Argo-cd: Unable to change the user's password via argocd CLI

Created on 14 Aug 2020  Â·  7Comments  Â·  Source: argoproj/argo-cd

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a
question in argocd slack channel.

Checklist:

  • [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • [x] I've included steps to reproduce the bug.
  • [x] I've pasted the output of argocd version.

Describe the bug

I am unable to change a password for the new user via CLI

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # add an additional local user with apiKey and login capabilities
  #   apiKey - allows generating API keys
  #   login - allows to login using UI
  accounts.grigory: apiKey, login
  # disables user. User is enabled by default
  accounts.grigory.enabled: "true"

After applying this I see a list of accounts

➜ argocd account list                                                                              
NAME     ENABLED  CAPABILITIES
admin    true     login
alice    true     
grigory  true     apiKey, login

➜ argocd account update-password --account grigory --new-password xxx

*** Enter current password: 
FATA[0002] rpc error: code = InvalidArgument desc = current password does not match

I tried to get the default password using this call

➜ kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd-server-55685944cb-rsjll

But when I paste, I always get the following error
* Enter current password:
FATA[0002] rpc error: code = InvalidArgument desc = current password does not match

SO right now I am stuck. And based on other answers the pod name has changed. How do I reset the user's password programmatically without knowing it's default password?

Expected behavior

Ability to update password for the user.

Version

➜ argocd version     
argocd: v1.6.1+159674e
  BuildDate: 2020-06-19T00:39:46Z
  GitCommit: 159674ee844a378fb98fe297006bf7b83a6e32d2
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
argocd-server: v1.6.1+159674e
  BuildDate: 2020-06-19T00:41:05Z
  GitCommit: 159674ee844a378fb98fe297006bf7b83a6e32d2
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: {Version:kustomize/v3.6.1 GitCommit:c97fa946d576eb6ed559f17f2ac43b3b5a8d5dbd BuildDate:2020-05-27T20:47:35Z GoOs:linux GoArch:amd64}
  Helm Version: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}
  Kubectl Version: v1.14.0
api enhancement
Source
picture golance-mightydevops
👍3

Most helpful comment

@jessesuen the issue here is that the OP has created a new local user and can't set the new local user's password.

there is nowhere in the documentation that states what a new local users password is, or how to fetch it.

picture serain on 2 Oct 2020
👍2

All 7 comments

And if I login into UI with admin account /settings/accounts
I see this:

Something went wrong!

Consider submitting an issue here.


Stacktrace:

TypeError: Cannot read property 'join' of undefined
    at https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:329934
    at Array.map (<anonymous>)
    at Object.children (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:329539)
    at t.render (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:13:86283)
    at Oi (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:63228)
    at Ai (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:63023)
    at Yi (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:66858)
    at Ka (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:90782)
    at Xa (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:91166)
    at Ps (https://argocd-dev.xxx.com/main.a781d839f0adbf108587.js:354:98191)
golance-mightydevops picture golance-mightydevops on 14 Aug 2020
👍1

Hi,
I've got the same issue as you.

4090

enderson-pan picture enderson-pan on 14 Aug 2020

Hi, @golance-mightydevops
Finally I figoured it out.
Firstly, I reset my admin password to null.

kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "",
    "admin.passwordMtime": ""
  }}'

Secondly, I delete the argoservice pod:

kubectl delete pod argocd-server-xxx-xxx -n=argocd

And then waiting for argocd-server pod to recover, the new argocd-server pod's name is the password of the admin account.

Thirdly, I add the new local accout xxx, and then use the argocd account update-password --account xxx --new-password to up date the new account's password, the init password of the new added user xxx is the same as admin password.
image

enderson-pan picture enderson-pan on 14 Aug 2020

We actually don't support password reset via the API server, only password change.

jessesuen picture jessesuen on 17 Aug 2020
👀1

@jessesuen the issue here is that the OP has created a new local user and can't set the new local user's password.

there is nowhere in the documentation that states what a new local users password is, or how to fetch it.

serain picture serain on 2 Oct 2020
👍2

the admin user must be enabled during the password change of a new local user
the default password of a new user can be retrieved from kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2

Chabane picture Chabane on 23 Nov 2020

the admin user must be enabled during the password change of a new local user
the default password of a new user can be retrieved from kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2

i tried this (user1 is new local user, and the admin password has been changed before):

OLD_PWD=$(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2)

argocd account update-password --account user1 --current-password "$OLD_PWD" --new-password '123456'

then i got this error:
FATA[0001] rpc error: code = InvalidArgument desc = current password does not match

finally, i duplicate admin password from Secret named argocd-secret:

apiVersion: v1
kind: Secret
name: argocd-secret
data:
  accounts.user1.password: <encrypt>
  accounts.user1.passwordMtime: <encrypt>
  admin.password: <encrypt>
  admin.passwordMtime: <encrypt>
  ...

after that, i can update the new user's password, its current-password is the same as admin's current password:

argocd account update-password --account user1 --current-password <admin password> --new-password '123456'
goooogs picture goooogs on 29 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

moensch picture moensch  Â·  3Comments
alexec picture alexec  Â·  3Comments
everesio picture everesio  Â·  3Comments
gregsheremeta picture gregsheremeta  Â·  3Comments
hulu1522 picture hulu1522  Â·  3Comments