July 2, 2020 · hephy tutorial

Rotating Kops and Hephy Credentials

Sometimes you need to rotate all the credentials in a long-running Kubernetes cluster; these are usually created automatically by your deployment tool of choice. The need arises because certificates and other automatically created secrets can expire. In my case, this happened because the etcd internal TLS certificate expired.

In the TeamHephy cluster we use kops as the deployment tool for AWS and there is a great guide written by the kops maintainers for rotating all the k8s control plane secrets:

Link: Rotate Kops Secrets and Credentials Guide


Resetting your passwords in Hephy Workflow:

(hephy-controller and deis-controller are used interchangeably here)


Case 1: You are not an admin in hephy-controller:

Ask your administrator to run: deis auth:passwd --user {your_account}

$ deis auth:passwd --help
Changes the password for the current user.

Usage: deis auth:passwd [options]

Options:
  --password=<password>
    the current password for the account.
  --new-password=<new-password>
    the new password for the account.
  --username=<username>
    the account's username.


Case 2: You are the one and only administrator in hephy-controller:

Find your deis-controller pod:

$ kubectl get pods -n deis | grep -i "deis-controller"
deis-controller-762839819f-a6fzn                  1/1     Running   0          15d

Run the following command to open the Django management shell:

$ kubectl exec --namespace=deis -it deis-controller-762839819f-a6fzn -- ./manage.py shell
Python 3.6.9 (default, Apr 18 2020, 01:56:04) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> 

Now in the interactive management console:

>>> from django.contrib.auth.models import User
>>> u = User.objects.get(username__exact='{your_account_name}')
>>> u.set_password('{new_password_plain_text}')
>>> u.save()

You can then exit by typing exit() or pressing Ctrl-D.

Notes:

deis-controller-762839819f-a6fzn is the pod name of the deis-controller.

Modify {your_account_name} and {new_password_plain_text} as you like.
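
The Case 2 steps above as a single script, added here as an example (it is not part of the original post or of the Hephy project's code). It reads the new password from a hidden prompt so the plain text does not end up in the terminal scrollback, and it assumes that ./manage.py shell in the controller image executes Python piped to its stdin; the script name reset-admin.sh and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: Case 2 without typing the password into the Django shell.
NAMESPACE="deis"   # namespace used on this page

# Print the name of the first Running deis-controller pod found in
# `kubectl get pods` output read from stdin.
pick_controller_pod() {
    awk '$1 ~ /^deis-controller-/ && $3 == "Running" { print $1; exit }'
}

# Base64-encode stdin on a single line so any character survives embedding.
b64() { base64 | tr -d '\n'; }

# Emit the Python to feed to `./manage.py shell`. Username and password
# travel as base64 literals, so quotes in them cannot break out of the code.
build_reset_script() {
    user_b64=$(printf '%s' "$1" | b64)
    pass_b64=$(printf '%s' "$2" | b64)
    cat <<EOF
import base64
from django.contrib.auth.models import User
u = User.objects.get(username__exact=base64.b64decode("$user_b64").decode())
u.set_password(base64.b64decode("$pass_b64").decode())
u.save()
print("password updated for", u.username)
EOF
}

main() {
    user=$1
    pod=$(kubectl get pods -n "$NAMESPACE" | pick_controller_pod)
    [ -n "$pod" ] || { echo "no Running deis-controller pod found" >&2; return 1; }
    trap 'stty echo' INT TERM          # restore echo if the prompt is interrupted
    printf 'New password for %s: ' "$user" >&2
    stty -echo; IFS= read -r new_pw; stty echo; echo >&2
    [ -n "$new_pw" ] || { echo "empty password, aborting" >&2; return 1; }
    # -i without -t: stdin is a pipe, so the Django shell runs it and exits.
    build_reset_script "$user" "$new_pw" |
        kubectl exec -n "$NAMESPACE" -i "$pod" -- ./manage.py shell
}

# Runs only when called with a username: sh reset-admin.sh {your_account_name}
if [ "$#" -eq 1 ]; then main "$1"; fi
```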