Add configurable admin password via environment variable

- Add ORCHARD_ADMIN_PASSWORD env var to set initial admin password - When set, admin user created without forced password change - Add AWS Secrets Manager support for stage/prod deployments - Add .env file support for local docker development - Add Helm chart auth config (adminPassword, existingSecret, secretsManager) Environments configured: - Local: .env file or defaults to changeme123 - Feature/dev: orchardtest123 (hardcoded in values-dev.yaml) - Stage: AWS Secrets Manager (orchard-stage-creds) - Prod: AWS Secrets Manager (orch-prod-creds)
2026-01-27 17:22:37 +00:00
parent 718e6e7193
commit 2acb0aefb2
14 changed files with 241 additions and 5 deletions
--- a/backend/app/auth.py
+++ b/backend/app/auth.py
@@ -360,21 +360,36 @@ def create_default_admin(db: Session) -> Optional[User]:
    """Create the default admin user if no users exist.

    Returns the created user, or None if users already exist.
+
+    The admin password can be set via ORCHARD_ADMIN_PASSWORD environment variable.
+    If not set, defaults to 'changeme123' and requires password change on first login.
    """
    # Check if any users exist
    user_count = db.query(User).count()
    if user_count > 0:
        return None

+    settings = get_settings()
+
+    # Use configured password or default
+    password = settings.admin_password if settings.admin_password else "changeme123"
+    # Only require password change if using the default password
+    must_change = not settings.admin_password
+
    # Create default admin
    auth_service = AuthService(db)
    admin = auth_service.create_user(
        username="admin",
-        password="changeme123",
+        password=password,
        is_admin=True,
-        must_change_password=True,
+        must_change_password=must_change,
    )

+    if settings.admin_password:
+        logger.info("Created default admin user with configured password")
+    else:
+        logger.info("Created default admin user with default password (changeme123)")
+
    return admin


--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -53,6 +53,9 @@ class Settings(BaseSettings):
    log_level: str = "INFO"  # DEBUG, INFO, WARNING, ERROR, CRITICAL
    log_format: str = "auto"  # "json", "standard", or "auto" (json in production)

+    # Initial admin user settings
+    admin_password: str = ""  # Initial admin password (if empty, uses 'changeme123')
+
    # JWT Authentication settings (optional, for external identity providers)
    jwt_enabled: bool = False  # Enable JWT token validation
    jwt_secret: str = ""  # Secret key for HS256, or leave empty for RS256 with JWKS