Unable to deploy helm chart - error 500 and waiting for database

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

Hello,

I’m encountering a weird issue when trying to deploy the Passbolt Helm chart. I’ve spent hours searching on my own and on the forums, but no luck.
I’ve tried:

  • Deployment with the MariaDB deployment from the chart
  • Deployment with MariaDB Galera from an existing installation (on the same Kubernetes cluster)
  • Deployment with the PostgreSQL deployment from the chart

The only working one is PostgreSQL, but only if I leave “CHANGEME” everywhere, which we obviously don’t want (and I personally want to use my existing Galera cluster anyway).

The problem seems to be located at installation (passbolt-depl-srv).
It gets stuck at “waiting for database connection …” even though, if I connect to the container, I can successfully connect to the MariaDB database passbolt with the stored environment variables.

It gets past this step if I change the manifest to:

      initContainers:
        - name: passbolt-depl-srv-init
          image: bitnami/mariadb

But when I do, the installation fails with error 500:

2024-07-08T20:31:47.212474054+02:00 Installing passbolt
2024-07-08T20:31:47.387863093+02:00 <!DOCTYPE html>
2024-07-08T20:31:47.387900671+02:00 <html class="passbolt no-js no-passboltplugin version" lang="en">
2024-07-08T20:31:47.387909850+02:00 <head>
2024-07-08T20:31:47.387918022+02:00     <meta charset="utf-8">
2024-07-08T20:31:47.387925855+02:00     <title>Passbolt | Error</title>
2024-07-08T20:31:47.387932853+02:00     <!--

I’ve also tried to change ‘passbolt/passbolt:4.6.2-1-ce’ to ‘passbolt/passbolt:4.8.0-1-ce’, as it seemed to be the latest from the Docker repository.

I’ve also checked the database and tried to create an empty database and even restore the structure from another installation (found elsewhere, not mine), but it’s always the same problem.

Below is the values.yaml I’ve used (removed confidential info).

# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

## Dependencies configuration parameters

## Redis dependency parameters

# -- Install redis as a depending chart
redisDependencyEnabled: true
# -- Install mariadb as a depending chart
mariadbDependencyEnabled: false
# -- Install postgresql as a depending chart
postgresqlDependencyEnabled: false

# Configure postgresql as a dependency chart
#postgresql:
#  auth:
#    # -- Configure postgresql auth username
#    username: CHANGEME
#    # -- Configure postgresql auth password
#    password: CHANGEME
#    # -- Configure postgresql auth database
#    database: passbolt

global:
  imageRegistry: ""
  imagePullSecrets: []

# Configure redis dependency chart
redis:
  auth:
    # -- Enable redis authentication
    enabled: true
    # -- Configure redis password
    password: "placeholder"
  sentinel:
    # -- Enable redis sentinel
    enabled: true

## MariaDB dependency parameters

# Configure mariadb as a dependency chart
mariadb:
  # -- Configure mariadb architecture
  architecture: replication
  auth:
    # -- Configure mariadb auth root password
    rootPassword: placeholder
    # -- Configure mariadb auth username
    username: passbolt
    # -- Configure mariadb auth password
    password: placeholder
    # -- Configure mariadb auth database
    database: passbolt
    # -- Configure mariadb auth replicationPassword
    replicationPassword: placeholder
  # -- Configure parameters for the primary instance.
  primary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored.
      existingClaim: ""
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Primary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Primary persistent volume claim annotations
      annotations: {}
      # -- Primary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Primary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}
  # -- Configure parameters for the secondary instance.
  secondary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Secondary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Secondary persistent volume claim annotations
      annotations: {}
      # -- Secondary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Secondary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}

## Passbolt configuration

## Passbolt container and sidecar parameters
app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: true
  #initImage:
  #  # -- Configure passbolt deployment init container image client for database
  #  client: mariadb
  #  registry: ""
  #  # -- Configure passbolt deployment image repository
  #  repository: mariadb
  #  # -- Configure passbolt deployment image pullPolicy
  #  pullPolicy: IfNotPresent
  #  # -- Overrides the image tag whose default is the chart appVersion.
  #  tag: latest
  image:
    # -- Configure passbolt deployment image repository
    registry: ""
    repository: passbolt/passbolt
    # -- Configure passbolt deployment image pullPolicy
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: 4.6.2-1-ce
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: mariadb
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: true
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: true
        # -- Configure redis sentinel proxy image
        image:
          registry: ""
          # -- Configure redis sentinel image repository
          repository: haproxy
          # -- Configure redis sentinel image tag
          tag: "latest"
        # -- Configure redis sentinel container resources
        resources: {}
        # -- Configure the passbolt deployment resources
  extraPodLabels: {}
  resources: {}
  tls:
    # -- If autogenerate is true, the chart will generate a secret with a certificate for APP_FULL_BASE_URL hostname
    # -- if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    autogenerate: true
    #existingSecret: ""

