Checklist
- I have read intro post: About the Installation Issues category
- I have read the tutorials, help and searched for similar issues
- I provide relevant information about my server (component names and versions, etc.)
- I provide a copy of my logs and healthcheck
- I describe the steps I have taken to troubleshoot the problem
- I describe the steps on how to reproduce the issue
Hello,
I’m encountering a weird issue when trying to deploy the Helm chart of Passbolt. I’ve spent hours searching by myself and on forums, with no luck.
I’ve tried:
- Deployment with mariaDB deployment from chart
- Deployment with MariaDB galera from an existing installation (on the same kubernetes cluster)
- Deployment with postgresql deployment from chart
The only working one is PostgreSQL, but only if I leave “CHANGEME” everywhere, which we obviously don’t want (and I personally want to use my existing Galera cluster anyway).
The problem seems to be located at installation (passbolt-depl-srv).
It gets stuck at “waiting for database connection …”, even though if I connect to the container I can successfully connect to the MariaDB database passbolt with the stored environment variables.
It gets past this step if I change the manifest to:
```yaml
initContainers:
  - name: passbolt-depl-srv-init
    image: bitnami/mariadb
```
But when I do, the installation fails with error 500:
```
2024-07-08T20:31:47.212474054+02:00 Installing passbolt
2024-07-08T20:31:47.387863093+02:00 <!DOCTYPE html>
2024-07-08T20:31:47.387900671+02:00 <html class="passbolt no-js no-passboltplugin version" lang="en">
2024-07-08T20:31:47.387909850+02:00 <head>
2024-07-08T20:31:47.387918022+02:00 <meta charset="utf-8">
2024-07-08T20:31:47.387925855+02:00 <title>Passbolt | Error</title>
2024-07-08T20:31:47.387932853+02:00 <!--
```
I’ve also tried to change ‘passbolt/passbolt:4.6.2-1-ce’ to ‘passbolt/passbolt:4.8.0-1-ce’ as it seemed to be the latest from the Docker repository.
I’ve also checked the database and tried creating an empty database and even restoring the structure from another installation (found elsewhere, not mine), but it’s always the same problem.
Below is the values.yaml I’ve used (confidential info removed).
```yaml
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
## Dependencies configuration parameters
## Redis dependency parameters
# -- Install redis as a depending chart
redisDependencyEnabled: true
# -- Install mariadb as a depending chart
mariadbDependencyEnabled: false
# -- Install postgresql as a depending chart
postgresqlDependencyEnabled: false
# Configure postgresql as a dependency chart
#postgresql:
#  auth:
#    # -- Configure postgresql auth username
#    username: CHANGEME
#    # -- Configure postgresql auth password
#    password: CHANGEME
#    # -- Configure postgresql auth database
#    database: passbolt
global:
  imageRegistry: ""
  imagePullSecrets: []
# Configure redis dependency chart
redis:
  auth:
    # -- Enable redis authentication
    enabled: true
    # -- Configure redis password
    password: "placeholder"
  sentinel:
    # -- Enable redis sentinel
    enabled: true
## MariaDB dependency parameters
# Configure mariadb as a dependency chart
mariadb:
  # -- Configure mariadb architecture
  architecture: replication
  auth:
    # -- Configure mariadb auth root password
    rootPassword: placeholder
    # -- Configure mariadb auth username
    username: passbolt
    # -- Configure mariadb auth password
    password: placeholder
    # -- Configure mariadb auth database
    database: passbolt
    # -- Configure mariadb auth replicationPassword
    replicationPassword: placeholder
  # -- Configure parameters for the primary instance.
  primary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB primary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Name of an existing `PersistentVolumeClaim` for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored.
      existingClaim: ""
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Primary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Primary persistent volume claim annotations
      annotations: {}
      # -- Primary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Primary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}
  # -- Configure parameters for the secondary instance.
  secondary:
    # -- Configure persistence options.
    persistence:
      # -- Enable persistence on MariaDB secondary replicas using a `PersistentVolumeClaim`. If false, use emptyDir
      enabled: true
      # -- Subdirectory of the volume to mount at
      subPath: ""
      # -- Secondary persistent volume storage Class
      storageClass: ""
      # -- Labels for the PVC
      labels: {}
      # -- Secondary persistent volume claim annotations
      annotations: {}
      # -- Secondary persistent volume access Modes
      accessModes:
        - ReadWriteOnce
      # -- Secondary persistent volume size
      size: 8Gi
      # -- Selector to match an existing Persistent Volume
      selector: {}
## Passbolt configuration
## Passbolt container and sidecar parameters
app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: true
  #initImage:
  #  # -- Configure passbolt deployment init container image client for database
  #  client: mariadb
  #  registry: ""
  #  # -- Configure passbolt deployment image repository
  #  repository: mariadb
  #  # -- Configure passbolt deployment image pullPolicy
  #  pullPolicy: IfNotPresent
  #  # -- Overrides the image tag whose default is the chart appVersion.
  #  tag: latest
  image:
    # -- Configure passbolt deployment image repository
    registry: ""
    repository: passbolt/passbolt
    # -- Configure passbolt deployment image pullPolicy
    pullPolicy: IfNotPresent
    # -- Overrides the image tag whose default is the chart appVersion.
    tag: 4.6.2-1-ce
  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: mariadb
  cache:
    # Use CACHE_CAKE_DEFAULT_* variables to configure the connection to redis instance
    # on the passboltEnv configuration section
    redis:
      # -- By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php
      # That instructs passbolt to store sessions on redis and to use it as a general cache.
      enabled: true
      sentinelProxy:
        # -- Inject a haproxy sidecar container configured as a proxy to redis sentinel
        # Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
        enabled: true
        # -- Configure redis sentinel proxy image
        image:
          registry: ""
          # -- Configure redis sentinel image repository
          repository: haproxy
          # -- Configure redis sentinel image tag
          tag: "latest"
        # -- Configure redis sentinel container resources
        resources: {}
  # -- Configure the passbolt deployment resources
  extraPodLabels: {}
  resources: {}
  tls:
    # -- If autogenerate is true, the chart will generate a secret with a certificate for APP_FULL_BASE_URL hostname
    # -- if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    autogenerate: true
    #existingSecret: ""
# -- Enable email cron
cronJobEmail:
  enabled: true
  schedule: "* * * * *"
  extraPodLabels: {}
## Passbolt environment parameters
# -- Pro subscription key in base64 only if you are using pro version
# subscriptionKey:
# -- Configure passbolt subscription key path
# subscription_keyPath: /etc/passbolt/subscription_key.txt
# -- Configure passbolt gpg directory
gpgPath: /etc/passbolt/gpg
# -- Gpg server private key in base64
gpgServerKeyPrivate: ""
# -- Gpg server public key in base64
gpgServerKeyPublic: ""
# -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys.
gpgExistingSecret: ""
# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys.
jwtExistingSecret: ""
# -- Configure passbolt jwt directory
jwtPath: /etc/passbolt/jwt
# -- JWT server private key in base64
jwtServerPrivate: ""
# -- JWT server public key in base64
jwtServerPublic: ""
# -- Forces overwrite JWT keys
jwtCreateKeysForced: false
jobCreateJwtKeys:
  extraPodLabels: {}
jobCreateGpgKeys:
  extraPodLabels: {}
passboltEnv:
  plain:
    # -- Configure passbolt privacy url
    PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
    # -- Configure passbolt fullBaseUrl
    APP_FULL_BASE_URL: https://passbolt.placeholder
    # -- Configure passbolt to force ssl
    PASSBOLT_SSL_FORCE: true
    # -- Toggle passbolt public registration
    PASSBOLT_REGISTRATION_PUBLIC: true
    # -- Configure passbolt cake cache server
    CACHE_CAKE_DEFAULT_SERVER: 127.0.0.1
    # -- Configure passbolt default email service port
    EMAIL_TRANSPORT_DEFAULT_PORT: 587
    # -- Toggle passbolt debug mode
    DEBUG: false
    # -- Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
    PASSBOLT_KEY_EMAIL: passbolt@placeholder
    # -- Toggle passbolt selenium mode
    PASSBOLT_SELENIUM_ACTIVE: false
    # -- Configure passbolt license path
    PASSBOLT_PLUGINS_LICENSE_LICENSE: /etc/passbolt/subscription_key.txt
    # -- Configure passbolt default email from
    EMAIL_DEFAULT_FROM: no-reply@placeholder
    # -- Configure passbolt default email from name
    EMAIL_DEFAULT_FROM_NAME: Passbolt
    # -- Configure passbolt default email host
    EMAIL_TRANSPORT_DEFAULT_HOST: 127.0.0.1
    # -- Configure passbolt default email timeout
    EMAIL_TRANSPORT_DEFAULT_TIMEOUT: 30
    # -- Toggle passbolt tls
    EMAIL_TRANSPORT_DEFAULT_TLS: true
    # -- Configure passbolt jwt private key path
    PASSBOLT_JWT_SERVER_KEY: /var/www/passbolt/config/jwt/jwt.key
    # -- Configure passbolt jwt public key path
    PASSBOLT_JWT_SERVER_PEM: /var/www/passbolt/config/jwt/jwt.pem
    # -- Toggle passbolt jwt authentication
    PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: true
    # -- Download Command for kubectl
    KUBECTL_DOWNLOAD_CMD: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
    # -- Configure passbolt default database host
    DATASOURCES_DEFAULT_HOST: mariadb-galera.mariadb-galera
    # -- Configure passbolt default database port
    DATASOURCES_DEFAULT_PORT: 3306
  secret:
    # -- Configure passbolt cake cache password
    CACHE_CAKE_DEFAULT_PASSWORD: placeholder
    # -- Configure passbolt default database password
    DATASOURCES_DEFAULT_PASSWORD: placeholder
    # -- Configure passbolt default database username
    DATASOURCES_DEFAULT_USERNAME: passbolt
    # -- Configure passbolt default database
    DATASOURCES_DEFAULT_DATABASE: passbolt
    # -- Configure passbolt default email service username
    EMAIL_TRANSPORT_DEFAULT_USERNAME: CHANGEME
    # -- Configure passbolt default email service password
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: CHANGEME
    # -- Configure passbolt server gpg key fingerprint
    # PASSBOLT_GPG_SERVER_KEY_FINGERPRINT:
    # -- Configure passbolt security salt.
    # SECURITY_SALT:
  # -- Environment variables to add to the passbolt pods
  extraEnv: []
  # -- Environment variables from secrets or configmaps to add to the passbolt pods
  extraEnvFrom:
    []
    # - secretRef:
    #     name: passbolt-secret
## Passbolt deployment parameters
# -- If autoscaling is disabled this will define the number of pods to run
replicaCount: 2
# Configure autoscaling on passbolt deployment
autoscaling:
  # -- Enable autoscaling on passbolt deployment
  enabled: false
  # -- Configure autoscaling minimum replicas
  minReplicas: 1
  # -- Configure autoscaling maximum replicas
  maxReplicas: 100
  # -- Configure autoscaling target CPU utilization percentage
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
# -- Enable role based access control
rbacEnabled: true
# -- Configure passbolt container livenessProbe
livenessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    path: /healthcheck/status.json
    httpHeaders:
      - name: Host
        value: passbolt.placeholder
  initialDelaySeconds: 20
  periodSeconds: 10
# -- Configure passbolt container readinessProbe
readinessProbe:
  # @ignore
  httpGet:
    port: https
    scheme: HTTPS
    httpHeaders:
      - name: Host
        value: passbolt.placeholder
    path: /healthcheck/status.json
  initialDelaySeconds: 5
  periodSeconds: 10
# Configure network policies to allow ingress access passbolt pods
# networkPolicy defines which labels are allowed to reach to passbolt
# and which namespaces
networkPolicy:
  # -- Enable network policies to allow ingress access passbolt pods
  enabled: false
  # -- Configure network policies label for ingress deployment
  label: app.kubernetes.io/name
  # -- Configure network policies podLabel for podSelector
  podLabel: ingress-nginx
  # -- Configure network policies namespaceLabel for namespaceSelector
  namespaceLabel: ingress-nginx
# -- Configure image pull secrets
imagePullSecrets: []
# -- Value to override the chart name on default
nameOverride: ""
# -- Value to override the whole fullName
fullnameOverride: ""
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
# -- Map of annotation for passbolt server pod
podAnnotations: {}
# -- Security Context configuration for passbolt server pod
podSecurityContext:
  {}
  # fsGroup: 2000
service:
  # -- Configure passbolt service type
  type: ClusterIP
  # -- Annotations to add to the service
  annotations: {}
  # -- Configure the service ports
  ports:
    # -- Configure the HTTPS port
    https:
      # -- Configure passbolt HTTPS service port
      port: 443
      # -- Configure passbolt HTTPS service targetPort
      targetPort: 443
      # -- Configure passbolt HTTPS service port name
      name: https
    http:
      # -- Configure passbolt HTTP service port
      port: 80
      # -- Configure passbolt HTTP service targetPort
      targetPort: 80
      # -- Configure passbolt HTTP service port name
      name: http
ingress:
  # -- Enable passbolt ingress
  enabled: true
  # -- Configure passbolt ingress annotations
  annotations: {}
  # -- Configure passbolt ingress hosts
  hosts:
    # @ignored
    - host: passbolt.placeholder
      paths:
        - path: /
          port: https
          pathType: ImplementationSpecific
  # -- Configure passbolt ingress tls
  tls:
    # If autogenerate is true, the chart will generate a secret for the given hosts
    # if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    # @ignored
    - autogenerate: true
      # existingSecret: ""
      hosts:
        - passbolt.placeholder
# -- Configure passbolt deployment nodeSelector
nodeSelector: {}
# -- Configure passbolt deployment tolerations
tolerations: []
# -- Configure passbolt deployment affinity
affinity: {}
# -- Add additional volumes, e.g. for overwriting config files
extraVolumes: []
# -- Add additional volume mounts, e.g. for overwriting config files
extraVolumeMounts: []
```
Do you have any ideas? Is the Helm chart working correctly? I’ve searched everywhere but can’t find any information, and the error isn’t very understandable…
Note: I cannot connect to the container as it’s erroring, so I’m not able to provide healthcheck output.
Edit:
I’ve found some more logs that might lead to something (which I’m not able to resolve/understand). I already tried disabling the healthcheck, but it is still erroring:
```
2024-07-08T22:59:53.005595080+02:00 172.15.0.83 - - [08/Jul/2024:20:59:53 +0000] "GET /healthcheck/status.json HTTP/2.0" 500 5198 "-" "kube-probe/1.25"
2024-07-08T22:59:53.005835336+02:00 2024-07-08 20:59:53,005 WARN received SIGTERM indicating exit request
2024-07-08T22:59:53.007906513+02:00 2024-07-08 20:59:53,005 INFO waiting for php-fpm, nginx to die
2024-07-08T22:59:53.012931790+02:00 2024-07-08 20:59:53,012 INFO stopped: nginx (exit status 0)
2024-07-08T22:59:53.013235519+02:00 [08-Jul-2024 20:59:53] NOTICE: Terminating ...
2024-07-08T22:59:53.017834199+02:00 [08-Jul-2024 20:59:53] NOTICE: exiting, bye-bye!
2024-07-08T22:59:53.023515551+02:00 2024-07-08 20:59:53,023 INFO stopped: php-fpm (exit status 0)
```
Thanks
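
The post above points out that shipping the chart with "CHANGEME" left everywhere is not acceptable. As an added example (not part of the original post and not code from the Passbolt chart), this pre-deploy check walks an indented values file and reports password keys still set to a placeholder, plus image tags left at `latest`. The function name, the placeholder list and the sample excerpt are assumptions constructed for illustration.

```python
import re

# Literals treated as "never changed" (assumption: the two used on this page).
PLACEHOLDERS = {"changeme", "placeholder"}
# Optional list dash, then "key: value" in block-style YAML.
LINE = re.compile(r"^(\s*)(?:- )?([A-Za-z_][\w.-]*):\s*(.*)$")

def audit_values(text):
    """Return (dotted.path, reason) findings for a block-style values.yaml."""
    findings, stack = [], []  # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        while stack and stack[-1][0] >= indent:  # leave deeper/sibling maps
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if rest == "":  # key opens a nested mapping
            stack.append((indent, key))
            continue
        value = rest.strip("\"'")
        if "password" in key.lower() and value.lower() in PLACEHOLDERS:
            findings.append((path, "placeholder credential"))
        if key == "tag" and value == "latest":
            findings.append((path, "unpinned image tag"))
    return findings

# Constructed excerpt that mirrors the key layout of the values file above.
SAMPLE = """\
redis:
  auth:
    password: "placeholder"
app:
  cache:
    redis:
      sentinelProxy:
        image:
          repository: haproxy
          tag: "latest"
passboltEnv:
  secret:
    DATASOURCES_DEFAULT_PASSWORD: s3cr3t-from-vault  # constructed value
    EMAIL_TRANSPORT_DEFAULT_PASSWORD: CHANGEME
"""

if __name__ == "__main__":
    for path, reason in audit_values(SAMPLE):
        print(f"{reason}: {path}")
```

It relies on indentation only, so it is meant for block-style values files like the one in this post, not arbitrary YAML.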