christianhuth / helm-charts

Helm Charts for various Applications
https://charts.christianhuth.de
MIT License

umami - 403 error on password change + 401 on team creation #1097

Closed mrvnklm closed 3 months ago

mrvnklm commented 7 months ago

I installed the chart without any customizations and I am getting a 403 error if I want to change the default user's password and a 401 error if I want to create a team. I also tried CLOUD_MODE: 0 and using DISABLE_LOGIN: 0.

christianhuth commented 5 months ago

Thanks for reporting this bug. Can you provide the version of the Helm Chart and the values.yaml you used, please?

ERPedersen commented 4 months ago

TL;DR: If you want to disable an environment variable, you can set it to an empty string.


I ran into the same error, and spent some time debugging this.


If we look at the function canCreateWebsite, it checks for the following:

if (cloudMode) { 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

Meaning that if you set cloudMode to "0", this will happen:

if ("0") { // true 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

But if you set cloudMode to "", this will happen:

if ("") { // false 
  return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
}

So to fix this issue, you can set the variables to "" if you want to make them effectively falsy in the code.

To me it doesn't seem like these boolean environment variables should be quoted, and it gives the opposite behaviour:

{{- if .Values.umami.cloudMode }}
 - name: CLOUD_MODE
   value: {{ .Values.umami.cloudMode | quote }}
{{- end }}
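
The behaviour described in the comment above, as an added example that is not part of the original thread and is not code from umami or the chart. It models the template guard and the truthiness check side by side with an explicit flag parser; `renderCloudModeEnv`, `parseEnvFlag`, `cloudGate` and `compare` are hypothetical names, and the permission string is constructed because the thread does not show the value of `PERMISSIONS.websiteCreate`.

```javascript
// Constructed permission name; the real value is not shown in the thread.
const PERMISSIONS = { websiteCreate: 'website:create' };

// Models `{{- if .Values.umami.cloudMode }}` plus `| quote`: an empty string is
// falsy in Go templates, so CLOUD_MODE is not rendered at all; any non-empty
// string, including "0", is rendered unchanged.
function renderCloudModeEnv(valuesCloudMode) {
  const env = {};
  if (typeof valuesCloudMode === 'string' && valuesCloudMode !== '') {
    env.CLOUD_MODE = valuesCloudMode;
  }
  return env;
}

// Hypothetical explicit parser: known "on" spellings enable the flag, known
// "off" spellings and an unset variable disable it, anything else fails loudly.
function parseEnvFlag(raw) {
  if (raw === undefined) return false;
  const v = String(raw).trim().toLowerCase();
  if (['1', 'true', 'yes', 'on'].includes(v)) return true;
  if (['', '0', 'false', 'no', 'off'].includes(v)) return false;
  throw new Error(`unrecognised boolean env value: ${JSON.stringify(raw)}`);
}

// The cloud-mode branch quoted in the thread, with the flag decision passed in.
// Returns null when the branch is skipped (the rest of the real function is
// not shown in the thread).
function cloudGate(cloudMode, grant) {
  if (cloudMode) {
    return !!grant?.find(a => a === PERMISSIONS.websiteCreate);
  }
  return null;
}

// Compares the string-truthiness decision with the parsed decision for one
// values.yaml setting and one grant list.
function compare(valuesCloudMode, grant) {
  const env = renderCloudModeEnv(valuesCloudMode);
  return {
    rendered: env.CLOUD_MODE,
    truthy: cloudGate(!!env.CLOUD_MODE, grant),
    parsed: cloudGate(parseEnvFlag(env.CLOUD_MODE), grant),
  };
}
```

With `cloudMode: "0"` and an empty grant list, the truthiness path evaluates the cloud-mode permission check and denies, while the parsed path skips the branch. With `cloudMode: ""` both paths skip it because the variable is never set.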

mrvnklm commented 4 months ago

Thank you @ERPedersen.

Got it working now.

mrvnklm commented 4 months ago

Actually no, only by using CLOUD_MODE="" does the error not appear. My values.yaml:

affinity: {}
autoscaling:
  enabled: false
  maxReplicas: 100
  minReplicas: 1
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
database:
  databaseUrlKey: ""
  existingSecret: ""
externalDatabase:
  auth:
    database: umami
    password: umami
    username: umami
  hostname: 123.123.123.123
  port: 3306
  type: mysql
extraEnv: []
fullnameOverride: ""
image:
  pullPolicy: Always
  registry: ghcr.io
  repository: umami-software/umami
  tag: mysql-latest
imagePullSecrets: []
ingress:
  annotations: {}
  className: ""
  enabled: true
  hosts:
  - host: umami.mydomain.de
    paths:
    - path: /
      pathType: ImplementationSpecific
  tls:
  - hosts:
    - umami.mydomain.de
    secretName: umami.mydomain.de-tls
mysql:
  auth:
    database: mychart
    password: mychart
    username: mychart
  enabled: false
nameOverride: ""
nodeSelector: {}
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
postgresql:
  auth:
    database: mychart
    password: mychart
    username: mychart
  enabled: false
replicaCount: 1
resources: {}
revisionHistoryLimit: 10
securityContext:
  runAsGroup: 65533
  runAsNonRoot: true
  runAsUser: 1001
service:
  port: 3000
  type: ClusterIP
serviceAccount:
  annotations: {}
  create: true
  name: ""
tolerations: []
umami:
  appSecret:
    existingSecret: ""
    secret: ""
  clientIpHeader: ""
  cloudMode: "1"
  collectApiEndpoint: ""
  corsMaxAge: "86400"
  debug: ""
  disableBotCheck: "1"
  disableLogin: ""
  disableTelemetry: "1"
  disableUpdates: "1"
  enableTestConsole: "1"
  forceSSL: "0"
  hostname: 0.0.0.0
  ignoreHostname: ""
  ignoredIpAddresses: ""
  logQuery: "1"
  migration:
    v1v2:
      enabled: false
  removeDisableLoginEnv: true
  removeTrailingSlash: "1"
  trackerScriptName: umami

christianhuth commented 3 months ago

> To me it doesn't seem like these boolean environment variables should be quoted, and it gives the opposite behaviour:
>
> {{- if .Values.umami.cloudMode }}
>  - name: CLOUD_MODE
>    value: {{ .Values.umami.cloudMode | quote }}
> {{- end }}

You have to quote boolean values in environment variables. Else you will get validation errors.

christianhuth commented 3 months ago

@mrvnklm maybe you could first ask over at https://github.com/umami-software/umami for a valid combination of the environment variables CLOUD_MODE and DISABLE_LOGIN, and then I can check what would be a solution for the Helm Chart?

christianhuth commented 3 months ago

I can reproduce that setting umami.cloudMode = "" solves the 401 Authorization error when trying to create a team in the backend.

christianhuth commented 3 months ago

I cannot reproduce the 403 error at all. The values.yaml I have used:

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
  hosts:
    - host: myhost.de
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: myhost.de-tls
      hosts:
        - myhost.de

postgresql:
  enabled: true
  auth:
    database: umami
    existingSecret: umami-postgresql
    username: umami

revisionHistoryLimit: 0

umami:
  appSecret:
    existingSecret: umami-app-secret
  cloudMode: ""
  removeDisableLoginEnv: true

database:
  existingSecret: umami-postgresql

mrvnklm commented 3 months ago

Thank you for your help. When I change cloudMode, the error occurs, but I don't mind anymore. This is the configuration I am currently using, which works fine:

umami:
  appSecret:
    existingSecret: ""
    secret: ""
  clientIpHeader: ""
  cloudMode: ""
  collectApiEndpoint: ""
  corsMaxAge: "86400"
  debug: ""
  disableBotCheck: "1"
  disableLogin: ""
  disableTelemetry: "1"
  disableUpdates: "1"
  enableTestConsole: "1"
  forceSSL: "0"
  hostname: 0.0.0.0
  ignoreHostname: ""
  ignoredIpAddresses: ""
  logQuery: "1"
  migration:
    v1v2:
      enabled: false
  removeDisableLoginEnv: true
  removeTrailingSlash: "1"
  trackerScriptName: umami

pat-s commented 2 months ago

I also had this issue on a fresh install of chart version 3.3.1. The proposed fix works, thanks!