Changing the cluster administrator access credentials

You can update the cluster administrator username and password.

Required user type or access level: Cluster administrator

Changing the cluster administrator username

  1. Log on to the master node of your IBM® Cloud Private cluster.

  2. Use the IBM Cloud Private CLI (cloudctl) to change your username and to restart deployments. For example:

    cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_username=<username>
    

    For more information, see IBM Cloud Private CLI pm commands (pm).

  3. Install kubectl. For more information, see Installing the Kubernetes CLI (kubectl).

  4. Update the clusterrolebinding role-based access control (RBAC) object with the new username.

    kubectl edit clusterrolebinding oidc-admin-binding
    

    Following is a sample clusterrolebinding RBAC object:

    # Please edit the following object. Lines beginning with a '#' will be ignored,
    # and an empty file will abort the edit. If an error occurs while saving this file will be
    # reopened with the relevant failures.
    #
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      creationTimestamp: 2019-02-04T18:44:34Z
      name: oidc-admin-binding
      resourceVersion: "3162"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/oidc-admin-binding
      uid: eab9c9c9-28ac-11e9-aca2-0050569a1e29
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: https://mycluster.icp:8443/oidc/endpoint/OP#admin        <===========
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: admin                                                    <===========
    
  5. Replace the admin name in https://mycluster.icp:8443/oidc/endpoint/OP#admin with the new name: change OP#admin to OP#<new admin user name>.

  6. Replace the admin name in name: admin with the new name: change name: admin to name: <new admin user name>.

  7. Save the file. Both subjects must carry the new name exactly as it is stored in the secret. RBAC matches User subjects as plain strings, so a typo or a stale OP#admin entry leaves the new administrator without the cluster-admin binding while the old name keeps it.

  8. Log in to the boot node.

  9. Install cloudctl on the boot node. For more information, see Installing cloudctl.

  10. Run the cloudctl login command. This step generates new Helm certificates (cert.pem and key.pem) in the Helm home directory, which is usually under /root.

  11. Back up the Helm certificates that are in the <installation-directory>/cluster/cfc-certs/helm/ folder.

    mv <installation-directory>/cluster/cfc-certs/helm/admin.crt <installation-directory>/cluster/cfc-certs/helm/admin.crt.backup
    mv <installation-directory>/cluster/cfc-certs/helm/admin.key <installation-directory>/cluster/cfc-certs/helm/admin.key.backup
    
  12. Copy the new Helm certificates to the <installation-directory>/cluster/cfc-certs/helm/ folder. The <helm-home> is where the new certificates are located.

    cp <helm-home>/cert.pem <installation-directory>/cluster/cfc-certs/helm/admin.crt
    cp <helm-home>/key.pem <installation-directory>/cluster/cfc-certs/helm/admin.key
    
  13. Complete the steps in the Updating the config.json file on each master node section.
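Steps 2 through 7 of the username procedure, done without an interactive kubectl edit so that the rewritten ClusterRoleBinding can be diffed and checked before it replaces the live object. This is an added example, not code from the IBM Cloud Private documentation; it assumes the oidc-admin-binding carries exactly the two User subjects shown above (the OIDC issuer form ending in OP#<user> and the bare username), that the old and new names contain no regex metacharacters or `|`, and that cloudctl and kubectl are on the PATH of the master node. The sample manifest embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud Private documentation: change the
# cluster administrator username without an interactive 'kubectl edit', so the
# new ClusterRoleBinding can be diffed and checked before it replaces the old one.
# Assumptions: oidc-admin-binding has the two User subjects shown on the page
# (the OIDC issuer form ending in OP#<user> and the bare username), and the old
# and new names contain no regex metacharacters or '|'.

# Rewrite both admin subjects in a ClusterRoleBinding manifest read from stdin.
# 'metadata.name' and the roleRef 'name: cluster-admin' do not match either
# pattern, because both anchors require the whole value to equal the old name.
rewrite_admin_subjects() {
  old=$1; new=$2
  sed \
    -e "s|\(/oidc/endpoint/OP#\)${old}\$|\1${new}|" \
    -e "s|^\([[:space:]]*name: \)${old}\$|\1${new}|"
}

# Count the subject lines (either form) that carry the given name.
count_subject() {
  grep -c -e "OP#$1\$" -e "^[[:space:]]*name: $1\$"
}

# Constructed sample of the binding as 'kubectl get ... -o yaml' prints it.
SAMPLE_BINDING='apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: https://mycluster.icp:8443/oidc/endpoint/OP#admin
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: admin'

# Live procedure for the master node: update the secret, then replace the binding.
# Only runs when invoked as 'sh rotate-admin-user.sh <old-name> <new-name>'.
rotate_admin_username() {
  old=$1; new=$2
  cloudctl pm update-secret kube-system platform-auth-idp-credentials -d "admin_username=${new}"
  kubectl get clusterrolebinding oidc-admin-binding -o yaml > oidc-admin-binding.old.yaml
  rewrite_admin_subjects "$old" "$new" < oidc-admin-binding.old.yaml > oidc-admin-binding.new.yaml
  diff -u oidc-admin-binding.old.yaml oidc-admin-binding.new.yaml || true
  # Refuse to apply if a subject still names the old user or the new user is not bound twice.
  if [ "$(count_subject "$old" < oidc-admin-binding.new.yaml)" -ne 0 ] ||
     [ "$(count_subject "$new" < oidc-admin-binding.new.yaml)" -ne 2 ]; then
    echo "subjects not rewritten as expected; not applying" >&2
    return 1
  fi
  kubectl replace -f oidc-admin-binding.new.yaml
}

if [ "$#" -eq 2 ]; then
  rotate_admin_username "$1" "$2"
fi
```

The two-count check is the point of the script: the secret update already happened by the time the binding is replaced, so applying a manifest that still binds the old name would leave the new administrator without cluster-admin while the old name keeps it.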

Changing the cluster administrator password

  1. Log on to the master node of your IBM Cloud Private cluster.

  2. Use the IBM Cloud Private CLI (cloudctl) to change your password and restart deployments. The secret name is platform-auth-idp-credentials and the namespace is kube-system. The new password must meet either the default password enforcement rule or the rules that are specified for the password_rules parameters in the config.yaml file. For example:

    cloudctl pm update-secret kube-system platform-auth-idp-credentials -d admin_password=<password>
    

    For more information, see Customizing the cluster with the config.yaml file and Installing the IBM Cloud Private CLI.

  3. Update the default_admin_password in the config.yaml file.

    1. Open the /<installation_directory>/cluster/config.yaml file.
    2. Update the default_admin_password.
    3. Save and exit the file.
  4. Optional: You can update the password rules by running the following command:

      cloudctl pm password-rule-set <namespace> <rule_name> <rule_regex> <rule_desc>
    
  5. Complete the steps in the Updating the config.json file on each master node section.
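The password procedure above as a script that checks the candidate against the cluster's password rules before the secret is touched and then rewrites default_admin_password in config.yaml so the file and the secret agree. This is an added example, not code from the IBM Cloud Private documentation. The three rules in it are constructed, written in the name, regex, description shape that cloudctl pm password-rule-set takes; a real cluster defines its own. The password is read from the terminal with echo off instead of being passed on the command line, because a password typed as an argument to update-secret ends up in shell history and in ps output.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud Private documentation: validate a new
# cluster administrator password against the password rules, update the secret,
# and keep config.yaml in step with it.
# The rules below are constructed; the format is name|regex|description, so a
# rule regex must not itself contain '|'.

PASSWORD_RULES='min-length|^.{12,}$|at least 12 characters
has-digit|[0-9]|at least one digit
has-upper|[A-Z]|at least one upper-case letter'

# Print the name of every rule the candidate fails; empty output means it passes.
failed_rules() {
  cand=$1
  printf '%s\n' "$PASSWORD_RULES" | while IFS='|' read -r name regex desc; do
    printf '%s' "$cand" | grep -Eq -- "$regex" || echo "$name"
  done
}

# Replace the default_admin_password value in a config.yaml. The characters
# sed treats specially in a replacement (& | \) are escaped first so a password
# containing them is written literally.
set_config_password() {
  file=$1
  esc=$(printf '%s' "$2" | sed 's/[&|\\]/\\&/g')
  sed "s|^default_admin_password: .*|default_admin_password: ${esc}|" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Live procedure for the master node; only runs as
# 'sh rotate-admin-password.sh <installation-directory>/cluster/config.yaml'.
rotate_admin_password() {
  config=$1
  printf 'New cluster administrator password: '
  stty -echo; read -r pw; stty echo; echo
  bad=$(failed_rules "$pw")
  if [ -n "$bad" ]; then
    echo "password rejected by rule(s): $bad" >&2
    return 1
  fi
  cloudctl pm update-secret kube-system platform-auth-idp-credentials -d "admin_password=${pw}"
  set_config_password "$config" "$pw"
}

if [ "$#" -eq 1 ]; then
  rotate_admin_password "$1"
fi
```

Checking the rules locally first matters because update-secret restarts the authentication deployments; a rejected password discovered after that restart costs a second restart.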

Updating the config.json file on each master node

After you change the cluster administrator username or password, you must complete the following steps on each master node:

  1. Update the auth credentials in the /root/.docker/config.json file.

    1. Encode the new credentials in base64. The auth value in config.json is the base64 encoding of the string username:password (the two values joined by a colon), so re-encode the complete pair even when only one of the two changed. You must use the -n option to ensure that a trailing new line character (\n) is not appended to the string before it is encoded.

      echo -n "<username>:<password>" | base64
      

      The output is a single base64 string. For example, the pair admin:admin encodes as:

      YWRtaW46YWRtaW4=
      
    2. Open the config.json file for editing.

      vi /root/.docker/config.json
      

      The file content resembles the following code. The auth value is the base64-encoded username:password pair for that registry; the value shown here is a placeholder.

      {
             "auths": {
                     "hyc-cloud-private-edge-docker-local.artifactory.swg-devops.com": {
                             "auth": "<base64-encoded username:password>"
                     }
             }
      }
      
    3. Replace the old auth value for the registry with the newly encoded username:password string. Do not paste an encoded username or password on its own; the value must always be the encoded pair.

    4. Save the file.

  2. Stop and start the kubelet and docker services.

    systemctl stop kubelet
    systemctl stop docker
    systemctl start docker
    systemctl start kubelet
    
  3. Ensure that all pods in the kube-system namespace are running. It might take up to 5 minutes for all pods to restart.

    kubectl get pods -n kube-system | grep -v Running
    

    Proceed with updating the config.json file on the next master node only after all kube-system pods on this master node are running again. At any point in time there must be at least two healthy master nodes available in the cluster.
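The config.json update above, done by decoding the existing auth value, replacing one half of the username:password pair and re-encoding, then restarting the services and waiting for kube-system to settle. This is an added example, not code from the IBM Cloud Private documentation. It assumes config.json is laid out as the page shows it (the auth line directly follows the registry name line), that jq is not installed on the master node so only sed and base64 are used, and that the registry name mycluster.icp:8500 in the sample is an assumed value; the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the IBM Cloud Private documentation: rotate the
# registry credentials in /root/.docker/config.json on a master node. The
# "auth" value is base64 of "username:password" for that registry, so changing
# either half means decoding the pair, replacing one side and re-encoding it.
# Assumptions: config.json is laid out as on the page (the "auth" line directly
# follows the registry name line), jq is not installed so only sed/base64 are
# used, and the registry name mycluster.icp:8500 in the sample is assumed.

# base64 of "user:pass", with no newline folded into the encoded input.
docker_auth_value() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the auth value stored for a registry; empty if the registry is absent.
current_auth_value() {   # $1 = config.json, $2 = registry
  sed -n "/\"$2\"/{n;s/.*\"auth\": *\"\([^\"]*\)\".*/\1/p;}" "$1"
}

# Re-encode the entry for a registry. An empty new user or password keeps the
# old one, so a password-only or username-only rotation is a single call.
rotate_docker_auth() {   # $1 = config.json, $2 = registry, $3 = new user, $4 = new password
  file=$1 registry=$2
  old=$(current_auth_value "$file" "$registry")
  if [ -z "$old" ]; then
    echo "no auth entry for $registry in $file" >&2
    return 1
  fi
  decoded=$(printf '%s' "$old" | base64 -d)
  user=${decoded%%:*}      # up to the first colon
  pass=${decoded#*:}       # everything after it, so passwords may contain ':'
  new=$(docker_auth_value "${3:-$user}" "${4:-$pass}")
  # base64 text is [A-Za-z0-9+/=] only; none of it is special with '|' as the sed delimiter
  sed "s|\"auth\": *\"${old}\"|\"auth\": \"${new}\"|" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Write a constructed config.json in the layout the page shows.
write_sample_config() {   # $1 = path, $2 = registry, $3 = user, $4 = password
  printf '{\n  "auths": {\n    "%s": {\n      "auth": "%s"\n    }\n  }\n}\n' \
    "$2" "$(docker_auth_value "$3" "$4")" > "$1"
}

# Live procedure, run on one master node at a time; only runs as
# 'sh rotate-docker-auth.sh <registry> <new-user-or-empty> <new-password-or-empty>'.
rotate_on_master() {
  rotate_docker_auth /root/.docker/config.json "$1" "$2" "$3" || return 1
  systemctl stop kubelet && systemctl stop docker && systemctl start docker && systemctl start kubelet
  # Wait up to 5 minutes for kube-system pods to return to Running (same check as the page).
  i=0
  while kubectl get pods -n kube-system --no-headers | grep -qv Running; do
    i=$((i + 1))
    [ "$i" -lt 30 ] || { echo "kube-system pods not all Running after 5 minutes" >&2; return 1; }
    sleep 10
  done
}

if [ "$#" -eq 3 ]; then
  rotate_on_master "$1" "$2" "$3"
fi
```

Because the wait loop is the same grep -v Running check the page uses, a pod in Completed state keeps it waiting just as it would keep a person waiting; inspect kubectl get pods -n kube-system by hand if the loop times out.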