Skip to content

Password Reset

This guide covers procedures for resetting passwords for the Traceable Operator (TI) and Platform users.

Overview

Password reset may be required when:

  • Admin password is forgotten
  • Security policy requires password rotation
  • User account needs to be recovered

TI Password Reset

Method 1: Via UI

  1. Navigate to Administration Login to the Traceable Operator and go to the Administration section.

  2. Update Password

    • Enter the current username and password
    • Set the new password
    • Click Submit to update the password

Method 2: Via CLI

Step 1: Retrieve Initial Password (if needed)

Fetch the initial password from the cluster secret:

kubectl get secret ti-init-cluster -n traceable -o yaml \
  | yq .data | cut -d":" -f2 | tr -d " " \
  | base64 -d | yq ". | .tfi.userEmail, .tfi.userPassword"

Step 2: Create SHA256 Hash of New Password

Use an online SHA256 tool or command line to create the hash.

Validate SHA256 is working:

Input:

welcome123@855

Expected Output:

31654aaf0cdb82946c59619677533ee9d981b7960cbbcddabb2a5dc3d073b1c1

Create hash for your new password:

Using command line:

echo -n "mynewpassword@123" | sha256sum | cut -d' ' -f1

Or use an online tool like: https://emn178.github.io/online-tools/sha256.html

Example:

  • Input: mynewpassword@123
  • Output: f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0

Step 3: Update Users File

Open the users file in the TI pod:

kubectl exec -ti -n traceable traceable-installer-0 -- vi /app/data/ti-data/users

Step 4: Update Password Hash

Update the pwdSha256 field with the new hash:

admin@sslip.io:
  builtIn: true
  jwtLogin: true
  passwordLogin: true
  pwdSha256: f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0
  role: owner

Step 5: Backup the Secret

kubectl get secret ti-credentials -o yaml -n traceable \
  | sed 's/ti-credentials/ti-credentials-bkp/g' \
  | kubectl apply -f -

Step 6: Update the Secret

# Get original password entry
original=$(kubectl get secret ti-credentials -o yaml -n traceable \
            | yq .data.users | base64 -d)

# Extract the part before the colon
prefix="${original%%:*}"

# Set new password hash
newPassword=f8010a78348c929b0e0c778f1d6df1318756f9dfd341b788dff8754c4ab51ae0

# Concatenate the prefix and the new value
result="${prefix}: ${newPassword}"

# Verify the result
echo "$result"

# Update the secret
kubectl patch secret ti-credentials -n traceable \
  --patch "{\"data\":{\"users\":\"$(echo $result|base64 -w0)\"}}"

Step 7: Verify Login

Login to the TI using the new password.


Platform Password Reset

Retrieve Initial Password (if needed)

By default, the same password is used for TI and the Platform.

Via UI:

Check the Global Variables section in the Traceable Operator.

Via CLI:

kubectl get secret ti-init-cluster -n traceable -o yaml \
  | yq .data | cut -d":" -f2 | tr -d " " \
  | base64 -d | yq ". | .tfi.userEmail, .tfi.userPassword"

Reset Password via Keycloak

Step 1: Get Keycloak Password

Option 1: Via TI UI
  • Go to Global Variables in the Traceable Operator
  • Find and copy the keycloakPassword
Option 2: Via CLI
kubectl get secret traceable-keycloak-admin-password -o yaml \
  | yq .data."keycloak-admin-password" | base64 -d

Step 2: Login to Keycloak

Navigate to:

https://<DNS_Name>/auth

Credentials:

  • Username: keycloak
  • Password: (from Step 1)

Step 3: Switch to Traceable Realm

In the Keycloak admin console, select Traceable from the realm dropdown.

Step 4: Reset User Password

  1. Go to the Users tab
  2. Click on the user whose password you want to reset
  3. Select Credentials tab
  4. Click Reset Password
  5. Enter the new password
  6. Toggle off "Temporary" if you don't want the user to change it on first login
  7. Click Reset Password to confirm

Step 5: Login with New Password

The user can now login with the new password. If "Temporary" was enabled, they will be prompted to set a new password on first login.


Security Best Practices

  1. Strong Passwords: Use passwords with at least 12 characters, including uppercase, lowercase, numbers, and special characters
  2. Regular Rotation: Rotate passwords according to your security policy
  3. Unique Passwords: Don't reuse passwords across different systems
  4. Secure Storage: Never store passwords in plain text or version control
  5. Audit Access: Monitor and log password reset activities
  6. MFA: Consider enabling multi-factor authentication via SAML integration

Troubleshooting

Cannot Access TI After Password Reset

Symptoms: Login fails after CLI password reset.

Solutions:

  1. Verify the SHA256 hash was generated correctly
  2. Check the users file format is valid YAML
  3. Verify the secret was updated correctly:
kubectl get secret ti-credentials -n traceable -o yaml | yq .data.users | base64 -d
  1. Restore from backup if needed:
kubectl get secret ti-credentials-bkp -n traceable -o yaml \
  | sed 's/ti-credentials-bkp/ti-credentials/g' \
  | kubectl apply -f -

Keycloak Login Fails

Symptoms: Cannot login to Keycloak admin console.

Solutions:

  1. Verify the password from the secret is correct
  2. Check Keycloak pod is running:
kubectl get pods -n traceable -l app=keycloak
  1. Check Keycloak logs:
kubectl logs -n traceable -l app=keycloak

User Cannot Login After Password Reset

Symptoms: User receives authentication error after password reset.

Solutions:

  1. Verify the password was set correctly in Keycloak
  2. Check if "Temporary" password flag requires password change
  3. Clear browser cache and cookies
  4. Check IAM service logs:
kubectl logs -n traceable -l app=iamv2


Support

For password reset assistance, contact: support@harness.io

Provide the following information:

  • Account type (TI admin, Platform user)
  • Error messages encountered
  • Steps already attempted