immich-app / immich-charts

Helm chart implementation of Immich
https://immich.app
GNU Affero General Public License v3.0

Behaviour of `*-postgresql` secret is undocumented and confusing #8

Closed alexbarcelo closed 1 year ago

alexbarcelo commented 1 year ago

I tried to deploy the chart, and noticed that a secret appeared called `immich-postgresql` with two fields called `password` and `postgres-password`.

With that in mind, I succeeded in doing a deployment with mostly defaults with the following additional configuration:

```yaml
common_env:
  DB_PASSWORD:
    valueFrom:
      secretKeyRef:
        name: immich-postgresql
        key: password
```

However, today I changed the chart deployment (by updating the tag, but I don't think that's relevant). The `immich-server` was unable to connect to the database. I suspect that the secret manifest had changed and it broke the connection. My "repair" was to change the `DB_PASSWORD` environment variable and hardcode the original password. However, that was confusing.

I am a n00b chart user so maybe I missed something obvious. I was somewhat expecting the secret thing to be generated on first deployment and be immutable from that point onwards. I don't know if that makes sense, or if that behavior may break more stuff. Unfortunately, I don't really know how to do that (otherwise I would try to do the PR myself).

alexbarcelo commented 1 year ago

I have just written this issue and realized that maybe that behavior is from the dependency chart postgresql? I believe that I have been using the bitnami postgresql charts in other deployments, and it is my first time with this issue. Again, I am quite a noob so maybe I am completely mistaken. If that's the case, sorry for the noise.

bo0tzz commented 1 year ago

I don't know how the bitnami chart handles the secret exactly, but the best bet is to create your own secret manifest and then reference that, as is described in our `values.yaml`:

> You should provide your own secret outside of this helm-chart and use `postgresql.global.postgresql.auth.existingSecret` to provide credentials to the postgresql instance

alexbarcelo commented 1 year ago

I read that best practice, but I wasn't sure if it was mandatory or an opinionated recommendation.

The secret was created by the chart (I realized its existence after trying to deploy the chart with mostly default values), so I assumed that it had some purpose.

x-real-ip commented 1 year ago

As documented in the Bitnami helm documentation, the `POSTGRES_POSTGRES_PASSWORD` is the password for the "postgres" admin user and `POSTGRES_PASSWORD` is the password for the custom user to create.
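
The setup recommended in the thread, as an added example that is not part of the original comments or the chart's own files: a Secret managed outside the Helm release, referenced both by the PostgreSQL dependency and by Immich's `DB_PASSWORD`, so a `helm upgrade` does not rewrite the credentials. The secret name `immich-db-credentials`, the file names and the placeholder values are assumptions; the key names copy the two fields of the chart-generated secret described in the issue, on the assumption that the dependency chart reads the same keys from an existing secret.

```yaml
# --- File 1: db-secret.yaml (hypothetical file name) ---
# Applied with kubectl before installing the chart; not owned by the Helm release.
apiVersion: v1
kind: Secret
metadata:
  name: immich-db-credentials          # assumed name, not from the thread
type: Opaque
stringData:
  # Key names mirror the fields seen in the generated immich-postgresql secret.
  postgres-password: "REPLACE_WITH_ADMIN_PASSWORD"   # "postgres" admin user
  password: "REPLACE_WITH_IMMICH_USER_PASSWORD"      # custom user Immich connects as
---
# --- File 2: values.yaml fragment passed to helm ---
postgresql:
  global:
    postgresql:
      auth:
        # Tells the PostgreSQL dependency to use the secret above
        # instead of generating its own.
        existingSecret: immich-db-credentials

common_env:
  DB_PASSWORD:
    valueFrom:
      secretKeyRef:
        name: immich-db-credentials    # same secret the database was initialised with
        key: password                  # custom user's password, not the admin one
```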