passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

DATASOURCES_DEFAULT_HOST can't be empty when mariadbDependencyEnabled and postgresqlDependencyEnabled are disabled #84

Open vaaleyard opened 2 months ago

vaaleyard commented 2 months ago

I'm trying to use an external database as the passbolt db, and I want to pass its variables to fetch from a secret I have in my Kubernetes cluster.

I have a secret in kubernetes with four variables, which has the connection settings for the database:

DATASOURCES_DEFAULT_DATABASE:  8 bytes
DATASOURCES_DEFAULT_HOST:      58 bytes
DATASOURCES_DEFAULT_PASSWORD:  28 bytes
DATASOURCES_DEFAULT_USERNAME:  5 bytes

My values file is something like this:

redisDependencyEnabled: false
mariadbDependencyEnabled: false

passboltEnv:
  plain:
    EMAIL_TRANSPORT_DEFAULT_TLS: false
    PASSBOLT_SSL_FORCE: false
    APP_FULL_BASE_URL: "https://passbolt.tld"

  # with extraenvfrom it also doesn't work
  # extraEnvFrom:
  #   - secretRef:
  #       name: passbolt-config-secret

  extraEnv:
  - name: DATASOURCES_DEFAULT_HOST
    valueFrom:
      secretKeyRef:
        name: passbolt-config-secret
        key: DATASOURCES_DEFAULT_HOST
  - name: DATASOURCES_DEFAULT_DATABASE
    valueFrom:
      secretKeyRef:
        name: passbolt-config-secret
        key: DATASOURCES_DEFAULT_DATABASE
  - name: DATASOURCES_DEFAULT_USERNAME
    valueFrom:
      secretKeyRef:
        name: passbolt-config-secret
        key: DATASOURCES_DEFAULT_USERNAME
  - name: DATASOURCES_DEFAULT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: passbolt-config-secret
        key: DATASOURCES_DEFAULT_PASSWORD

Troubleshooting the error message:

Error: UPGRADE FAILED: execution error at (passbolt/templates/deployment.yaml:122:24): DATASOURCES_DEFAULT_HOST can't be empty when mariadbDependencyEnabled and postgresqlDependencyEnabled are disabled

and going to _helpers.tpl#L67, it looks like I am obliged to pass the HOST variable as plain... Wouldn't it be better to also allow it to be passed as a secret variable? Because it doesn't make sense to also leave this var in plain text.

dlen commented 2 months ago

Hey @vaaleyard,

Yes, this is intentional, as we considered that for the database hostname it would be enough to store it as a configmap. There are no plans in the short term to change that. I'm leaving this issue open in case your suggestion shows community traction in order to implement it.

vaaleyard commented 2 months ago

And is it possible to pass the other DATASOURCES_DEFAULT_* variables as a secret, like in the example above? Because in secret-env.yaml#L22 it uses the passboltEnv.secret directly...

dlen commented 2 months ago

I think you would have problems with this function https://github.com/passbolt/charts-passbolt/blob/main/templates/_helpers.tpl#L67 that doesn't consider that the host could be stored in a secret.

emouawad commented 1 month ago

+1 to using existing database and load necessary envs from secret

vaaleyard commented 1 month ago

The only "important" vars I could set this way were these ones:

  extraEnv:
  - name: DATASOURCES_DEFAULT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: &secret passbolt-config-db-secret
        key: password
  - name: DATASOURCES_DEFAULT_USERNAME
    valueFrom:
      secretKeyRef:
        name: *secret
        key: username
  - name: DATASOURCES_DEFAULT_DATABASE
    valueFrom:
      secretKeyRef:
        name: *secret
        key: username
  - name: CACHE_CAKE_DEFAULT_PASSWORD
    valueFrom:
      secretKeyRef:
        name: &secret passbolt-config-secret
        key: CACHE_CAKE_DEFAULT_PASSWORD

At least these ones work.

Tecnobutrul commented 1 month ago

Hello.

Thank you for your contribution. We are working on a fix for this issue and it will be included in the next release, which will be available in a few days.
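
A preflight check for the behaviour discussed in this thread, as an added example that is not part of the chart or of any comment above: it flags a values mapping where the external-database host is absent from `passboltEnv.plain`, where database credentials sit in `passboltEnv.plain`, or where `extraEnv` names repeat. The names `preflight` and `secret_ref` and the sample values are assumptions, and the host guard is modelled on the error message quoted in the issue rather than on the template source.

```python
# Added example, not chart code. Names come from the thread; the host guard
# is modelled on the quoted error message, not on the template source.
HOST = "DATASOURCES_DEFAULT_HOST"
DB_CREDS = ("DATASOURCES_DEFAULT_USERNAME", "DATASOURCES_DEFAULT_PASSWORD",
            "DATASOURCES_DEFAULT_DATABASE")

def preflight(values):
    """Return (level, message) findings for a parsed values mapping."""
    findings = []
    env = values.get("passboltEnv") or {}
    plain = env.get("plain") or {}
    extra_names = [e.get("name") for e in env.get("extraEnv") or []]

    # Assumption: a flag absent from the mapping counts as disabled, so pass
    # fully merged values to avoid false positives.
    bundled_db = (values.get("mariadbDependencyEnabled")
                  or values.get("postgresqlDependencyEnabled"))
    if not bundled_db and not plain.get(HOST):
        hint = " (extraEnv entry is not read by the guard)" if HOST in extra_names else ""
        findings.append(("error", f"{HOST} missing from passboltEnv.plain{hint}"))

    for name in DB_CREDS:
        if plain.get(name):
            findings.append(("warn", f"{name} is in passboltEnv.plain; move it to a Secret"))

    seen = set()
    for name in extra_names:
        if name in seen:
            findings.append(("warn", f"{name} appears more than once in extraEnv"))
        seen.add(name)
    return findings

def secret_ref(name, key):
    """Constructed helper: one extraEnv entry backed by a secretKeyRef."""
    return {"name": name, "valueFrom": {"secretKeyRef": {
        "name": "passbolt-config-secret", "key": key}}}

# Constructed sample: external database, host supplied only through extraEnv.
SAMPLE = {
    "mariadbDependencyEnabled": False,
    "passboltEnv": {
        "plain": {"APP_FULL_BASE_URL": "https://passbolt.tld"},
        "extraEnv": [secret_ref(HOST, HOST)] + [secret_ref(n, n) for n in DB_CREDS],
    },
}

if __name__ == "__main__":
    for level, message in preflight(SAMPLE):
        print(f"{level}: {message}")
```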