# -- Enable email cron
cronJobEmail:
  enabled: true
  schedule: "* * * * *"
  extraPodLabels: {}

## Passbolt environment parameters

# -- Pro subscription key in base64 only if you are using pro version
# subscriptionKey:
# -- Configure passbolt subscription key path
# subscription_keyPath: /etc/passbolt/subscription_key.txt

# -- Configure passbolt gpg directory
gpgPath: /etc/passbolt/gpg
# -- Gpg server private key in base64
gpgServerKeyPrivate: ""
# -- Gpg server public key in base64
gpgServerKeyPublic: ""
# -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys.
gpgExistingSecret: ""

# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys.
jwtExistingSecret: ""
# -- Configure passbolt jwt directory
jwtPath: /etc/passbolt/jwt
# -- JWT server private key in base64
jwtServerPrivate: ""
# -- JWT server public key in base64
jwtServerPublic: ""
# -- Forces overwrite JWT keys
jwtCreateKeysForced: false
jobCreateJwtKeys:
  extraPodLabels: {}

jobCreateGpgKeys:
  extraPodLabels: {}

passboltEnv:
  plain:
    # -- Configure passbolt privacy url
    PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
    # -- Configure passbolt fullBaseUrl
    APP_FULL_BASE_URL: https://passbolt.placeholder
    # -- Configure passbolt to force ssl
    PASSBOLT_SSL_FORCE: true
    # -- Toggle passbolt public registration
    PASSBOLT_REGISTRATION_PUBLIC: true
    # -- Configure passbolt cake cache server
    CACHE_CAKE_DEFAULT_SERVER: 127.0.0.1
    # -- Configure passbolt default email service port
    EMAIL_TRANSPORT_DEFAULT_PORT: 587
    # -- Toggle passbolt debug mode
    DEBUG: false
    # -- Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
    PASSBOLT_KEY_EMAIL: passbolt@placeholder
    # -- Toggle passbolt selenium mode
    PASSBOLT_SELENIUM_ACTIVE: false
    # -- Configure passbolt license path
    PASSBOLT_PLUGINS_LICENSE_LICENSE: /etc/passbolt/subscription_key.txt
    # -- Configure passbolt default email from
    EMAIL_DEFAULT_FROM: no-reply@placeholder
    # -- Configure passbolt default email from name
    EMAIL_DEFAULT_FROM_NAME: Passbolt
    # -- Configure passbolt default email host
    EMAIL_TRANSPORT_DEFAULT_HOST: 127.0.0.1
    # -- Configure passbolt default email timeout
    EMAIL_TRANSPORT_DEFAULT_TIMEOUT: 30
    # -- Toggle passbolt tls
    EMAIL_TRANSPORT_DEFAULT_TLS: true
    # -- Configure passbolt jwt private key path
    PASSBOLT_JWT_SERVER_KEY: /var/www/passbolt/config/jwt/jwt.key
    # -- Configure passbolt jwt public key path
    PASSBOLT_JWT_SERVER_PEM: /var/www/passbolt/config/jwt/jwt.pem
    # -- Toggle passbolt jwt authentication
    PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: true
    # -- Download Command for kubectl
    KUBECTL_DOWNLOAD_CMD: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    # -- Configure passbolt default database host
    DATASOURCES_DEFAULT_HOST: mariadb-galera.mariadb-galera
    # -- Configure passbolt default database port
    DATASOURCES_DEFAULT_PORT: 3306
  secret:
    # -- Configure passbolt cake cache password
    CACHE_CAKE_DEFAULT_PASSWORD: placeholder
    # -- Configure passbolt default database password
    DATASOURCES_DEFAULT_PASSWORD: placeholder
    # -- Configure passbolt default database username
    DATASOURCES_DEFAULT_USERNAME: passbolt
    # -- Configure passbolt default database
    DATASOURCES_DEFAULT_DATABASE: passbolt
    # -- Configure passbolt default email service username
    EMAIL_TRANSPORT_DEFAULT_USERNAME: CHANGEME
    # -- Configure passbolt default email service password
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: CHANGEME
    # -- Configure passbolt server gpg key fingerprint
    # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:
    # -- Configure passbolt security salt.
    # SECURITY_SALT:
  # -- Environment variables to add to the passbolt pods
  extraEnv: []
  # -- Environment variables from secrets or configmaps to add to the passbolt pods
  extraEnvFrom:
    []
    # - secretRef:
    #     name: passbolt-secret
## Passbolt deployment parameters

