Passbolt Kubernetes: Experiencing "You need an account to login" during fresh installation

Checklist
[X] I have read intro post: About the Installation Issues category
[X] I have read the tutorials, help and searched for similar issues
[X] I provide relevant information about my server (component names and versions, etc.)
[X] I provide a copy of my logs and healthcheck
[ ] I describe the steps I have taken to troubleshoot the problem
[X] I describe the steps on how to reproduce the issue

Hi Experts,

I ran into a problem when installing Passbolt Kubernetes executed via helm. It installs perfectly but I am stuck when trying to access the Web UI to complete the installation. It writes “You need an account to login”. This is a fresh installation and it is reproducible.

OS: Debian
Passbolt Version: 2.13.5
DB: MariaDB (coupled in the Helm repo)
Platform: Kubernetes
Method: Helm
Repo: passbolt 1.0.2 · cnieg/cnieg

Healthcheck:

root@passbolt-546496f577-jvmcs:/var/www/passbolt/bin# su -s /bin/bash -c "/var/www/passbolt/bin/cake passbolt healthcheck" www-data
Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]

Warning Error: SplFileInfo::openFile(/var/www/passbolt/tmp/cache/persistent/myapp_cake_core_translations_cake_console_en__u_s): failed to open stream: Permission denied in [/var/www/passbolt/vendor/cakephp/cakephp/src/Cache/Engine/FileEngine.php, line 406]


     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell       
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.3.24.
 [PASS] PCRE compiled with unicode support.
 [FAIL] The temporary directory and its content are not writable.
  [HELP] Ensure the temporary directory and its content are writable by the webserver user.
  [HELP] you can try:
  [HELP] sudo chown -R www-data:www-data /var/www/passbolt/tmp/
  [HELP] sudo chmod 775 $(find /var/www/passbolt/tmp/ -type d)
  [HELP] sudo chmod 664 $(find /var/www/passbolt/tmp/ -type f)
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /var/www/passbolt/config/
  [HELP] Copy /var/www/passbolt/config/passbolt.php.default to /var/www/passbolt/config/passbolt.php
  [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://central.prestomall.com
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
  [HELP] Check that the domain name is correct in config/passbolt.php
  [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] cURL Error (6) Could not resolve host: central.prestomall.com

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [FAIL] The server gpg key is not set
  [HELP] Create a key, export it and add the fingerprint to config/passbolt.php
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [FAIL] The server key fingerprint doesn't match the one defined in config/passbolt.php.
  [HELP] Double check the key fingerprint, example: 
  [HELP] sudo su -s /bin/bash -c "gpg --list-keys --fingerprint --home /home/www-data/.gnupg" www-data | grep -i -B 2 'SERVER_KEY_EMAIL'
  [HELP] SERVER_KEY_EMAIL: The email you used when you generated the server key.
  [HELP] See. https://www.passbolt.com/help/tech/install#toc_gpg
 [FAIL] The server public key defined in the config/passbolt.php (or environment variables) is not in the keyring
  [HELP] Import the private server key in the keyring of the webserver user.
  [HELP] you can try:
  [HELP] sudo su -s /bin/bash -c "gpg --home /home/www-data/.gnupg --import /var/www/passbolt/config/gpg/serverkey_private.asc" www-data
 [FAIL] The server key does not have a valid email id.
  [HELP] Edit or generate another key with a valid email id.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 2.13.5 and it should be v3.2.1.
  [HELP] See. https://www.passbolt.com/help/tech/update
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [WARN] Some email notifications are disabled by the administrator.

  9 error(s) found. Hang in there!

Hi!

Dani from Passbolt here. I reproduced it using your helm chart. This is the expected behaviour since you didn’t create any user so far. You can check how to create the first Passbolt user using the docker container in this doc. Since you are running the container in a pod inside a k8s cluster, you could execute that command by running the following:

kubectl exec -it <pod_name> -n <namespace> -- su -c "bin/cake passbolt register_user -u <user_mail> -f <first_name> -l <last_name> -r admin" -s /bin/bash www-data

After running it, you can get the url from the command output to finish the user creation.

Apart from that, I encourage you not to use that Passbolt image version by default (2.13.5-debian) since we are currently in v3.2.2. You can check our docker hub page.

I hope that helps you to finally get Passbolt running in kubernetes.

Regards,
Dani
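
Added example, not part of the reply above and not Passbolt's own tooling: a POSIX sh wrapper for the same `kubectl exec ... su -c "bin/cake passbolt register_user ..."` call that validates the pod, namespace and e-mail and quotes the names before they reach the shell that `su -c` starts in the pod. The function names and the `DRY_RUN` variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example; function names and DRY_RUN are hypothetical. The cake flags
# (-u -f -l -r admin) and the su/kubectl form are the ones quoted in the thread.

# True when $1 has no control characters and matches extended regex $2.
matches() {
  [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] &&
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Single-quote a value for the shell that `su -c` starts inside the pod,
# so spaces, quotes or `;` in a name stay data instead of becoming syntax.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Build the string handed to `su -c`: <email> <first_name> <last_name>.
build_inner_cmd() {
  matches "$1" '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' ||
    { echo "invalid e-mail address" >&2; return 1; }
  matches "$2" '.' && matches "$3" '.' ||
    { echo "first and last name are required" >&2; return 1; }
  printf 'bin/cake passbolt register_user -u %s -f %s -l %s -r admin' \
    "$(sq "$1")" "$(sq "$2")" "$(sq "$3")"
}

# Usage: register_first_admin <pod> <namespace> <email> <first> <last>
register_first_admin() {
  pod=$1 ns=$2
  # Kubernetes DNS names only, so a leading "-" cannot become a kubectl flag.
  k8s='^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$'
  matches "$pod" "$k8s" && matches "$ns" "$k8s" ||
    { echo "invalid pod or namespace name" >&2; return 1; }
  inner=$(build_inner_cmd "$3" "$4" "$5") || return 1
  # kubectl passes everything after "--" as argv (no shell), so the only
  # shell that parses $inner is the one su starts for www-data.
  set -- kubectl exec -it "$pod" -n "$ns" -- \
    su -c "$inner" -s /bin/bash www-data
  # DRY_RUN=1 prints the argv, one element per line, instead of running it.
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}
```

Run it once with `DRY_RUN=1` to review the exact arguments before executing against the cluster.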

Hi @Dani

Good day,
Ahh I was under the impression the Kubernetes installation would be similar to a Passbolt server installation. Apologies, I should have checked the docker guide properly.

In any case, the command worked like a charm.
There are some config issues but I will sort them out on my own.

Thanks again,
Sam