replicatedhq · paigecalvert · Apr 21, 2025 · Apr 21, 2025
@@ -8,15 +8,15 @@
 .docusaurus
 .cache-loader
 .history
-static/llms.txt
-static/llms-full.txt
-static/intro-kots.md
-static/intro-replicated.md
-static/intro.md
-static/enterprise/*
-static/reference/*
-static/release-notes/*
-static/vendor/*
+# static/llms.txt
+# static/llms-full.txt
+# static/intro-kots.md
+# static/intro-replicated.md
+# static/intro.md
+# static/enterprise/*
+# static/reference/*
+# static/release-notes/*
+# static/vendor/*
 
 # Misc
 .DS_Store

@@ -0,0 +1,28 @@
+# Change an Admin Console Password
+
+When you install for the first time with Replicated kURL, the Replicated KOTS Admin Console is secured with a single shared password that is set automatically for all users. Replicated recommends that you change this to a new, unique password for security purposes as this automated password is displayed to the user in plain text.
+
+The Admin Console password is salted and one-way hashed using bcrypt. The irreversible hash is stored in a Secret named `kotsadm-password`. The password is not retrievable if lost. If you lose your Admin Console password, reset your password to access the Admin Console.
+
+For more information about bcrypt, see [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) on Wikipedia.
+
+:::note
+Users with Identity Provider (IDP) access cannot change their password using this procedure. If an attempt is made, IDP users receive a message in the user interface to contact the identity service provider to change their password. For more information about resetting an IDP user password, see [Resetting Authentication](auth-identity-provider#resetting-authentication) in _Use an Identity Provider for User Access (Beta)_.
+:::
+
+To change your Admin Console password:
+
+1. Log in to the Admin Console using your current password.
+1. In the drop-down in the top right of any page, click **Change password**.
+1. In the Change Admin Console Password dialog, edit the fields.
+
+    - The new password must be at least 6 characters and must not be the same as your current password.
+    - The **New Password** and **Confirm New Password** fields must match each other.
+
+1. Click **Change Password**.
+
+   If there are any issues with changing the password, an error message displays the specific problem.
+
+   When the password change succeeds, the current session closes and you are redirected to the Log In page.
+
+1. Log in with the new password.
@@ -0,0 +1,28 @@
+# Configure Role-based Access Control (Beta)
+
+You can regulate access to the Replicated KOTS Admin Console resources based on the roles of individual users within your organization.
+
+To configure role based access control (RBAC) for the Admin Console:
+1. Go to the **Access** page. Under **Role Based Access Control Group Policy**, click **Add a group**.
+1. Enter a group name that matches one of the group names already established with your identity provider.
+1. Choose one of the pre-defined Admin Console roles to be assigned to that group. For a list of Admin Console roles, see [Admin Console roles](#admin-console-roles) below.
+1. Click **Add group**.
+
+![Role Based Access Control](/images/identity-service-kotsadm-rbac.png)
+
+## Admin Console Roles
+
+The Admin Console comes with pre-defined identity service roles that can be assigned to groups when you configure RBAC for the Admin Console.
+
+- **Read Access:** This role has read permissions to all resources.
+
+- **Write Access:** This role has write permissions to all resources.
+
+## Support Roles
+
+- **Read Access:** This role has read permissions to all resources except the application's file tree.
+
+- **Write Access:** This role has write permissions to the following resources:
+
+    * Support bundles
+    * Preflight checks
@@ -0,0 +1,29 @@
+# Use an Identity Provider for User Access (Beta)
+
+When you install an application for the first time, the Replicated KOTS Admin Console is secured with a single shared password for all users. It is possible to further configure the Admin Console to authenticate users with your organization's user management system. This feature is only available for licenses that have the Replicated identity service feature enabled.
+
+Replicated KOTS leverages the open source project Dex as an intermediary to control access to the Admin Console. Dex implements an array of protocols for querying other user-management systems, known as connectors. For more information, see the [Dex documentation](https://dexidp.io/docs/).
