argoproj-labs / argocd-operator

A Kubernetes operator for managing Argo CD clusters.
https://argocd-operator.readthedocs.io
Apache License 2.0

Admin password not changed after modifying the ...-cluster secret #1483

Open johanneskastl opened 2 months ago

johanneskastl commented 2 months ago

Describe the bug

Although the argocd-operator pod log mentions the admin password as changed multiple times, the argocd-secret secret stayed untouched after modifications to the argocd-example-cluster secret were made. This led to the authentication failing...

Manually patching the argocd-secret with a bcrypt hash of the new password worked and I could log in.

To Reproduce

Following the docs: https://argocd-operator.readthedocs.io/en/latest/usage/basics/#secrets

Steps to reproduce the behavior:

  1. Install argocd operator and create a new argocd instance.
  2. Check the argocd-example-cluster and the argocd-secret secret
  3. Patch the argocd-secret secret to contain a new password
  4. Check the argocd operator pod logs and wait until nothing happens anymore
  5. Try to log in using the new password
  6. Authentication fails
  7. The argocd-secret secret contents are still untouched and on the state before step 3.

Expected behavior

According to the documentation this should have worked and I should be able to log in.

Information

If there are more details you would like to know, feel free to reach out.

Kind Regards Johannes

svghadi commented 2 months ago

We made a behavioral change in #1257 to resolve the password reset issue from the Argo CD UI and CLI. As a result, the argocd-example-cluster secret is now treated as the initial password. We are planning to deprecate argocd-example-cluster secret so the preferred way to reset the password is as described in the upstream documentation.

We missed documenting this new change in the docs: here. Thanks for bringing this to our attention.

johanneskastl commented 2 months ago

Thanks for the explanation, aligning things between operator and non-operator based installations is a very good idea, to not confuse people finding documentation not fitting their way of installation.

svghadi commented 2 months ago

Yes, that is our plan. I will keep this issue open to address the documentation gap.

johanneskastl commented 2 months ago

Hmmm, I cannot reliably change the password upon deployment.

The steps I am currently taking are:

I am confused by the operator pod spitting out lots of "admin password has changed" lines, even if the password has not changed.

Funny thing is that I somehow got this working manually before, but now all I get is a failed login...

johanneskastl commented 2 months ago

OK, I noticed my mistake. I failed to remove the admin: from the bcrypt output.

But still I get an "invalid session: account password has changed since token issued" error when trying to log in.
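
Added example, not part of the thread or the operator's code: a shell helper for the manual argocd-secret patch discussed above that strips the admin: prefix from htpasswd-style output and refuses anything that is not a bare bcrypt string. The admin.password and admin.passwordMtime key names follow the upstream Argo CD password-reset documentation; NS, NEW_PASSWORD, the function names and the sample hash are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in htpasswd "user:hash" form (format only, not a real hash).
SAMPLE='admin:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234'

# Reduce "user:hash" output to the bare bcrypt string and refuse anything
# else, so a value such as "admin:$2y$..." never reaches the secret.
bcrypt_from_htpasswd() (
  hash=$(printf '%s' "$1" | tr -d '\r\n')   # tolerate CRLF copy/paste
  hash=${hash#*:}                            # drop "admin:"; no-op if absent
  # bcrypt: $2a/$2b/$2y, two-digit cost, then 22 salt + 31 digest characters
  if printf '%s\n' "$hash" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'; then
    printf '%s\n' "$hash"
  else
    echo "not a bare bcrypt hash" >&2
    exit 1
  fi
)

# Build the patch body for argocd-secret. The second argument overrides the
# modification time (RFC 3339, UTC); by default the current time is used.
build_password_patch() (
  hash=$(bcrypt_from_htpasswd "$1") || exit 1
  mtime=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  printf '{"stringData":{"admin.password":"%s","admin.passwordMtime":"%s"}}\n' \
    "$hash" "$mtime"
)

# Demo on the constructed sample; prints the JSON that would be sent.
build_password_patch "$SAMPLE" 2024-01-01T00:00:00Z

# Usage against a cluster (NS and NEW_PASSWORD are placeholders):
#   line=$(printf '%s' "$NEW_PASSWORD" | htpasswd -niBC 10 admin)
#   kubectl -n "$NS" patch secret argocd-secret -p "$(build_password_patch "$line")"
```

Reading the password from stdin with htpasswd -i keeps it out of the process list and shell history.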