PassboltPro Kubernetes deployment issue

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: passbolt-mysqldb
  namespace: passbolt
spec:
  accessModes: [ "ReadWriteOnce" ]
  storageClassName: medium
  resources:
    requests:
      storage: 20Gi
---

apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: passbolt
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
  type: ClusterIP
---

apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: mysql
  namespace: passbolt
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:5.6
        name: mysql
        env:
          # Use secret in real usage
        - name: MYSQL_ROOT_PASSWORD
          value: testpurposes
        - name: MYSQL_DATABASE
          value: pboltdb
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: passbolt-mysqldb
          mountPath: /var/lib/mysql
      volumes:
      - name: passbolt-mysqldb
        persistentVolumeClaim:
          claimName: passbolt-mysqldb

=============================================

apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt
  namespace: passbolt
  labels:
    app: passbolt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt
  template:
    metadata:
      labels:
        app: passbolt
    spec:
      containers:
      - name: passbolt
        image: passbolt:latest-pro
        env:
        - name: DATASOURCES_DEFAULT_HOST
          value: 10.159.8.50
        - name: DATASOURCES_DEFAULT_PASSWORD
          value: testpurposes
        - name: DATASOURCES_DEFAULT_USERNAME
          value: root
        - name: DATASOURCES_DEFAULT_DATABASE
          value: pboltdb
        - name: APP_FULL_BASE_URL
          value: https://pass.kubernetes
        - name: EMAIL_TRANSPORT_DEFAULT_CLASS_NAME
          value: Smtp
        - name: EMAIL_DEFAULT_FROM
          value: noreply@nttsecurity.net
        - name: EMAIL_DEFAULT_TRANSPORT
          value: default
        - name: EMAIL_TRANSPORT_DEFAULT_HOST
          value: cluster1.eu.messagelabs.com
        ports:
        - containerPort: 443
        volumeMounts:
        - name: passboltpro-dir
          mountPath: /var/www/passbolt/config/license
      volumes:
      - name: passboltpro-dir
        hostPath:
          path: /root/passboltpro

---

apiVersion: v1
kind: Service
metadata:
  name: passbolt-svc
  namespace: passbolt
  labels:
    app: passbolt
spec:
  type: LoadBalancer
  ports:
  - name: https
    targetPort: 443
    port: 443
    protocol: TCP
  selector:
    app: passbolt

The pod just keeps on restarting and crashing

[root@ip-10-163-2-5 passboltpro]# kubectl get pod -n passbolt
NAME                            READY   STATUS             RESTARTS   AGE
mysql-6fbfc77d9f-g74wr          1/1     Running            0          29m
passbolt-app-699c7cf8d6-r8mwv   0/1     CrashLoopBackOff   6          10m

Anyone can advise please?

Summoning @diego to have a look.

Hi @erlchamp,

Sorry to hear you are having problems running our container images. It is a bit hard to help you without any more information, such as the events from the cluster or the logs from the container. However, taking a quick look at your passbolt deployment file, I would say your problem is the subscription key mount.

/var/www/passbolt/config/license must be a file. Taking a look at your volumeMounts section, it looks like what the container will find in /var/www/passbolt/config/license will be a directory.

I would suggest you set up your subscription key as a configmap and use subPath to mount the subscription key as a file. Something like this (not tested, bear with me if there are syntax errors):

Assuming you have a configmap called my-configmap (or a secret) which has the following data:

data:
  my-configmap-key: <DATA>

Where <DATA> would be your subscription key in base64. Then you could tell kubernetes to mount that specific chunk of data:

volumeMounts:
- name: my-configmap
  mountPath: /var/www/passbolt/config/license
  subPath: my-configmap-key

This is a bit of a wild guess as you are not providing any data from your logs that would provide us with more information on the exact reason why your container is restarting. But the mount was the first thing that caught my eye. Please next time provide more relevant information!!

Hope this helps.
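A complete version of the mount Diego describes, added here as an example; it is not code from the post or from Passbolt's own manifests. It uses a Secret rather than a ConfigMap, because the license is a credential and because base64 is what a Secret's data field expects (a ConfigMap's data values are plain strings; base64 content goes in binaryData). The Secret name passbolt-license, its key license, and the passbolt-db Secret holding the database password are assumptions; the rest of the Deployment mirrors the one in the question, except that the database host is the mysql Service from the same namespace instead of a hard-coded IP. Note that a subPath mount is a one-time bind of the key, so a renewed license written into the Secret only reaches the container after a pod restart.

```yaml
# Added example; not code from the thread or from Passbolt.
# Assumed names: Secret passbolt-license (key "license"),
# Secret passbolt-db (key "password"). Other values come from the question.
apiVersion: v1
kind: Secret
metadata:
  name: passbolt-license
  namespace: passbolt
type: Opaque
data:
  # Secret .data values are base64 of the raw file: base64 -w0 Pro-license.key
  # or let kubectl encode it for you:
  #   kubectl -n passbolt create secret generic passbolt-license \
  #     --from-file=license=Pro-license.key
  license: <base64 of Pro-license.key>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt
  namespace: passbolt
  labels:
    app: passbolt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt
  template:
    metadata:
      labels:
        app: passbolt
    spec:
      containers:
      - name: passbolt
        image: passbolt:latest-pro
        env:
        - name: DATASOURCES_DEFAULT_HOST
          value: mysql            # the ClusterIP Service from the question, same namespace
        - name: DATASOURCES_DEFAULT_USERNAME
          value: root
        - name: DATASOURCES_DEFAULT_PASSWORD
          valueFrom:              # instead of a plaintext value in the manifest
            secretKeyRef:
              name: passbolt-db
              key: password
        - name: DATASOURCES_DEFAULT_DATABASE
          value: pboltdb
        - name: APP_FULL_BASE_URL
          value: https://pass.kubernetes
        - name: EMAIL_TRANSPORT_DEFAULT_CLASS_NAME
          value: Smtp
        - name: EMAIL_DEFAULT_FROM
          value: noreply@nttsecurity.net
        - name: EMAIL_DEFAULT_TRANSPORT
          value: default
        - name: EMAIL_TRANSPORT_DEFAULT_HOST
          value: cluster1.eu.messagelabs.com
        ports:
        - containerPort: 443
        volumeMounts:
        - name: license
          # mountPath is the path of the FILE the application expects;
          # subPath picks one key out of the Secret, so a regular file
          # (not a directory containing the keys) appears at that path
          mountPath: /var/www/passbolt/config/license
          subPath: license
          readOnly: true
      volumes:
      - name: license
        secret:
          secretName: passbolt-license
          defaultMode: 0444       # readable by www-data inside the pod
```

After applying it, confirm the container really sees a file rather than a directory with `kubectl -n passbolt exec deploy/passbolt -- test -f /var/www/passbolt/config/license && echo file`; if that prints nothing, the volume is still being mounted without subPath.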

Hi @diego

for <DATA> should it be my license file? See below

data:
   my-configmap-key: Pro-license.key

Thanks

It should be your license file base64 encoded, so something like:

data:
  key: "mylicensekeyfilebase64enc"

You can encode it using:

base64 -w0 licensefile

@diego
kubectl logs passbolt-app-9bd85c85-r74s5 -f
==================================================================================
Your entropy pool is low. This situation could lead GnuPG to not
be able to create the gpg serverkey so the container start process will hang
until enough entropy is obtained.
Please consider installing rng-tools and/or virtio-rng on your host as the
preferred method to generate random numbers using a TRNG.
If rngd (rng-tools) does not provide enough or fast enough randomness you could
consider installing haveged as a helper to speed up this process.
Using haveged as a replacement for rngd is not recommended. You can read more
about this topic here: https://lwn.net/Articles/525459/
==================================================================================
gpg: directory ‘/home/www-data/.gnupg’ created
gpg: keybox ‘/home/www-data/.gnupg/pubring.kbx’ created

I am getting this error now, any advice please?

Hi @erlchamp,

You can follow the suggestions from the warning message. You need to fill the entropy pool faster and, in order to do so, your host needs to have rng-tools or haveged installed.

You could also run haveged as a separate daemonset, but that would require the daemonset to run in privileged mode, which is not ideal…

Depending on your cloud provider/kubernetes provider you might have some other options to provide entropy to your containers.
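The DaemonSet route from the reply above, written out as an added example (not a manifest from Passbolt or from the poster). The image name is an assumption, as are the kube-system namespace and the haveged labels. Two caveats before deploying it: a privileged pod on every node is a large blast radius for a convenience daemon, so prefer the narrower capability if your runtime accepts it; and since Linux 5.6 /dev/random no longer blocks once the kernel has initialized its pool at boot, so this mainly matters on nodes with older kernels.

```yaml
# Added example; not code from the thread or from Passbolt.
# Assumptions: the image (substitute one that ships the haveged binary),
# the kube-system namespace and the "haveged" labels.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: haveged
  namespace: kube-system
  labels:
    app: haveged
spec:
  selector:
    matchLabels:
      app: haveged
  template:
    metadata:
      labels:
        app: haveged
    spec:
      tolerations:
      - operator: Exists          # schedule on every node, tainted ones included
      containers:
      - name: haveged
        image: <image that provides haveged>
        # -F: stay in the foreground (PID 1 of the container)
        # -w 1024: top the pool up whenever it drops below 1024 bits
        command: ["haveged", "-F", "-w", "1024"]
        securityContext:
          # Feeding the kernel pool is the RNDADDENTROPY ioctl on /dev/random,
          # which requires CAP_SYS_ADMIN. privileged: true is the blunt way to
          # get it (what the reply above describes); a narrower alternative to
          # test on your runtime is privileged: false plus
          # capabilities.add: ["SYS_ADMIN"].
          privileged: true
        resources:
          requests:
            cpu: 10m
            memory: 16Mi
          limits:
            cpu: 100m
            memory: 32Mi
```

Because /dev/random is a kernel device shared by every container on the node, a single haveged pod per node feeds the same pool the passbolt container's gpg reads from; there is no per-pod setting needed on the passbolt side. Watch `/proc/sys/kernel/random/entropy_avail` on the node before and after rollout to confirm the daemon is actually contributing.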

hi @diego

Now it's a license error, could it be because my license has expired? My licence is only valid until May 30.

Hello @erlchamp,

Yes, it is due to your license having expired.

If you haven't received an email yet from our sales team to renew the license, please send us an email at sales@passbolt.com.

Best regards,
Cedric