+
+The identity service has the following limitations:
+* Only available for installations in a cluster created by Replicated kURL.
+* Only available through the Admin Console.
+
+## Prerequisite
+
+When you are installing the Admin Console and setting up TLS certificates on the HTTPS page, you must configure the hostname to use to access the Admin Console. The hostname is required whether you are using the identity service with either a self-signed certificate or a custom certificate. For more information about configuring the hostname field, see [Install and Deploy the Application](installing-kurl#install-app) in _Online Installation with kURL_.
+
+## Configuration
+
+To begin, click the **Access** tab at the top of the Admin Console.
+Here you can configure access to the Admin Console, integrating with one of the supported identity providers.
+
+![Configure Identity Provider](/images/access-identity.png)
+
+## Supported Providers
+
+**OpenID Connect:** For more information, see the [OpenID Connect documentation](https://openid.net/connect/).
+
+## Resetting Authentication
+
+When you enable identity provider access to the Admin Console, shared password authentication is disabled.
+If you want to re-enable the shared password authentication, run the `kubectl kots identity-service enable-shared-password --namespace [namespace]` command. For more information, see [identity-service enable-shared-password](/reference/kots-cli-identity-service-enable-shared-password/) in the KOTS CLI documentation.
@@ -0,0 +1,29 @@
+# Add Nodes to kURL Clusters
+
+:::note
+Replicated kURL is available only for existing customers. If you are not an existing kURL user, use Replicated Embedded Cluster instead. For more information, see [Use Embedded Cluster](/vendor/embedded-overview).
+
+kURL is a Generally Available (GA) product for existing customers. For more information about the Replicated product lifecycle phases, see [Support Lifecycle Policy](/vendor/policies-support-lifecycle).
+:::
+
+This topic describes how to add primary and secondary nodes to a Replicated kURL cluster.
+
+## Overview
+
+You can generate commands in the Replicated KOTS Admin Console to join additional primary and secondary nodes to kURL clusters. Primary nodes run services that control the cluster. Secondary nodes run services that control the pods that host the application containers. Adding nodes can help manage resources to ensure that the application runs smoothly.
+
+For high availability clusters, Kubernetes recommends using at least three primary nodes, and that you use an odd number of nodes to help with leader selection if machine or zone failure occurs. For more information, see [Creating Highly Available Clusters with kubeadm](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) in the Kubernetes documentation.
+
+## Join Primary and Secondary Nodes
+
+You can join primary and secondary nodes on the Admin Console **Cluster management** page.
+
+To add primary and secondary nodes:
+
+1. (Air Gap Only) For air gapped environments, download and extract the `.tar.gz` bundle on the remote node before running the join command.
+1. In the Admin Console, click **Cluster Management > Add a node**.
+1. Copy the command that displays in the text box and run it on the node that you are joining to the cluster.
+
+     ![Join node in Admin Console](/images/join-node.png)
+
+     [View a larger image](/images/join-node.png)
@@ -0,0 +1,84 @@
+# Delete the Admin Console and Remove Applications
+
+This topic describes how to remove installed applications and delete the Replicated KOTS Admin Console. The information in this topic applies to existing cluster installations with KOTS.
+
+## Remove an Application
+
+The Replicated KOTS CLI `kots remove` command removes the reference to an installed application from the Admin Console. When you use `kots remove`, the Admin Console no longer manages the application because the record of that application’s installation is removed. This means that you can no longer manage the application through the Admin Console or through the KOTS CLI.
+
+By default, `kots remove` does not delete any of the installed Kubernetes resources for the application from the cluster. To remove both the reference to an application from the Admin Console and remove any resources for the application from the cluster, you can run `kots remove` with the `--undeploy` flag.
+
+It can be useful to remove only the reference to an application from the Admin Console if you want to reinstall the application, but you do not want to recreate the namespace or other Kubernetes resources. For example, if you installed an application using an incorrect license file and need to reinstall with the correct license.
