fix: stop argo-cd secret reseting admin password when updated using c…
…li/dashboard (argoproj-labs#1257) (argoproj-labs#1266)

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Co-authored-by: Anand Kumar Singh <anandrkskd@gmail.com>
gcp-cherry-pick-bot[bot] and anandrkskd authored Feb 27, 2024
1 parent b510aeb commit 8f65a5e
Showing 2 changed files with 66 additions and 1 deletion.
3 changes: 2 additions & 1 deletion controllers/argocd/secret.go
@@ -313,9 +313,10 @@ func (r *ReconcileArgoCD) reconcileExistingArgoSecret(cr *argoproj.ArgoCD, secre
secret.Data[common.ArgoCDKeyServerSecretKey] = sessionKey
}

// reset the value to default only when secret.data field is nil
if hasArgoAdminPasswordChanged(secret, clusterSecret) {
pwBytes, ok := clusterSecret.Data[common.ArgoCDKeyAdminPassword]
if ok {
if ok && secret.Data[common.ArgoCDKeyAdminPassword] == nil {
hashedPassword, err := argopass.HashPassword(strings.TrimRight(string(pwBytes), "\n"))
if err != nil {
return err
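Review bot: The new guard `secret.Data[common.ArgoCDKeyAdminPassword] == nil` fires only when the key is absent or nil, so an entry that is present but empty would be treated as a user-set password and never re-seeded from the cluster secret; `if ok && len(secret.Data[common.ArgoCDKeyAdminPassword]) == 0 {` covers both cases. The added comment says the reset happens when the `secret.data` field is nil, but the condition tests the single admin-password key, so something like `// seed the admin password hash from the cluster secret only when argocd-secret has none` would match the code. A consequence worth documenting is that once a hash exists, a password changed in the cluster secret is no longer propagated; assuming hasArgoAdminPasswordChanged (defined outside this hunk) still reports the difference, a rotation made there is dropped without any trace, and a log line on that path would make it visible to operators. The body of reconcileExistingArgoSecret starts and ends outside the hunk.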
64 changes: 64 additions & 0 deletions controllers/argocd/secret_test.go
@@ -4,6 +4,7 @@ import (
"context"
"crypto/sha256"
"fmt"
argopass "github.com/argoproj/argo-cd/v2/util/password"
"reflect"
"sort"
"testing"
@@ -259,7 +260,70 @@ func Test_ReconcileArgoCD_ReconcileExistingArgoSecret(t *testing.T) {
if testSecret.Data[common.ArgoCDKeyServerSecretKey] == nil {
t.Errorf("Expected data for data.server.secretKey but got nothing")
}
}

func Test_ReconcileArgoCD_ReconcileShouldNotChangeWhenUpdatedAdminPass(t *testing.T) {
argocd := &argoproj.ArgoCD{
ObjectMeta: metav1.ObjectMeta{
Name: "argocd",
Namespace: "argocd-operator",
},
}

clusterSecret := argoutil.NewSecretWithSuffix(argocd, "cluster")
clusterSecret.Data = map[string][]byte{common.ArgoCDKeyAdminPassword: []byte("something")}
tlsSecret := argoutil.NewSecretWithSuffix(argocd, "tls")

resObjs := []client.Object{argocd}
subresObjs := []client.Object{argocd}
runtimeObjs := []runtime.Object{}
sch := makeTestReconcilerScheme(argoproj.AddToScheme)
cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
r := makeTestReconciler(cl, sch)

r.Client.Create(context.TODO(), clusterSecret)
r.Client.Create(context.TODO(), tlsSecret)

err := r.reconcileArgoSecret(argocd)

assert.NoError(t, err)

testSecret := &corev1.Secret{}
secretErr := r.Client.Get(context.TODO(), types.NamespacedName{Name: "argocd-secret", Namespace: "argocd-operator"}, testSecret)
assert.NoError(t, secretErr)

// simulating update of argo-cd Admin password from cli or argocd dashboard
hashedPassword, _ := argopass.HashPassword("updated_password")
testSecret.Data[common.ArgoCDKeyAdminPassword] = []byte(hashedPassword)
mTime := nowBytes()
testSecret.Data[common.ArgoCDKeyAdminPasswordMTime] = mTime
r.Client.Update(context.TODO(), testSecret)

_ = r.reconcileExistingArgoSecret(argocd, testSecret, clusterSecret, tlsSecret)
_ = r.Client.Get(context.TODO(), types.NamespacedName{Name: "argocd-secret", Namespace: "argocd-operator"}, testSecret)

// checking if reconciliation updates the ArgoCDKeyAdminPassword and ArgoCDKeyAdminPasswordMTime
if string(testSecret.Data[common.ArgoCDKeyAdminPassword]) != hashedPassword {
t.Errorf("Expected hashedPassword to reamin unchanged but got updated")
}
if string(testSecret.Data[common.ArgoCDKeyAdminPasswordMTime]) != string(mTime) {
t.Errorf("Expected ArgoCDKeyAdminPasswordMTime to reamin unchanged but got updated")
}

// if you remove the secret.Data it should come back, including the secretKey
testSecret.Data = nil
r.Client.Update(context.TODO(), testSecret)

_ = r.reconcileExistingArgoSecret(argocd, testSecret, clusterSecret, tlsSecret)
_ = r.Client.Get(context.TODO(), types.NamespacedName{Name: "argocd-secret", Namespace: "argocd-operator"}, testSecret)

if testSecret.Data == nil {
t.Errorf("Expected data for data.server but got nothing")
}

if testSecret.Data[common.ArgoCDKeyServerSecretKey] == nil {
t.Errorf("Expected data for data.server.secretKey but got nothing")
}
}

func Test_ReconcileArgoCD_ReconcileRedisTLSSecret(t *testing.T) {
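Review bot: Test_ReconcileArgoCD_ReconcileShouldNotChangeWhenUpdatedAdminPass discards every error after the first reconcile (`_ = r.reconcileExistingArgoSecret(...)`, `_ = r.Client.Get(...)`, the unchecked `r.Client.Update(...)` calls and the ignored `HashPassword` error), so if the update, the reconcile or the re-read fails, `testSecret` can still hold the values the test wrote itself and the "unchanged" checks pass without exercising the fix. Checking them, for example `assert.NoError(t, r.Client.Update(context.TODO(), testSecret))` and `assert.NoError(t, r.reconcileExistingArgoSecret(argocd, testSecret, clusterSecret, tlsSecret))`, closes that gap. The `testSecret.Data = nil` half asserts only that the server secret key comes back; it should also assert that `testSecret.Data[common.ArgoCDKeyAdminPassword]` is repopulated, since that is the branch the new guard in secret.go controls. The two failure messages spell "remain" as "reamin".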
