Open ad-zsolt-imre opened 1 month ago
Hi @ad-zsolt-imre, could you confirm the scope of this issue? Are you using the Zitadel helm chart or some other way to try to use the environment variable?
Hi @doncicuto . I'm not using the Zitadel helm chart. I wanted to put a simple deployment manifest together for Zitadel and that's how I noticed the behaviour in the description of the issue.
Basically what I'm doing is passing the `ZITADEL_MASTERKEY` env var to the Zitadel container. Snippet from the deployment manifest:

```yaml
env:
  - name: ZITADEL_MASTERKEY
    value: deadbeefdeadbeefdeadbeefdeadbeef
```
Thanks @ad-zsolt-imre. Are you passing the following flag

```
--masterkeyFromEnv   read masterkey for en/decryption keys from environment variable (ZITADEL_MASTERKEY)
```

to the zitadel setup/start command?
@doncicuto Ah, no, I did not. Sorry, it seems I missed that completely. Thanks a lot for pointing it out. I will update and test once I have time again.
Regarding the password policy issue, do you have any suggestions?
Perfect for the first part of the issue :smile:. I'll try to test the password policy issue and let you know @ad-zsolt-imre
Hi again @ad-zsolt-imre. Can you paste another snippet from your deployment manifest or the Zitadel config yaml part that sets your admin password, and also the one that sets the custom password complexity policy to have a min length of 12?
Looking at the error message you've provided and checking it against the source code, either the password is not being passed correctly (from an env?) and is assumed to be empty, or there's an issue with the password complexity setting.
The `MinLength` of the password complexity policy is below:

```yaml
PasswordComplexityPolicy:
  MinLength: 12 # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH
```
A snippet from the configmap I used:

```yaml
Human:
  # In case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
  # it will be suffixed by the org domain (org-name + domain from config).
  # for example zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
  UserName: zitadel-admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
  FirstName: ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_FIRSTNAME
  LastName: Admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_LASTNAME
  NickName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_NICKNAME
  DisplayName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_DISPLAYNAME
  Email:
    Address: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
    Verified: false # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
  PreferredLanguage: en # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
  Gender: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_GENDER
  Phone:
    Number: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_NUMBER
    Verified: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
  Password: {{ .Values.services.zitadel.defaultAdminPassword }}
```

I can confirm `{{ .Values.services.zitadel.defaultAdminPassword }}` yielded the `deadbeefdeadbeef`.
### Preflight Checklist

### Environment

Self-hosted

### Version

v2.52.0

### Database

PostgreSQL

### Database Version

15.4.0

### Describe the problem caused by this bug

Not possible to provide the master key using an environment variable. There are various options to provide the master key to Zitadel. Out of these options, the environment variable one is the one which is not working. Passing the master key as a command line argument works, though, but we would prefer using the environment variable.

When changing the password policy to require a password at least `12` chars long instead of the default `8`, and setting the initial admin password to e.g. `deadbeefdeadbeef` for the `zitadel-admin` user, the following error is received on init:

The initial password provided clearly meets the `MinLength` requirement set, though.

### To reproduce

See problem description.

### Screenshots

No response

### Expected behavior

### Operating System

Single pod, single container with container image `ghcr.io/zitadel/zitadel:v2.52.0` running on latest k3s cluster.

### Relevant Configuration

No response

### Additional Context

No response
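For readers who land on this thread with the same symptom, the following is an added example manifest (not from the issue, the reporter, or the Zitadel project) that applies the outcome of the discussion: the `ZITADEL_MASTERKEY` variable is only honoured when the container is started with `--masterkeyFromEnv`, and the min-length policy is set through the `ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH` variable named in the config comments. It also moves both the master key and the initial admin password out of a literal `value:` into a Kubernetes Secret, so they are not readable by anyone who can view the Deployment. The Secret name and keys, the `start-from-init` subcommand (taken from the Zitadel CLI, the thread only says "setup/start"), and the `ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PASSWORD` variable name (following the `ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_*` pattern shown above) are assumptions; database and external-domain settings are omitted.

```yaml
# Added example, not part of the original issue. Secret name/keys, the
# start-from-init subcommand and ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PASSWORD
# are assumptions; placeholder values are marked with angle brackets.
apiVersion: v1
kind: Secret
metadata:
  name: zitadel-secrets            # assumed name
type: Opaque
stringData:
  masterkey: "<32-character-master-key>"       # placeholder; Zitadel expects exactly 32 characters
  admin-password: "<initial-admin-password>"   # placeholder; must satisfy the MinLength policy below
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zitadel
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zitadel
  template:
    metadata:
      labels:
        app: zitadel
    spec:
      containers:
        - name: zitadel
          image: ghcr.io/zitadel/zitadel:v2.52.0
          # Without --masterkeyFromEnv the ZITADEL_MASTERKEY variable is ignored,
          # which is the behaviour reported in this issue.
          args: ["start-from-init", "--masterkeyFromEnv"]
          env:
            # Master key read from the Secret instead of a literal value: in the
            # manifest; it protects the en/decryption keys, so treat it like one.
            - name: ZITADEL_MASTERKEY
              valueFrom:
                secretKeyRef:
                  name: zitadel-secrets
                  key: masterkey
            # Initial password for the zitadel-admin human user (assumed variable name).
            - name: ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: zitadel-secrets
                  key: admin-password
            # Custom policy from the issue: 12 characters minimum instead of the default 8.
            # The admin password above has to satisfy this at init time.
            - name: ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH
              value: "12"
            # Database connection and ZITADEL_EXTERNALDOMAIN/port settings are
            # omitted here; add the ones your deployment already uses.
```

A quick way to confirm the flag actually reached the process is `kubectl exec` into the pod and inspect the running command line with `ps`, or check the `args` in `kubectl get pod -o yaml`; if `--masterkeyFromEnv` is missing, Zitadel will behave exactly as described at the top of this issue regardless of what the environment contains.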