Charts: [stable/grafana] export password broken
Is this a request for help?:
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT
Version of Helm and Kubernetes: Helm 2.9.1 / Kubernetes 1.9 & 1.10 on GKE
Which chart:
stable/grafana version 1.11.1
What happened:
Installation succeeded without problems but the password export hint from the notest.txt does not work as it shows a not working password.
I've did not set a password in the values.yaml so a random password was generated.
I've used:
kubectl get secret --namespace default grafana -o jsonpath="{.data.admin-password}" | base64 --decode ; echo
I got a password like: cTYhH2fxBaAJnGYXinJG3SwuNDu3rEtaOjB5fRde
What you expected to happen:
Login to Grafana is possible.
How to reproduce it (as minimally and precisely as possible):
- Install Grafana
- don't set a username or password
- extract password like described in the notes after installing
- login with username "admin" and exported passwort
Anything else we need to know:
monotek
All 11 comments
Using hardcoded password did not help.
monotek
on 18 Jun 2018
/assign zanhsieh
/assign rtluckie
monotek
on 18 Jun 2018
@monotek: GitHub didn't allow me to assign the following users: zanhsieh, rtluckie.
Note that only kubernetes members and repo collaborators can be assigned.
In response to this:
/assign zanhsieh
/assign rtluckie
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
k8s-ci-robot
on 18 Jun 2018
I'm having the same issue
chainlink
on 23 Jun 2018
This PR Addresses @monotek https://github.com/kubernetes/charts/pull/5895 you need to use adminPassword (changed from server.adminPassword)
chainlink
on 26 Jun 2018
I don't use any passwort value so a random password should be set.
Exporting the random password and loging in does not work.
monotek
on 26 Jun 2018
We hard set the password because of the bug where a random password is assigned on every release. If you re-release it updates the secret to a new (wrong) password, while leaving the one in the grafana db as the old one.
chainlink
on 30 Jun 2018
Even renewing the setting of the password by updating the chart should not export a wrong one.
Nevertheless i also have this problem when installing the first time.
Imho something was changed as this worked before.
monotek
on 30 Jun 2018
works for me again with chart version 1.12.0
monotek
on 3 Jul 2018
After running into this again i did some debugging. It seems part of the problem is, that the persistence is used and a pod restart recreates the password and updates it in the sqlite db (/var/lib/grafana/grafana.db).
The kubernetes secret seems not to be updated.
As a workaround you can get password from containers env var:
- kubectl exec -it grafana-79766578b9-hzbrb env | grep GF_SECURITY_ADMIN_PASSWORD
Or set a new password inside the container:
- kubectl exec -it grafana-79766578b9-hzbrb bash
- cd /usr/share/grafana/
- grafana-cli admin reset-admin-password NEW-PASSWORD
Imho we have 2 options to :
- set persistence to false so every pod restart you should get a new but working passwort
- set a fixed password in the values file
Final fix should get sure the secret is updated
monotek
on 23 Jul 2018
Setting the password via sidecarcontainer is not an option, as the grafana server has to run to use the admin reset via grafana-cli.
Setting a static user password seems to be the best option at moment.
closing...
monotek
on 24 Jul 2018
Related issues
musabmasood
路
3Comments
dene14
路
3Comments
mickengland
路
3Comments
tyg03485
路
3Comments
kminehart
路
3Comments
Most helpful comment
After running into this again i did some debugging. It seems part of the problem is, that the persistence is used and a pod restart recreates the password and updates it in the sqlite db (/var/lib/grafana/grafana.db).
The kubernetes secret seems not to be updated.
As a workaround you can get password from containers env var:
Or set a new password inside the container:
Imho we have 2 options to :
Final fix should get sure the secret is updated