Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to change the user's password via argocd CLI #4096

Closed
3 tasks done
golance-mightydevops opened this issue Aug 14, 2020 · 14 comments · Fixed by #7258
Closed
3 tasks done

Unable to change the user's password via argocd CLI #4096

golance-mightydevops opened this issue Aug 14, 2020 · 14 comments · Fixed by #7258
Labels
component:api API bugs and enhancements enhancement New feature or request

Comments

@golance-mightydevops
Copy link

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a
question in argocd slack channel.

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

I am unable to change a password for the new user via CLI

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # add an additional local user with apiKey and login capabilities
  #   apiKey - allows generating API keys
  #   login - allows to login using UI
  accounts.grigory: apiKey, login
  # disables user. User is enabled by default
  accounts.grigory.enabled: "true"

After applying this I see a list of accounts

➜ argocd account list                                                                              
NAME     ENABLED  CAPABILITIES
admin    true     login
alice    true     
grigory  true     apiKey, login

➜ argocd account update-password --account grigory --new-password xxx

*** Enter current password: 
FATA[0002] rpc error: code = InvalidArgument desc = current password does not match

I tried to get the default password using this call

➜ kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd-server-55685944cb-rsjll

But when I paste, I always get the following error
*** Enter current password:
FATA[0002] rpc error: code = InvalidArgument desc = current password does not match

SO right now I am stuck. And based on other answers the pod name has changed. How do I reset the user's password programmatically without knowing it's default password?

Expected behavior

Ability to update password for the user.

Version

➜ argocd version     
argocd: v1.6.1+159674e
  BuildDate: 2020-06-19T00:39:46Z
  GitCommit: 159674ee844a378fb98fe297006bf7b83a6e32d2
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.6.1+159674e
  BuildDate: 2020-06-19T00:41:05Z
  GitCommit: 159674ee844a378fb98fe297006bf7b83a6e32d2
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: {Version:kustomize/v3.6.1 GitCommit:c97fa946d576eb6ed559f17f2ac43b3b5a8d5dbd BuildDate:2020-05-27T20:47:35Z GoOs:linux GoArch:amd64}
  Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
  Kubectl Version: v1.14.0
@golance-mightydevops golance-mightydevops added the bug Something isn't working label Aug 14, 2020
@golance-mightydevops
Copy link
Author

And if I login into UI with admin account /settings/accounts
I see this:

Something went wrong!

Consider submitting an issue here.


Stacktrace:

TypeError: Cannot read property 'join' of undefined
    at https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:329934
    at Array.map (<anonymous>)
    at Object.children (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:329539)
    at t.render (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:86283)
    at Oi (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:63228)
    at Ai (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:63023)
    at Yi (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:66858)
    at Ka (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:90782)
    at Xa (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:91166)
    at Ps (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:98191)

@enderson-pan
Copy link

Hi,
I've got the same issue as you.
#4090

@enderson-pan
Copy link

Hi, @golance-mightydevops
Finally I figoured it out.
Firstly, I reset my admin password to null.

kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "",
    "admin.passwordMtime": ""
  }}'

Secondly, I delete the argoservice pod:

kubectl delete pod argocd-server-xxx-xxx -n=argocd

And then waiting for argocd-server pod to recover, the new argocd-server pod's name is the password of the admin account.

Thirdly, I add the new local accout xxx, and then use the argocd account update-password --account xxx --new-password to up date the new account's password, the init password of the new added user xxx is the same as admin password.
image

@jessesuen jessesuen added component:api API bugs and enhancements enhancement New feature or request and removed bug Something isn't working labels Aug 17, 2020
@jessesuen
Copy link
Member

We actually don't support password reset via the API server, only password change.

@serain
Copy link

serain commented Oct 2, 2020

@jessesuen the issue here is that the OP has created a new local user and can't set the new local user's password.

there is nowhere in the documentation that states what a new local users password is, or how to fetch it.

