Issue during Passbolt kubernetes deployment

[x ] I have read intro post: About the Installation Issues category
[ x] I have read the tutorials, help and searched for similar issues
[x ] I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
[x ] I describe the steps I have taken to trouble shoot the problem
[ x] I describe the steps on how to reproduce the issue


I’ve been trying to deploy passbolt on my kubernetes cluster for several days now. It’s just been set up and has three nodes (one master and three workers). To deploy the passbolt version of kubernetes, i’ve used the following commands:

helm repo add passbolt “
helm install mypassbolt passbolt/passbolt

After waiting several minutes, during which time I was unable to perform any action, I received the following error message:

Error: INSTALLATION FAILED: failed pre-install: 1 error occurred:
* timed out waiting for the condition

The “kubectl get event” command returns the following output:

9m40s Normal Scheduled pod/mypassbolt8-job-create-gpg-keys-lspf9 Successfully assigned default/mypassbolt88-job-create-gpg-keys-lspf9 to sv-csl-008-b
4m58s Normal Pulled pod/mypassbolt8-job-create-gpg-keys-lspf9 Container image “passbolt/passbolt:4.4.2-1-ce” already present on machine
4m58s Normal Created pod/mypassbolt8-job-create-gpg-keys-lspf9 Created container mypassbolt88-job-create-gpg-keys
4m58s Normal Started pod/mypassbolt8-job-create-gpg-keys-lspf9 Started container mypassbolt88-job-create-gpg-keys
3m31s Warning BackOff pod/mypassbolt8-job-create-gpg-keys-lspf9 Back-off restarting failed container mypassbolt8-job-create-gpg-keys in pod mypassbolt88-job-create-gpg-keys-lspf9_default(c4ec3d9d-0126-4d34-b9e7-32a

I’m an absolute beginner in container management, I’m trying to set up an infrastructure because my company is planning to buy a Passbolt CE license. Do you have any ideas for solving my problem?

Thanks in advance!

Just a reminder that Helm is more of an advanced install method and if you are a beginner with containers it might be a better idea to go with a different install choice. Particularly as you mention you are doing this for a trial and not just for educational purposes.

However if you do want to continue with Helm we’ll need a bit more information here. Could you run a describe on that pod when it is trying to start?

Also are you running this on EKS, GKE, your own hardware, something like kind or minikube, or a different option?

Thank you for your answer.

I’m interrested if you have a more simple way to install passbolt on kubernetes cluster: my main goal is to make it work :slight_smile:

I have set a kubernetes cluster on my own hardware (three servers under Rocky Linux 9). I have installed Kubernetes from scratch.

Here is the result of the describe:

Name:             mypassbolt-job-create-gpg-keys-ggxnp
Namespace:        default
Priority:         0
Service Account:  mypassbolt-sa-create-gpg-keys
Node:             sv-csl-008-b/
Start Time:       Mon, 15 Jan 2024 15:29:09 +0100
Annotations: 998ff3b748b58c7100d1b79b8f8f88544adeca18161626733d07339e289958aa
Status:           Running
Controlled By:  Job/mypassbolt-job-create-gpg-keys
    Container ID:  containerd://21cf1509f0fe674eced44ab54f754037c2e75aa18bb3ef8e75ab84dfd035c238
    Image:         passbolt/passbolt:4.4.2-1-ce
    Image ID:
    Port:          <none>
    Host Port:     <none>
      set -e
      key_name="${PASSBOLT_KEY_NAME:-Passbolt default user}"
      su -c "gpg --homedir $GNUPGHOME --batch --no-tty --gen-key <<EOF
        Key-Type: default
        Key-Length: $key_length
        Subkey-Type: default
        Subkey-Length: $subkey_length
        Name-Real: $key_name
        Name-Email: $key_email
        Expire-Date: $expiration
      EOF" -ls /bin/bash www-data || \
      gpg --homedir $GNUPGHOME --batch --no-tty --gen-key <<EOF
        Key-Type: default
        Key-Length: $key_length
        Subkey-Type: default
        Subkey-Length: $subkey_length
        Name-Real: $key_name
        Name-Email: $key_email
        Expire-Date: $expiration

