zitadel / zitadel

ZITADEL - Identity infrastructure, simplified for you.
https://zitadel.com
Apache License 2.0

[Bug]: Multiple Setup/Init Issues #8012

Open ad-zsolt-imre opened 1 month ago

ad-zsolt-imre commented 1 month ago

Preflight Checklist

Environment

Self-hosted

Version

v2.52.0

Database

PostgreSQL

Database Version

15.4.0

Describe the problem caused by this bug

  1. Not possible to provide the master key using an environment variable. There are various options to provide the master key to Zitadel. Out of these options, the environment variable one is not working. Passing the master key as a command line argument works, though, but we would prefer using the environment variable.

  2. When changing the password policy to require a password at least 12 chars long instead of the default 8 and setting the initial admin password to e.g. deadbeefdeadbeef for the zitadel-admin user, the following error is received on init:

time="2024-05-26T06:06:27Z" level=error msg="migration failed" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:68" error="ID=COMMA-HuJf6 Message=Errors.User.PasswordComplexityPolicy.MinLength" name=03_default_instance
time="2024-05-26T06:06:27Z" level=fatal msg="migration failed" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:210" error="ID=COMMA-HuJf6 Message=Errors.User.PasswordComplexityPolicy.MinLength" name=03_default_instance

The initial password provided clearly meets the MinLength requirement set, though.

To reproduce

See problem description.

Screenshots

No response

Expected behavior

  1. Setting the master key using the environment variable works.
  2. When using a custom password policy and providing a compliant initial admin password the init does not fail and login is possible.

Operating System

Single pod, single container with container image ghcr.io/zitadel/zitadel:v2.52.0 running on latest k3s cluster.

Relevant Configuration

No response

Additional Context

No response

doncicuto commented 4 days ago

Hi @ad-zsolt-imre, would you confirm the scope of this issue for me? Are you using the Zitadel helm chart or some other way to try to use the environment variable?

ad-zsolt-imre commented 4 days ago

Hi @doncicuto . I'm not using the Zitadel helm chart. I wanted to put a simple deployment manifest together for Zitadel and that's how I noticed the behaviour in the description of the issue.

Basically what I'm doing is that I'm passing the ZITADEL_MASTERKEY env var to the Zitadel container. Snippet from the deployment manifest:

          env:
            - name: ZITADEL_MASTERKEY
              value: deadbeefdeadbeefdeadbeefdeadbeef

doncicuto commented 4 days ago

Thanks @ad-zsolt-imre. Are you passing the following flag

--masterkeyFromEnv read masterkey for en/decryption keys from environment variable (ZITADEL_MASTERKEY)

to the zitadel setup/start command?
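
To illustrate how the flag and the variable fit together in a plain deployment manifest, here is an added example (not from this issue thread and not the ZITADEL project's own manifest). It assumes `start-from-init` as the subcommand, a Secret named `zitadel-masterkey` with a key `masterkey`, and that the key is read from that Secret rather than written as a literal in the manifest; the `--masterkeyFromEnv` flag and the `ZITADEL_MASTERKEY` variable are the ones named above.

```yaml
# Added example (not from the issue or the ZITADEL project): a Kubernetes
# Deployment fragment combining the ZITADEL_MASTERKEY environment variable
# with the --masterkeyFromEnv flag. The Secret name "zitadel-masterkey", its
# key "masterkey", and the "start-from-init" subcommand are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zitadel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zitadel
  template:
    metadata:
      labels:
        app: zitadel
    spec:
      containers:
        - name: zitadel
          image: ghcr.io/zitadel/zitadel:v2.52.0
          # The flag is what tells ZITADEL to read the key from the
          # environment; setting the variable on its own is not enough.
          args:
            - start-from-init
            - --masterkeyFromEnv
          env:
            - name: ZITADEL_MASTERKEY
              # Pull the key from a Secret instead of a literal so it does
              # not end up in version control or in `kubectl describe` output.
              valueFrom:
                secretKeyRef:
                  name: zitadel-masterkey   # assumed Secret name
                  key: masterkey            # assumed key; value is 32 bytes
```

The Secret holding the key is created separately (for example with `kubectl create secret generic zitadel-masterkey --from-literal=masterkey=...`) and the value must be exactly 32 bytes long, as the literal in the snippet above is.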

ad-zsolt-imre commented 4 days ago

@doncicuto Ah, no, I did not. Sorry, it seems I missed that completely. Thanks a lot for pointing that out. I will update and test once I have time again.

Regarding the password policy issue, do you have any suggestions?

doncicuto commented 4 days ago

Perfect for the first part of the issue :smile:. I'll try to test the password policy issue and let you know @ad-zsolt-imre

doncicuto commented 4 days ago

Hi again @ad-zsolt-imre. Can you paste another snippet from your deployment manifest or the Zitadel config yaml part that sets your admin password, and also the one that sets the custom password complexity policy to have a min length of 12?

Given the error message you've provided, and having checked it against the source code, either the password is not being passed correctly (from an env?) and is assumed to be empty, or there's an issue with the password complexity setting.

ad-zsolt-imre commented 4 days ago

The MinLength of the password complexity policy is below:

  PasswordComplexityPolicy:
    MinLength: 12 # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH

A snippet from the configmap I used:

        Human:
          # In case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
          # it will be suffixed by the org domain (org-name + domain from config).
          # for example zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
          UserName: zitadel-admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
          FirstName: ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_FIRSTNAME
          LastName: Admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_LASTNAME
          NickName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_NICKNAME
          DisplayName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_DISPLAYNAME
          Email:
            Address: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
            Verified: false # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
          PreferredLanguage: en # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
          Gender: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_GENDER
          Phone:
            Number: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_NUMBER
            Verified: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
          Password: {{ .Values.services.zitadel.defaultAdminPassword }}

I can confirm {{ .Values.services.zitadel.defaultAdminPassword }} yielded deadbeefdeadbeef.