Add a Local User
Even without an external Identity Provider (IdP), multiple local users can be created to access TSB. This document describes how to add a user to the local Identity Provider.
Create a User
First, a User resource must be created. The following example creates a User named alice under the tetrate organization.
apiVersion: api.tsb.tetrate.io/v2
kind: User
metadata:
  organization: tetrate
  name: alice
spec:
  displayName: TSB alice user
  loginName: alice
  sourceType: MANUAL
To provide the user with roles and permissions, you can refer to Users, Roles and Permissions.
Create the secret
Local user credentials are expected to be stored in the local-user-credentials Kubernetes secret in the Management Plane namespace (tsb by default).
The following snippet shows how to generate the secret containing the SHA-256 hash of the desired password for the just created alice user:
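new_user="alice"
new_password="Tetrate1"
# printf '%s' hashes exactly the password bytes (no trailing newline) and is portable, unlike echo -n
new_password_shasum=$(printf '%s' "$new_password" | shasum -a 256 | awk '{print $1}')
# --dry-run=client only prints the Secret manifest; nothing is created in the cluster yet
kubectl -n tsb create secret generic local-user-credentials --from-literal="$new_user=$new_password_shasum" --dry-run=client -o yaml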
This will output the YAML for the secret with the newly created user, and it can be applied normally with kubectl.
Once the secret has been created, you can wait for the periodic lookup of the secret performed by iam, or you can restart the iam deployment pods to force the changes to be loaded:
kubectl -n tsb rollout restart deployment/iam
The user is now created, and its credentials are loaded into iam. It is now possible to log in to TSB.
Update the secret
If you want to add more users, or tweak existing ones, you can rely on kubectl patch to update the local-user-credentials secret.
For example, after having created the corresponding User resource, you can add a new user to the secret as follows:
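new_user="bob"
new_password="Tetrate2"
# printf '%s' hashes exactly the password bytes (no trailing newline) and is portable, unlike echo -n
new_password_shasum=$(printf '%s' "$new_password" | shasum -a 256 | awk '{print $1}')
# stringData lets the patch carry the plain hex digest; Kubernetes base64-encodes it on write
kubectl patch secret local-user-credentials -n tsb -p="{\"stringData\":{\"$new_user\": \"$new_password_shasum\"}}"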
or update an existing user's password:
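user="alice"
new_password="Tetrate3"
# printf '%s' hashes exactly the password bytes (no trailing newline) and is portable, unlike echo -n
new_password_shasum=$(printf '%s' "$new_password" | shasum -a 256 | awk '{print $1}')
# Patching an existing key replaces that user's stored digest
kubectl patch secret local-user-credentials -n tsb -p="{\"stringData\":{\"$user\": \"$new_password_shasum\"}}"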
As previously mentioned, you can now wait for the periodic lookup of the secret performed by iam, or you can restart the iam deployment pods to force the changes to be loaded.