Unable to create new password for ArgoCD user


I have installed ArgoCD in my minikube cluster and exposed it using the Istio ingress controller at the host argocd.k8s.local.

The problem is that I created a new user using ArgoCD CLI but I cannot change the password of this user.

Here are the commands I used and some configuration files.

Login to ArgoCD using ArgoCD CLI:

argocd login argocd.k8s.local --username admin --password <admin-password> --core

argocd-cm.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  accounts.testuser: login

Get the existing ArgoCD accounts:

argocd account list

Output:

PS C:\ArgoCD> argocd account list
NAME      ENABLED  CAPABILITIES
admin     true     login
testuser  true     login

Try to set a new password for the new user:

argocd account update-password --account testuser --current-password <admin-password> --new-password <new-user-password>

Error:

time="2024-08-26T18:24:44+03:00" level=error msg="finished unary call with code Unknown" error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2024-08-26T18:24:44+03:00" grpc.time_ms=0 span.kind=server system=grpc
time="2024-08-26T18:24:44+03:00" level=fatal msg="rpc error: code = Unknown desc = unable to extract token claims"

Is there any way to resolve this issue or another way to create users in ArgoCD?


Solution

  • A temporary solution I found after investigation is to connect to the argocd-server pod and do the same.

    Execute the following commands:

    In a terminal:

    kubectl exec -it -n argocd <argocd-server-pod-name> -- bash
    

    In the argocd-server pod:

    argocd login localhost:8080 --insecure --username admin --password <admin-password>
    
    argocd account update-password --account <new-account-name> --new-password <new-user-password> --current-password <admin-password>
    

    NOTE

    The service account argocd-server might need access to read and create resources in the argocd namespace, so you can create a Role and RoleBinding to give this access.

    contributor-cluster-role.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      # "namespace" omitted since ClusterRoles are not namespaced
      name: contributor
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: ["get", "watch", "list", "create"]
    

    argocd-server-contributor-cluster-role-binding.yaml

    apiVersion: rbac.authorization.k8s.io/v1
    # This cluster role binding grants the "contributor" ClusterRole to the argocd-server service account in every namespace.
    kind: ClusterRoleBinding
    metadata:
      name: argocd-server-contributor-role-binding
    subjects:
    - kind: ServiceAccount
      name: argocd-server # Name is case sensitive
      namespace: argocd
    roleRef:
      kind: ClusterRole
      name: contributor
      apiGroup: rbac.authorization.k8s.io
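
A namespace-scoped form of the access described in the NOTE above, as an added example that is not part of the original answer: a Role and RoleBinding confined to the argocd namespace instead of a ClusterRole with `resources: ["*"]`. The object names and the restriction to ConfigMaps and Secrets are assumptions (Argo CD keeps local account settings in the argocd-cm ConfigMap and password hashes in the argocd-secret Secret); the verbs are the ones the answer uses.

```yaml
# Added example, not from the original answer.
# The names "argocd-server-contributor" and
# "argocd-server-contributor-binding" are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-server-contributor
  namespace: argocd            # the grant ends at this namespace
rules:
- apiGroups: [""]
  # Assumption: only ConfigMaps and Secrets are needed, since that is
  # where Argo CD stores accounts (argocd-cm) and password hashes
  # (argocd-secret).
  resources: ["configmaps", "secrets"]
  # Same verbs as the ClusterRole in the answer.
  verbs: ["get", "watch", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-server-contributor-binding
  namespace: argocd
subjects:
- kind: ServiceAccount
  name: argocd-server          # name is case sensitive
  namespace: argocd
roleRef:
  kind: Role                   # namespaced Role, not a ClusterRole
  name: argocd-server-contributor
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:argocd:argocd-server` should answer `no` (provided no other binding grants that access), while the same query with `-n argocd` should answer `yes`.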