passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

Chart extra env issues #88

Closed thamudi closed 2 weeks ago

thamudi commented 5 months ago

I have an issue with setting up the chart with the config-maps and secrets separated from the charts values.

To explain, my configuration values that are in the configmaps and secrets get passed to the container, and executing a shell into the pod shows the values using the printenv command. However, it is not establishing a DB connection with my RDS, and after checking the logs in my DB server it shows that wrong credentials were used.

This issue doesn't happen and the chart works when I use the same configuration directly under passboltEnv.plain and passboltEnv.secret in the chart.

Here's my chart and its configurations.

Not working configmap.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: passbolt-cm
data:
  # -- Configure passbolt privacy url
  PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
  # -- Configure passbolt fullBaseUrl
  APP_FULL_BASE_URL: https://bolt.com
  # -- Configure passbolt to force ssl
  PASSBOLT_SSL_FORCE: "true"
  # -- Toggle passbolt public registration
  PASSBOLT_REGISTRATION_PUBLIC: "true"
  # -- Configure passbolt cake cache server
  CACHE_CAKE_DEFAULT_SERVER: redis-master.databases
  CACHE_CAKE_DEFAULT_PORT: "6380"
  # -- Configure passbolt default email service port
  EMAIL_TRANSPORT_DEFAULT_PORT: "123"
  # -- Toggle passbolt debug mode
  DEBUG: "true"
  # -- Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
  PASSBOLT_KEY_EMAIL: passbolt@passbolt.ngo
  # -- Toggle passbolt selenium mode
  PASSBOLT_SELENIUM_ACTIVE: "false"
  # -- Configure passbolt license path
  PASSBOLT_PLUGINS_LICENSE_LICENSE: /etc/passbolt/subscription_key.txt
  # -- Configure passbolt default email from
  EMAIL_DEFAULT_FROM: no-reply@passbolt.com
  # -- Configure passbolt default email from name
  EMAIL_DEFAULT_FROM_NAME: PASSBOLT
  # -- Configure passbolt default email host
  EMAIL_TRANSPORT_DEFAULT_HOST: "127.0.0.1"
  # -- Configure passbolt default email timeout
  EMAIL_TRANSPORT_DEFAULT_TIMEOUT: "30"
  # -- Toggle passbolt tls
  EMAIL_TRANSPORT_DEFAULT_TLS: "true"
  # -- Configure passbolt jwt private key path
  PASSBOLT_JWT_SERVER_KEY: /var/www/passbolt/config/jwt/jwt.key
  # -- Configure passbolt jwt public key path
  PASSBOLT_JWT_SERVER_PEM: /var/www/passbolt/config/jwt/jwt.pem
  # -- Toggle passbolt jwt authentication
  PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: "true"
  # -- Download Command for kubectl
  KUBECTL_DOWNLOAD_CMD: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
  DATASOURCES_DEFAULT_DRIVER: Postgres
  DATASOURCES_DEFAULT_HOST: private-postgresql-db-rds-do-test-db.ondigitalocean.com
  DATASOURCES_DEFAULT_PORT: "5432"
  DATASOURCES_DEFAULT_SSL_CA: /certificates/do-postgres-ca-certificate.crt # custom CA mount point
  DATASOURCES_DEFAULT_SSL_CERT: ''
  DATASOURCES_DEFAULT_LOG: "true"
  DATASOURCES_DEFAULT_SCHEMA: public

secrets.yaml

apiVersion: v1
kind: Secret
metadata:
  name: passbolt-sec
  namespace: playground
type: Opaque
data:
  # -- Configure passbolt cake cache password
  CACHE_CAKE_DEFAULT_PASSWORD: eW91SGFkVG9EZWNvZGVJdERpZG50WW91Pw==
  # -- Configure passbolt default database password
  DATASOURCES_DEFAULT_PASSWORD: eW91SGFkVG9EZWNvZGVJdERpZG50WW91Pw==
  # PG
  # -- Configure passbolt default database username
  DATASOURCES_DEFAULT_USERNAME: eW91SGFkVG9EZWNvZGVJdERpZG50WW91Pw==
  # -- Configure passbolt default database
  DATASOURCES_DEFAULT_DATABASE: eW91SGFkVG9EZWNvZGVJdERpZG50WW91Pw==
  do-postgres-ca-certificate.crt: |
    eW91SGFkVG9EZWNvZGVJdERpZG50WW91Pw==

NOTE: you will notice that in the passboltEnv section I used the same values I have in the configmap. The reason is that when I try to install it, it tells me that these values are missing and I need to add them, even though I have them applied in the configmaps and secrets files.

values.yaml

# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

## Dependencies configuration parameters

## Redis dependency parameters

# -- Install redis as a depending chart
redisDependencyEnabled: false
# -- Install mariadb as a depending chart
mariadbDependencyEnabled: false
# -- Install postgresql as a depending chart
postgresqlDependencyEnabled: false

# Configure postgresql as a dependency chart
#postgresql:
#  auth:
#    # -- Configure postgresql auth username
#    username: CHANGEME
#    # -- Configure postgresql auth password
#    password: CHANGEME
#    # -- Configure postgresql auth database
#    database: passbolt

global:
  imageRegistry: ""
  imagePullSecrets: []

# Configure redis dependency chart
redis:
  auth:
    # -- Enable redis authentication
    enabled: false
    # -- Configure redis password
    password: "CHANGEME"
  sentinel:
    # -- Enable redis sentinel
    enabled: false

## MariaDB dependency parameters

# Configure mariadb as a dependency chart
mariadb:
  # -- Configure mariadb architecture
  architecture: replication
  auth:
    # -- Configure mariadb auth root password
    rootPassword: root
    # -- Configure mariadb auth username
    username: CHANGEME
    # -- Configure mariadb auth password
    password: CHANGEME
    # -- Configure mariadb auth database
    database: passbolt
    # -- Configure mariadb auth replicationPassword
    replicationPassword: CHANGEME
  # -- Configure parameters for the primary instance.
  primary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored.
      existingClaim: ""
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Primary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Primary persistent volume claim annotations
      annotations: {}
      # -- Primary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Primary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}
  # -- Configure parameters for the secondary instance.
  secondary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Secondary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Secondary persistent volume claim annotations
      annotations: {}
      # -- Secondary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Secondary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}

## Passbolt configuration

## Passbolt container and sidecar parameters
app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: false
  #initImage:
  #  # -- Configure passbolt deployment init container image client for database
  #  client: mariadb
  #  registry: ""
  #  # -- Configure passbolt deployment image repository
  #  repository: mariadb
  #  # -- Configure passbolt deployment image pullPolicy
  #  pullPolicy: IfNotPresent
  #  # -- Overrides the image tag whose default is the chart appVersion.
  #  tag: latest
  image:
    # -- Configure passbolt deployment image repository
    registry: ""
    repository: passbolt/passbolt
    # -- Configure passbolt deployment image pullPolicy
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: 4.6.2-1-ce
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: postgresql
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: true
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: false
        # -- Configure redis sentinel proxy image
        image:
          registry: ""
          # -- Configure redis sentinel image repository
          repository: haproxy
          # -- Configure redis sentinel image tag
          tag: "latest"
        # -- Configure redis sentinel container resources
        resources: {}
        # -- Configure the passbolt deployment resources
  extraPodLabels: {}
  resources: {}
  tls:
    # -- If autogenerate is true, the chart will generate a secret with a certificate for APP_FULL_BASE_URL hostname
    # -- if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    autogenerate: true
    #existingSecret: ""

# -- Enable email cron
cronJobEmail:
  enabled: true
  schedule: "* * * * *"
  extraPodLabels: {}

## Passbolt environment parameters

# -- Pro subscription key in base64 only if you are using pro version
# subscriptionKey:
# -- Configure passbolt subscription key path
# subscription_keyPath: /etc/passbolt/subscription_key.txt

# -- Configure passbolt gpg directory
gpgPath: /etc/passbolt/gpg
# -- Gpg server private key in base64
gpgServerKeyPrivate: ""
# -- Gpg server public key in base64
gpgServerKeyPublic: ""
# -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys.
gpgExistingSecret: ""

# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys.
jwtExistingSecret: ""
# -- Configure passbolt jwt directory
jwtPath: /etc/passbolt/jwt
# -- JWT server private key in base64
jwtServerPrivate: ""
# -- JWT server public key in base64
jwtServerPublic: ""
# -- Forces overwrite JWT keys
jwtCreateKeysForced: false
jobCreateJwtKeys:
  extraPodLabels: {}

jobCreateGpgKeys:
  extraPodLabels: {}

###
### Even though they are defined in the config maps, it still requests them to be present in the chart when I try to install it
###
passboltEnv:
  plain:
    DATASOURCES_DEFAULT_HOST: private-postgresql-db-rds-do-test-db.ondigitalocean.com
    DATASOURCES_DEFAULT_PORT: "5432"
    DATASOURCES_DEFAULT_SSL_CA: /certificates/do-postgres-ca-certificate.crt
    DATASOURCES_DEFAULT_SSL_CERT: ''
  secret:
    DATASOURCES_DEFAULT_DATABASE: CHANGEME
  # -- Environment variables to add to the passbolt pods
  extraEnv: []
  # -- Environment variables from secrets or configmaps to add to the passbolt pods
  extraEnvFrom:
    - configMapRef:
        name: passbolt-cm
    - secretRef:
        name: passbolt-sec
## Passbolt deployment parameters

# -- If autoscaling is disabled this will define the number of pods to run
replicaCount: 1

# Configure autoscaling on passbolt deployment
autoscaling:
  # -- Enable autoscaling on passbolt deployment
  enabled: false
  # -- Configure autoscaling minimum replicas
  minReplicas: 1
  # -- Configure autoscaling maximum replicas
  maxReplicas: 100
  # -- Configure autoscaling target CPU utilization percentage
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# -- Enable role based access control
rbacEnabled: true

# -- Configure passbolt container livenessProbe
livenessProbe:
  # @ignore
  httpGet:
    port: http  
    scheme: HTTP
    # path: /healthcheck/status.json
    path: /
    httpHeaders:
      - name: Host
        value: passbolt.local
  initialDelaySeconds: 240
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: passbolt.local
    # path: /healthcheck/status.json
    path: /
  initialDelaySeconds: 240
  periodSeconds: 10

# Configure network policies to allow ingress access passbolt pods
# networkPolicy defines which labels are allowed to reach to passbolt
# and which namespaces
networkPolicy:
  # -- Enable network policies to allow ingress access passbolt pods
  enabled: false
  # -- Configure network policies label for ingress deployment
  label: app.kubernetes.io/name
  # -- Configure network policies podLabel for podSelector
  podLabel: ingress-nginx
  # -- Configure network policies namespaceLabel for namespaceSelector
  namespaceLabel: ingress-nginx

# -- Configure image pull secrets
imagePullSecrets: []
# -- Value to override the chart name on default
nameOverride: ""
# -- Value to override the whole fullName
fullnameOverride: ""

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}

# -- Map of annotation for passbolt server pod
podAnnotations: {}

# -- Security Context configuration for passbolt server pod
podSecurityContext:
  {}
  # fsGroup: 2000

service:
  # -- Configure passbolt service type
  type: ClusterIP
  # -- Annotations to add to the service
  annotations: {}
  # -- Configure the service ports
  ports:
    # -- Configure the HTTPS port
    https:
      # -- Configure passbolt HTTPS service port
      port: 443
      # -- Configure passbolt HTTPS service targetPort
      targetPort: 443
      # -- Configure passbolt HTTPS service port name
      name: https
    http:
      # -- Configure passbolt HTTP service port
      port: 80
      # -- Configure passbolt HTTP service targetPort
      targetPort: 80
      # -- Configure passbolt HTTP service port name
      name: http

ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-staging"
    external-dns.alpha.kubernetes.io/target: nginx.ingress.cloud.test.com
    external-dns.alpha.kubernetes.io/ingress-hostname-source: defined-hosts-only
  # -- Configure passbolt ingress hosts
  hosts:
    # @ignored
    - host: passbolt.local
      paths:
        - path: /
          port: https
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If autogenerate is true, the chart will generate a secret for the given hosts
    # if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    - autogenerate: true
      # existingSecret: ""
      hosts:
        - bolt.com
# -- Configure passbolt deployment nodeSelector
nodeSelector: {}

# -- Configure passbolt deployment tolerations
tolerations: []

# -- Configure passbolt deployment affinity
affinity: {}

# -- Add additional volumes, e.g. for overwriting config files
extraVolumes:
  - name: certificates
    secret:
      secretName: passbolt-sec
      items:
        - key: do-postgres-ca-certificate.crt
          path: do-postgres-ca-certificate.crt
# -- Add additional volume mounts, e.g. for overwriting config files
extraVolumeMounts:
  - name: certificates
    mountPath: /certificates
    readOnly: true

So, like I mentioned above, in order to make the chart work I just need to move the values from the config maps and secrets and have them directly in the chart.

Any insight on how to fix this? Am I missing something?

Tecnobutrul commented 5 months ago

Hello @thamudi

In order to shed some light on the "DATASOURCES_DEFAULT_HOST can't be empty when mariadbDependencyEnabled and postgresqlDependencyEnabled are disabled" error message, I am going to try to explain what moved us to introduce it.

This helm chart can install two different database engines (mariadb and postgresql), both of them using bitnami charts, and can also connect passbolt to already created databases. We put a lot of effort into creating a "batteries included" chart so people can test passbolt (with mysql or postgresql) without configuring many things. This means that we "calculate" some configurations automatically at render time, and the host is the one that needs the most logic because of the different possible scenarios (eg. default mariadb, default postgresql, mysql with replicas, external database, and so on and so forth...). So, did you install it with the postgresql subchart? It will work seamlessly. Did you install it with the mariadb subchart using the replication feature? Same. Did you pass the host using passboltEnv.plain.DATASOURCES_DEFAULT_HOST to use an external database? It is also ok. But, to do so, we need to be sure that we have one out of those 3 configurations. Either we need the host directly, or we need to know which subchart you are using. And, to ensure this, we created the error message.

Long story short, this issue can be solved in two different ways:

We would like to hear your insights on this particular feature.

thamudi commented 4 months ago

Thanks for the detailed explanation.

I am thinking that keeping the error message and adding a flag to disable the check for those who have more advanced configuration would be a more suitable approach in this scenario.

EDIT: @Tecnobutrul I would like to clarify that I did add the DATASOURCES_DEFAULT_HOST in the chart and I am connecting to it using TLS; however, the only way to make the chart work is by also providing the remaining config in the plain section and the secrets in the secret section of the chart. Providing them via a config map and a secret and then mapping them under extraEnvFrom doesn't seem to work. Note, executing a shell into the pod and using printenv seems to show the values correctly passed using the extraEnvFrom method, but they are not reflected at the PHP configuration level.

thamudi commented 1 month ago

I found the issue with the chart. It was due to an override caused by -sec-env and -cm-env in the deployment, jobs and the cronjob templates.

Here's the PR link for review.
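To make the kind of override thamudi identified visible before it reaches a database, here is an added check (not code from the chart or from anyone in this thread) that models how Kubernetes builds a container's environment: envFrom sources are applied in order, a later source overwrites an earlier one for the same key, and entries under env override anything from envFrom. The object names passbolt-cm-env and passbolt-sec-env, the values, and the ordering of the envFrom list are constructed assumptions modelled on the issue, not the chart's real template output.

```python
import base64

def b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed ConfigMaps/Secrets: the user's own objects plus chart-rendered
# "-cm-env"/"-sec-env" ones carrying placeholder values (assumed names).
OBJECTS = {
    ("ConfigMap", "passbolt-cm"): {"DATASOURCES_DEFAULT_HOST": "db.example.internal",
                                   "DATASOURCES_DEFAULT_PORT": "5432"},
    ("Secret", "passbolt-sec"): {"DATASOURCES_DEFAULT_USERNAME": b64("passbolt_app"),
                                 "DATASOURCES_DEFAULT_PASSWORD": b64("s3cret")},
    ("ConfigMap", "passbolt-cm-env"): {"DATASOURCES_DEFAULT_PORT": "5432"},
    ("Secret", "passbolt-sec-env"): {"DATASOURCES_DEFAULT_DATABASE": b64("CHANGEME"),
                                     "DATASOURCES_DEFAULT_PASSWORD": b64("CHANGEME")},
}

def source_values(ref):
    """Key/value pairs one envFrom entry contributes (Secret data is base64-decoded)."""
    if "configMapRef" in ref:
        return dict(OBJECTS[("ConfigMap", ref["configMapRef"]["name"])])
    data = OBJECTS[("Secret", ref["secretRef"]["name"])]
    return {k: base64.b64decode(v).decode() for k, v in data.items()}

def resolve_env(env_from, env):
    """Effective environment plus a list of (key, old, new, origin) overrides."""
    result, overrides = {}, []
    for ref in env_from:  # later envFrom sources win over earlier ones
        origin = ref.get("configMapRef", ref.get("secretRef"))["name"]
        for key, value in source_values(ref).items():
            if key in result and result[key] != value:
                overrides.append((key, result[key], value, origin))
            result[key] = value
    for item in env:  # plain env entries win over everything in envFrom
        name, value = item["name"], item["value"]
        if name in result and result[name] != value:
            overrides.append((name, result[name], value, "env"))
        result[name] = value
    return result, overrides

# Assumed template order: user extraEnvFrom first, chart-rendered sources after.
CONTAINER_ENV_FROM = [
    {"configMapRef": {"name": "passbolt-cm"}},
    {"secretRef": {"name": "passbolt-sec"}},
    {"configMapRef": {"name": "passbolt-cm-env"}},
    {"secretRef": {"name": "passbolt-sec-env"}},
]

if __name__ == "__main__":
    env, clobbered = resolve_env(CONTAINER_ENV_FROM, [])
    for key, old, new, origin in clobbered:
        print(f"{key}: {old!r} overridden by {new!r} from {origin}")
```

Running it with the constructed inputs reports that the user's DATASOURCES_DEFAULT_PASSWORD is replaced by the placeholder from the chart-rendered secret, which is the symptom of a database rejecting the credentials while printenv still looks plausible for the other keys.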