-
Notifications
You must be signed in to change notification settings - Fork 891
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Jenkins initial admin password secret gets overwritten on every Kustomize build, losing the real login credential - this breaks the login shortly after deployment in GitOps CD systems like ArgoCD #1026
Comments
Related to helm/helm-www#1259 (comment) The problem there is that Kustomize materialized Helm in such a way without the chart being able to check for an existing secret to reuse it. Found from this relevant bit of code showing the logic: charts/jenkins-4.12.1/jenkins/templates/_helpers.tpl :
|
We upgraded from |
I am not able to successfully use the suggestion unfortunately. I get the error below:
What is odd on the top of that is there is already a secret called |
Is it in the right namespace? |
I have a My observation is if I do not apply the work-around then my admin user password becomes The only other alternate for me is to update my Jenkins container (image) which has vulnerabilities patched and keep the helm chart version |
Only if
|
Yup I have not defined that. Running the upgrade with |
Describe the bug
When installing the Jenkins helm chart via Kustomize it generates a new admin password each time a
kustomize build
is run.This overwrites the
jenkins
secret with a new randomjenkins-admin-password
, losing the real initial admin login password.Version of Helm and Kubernetes
Chart version
4.12.1
What happened?
What you expected to happen?
I expected the Jenkins password to be idempotent
Perhaps the initial admin password should just be the hash of the entire config so that it is the same value on each run, at least for a while until the config is changed so that at least it's not overwriting the initial admin password so quickly when it is deployed via GitOps style CD systems like ArgoCD?
How to reproduce it
see the admin password:
Then do another run of kustomize build like ArgoCD does every few minutes
See it will change the jenkins admin password:
kustomize build --enable-helm | kubectl diff -f -
apply:
kustomize build --enable-helm | kubectl apply -f -
see you have now lost the real jenkins admin password as the secret has been overwritten but this new password will not work to log in:
It looks like a restart of the Jenkins pod overwrites the admin password with whatever the latest in the jenkins secret is, likely due to JCasC.
This appears to be a tricky transitory problem between mismatching secret and jenkins controller where there is no restart of the pod, made worse by using a GitOps system like ArgoCD which is reapplying so frequently rotating the secret password key but not restarting the pod (not that you'd want your jenkins controller going down frequently either).
Anything else we need to know?
I've disabled the Jenkins helm chart from recreating the secret by setting this in the chart
values.yaml
:The text was updated successfully, but these errors were encountered: