passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0
40 stars 27 forks

Custom ENV not overriding defaults #64

Closed polaris940 closed 3 months ago

polaris940 commented 8 months ago

Background

Trying to use External Secrets in order to configure settings via default environment variables so that sensitive information isn't exposed if shared through a GitOps repository.

Problem

It seems that in order to change the secrets, the values have to be explicitly set in the Values file under passboltEnv.[plain|secret] and environment variables pulled in through passboltEnv.extraEnvFrom do not override these defaults.

passbolt-credentials secret showing values pulled in from an external source successfully

passbolt-sec-env still holds the default values

environment variables on the pods show duplicates of the defaults (red) and the desired overrides (green)

Desired

Expectation would be that final pod environment variables get overridden with any custom variables without duplication. Would be great if this applied to any of the reference environment variables so that passboltEnv.[plain|secret] could be skipped completely in favor of a more secure form of secrets management (i.e. AWS/Google/Azure Secrets Manager)

dlen commented 8 months ago

Hey @polaris940, thanks for your feedback, we'll try to include this in the next release

RobertInAms commented 6 months ago

This might be a different effect of the above; the helm chart is using this image: "tag: 4.4.0-1-ce"

We did a fresh install using helm and discovered when we tried to change the passwords "passbolt-depl-srv" was crashing and that an html error page with the message "Internal Error" was displayed in the log of the pod. The init container "passbolt-depl-srv-init" however ran with success.

We then stopped setting the passwords, effectively changing all passwords to "CHANGEME".

We left it (for now) because we needed to move on.

This was causing the crash:

passboltEnv:
  secret:
    CACHE_CAKE_DEFAULT_PASSWORD: iiii
    DATASOURCES_DEFAULT_PASSWORD: jjjj
    DATASOURCES_DEFAULT_USERNAME: kkkk
    DATASOURCES_DEFAULT_DATABASE: passbolt
    EMAIL_TRANSPORT_DEFAULT_USERNAME: llll
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: mmmm

Tecnobutrul commented 3 months ago

Hello, sorry for the late response. I have checked the behaviour on this and I think it is working as expected. When you create a secret with duplicated entries to passboltEnv ones and you set this secret as extraEnvFrom, the final values on the pod environment will be the "external secret" ones.

What I did to test it:

apiVersion: v1
data:
  CACHE_CAKE_DEFAULT_PASSWORD: b3ZlcnJpZGVuIHNlY3JldHMK
  DATASOURCES_DEFAULT_DATABASE: b3ZlcnJpZGVuIHNlY3JldHMK
  DATASOURCES_DEFAULT_PASSWORD: b3ZlcnJpZGVuIHNlY3JldHMK
  DATASOURCES_DEFAULT_USERNAME: b3ZlcnJpZGVuIHNlY3JldHMK
kind: Secret
metadata:
  name: passbolt-sec-env-override
  namespace: default
type: Opaque

And set it on the values extraEnvFrom:

extraEnvFrom:
  - secretRef:
      name: passbolt-sec-env-override

I changed the command on the initContainer to output the environment variables related to datasources and this is what I see on the logs:

DATASOURCES_DEFAULT_USERNAME=overriden secrets
DATASOURCES_DEFAULT_PASSWORD=overriden secrets
DATASOURCES_DEFAULT_DATABASE=overriden secrets

So the resulting environment is the overridden values on the secret. Can you try to output the environment from within the pod executing the env command and check the output values?
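As an added example (not part of this thread, the chart, or Passbolt's own code), the script below reproduces the precedence rule the kubelet applies when it builds a container's environment: envFrom sources are applied in order and a later source wins on duplicate keys, and explicit env entries override everything from envFrom. It takes the override secret exactly as posted in the comment above, a constructed stand-in for the chart-generated passbolt-sec-env secret (the real one is rendered from passboltEnv.secret; the "CHANGEME" values are placeholders), and a constructed container spec that assumes the chart lists its own secret before the extraEnvFrom entries. It reports which source won each key, which keys were shadowed, which keys are still at the placeholder value, and which values carry trailing whitespace: decoding the posted base64 data shows each value ends in a newline, which is what you get when the secret is created from echo output without -n and which then becomes part of the database password.

```python
"""Resolve a container's effective environment the way Kubernetes does:
envFrom sources in order (later wins on duplicate keys), then env entries
override. Then flag placeholder values and values with trailing whitespace."""
import base64

# Constructed stand-in for the chart-rendered secret. stringData avoids base64
# here; the "CHANGEME" values are the placeholders mentioned in the thread.
CHART_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "passbolt-sec-env"},
    "stringData": {
        "DATASOURCES_DEFAULT_USERNAME": "CHANGEME",
        "DATASOURCES_DEFAULT_PASSWORD": "CHANGEME",
        "DATASOURCES_DEFAULT_DATABASE": "passbolt",
        "EMAIL_TRANSPORT_DEFAULT_PASSWORD": "CHANGEME",
    },
}

# The override secret as posted in the comment above (base64-encoded data).
OVERRIDE_SECRET = {
    "kind": "Secret",
    "metadata": {"name": "passbolt-sec-env-override"},
    "data": {
        "CACHE_CAKE_DEFAULT_PASSWORD": "b3ZlcnJpZGVuIHNlY3JldHMK",
        "DATASOURCES_DEFAULT_DATABASE": "b3ZlcnJpZGVuIHNlY3JldHMK",
        "DATASOURCES_DEFAULT_PASSWORD": "b3ZlcnJpZGVuIHNlY3JldHMK",
        "DATASOURCES_DEFAULT_USERNAME": "b3ZlcnJpZGVuIHNlY3JldHMK",
    },
}

# Constructed container spec; assumes the chart lists its own secret first and
# extraEnvFrom entries after it. APP_FULL_BASE_URL value is a made-up host.
CONTAINER = {
    "name": "passbolt-depl-srv",
    "envFrom": [
        {"secretRef": {"name": "passbolt-sec-env"}},
        {"secretRef": {"name": "passbolt-sec-env-override"}},
    ],
    "env": [{"name": "APP_FULL_BASE_URL", "value": "https://passbolt.example.test"}],
}


def decode_secret(manifest):
    """Return the secret's keys as plain strings (data is base64, stringData is not)."""
    out = {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}
    out.update(manifest.get("stringData", {}))
    return out


def effective_env(container, secrets):
    """Return (env, provenance, shadowed): the resolved environment, the source
    that won each key, and keys defined by more than one source."""
    env, provenance, seen = {}, {}, {}
    for ref in container.get("envFrom", []):
        if "secretRef" not in ref:
            continue  # configMapRef follows the same rule; omitted for brevity
        name = ref["secretRef"]["name"]
        if name not in secrets:
            raise KeyError(f"envFrom references missing Secret {name!r}")
        prefix = ref.get("prefix", "")
        for key, value in decode_secret(secrets[name]).items():
            key = prefix + key
            env[key] = value  # later sources overwrite earlier ones
            provenance[key] = f"Secret/{name}"
            seen.setdefault(key, []).append(f"Secret/{name}")
    for item in container.get("env", []):
        if "value" in item:  # valueFrom entries omitted for brevity
            env[item["name"]] = item["value"]  # env beats envFrom
            provenance[item["name"]] = "env"
            seen.setdefault(item["name"], []).append("env")
    shadowed = {k: v for k, v in seen.items() if len(v) > 1}
    return env, provenance, shadowed


def placeholder_keys(env, placeholder="CHANGEME"):
    """Keys whose effective value is still the placeholder."""
    return sorted(k for k, v in env.items() if v == placeholder)


def trailing_whitespace_keys(env):
    """Keys whose value ends in whitespace (typically a newline from echo)."""
    return sorted(k for k, v in env.items() if v != v.rstrip())


if __name__ == "__main__":
    secrets = {s["metadata"]["name"]: s for s in (CHART_SECRET, OVERRIDE_SECRET)}
    env, prov, shadowed = effective_env(CONTAINER, secrets)
    for key in sorted(env):
        print(f"{key}={env[key]!r}  <- {prov[key]}")
    print("shadowed:", shadowed)
    print("still placeholder:", placeholder_keys(env))
    print("trailing whitespace:", trailing_whitespace_keys(env))
```

The dicts stand in for rendered manifests; with PyYAML installed the same functions can be fed the documents from `helm template` output. Two things the resolved view makes visible: keys set only in passboltEnv.secret (here EMAIL_TRANSPORT_DEFAULT_PASSWORD) keep their default because nothing overrides them, and the override only shadows the chart-generated secret, which still exists in the cluster with its default values, as the original report observed for passbolt-sec-env.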

Tecnobutrul commented 3 months ago

@RobertInAms your issue is not related. The DATASOURCES env variables should match the values defined on the database configuration. If you need help on that, please open a thread on community.passbolt.com with your issue.