From 108d003ea49eb22fdffc49c2950c22a7ecbfb422 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Wed, 2 Apr 2025 10:28:54 +0200 Subject: [PATCH 01/10] Keycloak password recovery --- .../configuration/Single Sign-On/overview.md | 3 +- .../recoving-lost-credentials.md | 31 +++++++++++++++++++ 2 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md diff --git a/docs/reference/configuration/Single Sign-On/overview.md b/docs/reference/configuration/Single Sign-On/overview.md index 9aee6c12a8..7ed8199bbc 100644 --- a/docs/reference/configuration/Single Sign-On/overview.md +++ b/docs/reference/configuration/Single Sign-On/overview.md @@ -54,4 +54,5 @@ All groups are under the Uds Core parent group. Frequently a group will be refer 4. [Service Account Roles Clients](/reference/configuration/single-sign-on/service-account/) 5. [Client Attribute Validation](/reference/configuration/single-sign-on/sso-client-validation/) 6. [Secret Templating](/reference/configuration/single-sign-on/sso-templating/) -7. [Trusted Certificate Authority](/reference/configuration/single-sign-on/trusted-ca/) \ No newline at end of file +7. [Trusted Certificate Authority](/reference/configuration/single-sign-on/trusted-ca/) +8. [Recovering lost Keycloak credentials](/reference/configuration/single-sign-on/recoving-lost-credentials/) \ No newline at end of file diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md new file mode 100644 index 0000000000..b8c572b9d1 --- /dev/null +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md 
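Review bot: the new file path `docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md` and the overview link `/reference/configuration/single-sign-on/recoving-lost-credentials/` both misspell "recovering" as "recoving"; the slug becomes a public URL, so rename the file and link before merge rather than fixing it in a follow-up (the typo is carried through every later patch in this series). In the overview.md hunk the last added line, `+8. [Recovering lost Keycloak credentials](...)`, still carries `\ No newline at end of file`; adding the trailing newline here avoids another one-line diff on the next edit.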
@@ -0,0 +1,31 @@ +--- +title: Recovering lost Keycloak credentials +--- + +This procedure describes how to recover lost Keycloak credentials for UDS Core. It leverages the [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) feature of Keycloak. + +:::caution +This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. +::: + +The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with the password `temp-admin`: + +```bash +kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user +``` + +When prompted, enter the `temp-admin` password: + +```bash +Enter username [temp-admin]: +Enter password: +Enter password again: +``` + +The command will exit with an error indicating that it can't bootstrap the Keycloak server (this is normal as there's already a Keycloak server running in this container). Ensure this line is present in the output: + +```bash + INFO [org.keycloak.services] (main) KC-SERVICES0077: Created temporary admin user with username temp-admin +``` + +Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, create a new user with administrator privileges. Use this user to reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. From d47b4f19534d564c4cfb0829bf66fff86aaeaf8c Mon Sep 17 00:00:00 2001 
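Review bot: the instruction to create `temp-admin` "with the password `temp-admin`" documents a fixed, published password for an account with administrator privileges; the page should ask for a strong, unique password at this step and should end with an explicit instruction to delete `temp-admin` once the `admin` password has been reset, otherwise the bootstrap account remains as a second privileged login. Two smaller points in the same hunk: "Once logged in, create a new user with administrator privileges. Use this user to reset the admin user password" adds a third privileged account for no reason, since `temp-admin` can reset the `admin` credentials directly; and the prompt transcript and the `INFO [org.keycloak.services] (main) KC-SERVICES0077: ...` line are program output rather than shell commands, so tag those fences `text` instead of `bash`. "Logging into that user" should read "logging in as that user".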
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Wed, 2 Apr 2025 10:43:57 +0200 Subject: [PATCH 02/10] TOC reorder --- .../configuration/Single Sign-On/overview.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/reference/configuration/Single Sign-On/overview.md b/docs/reference/configuration/Single Sign-On/overview.md index 7ed8199bbc..2a50c86b07 100644 --- a/docs/reference/configuration/Single Sign-On/overview.md +++ b/docs/reference/configuration/Single Sign-On/overview.md @@ -51,8 +51,9 @@ All groups are under the Uds Core parent group. Frequently a group will be refer 1. [Authservice Protection](/reference/configuration/single-sign-on/auth-service/) 2. [Device Flow Clients](/reference/configuration/single-sign-on/device-flow/) 3. [Group Based Authorization](/reference/configuration/single-sign-on/group-based-auth/) -4. [Service Account Roles Clients](/reference/configuration/single-sign-on/service-account/) -5. [Client Attribute Validation](/reference/configuration/single-sign-on/sso-client-validation/) -6. [Secret Templating](/reference/configuration/single-sign-on/sso-templating/) -7. [Trusted Certificate Authority](/reference/configuration/single-sign-on/trusted-ca/) -8. [Recovering lost Keycloak credentials](/reference/configuration/single-sign-on/recoving-lost-credentials/) \ No newline at end of file +4. [Keycloak Session Timeout](/reference/configuration/single-sign-on/keycloak-session-timeout/) +5. [Recovering lost Keycloak credentials](/reference/configuration/single-sign-on/recoving-lost-credentials/) +6. [Service Account Roles Clients](/reference/configuration/single-sign-on/service-account/) +7. [Client Attribute Validation](/reference/configuration/single-sign-on/sso-client-validation/) +8. [Secret Templating](/reference/configuration/single-sign-on/sso-templating/) +9. [Trusted Certificate Authority](/reference/configuration/single-sign-on/trusted-ca/) 
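Review bot: the commit message says "TOC reorder", but the hunk also introduces a new entry, `+4. [Keycloak Session Timeout](/reference/configuration/single-sign-on/keycloak-session-timeout/)`, which no file in this series creates; either mention the addition in the message or split it out, and check that the slug matches the page it points to (patch 06 later renames it to `keycloak-session-timeouts`, which suggests it is wrong here). The reordering itself follows the pages' slug order, and the last list item finally gets its trailing newline.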
From 1dff4190d041ca02e9b9aabbadebc28dc4172c5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Wed, 2 Apr 2025 10:50:36 +0200 Subject: [PATCH 03/10] changed to use uds cli --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index b8c572b9d1..57578b35f3 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md @@ -11,7 +11,7 @@ This procedure requires at least 1.5G of memory allocated to the Keycloak contai The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with the password `temp-admin`: ```bash -kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user +uds zarf tools kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user ``` When prompted, enter the `temp-admin` password: From 7b179b0c7178a030d931c4e9e2a7239f7d9d796b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Thu, 3 Apr 2025 09:54:52 +0200 Subject: [PATCH 04/10] Update docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md Co-authored-by: Micah Nagel --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index 57578b35f3..5e9a73c7be 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md 
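Review bot: with the command changed to `uds zarf tools kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user`, the trailing context line "When prompted, enter the `temp-admin` password:" still reads as if the password value were `temp-admin`; once the page asks for a strong password, reword it to "enter the password for `temp-admin`". The switch to the vendored kubectl is fine; it is worth a few words in the text that the prompts need the interactive terminal `-it` allocates, so this step cannot be run from a non-interactive pipeline job.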
+++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md @@ -28,4 +28,4 @@ The command will exit with an error indicating that it can't bootstrap the Keycl INFO [org.keycloak.services] (main) KC-SERVICES0077: Created temporary admin user with username temp-admin ``` -Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, create a new user with administrator privileges. Use this user to reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. +Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. From 1869fa3cbb51527ef8a4ea7c90bfb314602be792 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Thu, 3 Apr 2025 11:53:10 +0200 Subject: [PATCH 05/10] Comments addressed --- .../Single Sign-On/recoving-lost-credentials.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index 5e9a73c7be..f917bbd0b3 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md 
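Review bot: dropping the redundant extra administrator account is the right call, but the resulting sentence "Once logged in, reset the admin user password by navigating to the `Users` tab..." now ends the procedure with `temp-admin` still present; add a closing instruction to delete `temp-admin` right after the `admin` reset so the recovery does not leave an extra privileged login behind. Since this patch and several that follow are one-line review fix-ups, consider squashing them into patch 01 before merge so the history shows the page in its intended form.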
@@ -5,10 +5,10 @@ title: Recovering lost Keycloak credentials This procedure describes how to recover lost Keycloak credentials for UDS Core. It leverages the [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) feature of Keycloak. :::caution -This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. +This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at [UDS Prerequisites manual](reference/uds-core/prerequisites/#:~:text=these%20required%20changes.-,Keycloak,-It%20has%20been). ::: -The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with the password `temp-admin`: +The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with a strong password: ```bash uds zarf tools kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user 
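Review bot: the new link `[UDS Prerequisites manual](reference/uds-core/prerequisites/#:~:text=these%20required%20changes.-,Keycloak,-It%20has%20been)` has two problems: the path lacks a leading slash, so it resolves relative to the current page rather than the site root, and `#:~:text=` is a browser text-fragment hint rather than a heading anchor, so it scrolls nowhere in viewers that do not support it and breaks as soon as that sentence is edited; link to the page's Keycloak heading anchor instead. In the same hunk, changing the instruction to "with a strong password" is a good fix; "might be found" should read "can be found" while the caution text is being edited.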
@@ -19,7 +19,7 @@ When prompted, enter the `temp-admin` password: ```bash Enter username [temp-admin]: Enter password: -Enter password again: +Enter password again: ``` The command will exit with an error indicating that it can't bootstrap the Keycloak server (this is normal as there's already a Keycloak server running in this container). Ensure this line is present in the output: From 127df9aad418febaa70ec3347830e3c45b92dbed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Thu, 3 Apr 2025 12:06:54 +0200 Subject: [PATCH 06/10] Fixed links --- docs/reference/configuration/Single Sign-On/overview.md | 2 +- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/configuration/Single Sign-On/overview.md b/docs/reference/configuration/Single Sign-On/overview.md index 2a50c86b07..ae864c9524 100644 --- a/docs/reference/configuration/Single Sign-On/overview.md +++ b/docs/reference/configuration/Single Sign-On/overview.md @@ -51,7 +51,7 @@ All groups are under the Uds Core parent group. Frequently a group will be refer 1. [Authservice Protection](/reference/configuration/single-sign-on/auth-service/) 2. [Device Flow Clients](/reference/configuration/single-sign-on/device-flow/) 3. [Group Based Authorization](/reference/configuration/single-sign-on/group-based-auth/) -4. [Keycloak Session Timeout](/reference/configuration/single-sign-on/keycloak-session-timeout/) +4. [Keycloak Session Timeout](/reference/configuration/single-sign-on/keycloak-session-timeouts/) 5. [Recovering lost Keycloak credentials](/reference/configuration/single-sign-on/recoving-lost-credentials/) 6. [Service Account Roles Clients](/reference/configuration/single-sign-on/service-account/) 7. [Client Attribute Validation](/reference/configuration/single-sign-on/sso-client-validation/) 
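Review bot: the `-Enter password again:` / `+Enter password again:` hunk is a whitespace-only change (the two lines read identically), which points to trailing whitespace being added or removed inside the fenced transcript; check which direction it went and drop the hunk if it only adds trailing spaces that readers cannot see. The overview.md hunk in patch 06 correcting the slug to `keycloak-session-timeouts` looks right, provided that page exists under that name.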
diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index f917bbd0b3..32fdc1c26b 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md @@ -5,7 +5,7 @@ title: Recovering lost Keycloak credentials This procedure describes how to recover lost Keycloak credentials for UDS Core. It leverages the [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) feature of Keycloak. :::caution -This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at [UDS Prerequisites manual](reference/uds-core/prerequisites/#:~:text=these%20required%20changes.-,Keycloak,-It%20has%20been). +This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at [UDS Prerequisites manual](/reference/uds-core/prerequisites/#:~:text=these%20required%20changes.-,Keycloak,-It%20has%20been). ::: The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with a strong password: From 336db0c8d13fb82f4677d96149f2f2013f09e4bf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Thu, 3 Apr 2025 12:09:21 +0200 Subject: [PATCH 07/10] Fixed link --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index 32fdc1c26b..26e4f7d144 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md @@ -5,7 +5,7 @@ title: Recovering lost Keycloak credentials This procedure describes how to recover lost Keycloak credentials for UDS Core. It leverages the [Admin bootstrap and recovery](https://www.keycloak.org/server/bootstrap-admin-recovery) feature of Keycloak. :::caution -This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at [UDS Prerequisites manual](/reference/uds-core/prerequisites/#:~:text=these%20required%20changes.-,Keycloak,-It%20has%20been). +This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at Keycloak's part of the [UDS Prerequisites manual](/reference/uds-core/prerequisites/). ::: The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with a strong password: 
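Review bot: "More information might be found at Keycloak's part of the [UDS Prerequisites manual](/reference/uds-core/prerequisites/)" reads awkwardly; suggest "More information can be found in the Keycloak section of the [UDS Prerequisites](/reference/uds-core/prerequisites/) page". Replacing the text-fragment anchor with the plain page link is the right fix.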
From 9e0e33ede03fad65bcd0b3e2426c8b3f7b067fef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Mon, 7 Apr 2025 11:36:56 +0200 Subject: [PATCH 08/10] Update docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md Co-authored-by: Micah Nagel --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index 26e4f7d144..f745e75ae5 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md @@ -18,7 +18,7 @@ When prompted, enter the `temp-admin` password: ```bash Enter username [temp-admin]: -Enter password: +Enter password: Enter password again: ``` From 90f0e44eb2a3787400ed536245dfeca51d89a7e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Mon, 7 Apr 2025 11:37:31 +0200 Subject: [PATCH 09/10] Update docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md Co-authored-by: Micah Nagel --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index f745e75ae5..a365cc25fd 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md 
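Review bot: as with the "Enter password again:" line earlier, the `-Enter password:` / `+Enter password:` hunk is whitespace-only and changes nothing a reader sees; squash it into the patch that introduced the transcript rather than carrying it as a separate commit.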
@@ -28,4 +28,4 @@ The command will exit with an error indicating that it can't bootstrap the Keycl INFO [org.keycloak.services] (main) KC-SERVICES0077: Created temporary admin user with username temp-admin ``` -Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. +Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. Make sure to remove your `temp-admin` user after creating this new user. From 68029ba7c83689376953c1924b30cc278662e162 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebastian=20=C5=81askawiec?= Date: Mon, 7 Apr 2025 11:43:13 +0200 Subject: [PATCH 10/10] Comments addressed --- .../configuration/Single Sign-On/recoving-lost-credentials.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md index a365cc25fd..86887a8fb1 100644 --- a/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md +++ b/docs/reference/configuration/Single Sign-On/recoving-lost-credentials.md 
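Review bot: the added sentence "Make sure to remove your `temp-admin` user after creating this new user." refers to "this new user", but the step that created an extra user was removed in patch 04, so the reference now points at nothing; state when to delete it instead, e.g. "Once the `admin` password has been reset, delete the `temp-admin` user." The intent, removing the bootstrap account once recovery is done, is the most important addition in this series and belongs in the original patch.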
@@ -8,7 +8,7 @@ This procedure describes how to recover lost Keycloak credentials for UDS Core. This procedure requires at least 1.5G of memory allocated to the Keycloak container. You may need to temporarily increase the memory limit before starting the recovery process. If the `JAVA_OPTS_KC_HEAP` environment variable is used, ensure the -XX:MaxRAM setting corresponds to the container memory limits. More information might be found at Keycloak's part of the [UDS Prerequisites manual](/reference/uds-core/prerequisites/). ::: -The procedure involves creating a new user with administrator privileges, logging into that user, and recovering the lost credentials. First, create a new temporary admin user called `temp-admin` with a strong password: +The procedure involves creating a new user with administrator privileges, logging into that user, recovering the lost credentials and deleting it. First, create a new temporary admin user called `temp-admin` with a strong password: ```bash uds zarf tools kubectl exec -it keycloak-0 -n keycloak -- /opt/keycloak/bin/kc.sh bootstrap-admin user @@ -28,4 +28,4 @@ The command will exit with an error indicating that it can't bootstrap the Keycl INFO [org.keycloak.services] (main) KC-SERVICES0077: Created temporary admin user with username temp-admin ``` -Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. Make sure to remove your `temp-admin` user after creating this new user. +Navigate to https://keycloak.admin.uds.dev/ and log in with the `temp-admin` user. Once logged in, reset the admin user password by navigating to the `Users` tab, selecting `admin`, going to the `Credentials` tab, and clicking on `Reset Password`. Once the `admin` password has been updated, delete the `temp-admin` user.
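Review bot: in the rewritten opening sentence, "logging into that user, recovering the lost credentials and deleting it", the pronoun "it" can be read as referring to the credentials; suggest "logging in as that user, resetting the lost `admin` password, and then deleting the temporary user". The closing sentence "Once the `admin` password has been updated, delete the `temp-admin` user." resolves the earlier dangling reference correctly; one remaining gap is that the caution block tells readers to temporarily raise the container memory limit but nothing tells them to restore it, so add a reminder to revert the memory change once `temp-admin` is gone.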