charts icon indicating copy to clipboard operation
charts copied to clipboard
verified publisher icon KongZ

Wrong password generation

Open razvanphp opened this issue 1 year ago • 0 comments

Describe the bug After I installed the chart, with no password set, the generated one + sha2 seems to be wrong.

I got those values:

graylog-password-secret: oLGXJGuHZevgQMeV
graylog-password-sha2: e075335e93a518f65b6683423b585a750914c5b9883aee893568b00bafb8ad5f
admin: graylog-root-username

But still, I cannot login with this password. The password and the hash do not match:

# kubectl get secret --namespace graylog graylog -o "jsonpath={.data['graylog-password-secret']}" | base64 --decode
oLGXJGuHZevgQMeV
graylog@graylog-0:~$ echo $GRAYLOG_PASSWORD_SECRET
oLGXJGuHZevgQMeV
graylog@graylog-0:~$ echo $GRAYLOG_PASSWORD_SECRET |sha256sum 
4943ddccf4307252235b9ed281c37fe0c5a1d621a521dbfdf26308e7411aeecb  -
graylog@graylog-0:~$ env |grep SHA
GRAYLOG_ROOT_PASSWORD_SHA2=e075335e93a518f65b6683423b585a750914c5b9883aee893568b00bafb8ad5f
graylog@graylog-0:~$

Also, I think it's a missunderstanding, the secret is not the password itself, it's just a value to protect the login cookie. The real password should be encrypted with sha256. Here is the official response on graylog community:

I think maybe your steps are out of order.

Generate a password secret
pwgen -N 1 -s 96
Place that secret in the configuration for password_secret (GRAYLOG_PASSWORD_SECRET)
Pick an admin password. (e.g. hunter2)
Hash that password using the command
echo -n "Enter Password: " && head -1 </dev/stdin | tr -d '\n' | sha256sum | cut -d" " -f1
Place the password hash (from step 4) in the configuration for root_password_sha2 (GRAYLOG_ROOT_PASSWORD_SHA2)
Log in with username admin and the non-hashed password (from step 3)

After changing the password hashes in the config manually, login works.

Version of Helm and Kubernetes:

Helm Version: v3.12.1 Kubernetes Version: 1.26.6+k3s-e18037a7-dirty

Which version of the chart: 2.3.4

What happened: No idea 🙂

What you expected to happen: Login works with password automatic generation.

How to reproduce it (as minimally and precisely as possible): Just install the chart with no password specified in the values.yaml and try to login.

razvanphp avatar Jan 21 '24 19:01 razvanphp