Initial Login and Break Glass Account

Initial login to Pipekit and how to use the Break Glass account

After you first install Pipekit using the Helm Chart, you will need to log in to the application to set up the initial Organization. This guide walks you through logging in to Pipekit for the first time and using the Break Glass account in case you lose access to the application through SSO.

We recommend that you use SSO wherever possible to log into Pipekit. However, the first user must be a non-SSO account.

When you install the Helm Chart, by default, a break glass account is created for you and the password is randomly generated and stored within your cluster.

Retrieve the Break Glass credentials

Assuming you installed the Pipekit Helm chart into the namespace pipekit, the username should be pipekitbreakglass but can be determined with this kubectl command:

kubectl get secret pipekit-break-glass -n pipekit -o jsonpath="{.data.BREAK_GLASS_USERNAME}" | base64 --decode

The password is either the password you supplied in global.breakGlassPassword or, if you left that field blank, the randomly generated password, which you can obtain using kubectl:

kubectl get secret pipekit-break-glass -n pipekit -o jsonpath="{.data.BREAK_GLASS_PASSWORD}" | base64 --decode

When you log into the web interface for the first time, set up an Organization.

Enabling SSO

Modify your Helm values file to enable the SSO provider of your choice. For example, setting login.googleSSO.enabled to true will enable Google SSO. Apply the update to your cluster.

Enter the required secret key for your given SSO provider in the values.yaml file.

Once the UI pod has restarted, log in with your SSO account. Your SSO user (and all subsequent SSO users) will be automatically added as a read-only user to the first Organization you created. Once logged in, log out.

Changing the SSO user's role

Log back into the application using your break glass username/password. Use this to elevate the permissions of your newly-added SSO user to an admin role.

Disabling the username/password login boxes

At this point, the username/password login box should not be required in day-to-day operations. You can disable it by setting login.userpass.enabled to false in your values.yaml file and then performing a helm upgrade.

You can now use the SSO login to elevate access for other users, and to continue setting up a cluster.

Using the Break Glass account

If you encounter an emergency whereby you can't access Pipekit with SSO, you can use the Break Glass account to access the application for debugging or recovery purposes. Set login.userpass.enabled to true, perform a helm upgrade, and then log in with the Break Glass account.

Rotating the Break Glass password

The Break Glass password can be rotated by setting global.rotateBreakGlassPassword to true and running a helm upgrade. The password will be rotated and the new password will be stored in the secret pipekit-break-glass in the namespace where you installed Pipekit. You can choose the password yourself by setting global.breakGlassPassword in your values.yaml file.
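One way to confirm that a rotation actually changed the stored secret without ever displaying the password, for example after the Break Glass account has been used in an emergency. This is an added example, not part of the Pipekit documentation; the release name, chart reference and values file path are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not Pipekit tooling. RELEASE, CHART and VALUES are assumed
# placeholders; NS and SECRET follow the names used in this guide.
NS="${NS:-pipekit}"
SECRET="pipekit-break-glass"
RELEASE="${RELEASE:-pipekit}"            # assumed Helm release name
CHART="${CHART:-<your-pipekit-chart>}"   # placeholder chart reference
VALUES="${VALUES:-values.yaml}"          # assumed values file path

# Print a SHA-256 fingerprint of the stored (still base64-encoded) password.
# The value is never decoded or shown, only hashed for comparison.
# Returns 2 if the secret cannot be read or the field is empty.
break_glass_fingerprint() {
  bg_encoded=$(kubectl get secret "$SECRET" -n "$NS" \
    -o jsonpath='{.data.BREAK_GLASS_PASSWORD}') || return 2
  [ -n "$bg_encoded" ] || return 2
  printf '%s' "$bg_encoded" | sha256sum | cut -d' ' -f1
}

# $1 = fingerprint taken before the upgrade.
# Returns 0 if the secret now differs, 1 if unchanged, 2 on read error.
rotation_took_effect() {
  bg_after=$(break_glass_fingerprint) || return 2
  [ "$bg_after" != "$1" ]
}

# Rotate through the chart's flag, then verify the secret really changed.
rotate_break_glass() {
  bg_before=$(break_glass_fingerprint) || { echo "cannot read $SECRET" >&2; return 2; }
  helm upgrade "$RELEASE" "$CHART" -n "$NS" -f "$VALUES" \
    --set global.rotateBreakGlassPassword=true || return 2
  if rotation_took_effect "$bg_before"; then
    echo "rotated: fingerprint of $SECRET changed"
  else
    echo "NOT rotated: $SECRET is unchanged or unreadable" >&2
    return 1
  fi
}

# Runs only when asked for, e.g.: sh rotate-check.sh rotate
if [ "${1:-}" = "rotate" ]; then rotate_break_glass; fi
```

If the check reports the secret as unchanged, treat the old password as still valid and investigate before relying on the rotation.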
