passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

Installation stuck at "waiting on database connection" #89

Open HelLViS69 opened 1 month ago

HelLViS69 commented 1 month ago

Hello, as the title says, the installation remains stuck at "waiting on database connection".

After entering the pod "passbolt-depl-srv" and opening a shell in the init container "passbolt-depl-srv-init", I tried the connection to MariaDB and this is the result:

root@passbolt-depl-srv-5cf966745f-vblgt:/# mariadb -h ${DATASOURCES_DEFAULT_HOST} -u ${DATASOURCES_DEFAULT_USERNAME} -p${DATASOURCES_DEFAULT_PASSWORD}
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

I also tried setting PASSBOLT_SSL_FORCE to false, but it didn't help.

dlen commented 1 month ago

Looks like your database server requires SSL to connect, right?

If that is the case you'll need to configure passbolt to use the SSL certificates to communicate with your database. Check the following env vars: https://github.com/passbolt/passbolt_api/blob/727e938c35dbbd43f798f36bbfba25898d8ae7b5/config/app.default.php#L343C13-L345C63

You'll have to mount the certificates in your passbolt container using the extraVolumes and extraVolumeMounts. Then passbolt should be able to connect.

If you want to use the mariadb cli you'll have to pass certain parameters to use SSL: https://mariadb.com/kb/en/securing-connections-for-client-and-server/

HelLViS69 commented 1 month ago

Yes, it requires SSL, but I don't find any configuration in values.yml to pass. The database btw is the one installed by passbolt chart using default bitnami/mariadb

dlen commented 1 month ago

Please share your values.yaml

HelLViS69 commented 1 month ago

I'm using K3s, so the values.yaml is wrapped in the following CRD:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  namespace: kube-system
  name: passbolt
spec:
  valuesContent: |-
    redis:
      auth:
        password: "xxx"
    mariadb:
      auth:
        username: "passbolt"
        password: "yyy"
        replicationPassword: "zzz"
    passboltEnv:
      plain:
        APP_FULL_BASE_URL: "https://passbolt.local"
        PASSBOLT_KEY_EMAIL: "passbolt@yourdomain.com"
        PASSBOLT_SSL_FORCE: false
        EMAIL_DEFAULT_FROM: "no-reply@passbolt.local"
      secret:
        CACHE_CAKE_DEFAULT_PASSWORD: "xxx"
        DATASOURCES_DEFAULT_USERNAME: "passbolt"
        DATASOURCES_DEFAULT_PASSWORD: "yyy"

I just saw that there's an additional configuration I didn't try yet:

    app:
      tls:
        autogenerate: false
        existingSecret: ""

Could this be of any help?

schulmar commented 1 month ago

I did also see this with a vanilla setup with MariaDB from the chart. Anyways, I got it to work in the pod shell with mariadb --skip-ssl .... It seems the default switched from ssl=off to on some time ago.

> Looks like your database server requires SSL to connect, right?

No, the message actually says that the server does not support SSL but the client wants to use SSL.

I managed to get passbolt-depl-srv's init script to go through by patching the deployment to change the config file that is written to /tmp/defaultsfile.cnf to contain ssl = off:

cat <<-EOF > /tmp/defaultsfile.cnf
          [client]
          ssl = off
          user=${DATASOURCES_DEFAULT_USERNAME}
          password=${DATASOURCES_DEFAULT_PASSWORD}
          host=${DATASOURCES_DEFAULT_HOST}
          connect-timeout=2
          EOF

Switching over to PostgreSQL was much smoother...

abnerrizzi commented 1 month ago

On templates/deployment.yaml, on line 64, add --skip-ssl. Change from:

while ! ${client} --defaults-file=/tmp/defaultsfile.cnf -e "SELECT 1" --skip-ssl > /dev/null 2>&1; do

to:

while ! ${client} --defaults-file=/tmp/defaultsfile.cnf -e "SELECT 1" > /dev/null 2>&1; do

I think the correct fix would be to enable SSL on mariadb. Could someone help with this?
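Added example, not part of the thread or the chart's own code: the wait loop quoted above sends the client's output to /dev/null, so a TLS mismatch such as ERROR 2026 looks the same as a database that is still starting. This sketch keeps stderr, classifies it by the standard MariaDB client error codes, and stops on errors that retrying cannot fix; the function names and WAIT_INTERVAL are hypothetical, and the demo probe at the end is constructed.

```shell
#!/bin/sh
# Added example (not the chart's code): a database wait loop that reports
# why the probe failed instead of discarding the client's error output.

# classify_db_error <stderr text>
# Prints tls_mismatch, auth, unreachable or unknown.
classify_db_error() {
  case "$1" in
    *"ERROR 2026"*) echo tls_mismatch ;;               # TLS/SSL negotiation failed
    *"ERROR 1045"*) echo auth ;;                       # access denied
    *"ERROR 2002"*|*"ERROR 2003"*) echo unreachable ;; # server not accepting connections
    *) echo unknown ;;
  esac
}

# Only "server not up yet" is worth waiting for; a TLS or credential
# mismatch needs a configuration change, not more retries.
is_retryable() {
  [ "$1" = unreachable ]
}

# wait_for_db <max_attempts> <probe command...>
# Returns 0 when the probe succeeds, 1 after max_attempts retryable
# failures, 2 on the first non-retryable failure.
wait_for_db() {
  max=$1; shift
  i=0
  while [ "$i" -lt "$max" ]; do
    # Capture stderr only; stdout of the probe is not needed.
    if err=$("$@" 2>&1 >/dev/null); then return 0; fi
    class=$(classify_db_error "$err")
    echo "db probe failed ($class): $err" >&2
    is_retryable "$class" || return 2
    i=$((i + 1))
    sleep "${WAIT_INTERVAL:-2}"
  done
  return 1
}

# In the init container the call would look like (client and file from the thread):
#   wait_for_db 30 "${client}" --defaults-file=/tmp/defaultsfile.cnf -e "SELECT 1"

# Constructed demo: a stand-in probe that fails with the error from this issue.
demo_probe() {
  echo "ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it" >&2
  return 1
}
wait_for_db 3 demo_probe || echo "wait_for_db exit status: $?"
```

With the tls_mismatch class surfaced in the init container log, the choice between enabling TLS on the server and relaxing the client is made deliberately rather than discovered from a stuck pod.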

ktx-kirtan commented 1 week ago

I'm also stuck on the same thing

KmZ78 commented 1 week ago

Same thing