefault: true
         editable: false
         jsonData:
-          httpHeaderName1: Authorization 
+          httpHeaderName1: Authorization
           tlsSkipVerify: true
           httpMethod: "POST"
         secureJsonData:
@@ -55,6 +51,7 @@ extraSecretMounts:
       - serviceAccountToken:
           expirationSeconds: 86400
           path: token
+
 serviceAccount:
   create: false
   name: grafana