
Admin password not changed after modifying the ...-cluster secret

Open johanneskastl opened this issue 1 year ago • 8 comments

Describe the bug

Although the argocd-operator pod log mentions the admin password as changed multiple times, the argocd-secret secret stayed untouched after modifications to the argocd-example-cluster secret were made. This led to the authentication failing...

Manually patching the argocd-secret with a bcrypt hash of the new password worked and I could log in.

To Reproduce

Following the docs: https://argocd-operator.readthedocs.io/en/latest/usage/basics/#secrets

Steps to reproduce the behavior:

  1. Install argocd operator and create a new argocd instance.
  2. Check the argocd-example-cluster and the argocd-secret secret
  3. Patch the argocd-secret secret to contain a new password
  4. Check the argocd operator pod logs and wait until nothing happens anymore
  5. Try to log in using the new password
  6. Authentication fails
  7. The argocd-secret secret contents are still untouched and on the state before step 3.

Expected behavior

According to the documentation this should have worked and I should be able to log in.

Information

  • Cluster TalosLinux with Kubernetes 1.30.1
  • Operator installed using OLM
  • argocd operator version v0.10.1 (the Catalogsource was taken from https://raw.githubusercontent.com/argoproj-labs/argocd-operator/v0.10.1/deploy/catalog_source.yaml)

If there are more details you would like to know, feel free to reach out.

Kind Regards Johannes

johanneskastl avatar Jul 27 '24 18:07 johanneskastl

We made a behavioral change in #1257 to resolve the password reset issue from the Argo CD UI and CLI. As a result, the argocd-example-cluster secret is now treated as the initial password. We are planning to deprecate the argocd-example-cluster secret, so the preferred way to reset the password is as described in the upstream documentation.

We missed documenting this new change in the docs: here. Thanks for bringing this to our attention.

svghadi avatar Jul 29 '24 06:07 svghadi

Thanks for the explanation, aligning things between operator and non-operator based installations is a very good idea, to not confuse people finding documentation not fitting their way of installation.

johanneskastl avatar Jul 29 '24 07:07 johanneskastl

Yes, that is our plan. I will keep this issue open to address the documentation gap.

svghadi avatar Jul 29 '24 07:07 svghadi

Hmmm, I cannot reliably change the password upon deployment.

The steps I am currently taking are:

  • deploy the argocd-operator
  • wait until everything has settled
  • deploy the argocd instance
  • wait until everything has settled
  • wait for the argocd-secret secret to be present
  • wait for the argocd-XXX-cluster secret to be present
  • change the bcrypt hash in the argocd-secret secret
    • if the bcrypt hash has changed, also change the passwordMtime in the argocd-secret secret
  • change the password in the argocd-XXX-cluster secret (for the sake of consistency)
  • delete the argocd-XXX-server pod
  • wait until the pod is running and ready
  • open the UI and try the login

I am confused by the operator pod spitting out lots of admin password has changed lines, even if the password has not changed.

  • As soon as I change the bcrypt hash I get one log message
  • modifying the passwordMtime yields another log message
  • deleting the argocd-XXX-server pod makes the operator emit the line 7 times

Funny thing is that I somehow got this working manually before, but now all I get is a failed login...

johanneskastl avatar Aug 04 '24 09:08 johanneskastl

OK, I noticed my mistake. I failed to remove the admin: from the bcrypt output.

But still I get an invalid session: account password has changed since token issued error when trying to log in.

johanneskastl avatar Aug 04 '24 09:08 johanneskastl

If you are trying to reset the password when using the argocd-operator, the easiest way would be to delete the argocd-secret; that will trigger the controller to create the argocd-secret again.

If you want to update the password, use the argocd-cli to update it.

I have created a PR to update the documentation to reflect the same.

anandrkskd avatar Nov 12 '24 06:11 anandrkskd

If you want to update the password, use the argocd-cli to update it.

Sorry for the late reply. Using the CLI is a no-go, I want this to be handled by automation, not by a human... :-)

kastl-ars avatar Jan 07 '25 07:01 kastl-ars

This can help...

https://argo-cd.readthedocs.io/en/stable/faq/#i-forgot-the-admin-password-how-do-i-reset-it

You can use some tool to generate a bcrypt hash and patch the argocd-secret directly to update the password.

svghadi avatar Jan 07 '25 11:01 svghadi
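
One way to script the direct patch suggested in the comment above, as an added example that is not from the thread or the operator project. It strips the "admin:" prefix mentioned earlier in the thread, checks the hash shape, and builds the patch with the admin.password and admin.passwordMtime keys used in the linked upstream FAQ; the function names and the namespace argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the argocd-operator project.
# Function names and the namespace argument are assumptions of this example.

# Strip an optional "user:" prefix (htpasswd -n prints "admin:<hash>") and
# check that the rest has the shape of a bcrypt hash: $2a$/$2b$/$2y$, a
# two-digit cost, then 53 characters of salt and digest.
# Prints the bare hash; returns 1 if the input does not match.
clean_bcrypt_hash() {
    hash=$(printf '%s' "$1" | tr -d '\r\n')
    hash=${hash#*:}    # drops "admin:"; unchanged when there is no colon
    if printf '%s' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
        printf '%s' "$hash"
    else
        echo "input is not a bare bcrypt hash" >&2
        return 1
    fi
}

# Build the JSON patch for argocd-secret.
#   $1 = hash, with or without the "user:" prefix
#   $2 = modification time (optional; defaults to now in UTC, RFC 3339)
build_admin_patch() {
    h=$(clean_bcrypt_hash "$1") || return 1
    mtime=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    printf '{"stringData":{"admin.password":"%s","admin.passwordMtime":"%s"}}' \
        "$h" "$mtime"
}

# Apply the patch with kubectl.  $1 = namespace, $2 = hash.
patch_admin_password() {
    patch=$(build_admin_patch "$2") || return 1
    kubectl -n "$1" patch secret argocd-secret --type merge -p "$patch"
}

# Usage from a pipeline (password read from stdin, not passed as an argument):
#   hash=$(printf '%s' "$NEW_PASSWORD" | htpasswd -niBC 10 admin)
#   patch_admin_password argocd "$hash"
```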