+
+To remove an application:
+
+1. Run the following command to list the installed applications for a namespace:
+   ```
+   kubectl kots get apps -n NAMESPACE
+   ```
+   Replace `NAMESPACE` with the name of the namespace where the Admin Console is installed.
+
+   In the output of this command, note the slug for the application that you want to remove.
+
+1. Run _one_ of the following commands:
+
+   * Remove only the reference to the application from the Admin Console: 
+
+     ```
+     kubectl kots remove APP_SLUG -n NAMESPACE
+     ```
+     Replace:
+     * `APP_SLUG` with the slug for the application that you want to remove.
+     * `NAMESPACE` with the name of the namespace where the Admin Console is installed.
+
+   * Remove the reference to the application from the Admin Console and remove its resources from the cluster:
+
+      ```
+      kubectl kots remove APP_SLUG -n NAMESPACE --undeploy
+      ```
+
+   :::note
+   Optionally, use the `--force` flag to remove the application reference from the Admin Console when the application has already been deployed. The `--force` flag is implied when `--undeploy` is used. For more information, see [remove](/reference/kots-cli-remove) in _KOTS CLI_.
+   :::
+
+
+## Delete the Admin Console
+
+When you install an application, KOTS creates the Kubernetes resources for the Admin Console itself on the cluster. The Admin Console includes Deployments and Services, Secrets, and other resources such as StatefulSets and PersistentVolumeClaims.
+
+By default, KOTS also creates Kubernetes ClusterRole and ClusterRoleBinding resources that grant permissions to the Admin Console on the cluster level. These `kotsadm-role` and `kotsadm-rolebinding` resources are managed outside of the namespace where the Admin Console is installed. Alternatively, when the Admin Console is installed with namespace-scoped access, KOTS creates Role and RoleBinding resources inside the namespace where the Admin Console is installed.
+
+In existing cluster installations, if the Admin Console is not installed in the `default` namespace, then you delete the Admin Console by deleting the namespace where it is installed.
+
+If you installed the Admin Console with namespace-scoped access, then the Admin Console Role and RoleBinding RBAC resources are also deleted when you delete the namespace. Alternatively, if you installed with the default cluster-scoped access, then you manually delete the Admin Console ClusterRole and ClusterRoleBindings resources from the cluster. For more information, see [supportMinimalRBACPrivileges](/reference/custom-resource-application#supportminimalrbacprivileges) and [requireMinimalRBACPrivileges](/reference/custom-resource-application#requireminimalrbacprivileges) in _Application_.
+
+For more information about installing with cluster- or namespace-scoped access, see [RBAC Requirements](/enterprise/installing-general-requirements#rbac-requirements) in _Installation Requirements_.
+
+To completely delete the Admin Console from an existing cluster:
+
+1. Run the following command to delete the namespace where the Admin Console is installed:
+
+   :::important
+   This command deletes everything inside the specified namespace, including the Admin Console Role and RoleBinding resources if you installed with namespace-scoped access.
+   :::
+
+   ```
+   kubectl delete ns NAMESPACE
+   ```
+   Replace `NAMESPACE` with the name of the namespace where the Admin Console is installed.
+
+   :::note
+   You cannot delete the `default` namespace.
+   :::
+
+1. (Cluster-scoped Access Only) If you installed the Admin Console with the default cluster-scoped access, run the following commands to delete the Admin Console ClusterRole and ClusterRoleBinding from the cluster:
+
+   ```
+   kubectl delete clusterrole kotsadm-role
+   ```
+
+   ```
+   kubectl delete clusterrolebinding kotsadm-rolebinding
+   ```
+
+1. (Optional) To uninstall the KOTS CLI, see [Uninstall](https://docs.replicated.com/reference/kots-cli-getting-started#uninstall) in _Installing the KOTS CLI_.