      PRIVATE_SERVERKEY="$(gpg --homedir $GNUPGHOME --armor --export-secret-keys $key_email | base64 -w0)"
      PUBLIC_SERVERKEY="$(gpg --homedir $GNUPGHOME --armor --export $key_email | base64 -w0)"

      cd /tmp
      cpuArch=${CPU_ARCH:-$(eval "case `uname -m` in 'x86_64') echo 'amd64';;'aarch64') echo 'arm64';;esac")}
      kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "$(curl -L -s${cpuArch}/kubectl"'}
      eval $kubectlDownload
      chmod +x kubectl
      ./kubectl patch secret mypassbolt-sec-gpg --type='json' -p='[{"op": "replace", "path" : "/data/serverkey_private.asc", "value" : '"${PRIVATE_SERVERKEY}"'}]'
      ./kubectl patch secret mypassbolt-sec-gpg --type='json' -p='[{"op": "replace", "path" : "/data/serverkey.asc", "value" : '"${PUBLIC_SERVERKEY}"'}]'
      touch /tmp/pod/success
      echo "Success"

    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    6
      Started:      Mon, 15 Jan 2024 15:34:08 +0100
      Finished:     Mon, 15 Jan 2024 15:34:51 +0100
    Ready:          False
    Restart Count:  4
    Environment Variables from:
      mypassbolt-cm-env   ConfigMap  Optional: false
      mypassbolt-sec-env  Secret     Optional: false
      DATASOURCES_DEFAULT_HOST:  mypassbolt-mariadb-primary
      /tmp/pod from mypassbolt-job-create-gpg-keys-vol-success (rw)
      /var/run/secrets/ from kube-api-access-2lrsr (ro)
  Type                        Status
  PodReadyToStartContainers   True
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    SizeLimit:  <unset>
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:        op=Exists for 300s
                    op=Exists for 300s
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  6m15s                default-scheduler  Successfully assigned default/mypassbolt-job-create-gpg-keys-ggxnp to sv-csl-008-b
  Normal   Pulling    6m14s                kubelet            Pulling image "passbolt/passbolt:4.4.2-1-ce"
  Normal   Pulled     5m42s                kubelet            Successfully pulled image "passbolt/passbolt:4.4.2-1-ce" in 32.495s (32.495s including waiting)
  Normal   Created    77s (x5 over 5m42s)  kubelet            Created container mypassbolt-job-create-gpg-keys
  Normal   Pulled     77s (x4 over 4m53s)  kubelet            Container image "passbolt/passbolt:4.4.2-1-ce" already present on machine
  Normal   Started    76s (x5 over 5m42s)  kubelet            Started container mypassbolt-job-create-gpg-keys
  Warning  BackOff    7s (x9 over 4m7s)    kubelet            Back-off restarting failed container mypassbolt-job-create-gpg-keys in pod mypassbolt-job-create-gpg-keys-ggxnp_default(ad1dd605-f413-4d96-975d-aab369dd9370)

I’d suggest not using kubernetes, it isn’t really an easy or beginner friendly way to install. Since you have Rocky we do offer an RPM package which would likely get you up and running quickest here.

Can you grab the logs from this?

Also a thing I have seen before on some set ups is an issue with the pvc so I would check there

Hello and thank you ! I’m sorry for my late answer but i was away from office because of health issue…

I know that kubernetes isn’t the easyest way to install passbolt, but my company want to buy it and to ensure that the front of passbolt will be highly avaible. We already have highly avaiable databases, so my objective is to build an infrastructure that can make the frontend of pasbolt highly avaiable.

Did you find issues with pvc? Or do you know others solutions that can allow me to make pasbolt frontend highly avaible?

Kind regards

Hey, apologies for the delay in getting back to you here. For some kubernetes set ups there can be some issues with PVCs. For example when running a testing cluster I had to enable local path storage

As for other solutions what is your HA requirement? A lot of people say HA but really they mean a DR set up where a few minutes of downtime is fine while failing over to another instance

Hello and thank you for your reply!

I’m writing a new topic on the forum to better describe my project. I want my passbolt instance to be redundant, i.e. with at least two web front-ends and a database cluster.

I’ve abandoned the idea of using Kubernetes for this project because it’s too complex.