Update the default password for the admin Keycloak account using the Keycloak user interface (UI). After updating the password in Keycloak, encrypt it on the system and verify that the change was made successfully.
This procedure uses SYSTEM_DOMAIN_NAME as an example for the DNS name of the non-compute node (NCN). Replace this name with the actual NCN’s DNS name while executing this procedure.
Log in to Keycloak with the default admin credentials.

Point a browser at https://auth.SYSTEM_DOMAIN_NAME/keycloak/admin, replacing SYSTEM_DOMAIN_NAME with the actual NCN's DNS name. The following is an example URL for a system:

    auth.system1.us.cray.com/keycloak/admin

Log in as the admin user. The current admin password is stored in the keycloak-master-admin-auth Secret; retrieve it with the following command:

    ncn-w001# kubectl get secret -n services keycloak-master-admin-auth \
        --template={{.data.password}} | base64 --decode
Click the Admin drop-down menu in the upper-right corner of the page.
Select Manage Account.
Click the Password tab on the left side of the page.
Enter the existing password, new password and confirmation, and then click Save.
Log on to ncn-w001 and clone the csm repository. The ./utils/ paths used in the following steps are relative to the cloned csm directory.

    git clone https://github.com/Cray-HPE/csm.git
Save a local copy of the customizations.yaml file.

    kubectl get secrets -n loftsman site-init -o jsonpath='{.data.customizations\.yaml}' | base64 -d > customizations.yaml
Change the password in the customizations.yaml file.

The Keycloak master admin password is also stored in the keycloak-master-admin-auth Secret in the services namespace. This Secret must be updated so that clients that make requests as the master admin can authenticate with the new password.

In the customizations.yaml file, set the values for the keycloak_master_admin_auth keys in the spec.kubernetes.sealed_secrets field. The value in the data element whose name is password must be changed to the new Keycloak master admin password. The section below replaces the existing (encrypted) sealed secret data for keycloak_master_admin_auth in customizations.yaml; it is re-encrypted in the next step.

For example:

    keycloak_master_admin_auth:
      generate:
        name: keycloak-master-admin-auth
        data:
        - type: static
          args:
            name: client-id
            value: admin-cli
        - type: static
          args:
            name: user
            value: admin
        - type: static
          args:
            name: password
            value: my_secret_password
        - type: static
          args:
            name: internal_token_url
            value: https://api-gw-service-nmn.local/keycloak/realms/master/protocol/openid-connect/token
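The edit above is easy to get wrong by hand, because customizations.yaml holds many sealed secrets and several of them also carry a data element named password. The following shell function is an added example, not part of the CSM documentation or the csm repository: it replaces only the keycloak_master_admin_auth entry (the existing encrypted SealedSecret block) with the plain generate section shown above, carrying the new password, so the file is ready for secrets-seed-customizations.sh. The block boundary is detected purely by YAML indentation, which is an assumption that holds for the customizations.yaml layout shown on this page; the password is written as a single-quoted YAML scalar so that characters such as # or : do not change its meaning.

```shell
set -eu

# Usage: set_keycloak_master_password <customizations.yaml> <new_password>
# Rewrites the file in place and keeps the previous version as <file>.bak.
# Only the keycloak_master_admin_auth block is replaced; every other sealed
# secret, including ones with their own "name: password" entry, is untouched.
set_keycloak_master_password() {
  local file="$1" new_password="$2" quoted
  # YAML single-quoted scalars have exactly one escape: ' becomes ''.
  quoted=$(printf '%s' "$new_password" | sed "s/'/''/g")
  # The password is handed to awk through the environment rather than -v,
  # because -v applies backslash-escape processing to the value.
  PW="$quoted" awk '
    BEGIN { pw = ENVIRON["PW"] }
    # Start of the block: remember its indentation, emit the generate section
    # at the same depth, then drop the old (encrypted) content that follows.
    /^[ ]*keycloak_master_admin_auth:[ ]*$/ && !skipping {
      match($0, /^[ ]*/); keyind = RLENGTH; ind = substr($0, 1, RLENGTH)
      print
      print ind "  generate:"
      print ind "    name: keycloak-master-admin-auth"
      print ind "    data:"
      print ind "    - type: static"
      print ind "      args:"
      print ind "        name: client-id"
      print ind "        value: admin-cli"
      print ind "    - type: static"
      print ind "      args:"
      print ind "        name: user"
      print ind "        value: admin"
      print ind "    - type: static"
      print ind "      args:"
      print ind "        name: password"
      print ind "        value: \047" pw "\047"
      print ind "    - type: static"
      print ind "      args:"
      print ind "        name: internal_token_url"
      print ind "        value: https://api-gw-service-nmn.local/keycloak/realms/master/protocol/openid-connect/token"
      skipping = 1; found = 1
      next
    }
    # While skipping: lines indented deeper than the key belong to the old
    # block and are dropped; the first line at the same or lower depth ends it.
    # Blank lines are held back so a separator after the block survives.
    skipping {
      if ($0 ~ /^[ ]*$/) { held = held $0 "\n"; next }
      match($0, /^[ ]*/)
      if (RLENGTH > keyind) { held = ""; next }
      skipping = 0
      printf "%s", held; held = ""
    }
    { print }
    END {
      if (!found) { print "keycloak_master_admin_auth key not found" > "/dev/stderr"; exit 1 }
    }
  ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
  mv "$file" "$file.bak"
  mv "$file.tmp" "$file"
}
```

Run it as `set_keycloak_master_password customizations.yaml 'the-new-password'` before the secrets-seed-customizations.sh step; the function fails, leaving the file unchanged, if the key is not present. Because the unencrypted password now sits in customizations.yaml and in the .bak copy, delete both working copies once the updated customizations.yaml has been stored back in the site-init Secret.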
Encrypt the values after changing the customizations.yaml file.

    ./utils/secrets-seed-customizations.sh customizations.yaml

If the above command reports that it cannot find certs/sealed_secrets.crt, create the certificate with the following commands and then run the seeding script again:

    mkdir -p certs
    ./utils/bin/linux/kubeseal --controller-name sealed-secrets --fetch-cert > certs/sealed_secrets.crt
Create a local copy of the platform.yaml file.

    kubectl get cm -n loftsman loftsman-platform -o jsonpath='{.data.manifest\.yaml}' > platform.yaml

Edit platform.yaml so that it includes only the cray-keycloak chart, keeping all of that chart's current data.

Example:

    apiVersion: manifests/v1beta1
    metadata:
      name: platform
    spec:
      charts:
      - name: cray-keycloak
        namespace: services
        source: csm-algol60
        values:
          internalTokenUrl: https://api-gw-service-nmn.local/keycloak/realms/master/protocol/openid-connect/token
          sealedSecrets:
          - apiVersion: bitnami.com/v1alpha1
            kind: SealedSecret
            metadata:
              annotations:
                sealedsecrets.bitnami.com/cluster-wide: 'true'
            ...
Generate the manifest that will be used to redeploy the chart with the modified resources.

    manifestgen -c customizations.yaml -i platform.yaml -o manifest.yaml

Re-apply the cray-keycloak Helm chart with the updated customizations.yaml file. This updates the keycloak-master-admin-auth SealedSecret, which causes the SealedSecret controller to update the Secret.

    loftsman ship --charts-path ${PATH_TO_RELEASE}/helm --manifest-path ${PWD}/manifest.yaml
Verify that the Secret has been updated.

Give the SealedSecret controller a few seconds to update the Secret, then run the following command to see the current value of the Secret:

    kubectl get secret -n services keycloak-master-admin-auth \
        --template={{.data.password}} | base64 --decode
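"A few seconds" is not a fixed number, and a verification that prints the password to the terminal leaves it in the shell history. The following function is an added example, not part of the CSM documentation: it polls the Secret with the kubectl pipeline from the step above and compares the decoded value with the password that was written to customizations.yaml, reporting only whether and when the two matched. The fetch command, poll count and poll interval are parameters so the logic can be exercised without a cluster; the default kubectl pipeline is the one shown on this page.

```shell
set -eu

# Default fetcher: the decoded password from the keycloak-master-admin-auth
# Secret, exactly as in the verification step above.
fetch_keycloak_master_password() {
  kubectl get secret -n services keycloak-master-admin-auth \
    --template='{{.data.password}}' | base64 --decode
}

# Usage: wait_for_secret_password <expected_password> [max_attempts] [fetch_command]
# Polls until the fetched value equals <expected_password>, checking once per
# SECRET_POLL_INTERVAL seconds (default 1). Returns 0 and prints how many
# checks it took on success; returns 1 after max_attempts (default 30) misses.
# The password itself is never printed.
wait_for_secret_password() {
  expected="$1"
  attempts="${2:-30}"
  fetch="${3:-fetch_keycloak_master_password}"
  i=0
  while [ "$i" -lt "$attempts" ]; do
    # A transient kubectl failure counts as a miss rather than aborting.
    current=$("$fetch") || current=""
    if [ "$current" = "$expected" ]; then
      echo "updated after $((i + 1)) check(s)"
      return 0
    fi
    i=$((i + 1))
    sleep "${SECRET_POLL_INTERVAL:-1}"
  done
  echo "timeout: Secret still does not hold the new password after $attempts checks" >&2
  return 1
}
```

On the NCN, `wait_for_secret_password 'the-new-password'` after `loftsman ship` replaces the manual sleep-and-look; a timeout points at the SealedSecret controller or at a customizations.yaml that was sealed with the wrong password.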
Save an updated copy of customizations.yaml to the site-init Secret in the loftsman Kubernetes namespace.

    CUSTOMIZATIONS=$(base64 < customizations.yaml | tr -d '\n')
    kubectl get secrets -n loftsman site-init -o json | \
        jq ".data.\"customizations.yaml\" |= \"$CUSTOMIZATIONS\"" | kubectl apply -f -