Initial Login and Break Glass Account

After you first install Pipekit using the Helm Chart, you will need to log in to the application in order to set up the initial Organization. This guide will walk you through the steps to log in to Pipekit for the first time and how to use the Break Glass account in case you lose access to the application through SSO.

We recommend that you use SSO wherever possible to log into Pipekit. However, the first user must be a non-sso account.

When you install the Helm Chart, by default, a break glass account is created for you and the password is randomly generated and stored within your cluster.

Retrieve the Break Glass credentials

Assuming you installed the Pipekit Helm chart into the namespace pipekit, the username should be pipekitbreakglass but can be determined with this kubectl command:

kubectl get secret pipekit-break-glass -n pipekit -o jsonpath="{.data.BREAK_GLASS_USERNAME}" | base64 --decode

The password is either the password you supplied in global.breakGlassPassword or, if you left that field blank you can obtain the randomly generated password using kubectl:

kubectl get secret pipekit-break-glass -n pipekit -o jsonpath="{.data.BREAK_GLASS_PASSWORD}" | base64 --decode

When you log into the web interface for the first time, set up an Organization.

Enabling SSO

Modify your helm values file to enable SSO of your choice. e.g. setting login.googleSSO.enabled to true will enable Google SSO. Apply the update to your cluster.

Where required, enter the secret key for your given SSO provider in the values.yaml file.

Once the UI pod has restarted, log in with your SSO account. Your SSO user (and all subsequent SSO users) will be automatically added as a read-only user to the first Organization you created. Once logged in, log out.

Okta and Entra SSO (SAML and SCIM)

Okta and Entra SSO need to be set up via the Pipekit UI. For more information on setting up Okta and Entra SSO, refer to the Okta SSO documentation and Entra SSO documentation. The org settings UI to do this is enabled by default. You can disable the org settings UI by setting login.oktaSSO.enabled and login.entraSSO.enabled to false in your values.yaml file and performing a helm upgrade.

You must also expose some specific API endpoints to the internet for SCIM integration with Okta or Entra. This can be done by enabling and configuring the ingress.ssoIngress section in your values.yaml file.

Changing the SSO user's role

Log back into the application using your break glass username/password. Use this to elevate the permissions of your newly-added SSO user to an admin role.

Disabling the username/password login boxes

At this point, the username/password login box should not be required in day-to-day operations. You can disable it by setting login.userpass.enabled to false in your values.yaml file and then performing a helm upgrade.

You can now use the SSO login to elevate access for other users, and to continue setting up a cluster.

Using the Break Glass account

If you encounter an emergency whereby you can't access Pipekit with SSO, you can use the Break Glass account to access the application for debugging or recovery purposes. Set login.userpass.enabled to true, perform a helm upgrade, and then log in with the Break Glass account.

Rotating the Break Glass password

This can be changed by setting a global.rotateBreakGlassPassword to true and running a helm upgrade. The password will be rotated and the new password will be stored in the secret pipekit-break-glass in the namespace you chose to install Pipekit. You can choose the password yourself by setting global.breakGlassPassword in your values.yaml file.