Reset Admin Password

note

If you don't see any authentication methods on the login page, you most likely don't have access to your SSO authentication anymore. To reenable password login you need to edit the loft configuration.

Run the following command to get a new hashed loft configuration wit password login enabled:

 kubectl get secrets/loft-manager-config  -o jsonpath="{.data.config}" | base64 -d | yq "del(.auth.password.disabled)" | base64

Then, copy the output, kubectl edit get secrets/loft-manager-config and replace .data.config with the new config. Make sure to restart your loft pods afterwards for the new configuration to take effect.

Loftctl

If you are still authenticated via the loft CLI you can easily reset the admin password:

loft reset password --user=admin

Kubectl

In order to find the kubernetes secret where the password hash for the admin account, run the following command:

$ kubectl get user admin -o yaml
apiVersion: management.loft.sh/v1
kind: User
metadata:
  ...
spec:
  passwordRef:
    key: password
    secretName: loft-user-secret-admin
    secretNamespace: loft
...

The important part of the yaml is the password ref, which holds the reference for the secret where the password is stored.

Reset the password

The next step is to create a sha256 hash of your new password:

echo -n my-new-password | sha256sum

which should print something like:

d7ff0c3cf3be79e0ecd30971c163b6be693fcb26578f18f1b9a3926eaf7b339d  -

Now copy the hash without the - and patch the secret with the new password hash:

kubectl get secret loft-user-secret-admin -n loft -o json | jq --arg password "$(echo d7ff0c3cf3be79e0ecd30971c163b6be693fcb26578f18f1b9a3926eaf7b339d | base64)" '.data["password"]=$password' | kubectl apply -f -

After that you should be able to login with the user admin and your new password into loft.