nextcloud / helm

A community maintained helm chart for deploying Nextcloud on Kubernetes.
GNU Affero General Public License v3.0

dbpassword value doesn't match sealed secret #364

Open gizmo15 opened 1 year ago

gizmo15 commented 1 year ago

Hi,

I use the helm chart 3.5.0 with mariadb.

I am trying to use a sealed secret to handle the mysql password with this configuration:

  externalDatabase:
    enabled: true

    ## Supported database engines: mysql or postgresql
    type: mysql

    ## Database host
    host: kubetest-mariadb:3306

    ## Database user
    # user: nextcloud

    ## Database password
    # password: nextcloud

    ## Database name
    database: nextcloud

    ## Use a existing secret
    existingSecret:
      enabled: true
      secretName: nextcloudsecrets
      usernameKey: db_user
      passwordKey: db_password

But when I check the config.php in the pod, I have a completely different dbpassword value.

This is my sealed secret:

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: nextcloudsecrets
  namespace: nextcloud
spec:
  encryptedData:
    db_password: XXXXXXXXXX
    db_user: XXXXXXXXXX
  template:
    data: null
    metadata:
      creationTimestamp: null
      name: nextcloudsecrets
      namespace: nextcloud

I don't understand what I missed. Can you help me with that?

Thanks!

jessebot commented 1 year ago

Can you post the rest of your values.yaml? Are you setting internalDatabase.enabled to false as per the docs here?

provokateurin commented 1 year ago

The problem very likely is that the password has changed. It's only copied at installation time, which I have wanted to fix for a long time by mounting another config.php for the database settings.

gizmo15 commented 1 year ago

Hi,

No problem!

  internalDatabase:
    enabled: false

  ##
  ## External database configuration
  ##
  externalDatabase:
    enabled: true

    ## Supported database engines: mysql or postgresql
    type: mysql

    ## Database host
    host: kubetest-mariadb

    ## Database user
    # user: nextcloud

    ## Database password
    # password: nextcloud

    ## Database name
    database: nextcloud

    ## Use a existing secret
    existingSecret:
      enabled: true
      secretName: nextcloudsecrets
      usernameKey: db_user
      passwordKey: db_password

  ##
  ## MariaDB chart configuration
  ##
  mariadb:
    ## Whether to deploy a mariadb server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
    enabled: false

    auth:
      database: nextcloud
      username: nextcloud
      password: changeme

    architecture: standalone

So I need to delete the configmap config.php to have a new one if I change the password?

provokateurin commented 1 year ago

Deleting your config.php is a bad idea. You should just copy your new password and write it down in the config.php.

jacksgt commented 1 year ago

Hello, I can confirm this behavior (with chart version 3.5.12). No, the password definitely did not change - it's mounted from a static secret into the container.

$ kubectl get secret nextcloud-db-credentials -o jsonpath='{.data.password}' | base64 -d
QHu7V0BobqJo7YFX22c4_W96b_

$ kubectl exec nextcloud-789b68bcb6-cfp97 -- env | grep MYSQL_PASSWORD
MYSQL_PASSWORD=QHu7V0BobqJo7YFX22c4_W96b_

$ kubectl exec nextcloud-789b68bcb6-cfp97 -- cat config/config.php | grep dbpassword
  'dbpassword' => '59q0a&J?1Ct|m(I)8Vg{rYXV9EE==f',

I also tried deleting the PVC and Pod (meaning Nextcloud gets an entirely fresh filesystem for initialization), but the error persists:

Initializing nextcloud 25.0.2.3 ...
New nextcloud instance
Installing with MySQL database
Starting nextcloud installation
The username is already being used
Retrying install...
MySQL username and/or password not valid
 -> You need to enter details of an existing account.
Trace: #0 /var/www/html/lib/private/Setup.php(353): OC\Setup\MySQL->setupDatabase('admin')
#1 /var/www/html/core/Command/Maintenance/Install.php(105): OC\Setup->install(Array)
#2 /var/www/html/3rdparty/symfony/console/Command/Command.php(255): OC\Core\Command\Maintenance\Install->execute(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#3 /var/www/html/3rdparty/symfony/console/Application.php(1009): Symfony\Component\Console\Command\Command->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#4 /var/www/html/3rdparty/symfony/console/Application.php(273): Symfony\Component\Console\Application->doRunCommand(Object(OC\Core\Command\Maintenance\Install), Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#5 /var/www/html/3rdparty/symfony/console/Application.php(149): Symfony\Component\Console\Application->doRun(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#6 /var/www/html/lib/private/Console/Application.php(213): Symfony\Component\Console\Application->run(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))
#7 /var/www/html/console.php(100): OC\Console\Application->run()
#8 /var/www/html/occ(11): require_once('/var/www/html/c...')
#9 {main}

Previous: Doctrine\DBAL\Exception: Failed to connect to the database: An exception occurred in the driver: SQLSTATE[HY000] [1045] Access denied for user 'nextcloud_test_nextcloud'@'10.42.5.112' (using password: YES)

For reference, these are the relevant Helm values:

    internalDatabase:
      enabled: false
    externalDatabase:
      enabled: true
      database: "nextcloud_test_nextcloud"
      host: "mariadb.mariadb.svc.cluster.local"
      existingSecret:
        enabled: true
        secretName: nextcloud-db-credentials
        usernameKey: username
        passwordKey: password

The environment variables are correct, but some process seems to generate a random string and put it into config/config.php - any ideas?
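
Added example, not part of the thread or the chart: the three-way comparison from the comment above (Secret, pod environment, config.php) as a bash function that reports which layer differs without printing any password. The function names, status words and sample values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare the DB password across Secret, pod env and config.php.

# Print the 'dbpassword' value from config.php text on stdin.
# Assumption: the value contains no ' or \ (PHP stores those backslash-escaped).
config_dbpassword() {
  sed -n "s/^[[:space:]]*'dbpassword'[[:space:]]*=>[[:space:]]*'\(.*\)',[[:space:]]*\$/\1/p" | head -n 1
}

# Args: base64 Secret value, pod env value; config.php text on stdin.
# Prints one status word and never echoes a password.
# Note: $(...) strips trailing newlines, so a stray newline in the Secret is ignored.
classify_db_drift() {
  local secret_pw env_pw=$2 cfg_pw
  secret_pw=$(printf '%s' "$1" | base64 -d) || { echo "bad-secret"; return 3; }
  cfg_pw=$(config_dbpassword)
  if [ -z "$cfg_pw" ]; then echo "no-dbpassword"; return 2; fi
  # Container env is fixed at container start, so it can lag behind the Secret.
  if [ "$env_pw" != "$secret_pw" ]; then echo "env-differs"; return 1; fi
  # config.php is a persisted file; the thread says it is written at install time.
  if [ "$cfg_pw" != "$secret_pw" ]; then echo "config-differs"; return 1; fi
  echo "in-sync"
}

# Constructed sample data (not values from the thread).
SAMPLE_SECRET_B64=$(printf '%s' 'new-Pw_2024' | base64)
sample_config() {
  cat <<'EOF'
<?php
$CONFIG = array (
  'dbtype' => 'mysql',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'old-Pw_2023',
);
EOF
}

# Demo on the constructed data: Secret and env agree, config.php holds another value.
sample_config | classify_db_drift "$SAMPLE_SECRET_B64" 'new-Pw_2024' || true

# Live use (POD is a placeholder; Secret name and key as in the comment above):
#   b64=$(kubectl get secret nextcloud-db-credentials -o jsonpath='{.data.password}')
#   env_pw=$(kubectl exec "$POD" -- printenv MYSQL_PASSWORD)
#   kubectl exec "$POD" -- cat config/config.php | classify_db_drift "$b64" "$env_pw"
```
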

jacksgt commented 1 year ago

Looks like the underlying nextcloud container might be causing the problems, similar reports here: https://github.com/nextcloud/docker/issues/593

jacksgt commented 1 year ago

Hmm, now I'm confused: I deleted the entire namespace (including deployment, PVC, etc.) and re-created it with the Helm manifests. This time it worked without issue. Maybe there is some race condition happening during initialization...

jessebot commented 1 year ago

> Looks like the underlying nextcloud container might be causing the problems, similar reports here: https://github.com/nextcloud/docker/issues/593

That issue is outdated enough that it may not be relevant anymore.

> I deleted the entire namespace (including deployment, PVC, etc.) and re-created it with the Helm manifests. This time it worked without issue. Maybe there is some race condition happening during initialization...

We have also updated the helm chart a few times since this issue was opened. Had you tried to completely wipe out the install previously? 🤔

Belgeron commented 5 months ago

I'm having exactly the same issue.

I redeployed a database cluster,

but the nextcloud pods were still not restarted and still have the old username/password in config.php.

I did a rollout restart of the nextcloud deployment; config.php still has the old db username/password.

How do I update config.php with the new username/password if this is changed?

jessebot commented 5 months ago

@Belgeron can you try editing the config.php directly on the pod and restarting the pod? 🤔 The docs talk about config.php in relation to the database a little more (ctrl+f config.php).