Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Admin password not changed after modifying the ...-cluster secret #1483

Open
johanneskastl opened this issue Jul 27, 2024 · 6 comments · May be fixed by #1601
Open

Admin password not changed after modifying the ...-cluster secret #1483

johanneskastl opened this issue Jul 27, 2024 · 6 comments · May be fixed by #1601
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers

Comments

@johanneskastl
Copy link
Contributor

Describe the bug
Although the argocd-operator pod log mentions the admin password as changed multiple times, the argocd-secret secret stayed untouched after modifications to the argocd-example-cluster secret were made. This led to the authentication failing...

Manually patching the argocd-secret with a bcrypt hash of the new password worked and I could log in.

To Reproduce

Following the docs: https://argocd-operator.readthedocs.io/en/latest/usage/basics/#secrets

Steps to reproduce the behavior:

  1. Install argocd operator and create a new argocd instance.
  2. Check the argocd-example-cluster and the argocd-secret secret
  3. Patch the argocd-secret secret to contain a new password
  4. Check the argocd operator pod logs and wait until nothing happens anymore
  5. Try to log in using the new password
  6. Authentication fails
  7. The argocd-secret secret contents are still untouched and on the state before step 3.

Expected behavior
According to the documentation this should have worked and I should be able to log in.

Information

  • Cluster TalosLinux with Kubernetes 1.30.1
  • Operator installed using OLM
  • argocd operator version v0.10.1 (the Catalogsource was taken from https://raw.githubusercontent.com/argoproj-labs/argocd-operator/v0.10.1/deploy/catalog_source.yaml

If there are more details you would like to know, feel free to reach out.

Kind Regards
Johannes

@svghadi
Copy link
Collaborator

svghadi commented Jul 29, 2024

We made a behavioral change in #1257 to resolve the password reset issue from the Argo CD UI and CLI. As a result, the argocd-example-cluster secret is now treated as the initial password. We are planning to deprecate argocd-example-cluster secret so the preferred way to reset the password is as described in the upstream documentation.

We missed documenting this new change in the docs: here. Thanks for bringing this to our attention.

@johanneskastl
Copy link
Contributor Author

Thanks for the explanation, aligning things between operator and non-operator based installations is a very good idea, to not confuse people finding documentation not fitting their way of installation.

@svghadi
Copy link
Collaborator

svghadi commented Jul 29, 2024

Yes, that is our plan. I will keep this issue open to address the documentation gap.

@svghadi svghadi added documentation Improvements or additions to documentation good first issue Good for newcomers labels Jul 29, 2024
@johanneskastl
Copy link
Contributor Author

johanneskastl commented Aug 4, 2024

Hmmm, I cannot reliably change the password upon deployment.

The steps I am currently taking are:

  • deploy the argocd-operator
  • wait until everything has settled
  • deploy the argocd instance
  • wait until everything has settled
  • wait for the argocd-secret secret to be present
  • wait for the argocd-XXX-cluster secret to be present
  • change the bcrypt hash in the argocd-secret secret
    • if the bcrypt hash has changed, also change the passwordMtime in the argocd-secret secret
  • change the password in the argocd-XXX-cluster secret (for the sake of consistency)
  • delete the argocd-XXX-server pod
  • wait until the pod is running and ready
  • open the UI and try the login

I am confused by the operator pod spitting out lots of admin password has changed lines, even if the password has not changed.

  • As soon as I change the bcrypt hash I get one log message
  • modifying the passwordMtime yields another log message
  • deleting the argocd-XXX-server pod makes the operator emit the line 7 times

Funny thing is that I somehow got this working manually before, but now all I get is a failed login...

@johanneskastl
Copy link
Contributor Author

OK, I noticed my mistake. I failed to remove the admin: from the bcrypt output.

But still I get a invalid session: account password has changed since token issued error when trying to log in.

@anandrkskd anandrkskd linked a pull request Nov 12, 2024 that will close this issue
2 tasks
@anandrkskd
Copy link
Contributor

If you are trying to reset the password when using the argocd-operator, the easiest way would be to delete the argocd-secret, that will trigger the controller to create the argocd-secret again.

If you want to update the password, use the argocd-cli to update it.

I have created a PR to update the documentation to reflect the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation good first issue Good for newcomers
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants