No update password when doing helm upgrade


After a first install of neo4j-4.1.1 with helm and automatic generated password , I'm doing an upgrade with

helm upgrade --install --atomic --cleanup-on-fail --values neo4j_values.yml db

and values.yml contains

acceptLicenseAgreement: "yes"
neo4jPassword: test1
plugins: "[\"apoc\", \"n10s\"]"
  standalone: true
    size: 10Gi # might be needed later to get more space
    type: NodePort # expose service to Internet. default: ClusterIP

The issue is that the password is not updated.

The secret is updated
The variable NEO4J_AUTH used by the seems to be ok.
Even if I open a shell in the running neo4j container and run neo4j-admin set-initial-password test1, then kill the pod, the new password is not taken into account.

Any reason for this behavior or is that a bug ?

Best regards,

It isn't a bug, it's a misunderstanding about what happens.

When you install the helm chart for the first time, it creates the user with this setting. That user in turn gets persisted to the system database within neo4j. Subsequently to that, you can't change the password because you already have that user with an established password.

The way to change the password after system install, is to use cypher and the regular built-in procedures for modifying a user's password. The password option in the helm chart is just a cold-start "first time" affordance for deploys

Ran into this after a bit of debugging - might be worth mentioning this in the helm docs and values.yaml comments?

Especially since the chart lets you hook up to a k8s secret, we figured we might be able to pipe in a rotated secret via our SecretManager.