How to reset OpenZiti admin password on Kubernetes and update secrets?

I deployed OpenZiti (1.1.15) on Kubernetes using Helm, and I need to reset the admin password for the controller.

What is the correct procedure to reset the admin password in this setup?

Also, after resetting the password, do I need to manually update the Kubernetes Secret that stores the admin credentials? If I don’t update the secret, will the password revert or cause issues after pod restart?

What is the recommended best practice for handling admin password reset when running OpenZiti in Kubernetes?

@qrkourier Hi, can you help me update the admin password on Kubernetes?

After administratively changing the password in Ziti, you must also update the Kubernetes secret if you wish to store that credential in Kubernetes for some reason. It's placed there by default during the initial installation for your reference, since it is generated when a password is required but does not already exist.

The Ziti controller deployment does not autonomously use this admin password, but it does expose that secret inside the Ziti controller container as an environment variable so that you may conveniently authenticate with the default admin password in an interactive shell, like so:

❯ kubectl exec -n openziti deployments/ziti-controller1 -c ziti-controller -- bash -x zitiLogin
+ ziti edge login ziti-controller1-client.openziti.svc.cluster.local:443 --username admin --password NPHB9QwSE2rAXyDnv7e2yLDUuGBj4s2j --ca /etc/ziti/ctrl-plane-cas/ctrl-plane-cas.crt
Token: b7d09103-b684-4e9f-8cb6-fff53dd7ec25
Saving identity 'default' to /home/ziggy/.config/ziti/ziti-cli.json

The best practice for security is to create an identity with the admin property set to true and use this new identity for client certificate authentication. To obtain the client certificate, enroll that identity with the temporary token to obtain a standard Ziti identity JSON file, which you may use to log in to the management API or Ziti console, as long as you have published the Ziti console with TLS passed through to the Ziti controller to allow client certificate authentication.

The Ziti identity JSON file contains the current client certificate for that identity and a copy of the CA trust bundle, which together provide everything you need for client certificate authentication to the management API.

Here's an example of Ziti CLI login using the Ziti identity JSON file.

❯ kubectl exec -n openziti deployments/ziti-controller1 -c ziti-controller -- ziti edge create identity "admin2" -o /tmp/admin2.jwt --admin
New identity admin2 created with id: R.cc1ehcn
Enrollment expires at 2026-03-08T00:59:59.584Z

❯ kubectl exec -n openziti deployments/ziti-controller1 -c ziti-controller -- cat /tmp/admin2.jwt | tee /tmp/admin2.jwt
eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ2NjMxMjE4MWI0OTY3NGZkYWQwMGI0ZThjMjRhMmZkMmYwNDE5MjIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL21pbml6aXRpLWNvbnRyb2xsZXIuMTkyLjE2OC42Ny4yNDAuc3NsaXAuaW86NDQzIiwic3ViIjoiUi5jYzFlaGNuIiwiYXVkIjpbIiJdLCJleHAiOjE3NzI5MzE1OTksImp0aSI6ImE3Y2ZiMjk0LTM0NmItNGM5Mi1hMTFmLWI0ZDc5YTYwZTE1NSIsImVtIjoib3R0IiwiY3RybHMiOlsidGxzOm1pbml6aXRpLWNvbnRyb2xsZXIuMTkyLjE2OC42Ny4yNDAuc3NsaXAuaW86NDQzIl19.axeJ-r6DfUSfMTqpz0ckbDAcXUbvX9qOUEg2hiV0lsLxlsjtftv8q_3ikYK7PXv0P3gsHEGW_70ub0KzqXgWBEoOdXJZP-abEfWskNLeN5qJ8geD_w92-X0cDBnUIT9Mt3VlpPNkzvOyDXbM6YHnT1-CPJDE6yAlLelpg_1qDt9mpSgRSqG8JHzkBvmd6_Ay9oSNvor9W1tPdcdksiJpsTmLB9RXXxkmBptJ7RwlCJHZTtFj6X4Ipz3TX-ef1K5AtaP0SS-wRz2fDHss7wBZd-0PiohuR34gppymDkQxYwp2JnVVoQlpX7t7wPXdkWzmsMy_LBJbc7OZtDjwfjLikJ5u-A7ATyC7cAtfeZ9XRVJJy8EHjUcn8KuWzokJuge6CMjgYIdyGb1e3i2BH5NL_jQaaAv_HJHN2u88bw3478I4TC01Wut0ClrWJczQAFsfsxr8S-i5sthq3keQhHKVgajb51RMWsilAUIeUTcpKk1qnlOyizUBM55k8DrCQlj_qwc3HM0AcFvVhS6Xq7ATLbAb2LIioI81H07oDcFiXnw8WLRuxz16zkjHjiHZFnoDzUJ3Xu-WuthFljqqmPClW3Ah_eBryh-nFbN7xBW2T7L6KgUYUgA-_ZZrcejcA4wwx7w6JjbLnbvLz_2QBcqdbN0sW1L7B8chj3qfb_pttPs%

❯ ziti edge enroll /tmp/admin2.jwt
INFO    generating 4096 bit RSA key
INFO    enrolled successfully. identity file written to: /tmp/admin2.json

❯ ziti edge login --file /tmp/admin2.json
Untrusted certificate authority retrieved from server
Verified that server supplied certificates are trusted by server
Server supplied 2 certificates
Trust server provided certificate authority [Y/N]: y
Server certificate chain written to /home/user/.config/ziti/certs/openziti-controller.192.168.67.240.sslip.io_443
Saving identity 'mz-21046' to /home/user/.config/ziti/ziti-cli.json
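The secret-sync step the answer above describes, as an added example that is not part of the original thread or of OpenZiti's own tooling: change the password in Ziti, patch the Kubernetes Secret so the environment variable the controller container exposes matches after a restart, then re-run the same `zitiLogin` helper to prove it. The namespace, release, Secret name and key, and the `ziti edge update authenticator updb` flags are assumptions to confirm against your chart values and `--help`.

```shell
#!/usr/bin/env sh
# Added example, not from the original thread. Rotates the Ziti admin password
# and keeps the Kubernetes Secret in sync, because a restarted pod re-exports
# whatever the Secret holds (the value zitiLogin authenticates with).
# ASSUMED placeholders: namespace, release, Secret name/key, and the updb flags.
set -eu

NS="${NS:-openziti}"
RELEASE="${RELEASE:-ziti-controller1}"
SECRET="${SECRET:-${RELEASE}-admin-secret}"   # assumed chart naming
SECRET_KEY="${SECRET_KEY:-admin-password}"     # assumed key name

# Escape a value for embedding in a JSON string (backslashes, double quotes).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Merge patch for the Secret. stringData takes plaintext; the API server
# base64-encodes it into .data, so no local base64 step is needed.
secret_patch() {
  printf '{"stringData":{"%s":"%s"}}' "$SECRET_KEY" "$(json_escape "$1")"
}

# Read the password currently stored in the Secret (decoded).
current_password() {
  kubectl get secret -n "$NS" "$SECRET" -o jsonpath="{.data.$SECRET_KEY}" | base64 -d
}

# Run a command inside the controller container, as the thread does.
ctl_exec() {
  kubectl exec -n "$NS" "deployments/$RELEASE" -c ziti-controller -- "$@"
}

rotate_admin_password() {
  new="$1"
  old="$(current_password)"
  # 1. Authenticate with the current password, then change it in Ziti.
  #    Until step 2 completes, the Secret still holds the old value.
  ctl_exec bash zitiLogin
  ctl_exec ziti edge update authenticator updb --self \
    --current-password "$old" --new-password "$new"   # assumed flags
  # 2. Update the Secret; skipping this leaves a stale password in the pod env.
  kubectl patch secret -n "$NS" "$SECRET" --type merge -p "$(secret_patch "$new")"
  # 3. Restart so the container env reflects the Secret, then prove login works.
  kubectl rollout restart deployment -n "$NS" "$RELEASE"
  kubectl rollout status deployment -n "$NS" "$RELEASE"
  ctl_exec bash zitiLogin
}
```

Source the file and call `rotate_admin_password 'NewPassw0rd'`; the functions make no cluster calls until then.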