passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

Redis dependency is enabled by default but there is no documentation about how to target it #57

Closed (SmartGuyy closed 10 months ago)

SmartGuyy commented 11 months ago

If you enable Redis, define auth and everything, Passbolt won't be able to contact it because there are some variables missing in the default values:

Even with those 2 values defined in my secret I still have issues contacting it, so I guess I'm either doing something wrong or I wonder how the default values can work with Redis.

dlen commented 11 months ago

Hello,

If I understand you correctly you want to use the redis provided as a dependency in the chart with a custom password and that is not working correctly?

SmartGuyy commented 11 months ago

Hello @dlen, maybe I don't understand exactly what the interactions are here, but with relatively simple values, my deployments won't work with Redis enabled.

What I noticed is that nowhere do we specify the REDIS_HOST, nor the REDIS_PASSWORD, so that the Redis clients can actually contact it successfully. Maybe I'm missing something here.

Tecnobutrul commented 11 months ago

Hello,

This chart supports multiple options to configure the redis for passbolt:

Using redis as a chart dependency with the sentinel enabled (default configuration)

The default configuration will deploy a set of passbolt api containers, a mariadb database, and redis sentinel. To configure this redis you can change the default configuration we added on our values under the redis field.

To handle the connection between passbolt and redis, we use a proxy that is installed on the same deployment as the passbolt api as a side container, which has a volume that mounts a configuration to handle the authentication with the sentinel proxy.

So, on the default configuration the environment value CACHE_CAKE_DEFAULT_SERVER points to 127.0.0.1 to use the connection through the proxy, and no password is needed since the authentication is handled by the proxy. On the proxy side, whenever you set redis.auth.password, it will be reflected on the proxy config file so passbolt will be able to connect to the redis server.

Using your own redis deployment (not managed by the passbolt helm chart)

In this option, the user has to ensure the connection between the passbolt containers and the redis server, so the only configuration needed on the passbolt chart is:

```yaml
redisDependencyEnabled: false # to disable the redis deployment
app:
  cache:
    redis:
      sentinelProxy:
        # to avoid creating the redis proxy side container, see
        # https://github.com/passbolt/charts-passbolt/blob/main/templates/deployment.yaml#L142
        enabled: false
passboltEnv:
  plain:
    CACHE_CAKE_DEFAULT_HOST: <YOUR_SERVER_ADDRESS>
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: CHANGEME
```

So, this configuration disables everything related to the managed redis deployment and uses the default cake environment values to point to the desired redis server.
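A check for the two modes described in the comment above, as an added example that is not part of the original thread or the chart's own code. The key names are the ones quoted in the thread; the rules, the finding names and the `True` defaults for the dependency and proxy switches are assumptions drawn from that description, and the values are passed in as an already parsed dict.

```python
# Added example: lint parsed Helm values against the two Redis modes in the thread.
# Rules and finding names are assumptions, not the chart's own validation.
PLACEHOLDERS = {"", "CHANGEME"}
HOST_KEYS = ("CACHE_CAKE_DEFAULT_HOST", "CACHE_CAKE_DEFAULT_SERVER")  # both appear in the thread
PASSWORD_KEY = "CACHE_CAKE_DEFAULT_PASSWORD"

def dig(values, *path, default=None):
    """Walk nested dicts, returning default when any level is missing."""
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values

def check_redis_values(values):
    """Return a list of findings; an empty list means the mode is consistent."""
    findings = []
    managed = dig(values, "redisDependencyEnabled", default=True)
    proxy = dig(values, "app", "cache", "redis", "sentinelProxy", "enabled", default=True)
    plain = dig(values, "passboltEnv", "plain", default={}) or {}
    secret = dig(values, "passboltEnv", "secret", default={}) or {}
    host = next((plain[k] for k in HOST_KEYS if k in plain), None)
    managed_pw = dig(values, "redis", "auth", "password")
    if PASSWORD_KEY in plain:  # credential belongs under passboltEnv.secret
        findings.append("password-in-plain-env")
    if managed:
        if not proxy:  # nothing left to authenticate against the sentinel
            findings.append("managed-redis-without-proxy")
        if host not in (None, "127.0.0.1"):  # traffic would skip the sidecar
            findings.append("managed-redis-host-bypasses-proxy")
        if managed_pw is not None and str(managed_pw) in PLACEHOLDERS:
            findings.append("managed-redis-password-placeholder")
    else:
        if proxy:  # sidecar still rendered although no managed redis exists
            findings.append("external-redis-with-proxy-sidecar")
        if not host or str(host).startswith("<"):
            findings.append("external-redis-host-missing")
        if str(secret.get(PASSWORD_KEY, "")) in PLACEHOLDERS:
            findings.append("external-redis-password-placeholder")
    return findings

# Constructed sample: the external-Redis values from the thread, left unedited.
SAMPLE_EXTERNAL = {
    "redisDependencyEnabled": False,
    "app": {"cache": {"redis": {"sentinelProxy": {"enabled": False}}}},
    "passboltEnv": {"plain": {"CACHE_CAKE_DEFAULT_HOST": "<YOUR_SERVER_ADDRESS>"},
                    "secret": {"CACHE_CAKE_DEFAULT_PASSWORD": "CHANGEME"}},
}
```

Running `check_redis_values(SAMPLE_EXTERNAL)` reports the two placeholders that still have to be replaced before deploying.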

Tecnobutrul commented 11 months ago

@SmartGuyy in case you are not able to solve your issue with this little documentation, we need you to send us your values (without the secrets) so we can investigate if you are facing a bug.

SmartGuyy commented 10 months ago

Thanks @Tecnobutrul and sorry for my late response. I'm finally not using Redis for now since we don't have a lot of activity on our Passbolt; maybe we will come back to it later.