@Chabane
Copy link

Chabane commented Nov 23, 2020

the admin user must be enabled during the password change of a new local user
the default password of a new user can be retrieved from kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2

@goooogs
Copy link

goooogs commented Dec 29, 2020

the admin user must be enabled during the password change of a new local user
the default password of a new user can be retrieved from kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2

i tried this (user1 is new local user, and the admin password has been changed before):

OLD_PWD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)

argocd account update-password --account user1 --current-password "$OLD_PWD" --new-password '123456'

then i got this error:
FATA[0001] rpc error: code = InvalidArgument desc = current password does not match

finally, i duplicate admin password from Secret named argocd-secret:

apiVersion: v1
kind: Secret
name: argocd-secret
data:
  accounts.user1.password: <encrypt>
  accounts.user1.passwordMtime: <encrypt>
  admin.password: <encrypt>
  admin.passwordMtime: <encrypt>
  ...

after that, i can update the new user's password, its current-password is the same as admin's current password:

argocd account update-password --account user1 --current-password <admin password> --new-password '123456'

@andrei-dascalu
Copy link

The workaround of copying worked for me too, but it's terrible. IMHO The admin should be able to set passwords without the old one.
Also, the fact that the initial password is the first pod's name is also terrible for other users, mostly because it's always the first pod's name. If you make any updates or anything that gets the pod deleted and you haven't save the password somewhere, good luck.

@winmillwill
Copy link

password reset is documented now https://github.com/argoproj/argo-cd/blob/master/docs/faq.md#i-forgot-the-admin-password-how-do-i-reset-it

here's the one-liner I used to set the password to admin:

kubectl --namespace=argocd patch secret argocd-secret -p "$(cat <<EOF{"stringData": {
  "admin.password": "$(htpasswd -nbBC 10 USER admin | cut -d : -f 2)",
  "admin.passwordMtime": "'$(date +%FT%T%Z)'"
}}
EOF
)"

@edeediong
Copy link

@winmillwill Thank you so much for dropping that... Just saved me 1 hour of debugging and reporting.

@margani007
Copy link

After hours of struggle i figured out that admin user password is the current-password to reset.
Make sure to enter admin password as current-password and then enter new password of your choice to reset.

Hope this helps.

alexmt pushed a commit that referenced this issue Sep 21, 2021
It is not immediately clear what the `<current-user-password>` should be as shown by this issue: #4096.
This comment should make it more clear that when users are setting passwords as the default `admin` user, they should be using the `admin` password here.

Signed-off-by: John Chen <[email protected]>
plakyda-codefresh pushed a commit to plakyda-codefresh/argo-cd that referenced this issue Sep 28, 2021
It is not immediately clear what the `<current-user-password>` should be as shown by this issue: argoproj#4096.
This comment should make it more clear that when users are setting passwords as the default `admin` user, they should be using the `admin` password here.

Signed-off-by: John Chen <[email protected]>
Signed-off-by: viktorplakida <[email protected]>
@bat79a
Copy link

bat79a commented Jan 20, 2022

Hi all.

I have the admin user enabled, I can login on the UI with this admin user, and have created 2 users with a configmap.

I can list and see this 2 users with :

  • argocd account list --port-forward service/argocd-server --insecure

But when I want to create password for this 2 new local users like the docs explain, it's impossible :

  • argocd account update-password --account baptiste --current-password the_admin_password --new-password the_new_password --port-forward service/argocd-server --insecure

return to me :

This command can be used to update the password of the currently logged on
user, or an arbitrary local user account when the currently logged on user
has appropriate RBAC permissions to change other accounts.

Usage:
  argocd account update-password [flags]

Examples:
... etc...

EDIT : Tested with the v2.2.2 and the v2.2.3 version of argo-cd.

Thx a lot if someone know what I'm doing wrong ;p
Baptiste.

@bat79a
Copy link

bat79a commented Feb 15, 2022

Up tested with helm chart v2.2.5

Can't find where is the problem !

@ozbillwang
Copy link

ozbillwang commented Jan 24, 2023

Thanks, @enderson-pan

In my case, I just want to reset it and use the init password, which I can easily get it via command (official)

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

So follow up your comments, I only run these commands, then can login argocd now.

kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "",
    "admin.passwordMtime": ""
  }}'

export POD_NAME=$(kubectl get pods -n argocd -l "app.kubernetes.io/name=argocd-server" -o jsonpath="{.items[0].metadata.name}")

echo $POD_NAME

kubectl -n argocd delete pod $POD_NAME

sleep 10

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Now you can see admin's new init password and can login with it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
component:api API bugs and enhancements enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.