Password Reset¶
This guide covers procedures for resetting passwords for the Traceable Operator (TI) and Platform users.
Overview¶
Password reset may be required when:
- Admin password is forgotten
- Security policy requires password rotation
- User account needs to be recovered
TI Password Reset¶
Method 1: Via UI¶
-
Navigate to Administration Login to the Traceable Operator and go to the Administration section.
-
Update Password
- Enter the current username and password
- Set the new password
- Click Submit to update the password
Method 2: Via CLI¶
Step 1: Retrieve Initial Password (if needed)¶
Fetch the initial password from the cluster secret:
kubectl get secret ti-init-cluster -n traceable -o yaml \
| yq .data | cut -d":" -f2 | tr -d " " \
| base64 -d | yq ". | .tfi.userEmail, .tfi.userPassword"
Step 2: Create SHA256 Hash of New Password¶
Use an online SHA256 tool or command line to create the hash.
Validate SHA256 is working:
Input:
Expected Output:
Create hash for your new password:
Using command line:
Or use an online tool like: https://emn178.github.io/online-tools/sha256.html
Example:
- Input:
mynewpassword@123 - Output:
f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0
Step 3: Update Users File¶
Open the users file in the TI pod:
Step 4: Update Password Hash¶
Update the pwdSha256 field with the new hash:
admin@sslip.io:
builtIn: true
jwtLogin: true
passwordLogin: true
pwdSha256: f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0
role: owner
Step 5: Backup the Secret¶
kubectl get secret ti-credentials -o yaml -n traceable \
| sed 's/ti-credentials/ti-credentials-bkp/g' \
| kubectl apply -f -
Step 6: Update the Secret¶
# Get original password entry
original=$(kubectl get secret ti-credentials -o yaml -n traceable \
| yq .data.users | base64 -d)
# Extract the part before the colon
prefix="${original%%:*}"
# Set new password hash
newPassword=f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0
# Concatenate the prefix and the new value
result="${prefix}: ${newPassword}"
# Verify the result
echo "$result"
# Update the secret
kubectl patch secret ti-credentials -n traceable \
--patch "{\"data\":{\"users\":\"$(echo $result|base64 -w0)\"}}"
Step 7: Verify Login¶
Login to the TI using the new password.
Platform Password Reset¶
Retrieve Initial Password (if needed)¶
By default, the same password is used for TI and the Platform.
Via UI:
Check the Global Variables section in the Traceable Operator.
Via CLI:
kubectl get secret ti-init-cluster -n traceable -o yaml \
| yq .data | cut -d":" -f2 | tr -d " " \
| base64 -d | yq ". | .tfi.userEmail, .tfi.userPassword"
Reset Password via Keycloak¶
Step 1: Get Keycloak Password¶
Option 1: Via TI UI¶
- Go to Global Variables in the Traceable Operator
- Find and copy the
keycloakPassword
Option 2: Via CLI¶
kubectl get secret traceable-keycloak-admin-password -o yaml \
| yq .data."keycloak-admin-password" | base64 -d
Step 2: Login to Keycloak¶
Navigate to:
Credentials:
- Username:
keycloak - Password: (from Step 1)
Step 3: Switch to Traceable Realm¶
In the Keycloak admin console, select Traceable from the realm dropdown.
Step 4: Reset User Password¶
- Go to the Users tab
- Click on the user whose password you want to reset
- Select Credentials tab
- Click Reset Password
- Enter the new password
- Toggle off "Temporary" if you don't want the user to change it on first login
- Click Reset Password to confirm
Step 5: Login with New Password¶
The user can now login with the new password. If "Temporary" was enabled, they will be prompted to set a new password on first login.
Security Best Practices¶
- Strong Passwords: Use passwords with at least 12 characters, including uppercase, lowercase, numbers, and special characters
- Regular Rotation: Rotate passwords according to your security policy
- Unique Passwords: Don't reuse passwords across different systems
- Secure Storage: Never store passwords in plain text or version control
- Audit Access: Monitor and log password reset activities
- MFA: Consider enabling multi-factor authentication via SAML integration
Troubleshooting¶
Cannot Access TI After Password Reset¶
Symptoms: Login fails after CLI password reset.
Solutions:
- Verify the SHA256 hash was generated correctly
- Check the users file format is valid YAML
- Verify the secret was updated correctly:
- Restore from backup if needed:
kubectl get secret ti-credentials-bkp -n traceable -o yaml \
| sed 's/ti-credentials-bkp/ti-credentials/g' \
| kubectl apply -f -
Keycloak Login Fails¶
Symptoms: Cannot login to Keycloak admin console.
Solutions:
- Verify the password from the secret is correct
- Check Keycloak pod is running:
- Check Keycloak logs:
User Cannot Login After Password Reset¶
Symptoms: User receives authentication error after password reset.
Solutions:
- Verify the password was set correctly in Keycloak
- Check if "Temporary" password flag requires password change
- Clear browser cache and cookies
- Check IAM service logs:
Related Documentation¶
- SAML Setup - Configure SSO authentication
- Update DNS - Update platform domain name
Support¶
For password reset assistance, contact: support@harness.io
Provide the following information:
- Account type (TI admin, Platform user)
- Error messages encountered
- Steps already attempted