# -- If autoscaling is disabled this will define the number of pods to run
replicaCount: 2

# Configure autoscaling on passbolt deployment
autoscaling:
  # -- Enable autoscaling on passbolt deployment
  enabled: false
  # -- Configure autoscaling minimum replicas
  minReplicas: 1
  # -- Configure autoscaling maximum replicas
  maxReplicas: 100
  # -- Configure autoscaling target CPU utilization percentage
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

# -- Enable role based access control
rbacEnabled: true

# -- Configure passbolt container livenessProbe
livenessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: passbolt.placeholder
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: passbolt.placeholder
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10

# Configure network policies to allow ingress access passbolt pods
# networkPolicy defines which labels are allowed to reach to passbolt
# and which namespaces
networkPolicy:
  # -- Enable network policies to allow ingress access passbolt pods
  enabled: false
  # -- Configure network policies label for ingress deployment
  label: app.kubernetes.io/name
  # -- Configure network policies podLabel for podSelector
  podLabel: ingress-nginx
  # -- Configure network policies namespaceLabel for namespaceSelector
  namespaceLabel: ingress-nginx

# -- Configure image pull secrets
imagePullSecrets: []
# -- Value to override the chart name on default
nameOverride: ""
# -- Value to override the whole fullName
fullnameOverride: ""

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}

# -- Map of annotation for passbolt server pod
podAnnotations: {}

# -- Security Context configuration for passbolt server pod
podSecurityContext:
  {}
  # fsGroup: 2000

service:
  # -- Configure passbolt service type
  type: ClusterIP
  # -- Annotations to add to the service
  annotations: {}
  # -- Configure the service ports
  ports:
    # -- Configure the HTTPS port
    https:
      # -- Configure passbolt HTTPS service port
      port: 443
      # -- Configure passbolt HTTPS service targetPort
      targetPort: 443
      # -- Configure passbolt HTTPS service port name
      name: https
    http:
      # -- Configure passbolt HTTP service port
      port: 80
      # -- Configure passbolt HTTP service targetPort
      targetPort: 80
      # -- Configure passbolt HTTP service port name
      name: http

ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations: {}
  # -- Configure passbolt ingress hosts
  hosts:
    # @ignored
    - host: passbolt.placeholder
      paths:
        - path: /
          port: https
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If autogenerate is true, the chart will generate a secret for the given hosts
    # if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    - autogenerate: true
      # existingSecret: ""
      hosts:
        - passbolt.placeholder
# -- Configure passbolt deployment nodeSelector
nodeSelector: {}

# -- Configure passbolt deployment tolerations
tolerations: []

# -- Configure passbolt deployment affinity
affinity: {}

# -- Add additional volumes, e.g. for overwriting config files
extraVolumes: []

# -- Add additional volume mounts, e.g. for overwriting config files
extraVolumeMounts: []

Do you have any ideas? Is the Helm chart working correctly? I’ve searched everywhere but I can’t find any information, and the error isn’t very understandable…

Note: I cannot connect to the container as it’s erroring, so I’m not able to give a healthcheck output.

Edit:
I’ve found some more logs that might lead to something (which I’m not able to resolve/understand). I’ve already tried to disable the healthcheck, but it’s still erroring:

2024-07-08T22:59:53.005595080+02:00 172.15.0.83 - - [08/Jul/2024:20:59:53 +0000] "GET /healthcheck/status.json HTTP/2.0" 500 5198 "-" "kube-probe/1.25"
2024-07-08T22:59:53.005835336+02:00 2024-07-08 20:59:53,005 WARN received SIGTERM indicating exit request
2024-07-08T22:59:53.007906513+02:00 2024-07-08 20:59:53,005 INFO waiting for php-fpm, nginx to die
2024-07-08T22:59:53.012931790+02:00 2024-07-08 20:59:53,012 INFO stopped: nginx (exit status 0)
2024-07-08T22:59:53.013235519+02:00 [08-Jul-2024 20:59:53] NOTICE: Terminating ...
2024-07-08T22:59:53.017834199+02:00 [08-Jul-2024 20:59:53] NOTICE: exiting, bye-bye!
2024-07-08T22:59:53.023515551+02:00 2024-07-08 20:59:53,023 INFO stopped: php-fpm (exit status 0)

Thanks