Error upgrading from v4.0 to v4.7 on kubernetes

Hi,

We have deployed Passbolt CE on Kubernetes cluster from yaml (not helm charts) and it’s working fine and we could upgrade till v4.0.1 fine just changing version on manifest
Now we want to upgrade again from 4.0.1-1-ce to 4.7.0-1-ce but after deploy new version web remains empty after login and get error trying to search a password on plugin.
Try to clear browser cache and reinstall plugin no efect, we could see multiple pid errors on container logs

Revert to v4.0 works fine, you could check healthcheck output for both versions below

Output from v4.7

root@passbolt-75888d497c-xgbgt:/usr/share/php/passbolt# su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell.....
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.18.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.XXXXXXXXXXXXXXXXX
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set.
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example:
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.
 [FAIL] The private key cannot be used to decrypt a message
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (4.7.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [FAIL] The database schema is not up to date.
 [HELP] Run the migration scripts:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake migrations migrate --no-lock" www-data
 [HELP] See https://www.passbolt.com/help/tech/update

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found.
 [PASS] Some default content is present.

 [FAIL] 10 error(s) found. Hang in there!

root@passbolt-75888d497c-xgbgt:/usr/share/php/passbolt#

Output from v4.0

root@passbolt-5858fd76b5-v24dk:/usr/share/php/passbolt# su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.XXXXXXXXXXXXXXXXX
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [FAIL] The database schema is not up to date.
 [HELP] Run the migration scripts:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake migrations migrate --no-lock" www-data
 [HELP] See. https://www.passbolt.com/help/tech/update

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server OpenPGP key is not set
 [HELP] Create a key, export it and add the fingerprint to /etc/passbolt/passbolt.php
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in /etc/passbolt/passbolt.php.
 [HELP] Double check the key fingerprint, example:
 [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /var/lib/passbolt/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
 [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
 [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is not in the keyring
 [HELP] Import the private server key in the keyring of the webserver user.
 [HELP] you can try:
 [HELP] sudo su -s /bin/bash -c "gpg --home /var/lib/passbolt/.gnupg --import /etc/passbolt/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
 [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 4.0.1 and it should be v4.7.0.
 [HELP] See. https://www.passbolt.com/help/tech/update
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [WARN] The SMTP Settings source is: env variables.
 [HELP] It is recommended to set the SMTP Settings in the database through the administration section.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 7 error(s) found. Hang in there!

root@passbolt-5858fd76b5-v24dk:/usr/share/php/passbolt#

Maybe something we missed out about php version upgrade??

License and key mounted due PV on kubernetes deployment

Changes modified on deployment to upgrade

apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt
  namespace: security
  labels:
    app: passbolt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt
  template:
    metadata:
      labels:
        app: passbolt
    spec:
      containers:
        - name: passbolt
          image: passbolt/passbolt:4.0.1-1-ce
          #image: passbolt/passbolt:4.7.0-1-ce
          ...
          volumeMounts:
          - mountPath: /etc/passbolt/gpg
            name: XXXXXXXXXXXXXXXXX-passbolt-security-1-claim
          - mountPath: /usr/share/php/passbolt/webroot/img/public
            name: XXXXXXXXXXXXXXXXX-passbolt-images-volume-security-1-claim
          - mountPath: /etc/passbolt/license
            name: XXXXXXXXXXXXXXXXX-passbolt-license-security-1-claim
      volumes:
      - name: XXXXXXXXXXXXXXXXX-passbolt-license-security-1-claim
        persistentVolumeClaim:
          claimName: XXXXXXXXXXXXXXXXX-passbolt-license-security-1-claim
      - name: XXXXXXXXXXXXXXXXX-passbolt-images-volume-security-1-claim
        persistentVolumeClaim:
          claimName: XXXXXXXXXXXXXXXXX-passbolt-images-volume-security-1-claim
      - name: XXXXXXXXXXXXXXXXX-passbolt-security-1-claim
        persistentVolumeClaim:
          claimName: XXXXXXXXXXXXXXXXX-passbolt-security-1-claim

Errors showns on deploy logs after upgrade

passbolt INFO reaped unknown pid 630 (exit status 0)

Checklist
[x ] I have read intro post: About the Installation Issues category
[ x] I have read the tutorials, help and searched for similar issues
[ x] I provide relevant information about my server (component names and versions, etc.)
[ x] I provide a copy of my logs and healthcheck
[ x] I describe the steps I have taken to trouble shoot the problem
[x ] I describe the steps on how to reproduce the issue

hey @valentinfl welcome to the forum!

The bigger issue here looks to be with the gpg key. What do you have set in the values file related to that? I’m guessing you are missing the part where that is to be specified

Hi,
GPG key are stored on persistent volumes on CephFS through persistent volume claims so it should be avaliable on same path after upgrade.
Maybe ENV options not match after upgrade?? We setup ENV options on deployment file
Thanks and regards

Those env options are what I was getting at with the question.

There are a few to take a look at in the values file that you’ll want to set

Hi,
Only JWT path are not setup on ENV values on manifest, checked and files was created fine and are avaliable because i could get SUCESSFULL when check /auth/jwt/rsa.json path on server using v4.0
Reading doc I could not locate any reference about JWT folder should be persisted between updates
I think problem it’s related to upgrade PHP from 7.4 to v8 but i didn’t get reason…

Also running checks get new errors on v4.7 about could not decrypt/verify


But keys are persisted fine on CephFS trough persistent volumes on kubernetes and are valid as rollback works fine again with same keys

Just to be completely clear, you did in fact set all of these?

gpgPath: /etc/passbolt/gpg
# -- Gpg server private key in base64
gpgServerKeyPrivate: ""
# -- Gpg server public key in base64
gpgServerKeyPublic: ""
# -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys.
gpgExistingSecret: ""

If you have a key to use here it has to be explicitly mentioned otherwise a new one is generated when it starts up and then you can get this issue with the encryption/decryption.

This shouldn’t be an issue with the php version

Nope,
Just setup gpg folder path as mount point but no server keys were passed as env variables, I assumed passbolt will reuse existing keys on that folder…

Let me try new update with keys as env values and we let you know next week

Thanks and regards