Skip to main content
Version: 2.4

k3d - Users Management

User Access

The kubefirst platform has two types of user access: administrators and developers. As you may guess, administrators have full access, but developers have limited access. Here is a list of limitations for developers:

  • Argo CD
    • delete applications
  • Vault
    • access all secrets
    • reset other users' passwords

Adding New Users

In this tutorial we will show how to add users to your platform through Atlantis, which will allow a preview of how changes made will be expressed through Terraform before branches are merged into your repository.

Navigate to the gitops repository in your GitHub org, clone the contents, and create a new branch:

cd gitops
git checkout -b new-user

The folder k3d-github/terraform/users/admins contains two separate files that represent admin users: admin-one.tf (commented-out), and the kbot user in the kbot.tf file. Here's the module from admin-one.tf:

module "admin_one" {
source = "./modules/user/github"

acl_policies = ["admin"]
email = "[email protected]"
first_name = "Admin"
github_username = "admin-one-github-username"
last_name = "One"
team_id = data.github_team.admins.id
username = "aone"
user_disabled = false
userpass_accessor = data.vault_auth_backend.userpass.accessor
}

Uncomment and edit this code to replace the values for the email, first_name, github_username, last_name, and username before pushing to your branch.

Note: If you are doing using this walkthrough simply to test Atlantis, you do not need to update these fields to be accurate.

git add .
git commit -m feat: add new user
git push --set-upstream origin new-user

Create a pull request. This will kick off the Atlantis workflow. Within a minute or so of submitting the pull request, a comment will appear on the pull request that shows the Terraform plan with the changes it will be making to your infrastructure.

Atlantis Plan Comment Example

To apply these changes, you or someone in the organization can submit a comment on that pull request with the following comment text:

atlantis apply

Doing so will instruct Atlantis to apply the plan. It will report back with the results of the apply within a minute or so.

NOTE: Atlantis merges your pull request automatically once an apply is successfully executed. Don't merge Terraform pull requests yourself.

Atlantis will always run plans automatically for you when a pull request is opened that changes files mapped in atlantis.yaml.

Any new users you have created through this process will have their temporary initial passwords stored in your Vault cluster. You can access Vault using the root login credentials provided to you during your kubefirst installation. Only the root Vault token can access these secrets. You will find your users' initial passwords in the Vault secret store /secrets/users/<username>.

Vault token login

Once you've provided them their initial password, they can update their own password throughout the platform by updating their user password entity in Vault. Anyone can change their own password, and Admins can reset anyone's password. These rules, just like everything else on kubefirst, can be configured in your new gitops repository.

default user creation

The admins and developers that you add through IaC will automatically propagate to all tools due to the Vault OIDC provider that's preconfigured throughout the kubefirst platform tools.