helm-charts's People

Contributors

crohr, dadummy, dominikkaminski, github-actions[bot], lukasredev, machisuji, margiov, morganbasset, nuclon, oliverguenther, openprojectci, renannprado, webnotesweb

helm-charts's Issues

User admin not created

Admin user is not created after deploy from helm.

Tried to execute the rake:seed command, but also to no avail.

On the database, there's an entry on table users with lastname 'System', but no login, and the user_passwords table is empty.

CrashLoopBackOff

This is my version of minikube
image

I used minikube and Helm and carried out the installation according to the OpenProject documentation, https://charts.openproject.org/
image

I use kubectl get pod -A to view my pod contents
image

The CrashLoopBackOff message is displayed

web server can't restart during failure because of server.pid remaining in tmp mount

When puma crashes in the openproject container of the openproject-web-* pod, the container is restarted, likely due to the liveness probe failing. On restart, puma does not boot up properly due to the (pre)existence of the server.pid, as can be seen in the logs:

=> Booting Puma
=> Rails 7.1.3.2 application starting in production 
=> Run `bin/rails server --help` for more startup options
A server is already running. Check /app/tmp/pids/server.pid.
Exiting

This is likely due to its existence in the container-wide tmp file mount.

Fail to start webapp with persistence=True

Hi all,

Using both the local storage PV and a cephfs PV, opf fails to start with the following error in the log:

-----> Setting PGVERSION=13 PGBIN=/usr/lib/postgresql/13/bin PGCONF_FILE=/etc/postgresql/13/main/postgresql.conf
chown: changing ownership of '/var/openproject/assets': Operation not permitted
chown: changing ownership of '/var/openproject/assets/files': Operation not permitted
chown: changing ownership of '/var/openproject/assets/git': Operation not permitted
chown: changing ownership of '/var/openproject/assets/svn': Operation not permitted

I can see the files in the PV from the host machines, and they appear to be owned by root. What UID is the chart trying to change the files to? That way I can change it before the pod launches and hopefully get over the error.

Seeder job is missing pull secrets

The seeder job is created without specifying the pull secrets configured in the global sections, thereby preventing deployments/updates from succeeding when using images from private registries.

Unable to deploy with a postgres password that has spaces

Abbreviated config fed to helm install/upgrade with -f

postgresql:
  bundled: false
  connection:
    host: hostname
    port: 5432
  auth:
    username: postgres
    database: openproject
    password: "This is a password with spaces."

Error from the pod

-----> Setting PGVERSION=13 PGBIN=/usr/lib/postgresql/13/bin PGCONF_FILE=/etc/postgresql/13/main/postgresql.conf
-----> Starting the all-in-one OpenProject setup at /app/docker/prod/supervisord...
/usr/local/lib/ruby/3.1.0/uri/rfc3986_parser.rb:67:in `split': bad URI(is not URI?): "postgresql://postgres:This is a password with spaces.@hostname:5432/openproject" (URI::InvalidURIError)
	from /usr/local/lib/ruby/3.1.0/uri/rfc3986_parser.rb:72:in `parse'
	from /usr/local/lib/ruby/3.1.0/uri/common.rb:188:in `parse'
	from /usr/local/lib/ruby/3.1.0/uri/common.rb:692:in `URI'
	from -e:1:in `<main>'

I'm pretty sure this password value in the template needs to be piped to quote: https://github.com/opf/helm-charts/blob/main/charts/openproject/templates/secrets.yaml#L12
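
Added example, not part of the original issue or the chart's code: it reproduces the `URI::InvalidURIError` from the log above with Ruby's own parser and shows that percent-encoding the credentials before they are placed in a `postgresql://` URL lets the same password round-trip. The helper names and the second sample password are constructed for illustration; host, port and database mirror the values in the report.

```ruby
require "uri"
require "erb"

# Percent-encode one URL component (user, password, database name) so that
# spaces, "@", ":", "/" and "#" cannot break the URL structure.
# ERB::Util.url_encode emits %20 for a space, not the form-encoding "+".
def encode_userinfo(value)
  ERB::Util.url_encode(value)
end

# Build a connection URL from separate fields, as a template or entrypoint
# script would. Parameter names are illustrative, not the chart's own keys.
def database_url(user:, password:, host:, port:, database:)
  "postgresql://#{encode_userinfo(user)}:#{encode_userinfo(password)}" \
    "@#{host}:#{port}/#{encode_userinfo(database)}"
end

# String interpolation without encoding, which yields the URL seen in the log.
def naive_url(password)
  "postgresql://postgres:#{password}@hostname:5432/openproject"
end

# Parse a URL and return the decoded password, or nil if Ruby rejects the URL.
def password_from(url)
  encoded = URI(url).password
  # decode_www_form_component is safe here: the encoder never emits a bare "+".
  encoded && URI.decode_www_form_component(encoded)
rescue URI::InvalidURIError
  nil
end

# Constructed sample passwords: the one from the report and one with delimiters.
PASSWORDS = ["This is a password with spaces.", "p@ss:w/rd #1"].freeze

if __FILE__ == $PROGRAM_NAME
  PASSWORDS.each do |pw|
    safe = database_url(user: "postgres", password: pw, host: "hostname",
                        port: 5432, database: "openproject")
    puts "naive   parses: #{!password_from(naive_url(pw)).nil?}"
    puts "encoded url   : #{safe}"
    puts "round trip ok : #{password_from(safe) == pw}"
  end
end
```

Whatever consumes the URL has to percent-decode the userinfo part for this to work; PostgreSQL's libpq does so for connection URIs.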

seeder-job.yaml is missing ca-pemstore volume and mount

When using a custom root CA for egress (egress.tls.rootCA) the volumes are created correctly for web and worker deployments but are missing in the seeder-job causing SSL errors: Excon::Error::Socket: SSL_CTX_load_verify_locations: system lib (OpenSSL::SSL::SSLError) (Excon::Error::Socket)

Memcached credentials not being used?

I found no use of the .Values.memcached.auth.* settings in any of the OpenProject related files. It might be used by the memcached chart, but what use is setting credentials only on one side of the connection?

Hence I guess those can be removed? Or, if this chart assumes the default credentials (username and password both memcached), then this needs to be fixed.

Use existingSecret for oidc secret as well

Hello,

I have noticed that you have recently refactored the secrets handling and improved secret management.
Thank you for that! I am referring, for example, to these: #46 #17

So this current "issue" might not be considered an issue/bug but rather a security enhancement suggestion, if I may.

If possible, can you please enable the use of existingSecret for the oidc secret as well, just as you have done with PG, for example.

Thank you very much for your time and help!

helm-chart version 4.4.0: the worker and web pod Init:Error

k8s: version 1.28.2, containerd: 1.6.27-1, helm: v3.14.0
Install steps:
1. download openproject-4.4.0.tgz.
2. tar xzvf openproject-4.4.0.tgz.
3. cd openproject
4. helm upgrade --create-namespace --namespace openproject --install my-openproject .
The output:
Release "my-openproject" does not exist. Installing it now.
coalesce.go:289: warning: destination for memcached.service.sessionAffinity is a table. Ignoring non-table value ()
NAME: my-openproject
LAST DEPLOYED: Fri Jan 19 12:29:43 2024
NAMESPACE: openproject
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing OpenProject 🎉
You can access it via https://openproject.example.com/

Summary:

OpenProject: 13-slim
PostgreSQL: 15.4.0-debian-11-r45
Memcached: 1.6.23-debian-11-r0

10 mins later:

memcached and postgresql pod running.

but the worker and web pod Init:Error.

the worker logs:
Defaulted container "openproject" out of: openproject, wait-for-db (init)
Error from server (BadRequest): container "openproject" in pod "openproject-worker-7666d94b85-jmnvv" is waiting to start: PodInitializing

the postgres logs:
2024-01-19 02:58:43.826 GMT [1] LOG: pgaudit extension initialized
2024-01-19 02:58:43.891 GMT [1] LOG: starting PostgreSQL 15.4 on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
2024-01-19 02:58:43.892 GMT [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2024-01-19 02:58:43.892 GMT [1] LOG: listening on IPv6 address "::", port 5432
2024-01-19 02:58:43.938 GMT [1] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2024-01-19 02:58:44.236 GMT [91] LOG: database system was shut down at 2024-01-19 02:58:20 GMT
2024-01-19 02:58:45.166 GMT [1] LOG: database system is ready to accept connections
2024-01-19 02:58:50.597 GMT [101] FATAL: password authentication failed for user "openproject"
2024-01-19 02:58:50.597 GMT [101] DETAIL: Role "openproject" does not exist.
Connection matched pg_hba.conf line 1: "host all all 0.0.0.0/0 md5"
2024-01-19 02:58:50.897 GMT [102] FATAL: password authentication failed for user "openproject"
2024-01-19 02:58:50.897 GMT [102] DETAIL: Role "openproject" does not exist.

The rest of the logs are the same as the 3 lines above.

I have entered the worker pod by:
kubectl exec -n openproject my-openproject-postgresql-0 -it bash

I have no name!@my-openproject-postgresql-0:/opt/bitnami/postgresql/bin$ psql -U openproject
Password for user openproject:
psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: FATAL: password authentication failed for user "openproject"

I used the password from the secret my-openproject-postgresql, but can't log in.

I tried the command: psql -U postgres, but it fails too.

Cannot upload logos on bare metal kubernetes

OpenProject 13.3.0 running helm chart 4.5.0, upgrading from 13.0.7 and unknown helm chart version prior.

We have a bare metal kubernetes cluster and it seems #38 changed the way tmp and its new volumes are mounted. It looks like there is a "sort of" workaround where develop: true changes the way those volumes are mounted, and it does seem to work, albeit we have errors about HTTPS since that also is bundled together.

The logging error is below, while attempting to upload a logo in the admin/design page.

# /usr/local/lib/ruby/3.2.0/tmpdir.rb:34:in `block in tmpdir': system temporary path is world-writable: /tmp (StructuredWarnings::StandardWarning)
# /usr/local/lib/ruby/3.2.0/tmpdir.rb:34:in `block in tmpdir': /tmp is world-writable: /tmp (StructuredWarnings::StandardWarning)
# 2024-02-16 18:18:26 +0000 Rack app ("POST /admin/design" - (ipaddress)): #<Errno::EROFS: Read-only file system @ rb_sysopen - /app/RackMultipart20240216-12-lup1dp.svg>

A further note, it's misleading to have tmp volumes while persistence.enabled: false. I went back to read the values comments and it does say "data directory" but I did not immediately make any connections here.

A secondary note, we have s3 turned on with direct upload, why does this even need to go to a tmp dir? Maybe the real fix here is to convert the rest of the custom design stuff to also use direct upload.

Thanks!

web deployment stuck in CrashLoopBackOff with new secret layout

The current chart releases appear to be unable to deploy any OpenProject release I have tried so far, since there appears to be no release that actually supports omitting the password in the DATABASE_URL environment variable.

When the postgres password is not included in DATABASE_URL as is the case with current chart versions, the web container fails to start because the supervisord script used for running the web container only uses DATABASE_URL and ignores any values that might be set in OPENPROJECT_DB_PASSWORD.

I'd suggest rolling back to the old behavior until the OpenProject image officially supports this alternate approach.

Use secrets instead of hardcoding credentials in the values.yaml file

Many other charts are not allowing usernames/passwords in the values.yaml file due to security considerations. Think of a GitOps approach where the values.yaml file is stored in Git. In this case it would be nice to have an alternative way.

Those charts use environment variables from secrets or are mounting the secrets into the pod, so the pod has access to the credentials. Then the values.yaml only needs to contain the references to those secrets, i.e. the secret names.

Example from the Bitnami-postgresql chart:
https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml#L35

Are there any plans to allow this for the openproject chart?

Environment variables reload with single replica

Hello,

We are currently testing configuration of environment vars via values.yaml and on initial run everything is working as expected.

Changes do take effect of course when initial deployment is made and they do take effect once when "openproject-staging-web" is redeployed (actual pod deleted).

These are for example super simple changes that I am trying to make just as a test:

$ git diff --cached
...
   environment:
-    OPENPROJECT_APP__TITLE: "OpenProject TEST Project"
-    OPENPROJECT_ATTACHMENT__MAX__SIZE: 10240
+    OPENPROJECT_APP__TITLE: "OpenProject Tool for TEST"
+    OPENPROJECT_ATTACHMENT__MAX__SIZE: 5120
...

accessModes is set to "ReadWriteMany" and strategy is set to "RollingUpdate".

I was able to achieve this without downtime with setting of number of OpenProject web process replicas to 2 and deleting one pod, and second one afterwards.

Is it possible to achieve environment vars configuration reload without downtime for single openproject-staging-web replica?

Might it be related to *web-*-tmp and *web-*-app-tmp volumeClaimTemplate accessModes that we are currently not able to override to ReadWriteMany because they are set by default to ReadWriteOnce?

Any insight is really appreciated! Thank you very much for your time!
