diff --git a/docs/_constants.mdx b/docs/_constants.mdx index dd167ee4..cf6b106b 100644 --- a/docs/_constants.mdx +++ b/docs/_constants.mdx @@ -9,5 +9,4 @@ export const versions = { export const defaultCredentials = { username: "admin@openchoreo.dev", - password: "Admin@123", }; diff --git a/docs/ai/mcp-servers.mdx b/docs/ai/mcp-servers.mdx index b4014b58..3e92a90f 100644 --- a/docs/ai/mcp-servers.mdx +++ b/docs/ai/mcp-servers.mdx @@ -144,12 +144,21 @@ On first use, a browser window opens for authentication. Log in with the default Client credentials authentication uses the `service_mcp_client` OAuth application (confidential client, client_credentials grant), which is pre-created in the default ThunderID IdP. This method works with any AI agent that supports custom HTTP headers. -**Step 1: Obtain an Access Token** +**Step 1: Retrieve the MCP Client Secret** + +The `service_mcp_client` secret was randomly generated during installation. Retrieve it: + +```bash +SERVICE_MCP_CLIENT_SECRET=$(kubectl get secret openchoreo-initial-credentials \ + -n thunder -o jsonpath='{.data.service-mcp-client-secret}' | openssl base64 -d -A; echo) +``` + +**Step 2: Obtain an Access Token** ```bash curl -s -X POST "http://thunder.openchoreo.localhost:8080/oauth2/token" \ -H 'Content-Type: application/x-www-form-urlencoded' \ - -u 'service_mcp_client:service_mcp_client_secret' \ + -u "service_mcp_client:${SERVICE_MCP_CLIENT_SECRET}" \ -d 'grant_type=client_credentials' ``` diff --git a/docs/getting-started/quick-start-guide.mdx b/docs/getting-started/quick-start-guide.mdx index cf3da967..f5523f56 100644 --- a/docs/getting-started/quick-start-guide.mdx +++ b/docs/getting-started/quick-start-guide.mdx 
@@ -133,7 +133,15 @@ The setup uses a preconfigured Dev Container that includes all required dependen Default login credentials: - Username: {defaultCredentials.username} - - Password: {defaultCredentials.password} + - Password: Randomly generated during installation. Retrieve it with: + + ```bash + kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.admin-password}' | openssl base64 -d -A; echo + ``` + + :::tip + After logging in, change your password or delete the `openchoreo-initial-credentials` secret. + ::: -The values file runs a postStart script that configures Kubernetes auth, creates reader/writer policies, and seeds the following secrets into the store: - -| Secret | Value | Used By | -| ------------------------------ | ------------------------------ | ------------------------------ | -| `backstage-backend-secret` | `local-dev-backend-secret` | Backstage session signing | -| `backstage-client-secret` | `backstage-portal-secret` | Backstage OAuth with ThunderID | -| `backstage-jenkins-api-key` | `placeholder-not-in-use` | Placeholder | -| `observer-oauth-client-secret` | `openchoreo-observer-secret` | Observer OAuth with ThunderID | -| `rca-oauth-client-secret` | `openchoreo-rca-agent-secret` | SRE Agent OAuth with ThunderID | -| `opensearch-username` | `admin` | OpenSearch access | -| `opensearch-password` | `ThisIsTheOpenSearchPassword1` | OpenSearch access | +The `values-openbao.yaml` postStart script configures Kubernetes auth, creates reader/writer policies, and seeds the Backstage backend secret into OpenBao. 
The remaining secrets are generated by `generate-thunder-secrets.sh` which runs before ThunderID install and writes to the following paths: + +| OpenBao Path | Source | Use | ExternalSecret | +| ---------------------------------- | ----------------------------- | --------------------------------- | ------------------- | +| `backstage-backend-secret` | postStart (random) | Backstage session signing | `backstage-secrets` | +| `backstage-client-secret` | `generate-thunder-secrets.sh` | Backstage OAuth with ThunderID | `backstage-secrets` | +| `observer-oauth-client-secret` | `generate-thunder-secrets.sh` | Observer OAuth with ThunderID | `observer-secret` | +| `rca-oauth-client-secret` | `generate-thunder-secrets.sh` | RCA Agent OAuth with ThunderID | (created on demand) | +| `finops-agent-oauth-client-secret` | `generate-thunder-secrets.sh` | FinOps Agent OAuth with ThunderID | (created on demand) | #### Create the ClusterSecretStore @@ -225,6 +223,13 @@ The control plane is the brain of OpenChoreo. It runs the API server, the web co [ThunderID](https://github.com/thunder-id/thunderid) handles authentication and OAuth flows. The values file includes bootstrap scripts that run on first startup and configure the organization, users, groups, and OAuth applications automatically. +Before installing ThunderID, generate the required secrets: + +```bash +curl -fsSL https://raw.githubusercontent.com/openchoreo/openchoreo/${versions.githubRef}/install/prerequisites/thunder/generate-thunder-secrets.sh \ + | BAO_TOKEN=root bash +``` + {`helm upgrade --install thunder oci://ghcr.io/asgardeo/helm-charts/thunder \\ --namespace thunder \\ 
@@ -306,7 +311,14 @@ In the `thunder` namespace: - **thunder** handles authentication and OAuth flows :::tip[ThunderID Admin Console] -You can browse and modify the bootstrapped identity configuration (users, groups, OAuth applications) in the ThunderID console at [http://thunder.openchoreo.localhost:8080/console](http://thunder.openchoreo.localhost:8080/console) using `admin` / `admin`. For details on what the bootstrap configured, see the [On Your Environment](on-your-environment.mdx) guide. +You can browse and modify the bootstrapped identity configuration (users, groups, OAuth applications) in the ThunderID console at [http://thunder.openchoreo.localhost:8080/console](http://thunder.openchoreo.localhost:8080/console). Log in with username `admin` and retrieve the password using: + +```bash +kubectl get secret openchoreo-initial-credentials -n thunder \ + -o jsonpath='{.data.thunder-console-admin-password}' | openssl base64 -d -A; echo +``` + +For details on what the bootstrap configured, see the [On Your Environment](on-your-environment.mdx) guide. ::: ## Step 4: Install Default Resources diff --git a/docs/getting-started/try-it-out/on-your-environment.mdx b/docs/getting-started/try-it-out/on-your-environment.mdx index c40e6150..9c1b3339 100644 --- a/docs/getting-started/try-it-out/on-your-environment.mdx +++ b/docs/getting-started/try-it-out/on-your-environment.mdx 
@@ -121,16 +121,15 @@ OpenChoreo uses [External Secrets Operator](https://external-secrets.io/) to man For production, provide your own values file with `server.dev.enabled=false` and configure proper storage and unsealing. See the [OpenBao Helm chart docs](https://github.com/openbao/openbao-helm). ::: -The values file runs a postStart script that configures Kubernetes auth, creates reader/writer policies, and seeds the following secrets into the store: +The `values-openbao.yaml` postStart script configures Kubernetes auth, creates reader/writer policies, and seeds the Backstage backend secret into OpenBao. The remaining secrets are generated by `generate-thunder-secrets.sh` which runs before ThunderID install and writes to the following paths: -| Secret | Value | Used By | -| ------------------------------ | --------------------------------------------------- | ------------------------------ | -| `backstage-backend-secret` | `local-dev-backend-secret` | Backstage session signing | -| `backstage-client-secret` | `backstage-portal-secret` | Backstage OAuth with ThunderID | -| `backstage-jenkins-api-key` | `placeholder-not-in-use` | Placeholder | -| `opensearch-username` | `admin` | OpenSearch access | -| `opensearch-password` | `ThisIsTheOpenSearchPassword1` | OpenSearch access | -| `observer-oauth-client-secret` | `openchoreo-observer-resource-reader-client-secret` | Observer OAuth (UID resolver) | +| OpenBao Path | Source | Use | ExternalSecret | +| ---------------------------------- | ----------------------------- | --------------------------------- | ------------------- | +| `backstage-backend-secret` | postStart (random) | Backstage session signing | `backstage-secrets` | +| `backstage-client-secret` | `generate-thunder-secrets.sh` | Backstage OAuth with ThunderID | `backstage-secrets` | +| `observer-oauth-client-secret` | `generate-thunder-secrets.sh` | Observer OAuth with ThunderID | `observer-secret` | +| `rca-oauth-client-secret` | 
`generate-thunder-secrets.sh` | RCA Agent OAuth with ThunderID | (created on demand) | +| `finops-agent-oauth-client-secret` | `generate-thunder-secrets.sh` | FinOps Agent OAuth with ThunderID | (created on demand) | #### Create the ClusterSecretStore @@ -310,6 +309,15 @@ kubectl wait --for=condition=Ready certificate/cp-gateway-tls \ -n openchoreo-control-plane --timeout=60s ``` +### Generate ThunderID Secrets + +Before installing ThunderID, generate random passwords and client secrets. This creates the `openchoreo-initial-credentials` secret in the `thunder` namespace that ThunderID reads at startup: + +```bash +curl -fsSL https://raw.githubusercontent.com/openchoreo/openchoreo/${versions.githubRef}/install/prerequisites/thunder/generate-thunder-secrets.sh \ + | BAO_TOKEN=root bash +``` + ### Install ThunderID (Identity Provider) [ThunderID](https://github.com/thunder-id/thunderid) handles authentication and OAuth flows. The setup job is a **pre-install helm hook** that bootstraps users, groups, and OAuth applications on the very first `helm install`. To change these later, uninstall ThunderID, delete the PVC, and reinstall. @@ -341,9 +349,9 @@ You can browse and modify the ThunderID configuration at: echo "https://thunder.${CP_BASE_DOMAIN}/console" ``` -| Username | Password | -| -------- | -------- | -| `admin` | `admin` | +| Username | Password Retrieval Command | +| -------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | +| `admin` | `kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.thunder-console-admin-password}' \| openssl base64 -d -A; echo` | #### Backstage Secrets 
@@ -639,9 +647,16 @@ Open the OpenChoreo console in your browser: echo "https://console.${CP_BASE_DOMAIN}" ``` -| Username | Password | -| ------------------------------------------ | ------------------------------------------ | -| {defaultCredentials.username} | {defaultCredentials.password} | +| Username | Password | +| ------------------------------------------ | ------------------------------------------------ | +| {defaultCredentials.username} | Randomly generated. See retrieval command below. | + +Retrieve your admin password: + +```bash +kubectl get secret openchoreo-initial-credentials -n thunder \ + -o jsonpath='{.data.admin-password}' | openssl base64 -d -A; echo +``` You should see the OpenChoreo console. Deploy a sample web app: diff --git a/docs/platform-engineer-guide/identity-configuration.mdx b/docs/platform-engineer-guide/identity-configuration.mdx index 8a8d59a4..d2d847c4 100644 --- a/docs/platform-engineer-guide/identity-configuration.mdx +++ b/docs/platform-engineer-guide/identity-configuration.mdx @@ -42,9 +42,13 @@ ThunderID includes a console where you can manage users, applications, and OAuth **Access ThunderID console:** - URL: `/console` -- Default credentials: - - Username: `admin` - - Password: `admin` +- Username: `admin` +- Password: Retrieve from the Kubernetes secret: + +```bash +kubectl get secret openchoreo-initial-credentials -n thunder \ + -o jsonpath='{.data.thunder-console-admin-password}' | openssl base64 -d -A; echo +``` :::note The default ThunderID deployment is intended for development and testing. For production deployments, configure your own OAuth2/OIDC-compliant identity provider as described in the next section.
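Review bot: removing the `password` field from `defaultCredentials` in `docs/_constants.mdx` means any page that still renders `{defaultCredentials.password}` will silently show an empty value rather than fail the build; this patch updates the two uses in `quick-start-guide.mdx` and `on-your-environment.mdx`, but the `mcp-servers.mdx` context line "Log in with the default" hints that a further reference may exist outside the visible hunk. Grep the docs tree for `defaultCredentials.password` before merging.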
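Review bot: in the new Step 1 of `docs/ai/mcp-servers.mdx`, the `; echo` inside `$(...)` is redundant, since command substitution already strips trailing newlines, so `SERVICE_MCP_CLIENT_SECRET=$(kubectl ... | openssl base64 -d -A)` is enough; keeping it here invites confusion with the stand-alone retrieval commands elsewhere in the patch, where the `echo` is what terminates the output line. The same hunk renumbers `Step 1` to `Step 2` but its trailing context stops at the curl command, so confirm that any later step headings below the visible context were renumbered as well.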
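Review bot: the new `:::tip` in `quick-start-guide.mdx` (@@ -133) advises deleting the `openchoreo-initial-credentials` secret after logging in, but the `on-your-environment.mdx` hunk in this same patch describes that secret as one "that ThunderID reads at startup", and the `mcp-servers.mdx` hunk documents it as the place to retrieve `service-mcp-client-secret`. Either state that deletion is safe once bootstrap has completed (and that the MCP client secret must be copied out first), or drop the deletion advice and keep only the password-change recommendation.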
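Review bot: the new `generate-thunder-secrets.sh` blocks in `quick-start-guide.mdx` (@@ -225) and `on-your-environment.mdx` (@@ -310) place `${versions.githubRef}` inside a plain ```bash fence, which MDX renders verbatim, so readers will copy the literal string `${versions.githubRef}` into their shell; the helm block immediately after uses the `{`...`}` template-literal form precisely to get that interpolation, and these blocks should use the same form. They also pipe a remote script straight into `bash` with `BAO_TOKEN=root`, which only works against the dev-mode OpenBao that the preceding note tells production users to turn off via `server.dev.enabled=false`; say so explicitly, and consider documenting a download-and-inspect step for readers who followed that note.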
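Review bot: in the `on-your-environment.mdx` @@ -341 hunk, the full `kubectl ... \| openssl base64 -d -A; echo` pipeline is embedded in a table cell with an escaped pipe, which is hard to read and easy to mis-copy; every other hunk in this patch puts the same command in a ```bash fence below the surrounding text, and this one should do the same for consistency.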
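Review bot: in `identity-configuration.mdx`, the new ```bash fence follows the `- Password: Retrieve from the Kubernetes secret:` list item without indentation, so it terminates the list and renders as a detached block; the `quick-start-guide.mdx` hunk handles the same case by indenting the fence two spaces under the item, and this one should match.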