Closed ajay15283 closed 3 months ago
same problem
Hey,
Does this happen when you don't use passbolt in a subpath? For example with `- path: /` and adjusting `APP_FULL_BASE_URL`?
That is my values.yaml file:

```yaml
passbolt:
  mariadb:
    architecture: replication
    auth:
      rootPassword: "example-root-pass"
      username: "passbolt-adm"
      password: "example-passbolt-pass"
      database: "passbolt"
      replicationPassword: "example-replication-pass"
    primary:
      persistence:
        enabled: true
        size: 8Gi
    secondary:
      persistence:
        enabled: true
        size: 8Gi
  redis:
    auth:
      password: "example-redis-pass"
  passboltEnv:
    plain:
      APP_FULL_BASE_URL: passbolt.myproject.com
      PASSBOLT_KEY_EMAIL: passbolt@myproject.com
      EMAIL_DEFAULT_FROM: passbolt@myproject.com
      EMAIL_DEFAULT_FROM_NAME: "Passbolt"
      EMAIL_TRANSPORT_DEFAULT_HOST: smtp.gmail.com
    secret:
      CACHE_CAKE_DEFAULT_PASSWORD: "example-redis-pass"
      DATASOURCES_DEFAULT_USERNAME: "passbolt-adm"
      DATASOURCES_DEFAULT_PASSWORD: "example-myproject-pass"
      EMAIL_TRANSPORT_DEFAULT_USERNAME: "passbolt@myproject.com"
      #EMAIL_TRANSPORT_DEFAULT_PASSWORD: "SECRET"
  extraEnvFrom:
    - secretRef:
        name: passbolt-credentials
  service:
    annotations:
      external-dns.alpha.kubernetes.io/hostname: "passbolt.myproject.com"
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    className: ingress-nginx-internal
    hosts:
      - host: passbolt.myproject.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    tls:
      - secretName: "tls"
        hosts:
          - passbolt.myproject.com
```
Hello! I can reproduce it with the values that you have sent. We are going to investigate what is producing that issue and work on a solution. Thank you!
There is an error in the values that @fmeier-nera sent. The `APP_FULL_BASE_URL` should contain the `http[s]://` prefix, otherwise the application is not able to build the full URL, since it takes the given value as a path with a missing URL:

```yaml
passboltEnv:
  plain:
    APP_FULL_BASE_URL: https://passbolt.myproject.com
```

Let us know if this fixes your error.
Hello, thank you very much for the help. I tried what was mentioned (adding `https://`) but the problem persists. If you need more information please let me know. I am adding some extra data:

EKS version: 1.28

Chart.yaml

```yaml
apiVersion: v2
name: passbolt
version: "0.7.2"
appVersion: "4.4.2-1-ce"
description: A Helm Chart for deploying Passbolt as a dependency
dependencies:
  - name: passbolt
    repository: https://download.passbolt.com/charts/passbolt
    version: "0.7.2"
```
Hello, providing the base path with https didn't solve the problem.
Kubernetes version: 1.28, appVersion: "4.4.2-1-ce"
I will need more information on your case. How are you changing the nginx configuration? Are the values you sent all of the values you are overriding with your file?
Yes, I am sending the configuration of the nginx ingress that I use. Everything is done with Helm and a Chart.

```yaml
apiVersion: v2
name: ingress-nginx
version: 4.8.3
appVersion: 1.9.4
dependencies:
  - name: ingress-nginx
    repository: https://kubernetes.github.io/ingress-nginx
    version: 4.8.3
```

```yaml
ingress-nginx:
  controller:
    ingressClassResource:
      name: name-ingress
      enabled: true
      default: false
      controllerValue: "k8s.io/name-ingress-internal"
    service:
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: CERTIFICATE-ARN
    config:
      proxy-real-ip-cidr: 10.8.0.0/16
      use-gzip: "true"
      enable-modsecurity: "false"
      enable-owasp-modsecurity-crs: "false"
```

The nginx configuration for passbolt is in the values.yaml:

```yaml
service:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "passbolt.myproject.com"
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  className: ingress-nginx-internal
  hosts:
    - host: passbolt.myproject.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: "tls"
      hosts:
        - passbolt.myproject.com
```
I have created the passbolt.conf as a ConfigMap and I'm using `extraVolumes` and `extraVolumeMounts` in the Helm chart to mount it:

```yaml
extraVolumes: |
  - name: passbolt-config-volume
    configMap:
      name: example-passbolt-config
extraVolumeMounts: |
  - name: passbolt-config-volume
    mountPath: /etc/nginx/sites-enabled/
    readOnly: true
```

```yaml
apiVersion: v1
data:
  passbolt.conf: |
    server {
        listen 0.0.0.0:80;
        client_body_buffer_size 100K;
        client_header_buffer_size 1K;
        client_max_body_size 5M;
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        root /var/www/passbolt/webroot;
        index index.php;
        error_log /dev/stdout info;
        access_log /dev/stdout;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SERVER_NAME $http_host;
            fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
        }
    }
    server {
        listen 443 ssl;
        server_name passbolt.local;
        client_body_buffer_size 100K;
        client_header_buffer_size 1K;
        client_max_body_size 5M;
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        ssl_certificate /etc/ssl/certs/certificate.crt;
        ssl_certificate_key /etc/ssl/certs/certificate.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
        ssl_session_tickets off;
        root /var/www/passbolt/webroot;
        index index.php;
        error_log /dev/stdout info;
        access_log /dev/stdout;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SERVER_NAME $http_host;
            fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
        }
    }
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: example-passbolt-config
```
The `root` of this nginx configuration is wrong; it should point to the passbolt package webroot directory:

```nginx
root /usr/share/php/passbolt/webroot;
```

After changing the root directory to `/usr/share/php/passbolt/webroot`, it showed that it couldn't connect to the upstream server:

```
2024/04/24 15:36:44 [error] 178#178: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.0.74, server: apps.example.com, request: "GET /healthcheck/status.json HTTP/1.1", upstream: "fastcgi://127.0.0.1:9001", host: "apps.example.com"
```
Therefore, I had to modify the passbolt.conf file as follows to make the passbolt pod up and running:
```yaml
apiVersion: v1
data:
  passbolt.conf: |
    server {
        listen 443 ssl http2;
        listen 0.0.0.0:80;
        server_name apps.example.com;
        client_body_buffer_size 100K;
        client_header_buffer_size 1K;
        client_max_body_size 5M;
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 5 5;
        send_timeout 10;
        root /usr/share/php/passbolt/webroot;
        index index.php;
        error_log /var/log/nginx/passbolt-error.log info;
        access_log /var/log/nginx/passbolt-access.log;
        ssl_certificate /etc/ssl/certs/passbolt/tls.crt;
        ssl_certificate_key /etc/ssl/certs/passbolt/tls.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_split_path_info ^(.+\.php)(.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SERVER_NAME $http_host;
            fastcgi_param PHP_VALUE "upload_max_filesize=5M \n post_max_size=5M";
        }
    }
kind: ConfigMap
metadata:
  creationTimestamp: null
  name: example-passbolt-config
```
Thanks for the help
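The three misconfigurations this thread walks through (an `APP_FULL_BASE_URL` without its `http[s]://` scheme, an nginx `root` that is not the package webroot, and a `fastcgi_pass` TCP upstream that php-fpm in the container refuses) are easy to catch before deploying. The checker below is an added example and is not part of the passbolt chart or of anyone's post; the sample server blocks are constructed and abridged from the two configurations posted above, and the legacy-TLS check is an extra the thread only implies by dropping TLSv1/TLSv1.1 in the working config.

```python
from urllib.parse import urlsplit

# Taken from the thread: the webroot of the passbolt package inside the
# container, and the TLS versions the first posted server block still enabled.
EXPECTED_ROOT = "/usr/share/php/passbolt/webroot"
LEGACY_TLS = {"TLSv1", "TLSv1.1"}

def check_base_url(value):
    """APP_FULL_BASE_URL needs an http[s]:// prefix, or passbolt treats it as a path."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ["APP_FULL_BASE_URL %r lacks an http[s]:// prefix" % value]
    return []

def check_nginx_conf(conf):
    """Findings for a passbolt server block: wrong root, TCP fastcgi upstream,
    legacy TLS versions and directives missing their ';'."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue  # blank line, block open or block close
        if not line.endswith(";"):
            findings.append("line %d: directive missing ';'" % lineno)
        name, *args = line.rstrip(";").split()
        if name == "root" and args and args[0] != EXPECTED_ROOT:
            findings.append("root %s should be %s" % (args[0], EXPECTED_ROOT))
        elif name == "fastcgi_pass" and args and not args[0].startswith("unix:"):
            findings.append("fastcgi_pass %s is a TCP upstream; use the php-fpm unix socket" % args[0])
        elif name == "ssl_protocols" and LEGACY_TLS & set(args):
            findings.append("ssl_protocols enables " + ", ".join(sorted(LEGACY_TLS & set(args))))
    return findings

# Constructed samples, abridged from the two server blocks posted in this thread.
ORIGINAL_CONF = """server {
    root /var/www/passbolt/webroot;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location ~ \\.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
}"""
FIXED_CONF = """server {
    listen 0.0.0.0:80
    root /usr/share/php/passbolt/webroot;
    ssl_protocols TLSv1.2 TLSv1.3;
    location ~ \\.php$ {
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }
}"""
```

Run `check_nginx_conf` on the ConfigMap's `passbolt.conf` value and `check_base_url` on the `passboltEnv.plain` entry; an empty list means none of the thread's defects were found.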
Hello!
This configuration file should already be bundled in the container. Here is the one we use: https://github.com/passbolt/passbolt_packaging/blob/main/debian/conf/nginx-passbolt.conf
I'm not sure which changes you need, but they should be minimal (maybe the listen directives if you don't want to use IPv6).
As this looks like a custom configuration issue rather than a bug in the Helm chart, I'm closing this issue and I encourage you to ask in https://community.passbolt.com
This way the community will benefit from the solution to your issue.
Deployed on Kubernetes 1.28 and ingress-nginx 4.10.0.
Although the ingress has been configured with the necessary annotations and the `APP_FULL_BASE_URL` points to the correct URL, a 404 error persists.

Two entries in passbolt.conf changed to support IPv4:

- `listen 0.0.0.0:80;` ----> updated
- `listen 0.0.0.0:443 ssl;` ----> updated
- `ssl on;` ----> removed

values.yaml:

passbolt logs:

```
07/Mar/2024:13:26:58 +0000] "GET /healthcheck/status.json HTTP/1.1" 404 146 "-" "kube-probe/1.29"
2024-03-07 13:26:58,963 WARN received SIGTERM indicating exit request
```

Ingress controller logs (changed to the default passbolt.local):

```
W0307 14:30:02.766214 7 controller.go:1214] Service "passbolt/passbolt" does not have any active Endpoint.
W0307 14:30:02.766825 7 controller.go:1450] Unexpected error validating SSL certificate "passbolt/passbolt-sec-tls" for server "passbolt.local": x509: certificate is valid for passbolt.passbolt, passbolt.passbolt.svc, passbolt-library.local, not passbolt.local
W0307 14:30:02.766922 7 controller.go:1451] Validating certificate against DNS names. This will be deprecated in a future version
W0307 14:30:02.766998 7 controller.go:1456] SSL certificate "passbolt/passbolt-sec-tls" does not contain a Common Name or Subject Alternative Name for server "passbolt.local": x509: certificate is valid for passbolt.passbolt, passbolt.passbolt.svc, passbolt-library.local, not passbolt.local
W0307 14:30:02.767138 7 controller.go:1457] Using default certificate
```