Charts: [stable/grafana] admin password secret changes on helm upgrade

Created on 21 Sep 2018 · 12Comments · Source: helm/charts

Hi all,
The helm chart for grafana changes admin password on helm upgrade. But it is only updating the secret value rather than actualy changing the admin passowrd. In my opinion for helm upgrade it should not change admin password

lifecyclstale

Source

charlspjohn

👍2

Most helpful comment

FWIW, this is pretty easy to work around by retrieving the "current" password from the kube secrets and then running an exec command to execute the grafana-cli admin reset-admin-password command.

kubectl get secret prometheus-grafana -o jsonpath='{.data.admin-password}' \
| base64 --decode \
| xargs -I {} kubectl exec -it prometheus-grafana-0 -- grafana-cli admin reset-admin-password --homepath /usr/share/grafana {}

rubberduck203 on 30 Nov 2018

👍8

All 12 comments

See https://github.com/helm/charts/issues/5167

scottrigby on 21 Sep 2018

You can always add an annotation that looks like this:
checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
to upgrade the Grafana deployment everytime the secret changes.

giacomoguiulfo on 21 Sep 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] on 21 Oct 2018

Probably just need to upgrade grafana to something like this: https://github.com/helm/charts/issues/5167#issuecomment-428143961

At least until https://github.com/helm/helm/issues/3053#issuecomment-422945888 is implemented. This really sucks, because grafana only loads the admin password once, so after one upgrade, you lose the admin password forever.

dtshepherd on 2 Nov 2018

FWIW, this is pretty easy to work around by retrieving the "current" password from the kube secrets and then running an exec command to execute the grafana-cli admin reset-admin-password command.

kubectl get secret prometheus-grafana -o jsonpath='{.data.admin-password}' \
| base64 --decode \
| xargs -I {} kubectl exec -it prometheus-grafana-0 -- grafana-cli admin reset-admin-password --homepath /usr/share/grafana {}

rubberduck203 on 30 Nov 2018

👍8

stale[bot] on 30 Dec 2018

Still would like to see this fixed...

dtshepherd on 10 Jan 2019

👍2

stale[bot] on 9 Feb 2019

This issue is being automatically closed due to inactivity.

stale[bot] on 23 Feb 2019

You can create your own password in K8s now to avoid issues with helm. A downside is that it won't be deleted when you delete your helm chart, but that's not much of a concern if you are always generating new passwords.

secret="grafana-password"
kubectl --namespace grafana create secret generic "$secret" \
   --from-literal=admin-user=admin --from-literal=admin-password=admin
helm install stable/grafana -f grafana.yaml --namespace grafana \
  --set admin.existingSecret="$secret"

gregwebs on 3 Apr 2019

👍3

I had to change @rubberduck203 comment because the --homepath option had to be used not atfer reset-admin-password but before. In the end this worked for me:

kubectl -n grafana get secret grafana -o jsonpath='{.data.admin-password}' \
| base64 --decode \
| xargs -I {} kubectl -n grafana exec -it grafana-6f9bd94d5d-k225s -- grafana-cli --homepath /usr/share/grafana admin reset-admin-password {}

Where grafana-6f9bd94d5d-k225s is a pod of the grafana deployment

wuestkamp on 7 Dec 2019

👍1

To make it pod name idempotent try to use labels to resolve the pod name.

kubectl get secret grafana -o jsonpath='{.data.admin-password}' \
| base64 --decode \
| xargs -I {} kubectl exec -it $(kubectl get pod -l "app=grafana" -o jsonpath='{.items[0].metadata.name}') -c grafana -- grafana-cli --homepath /usr/share/grafana admin reset-admin-password  {}