opf / helm-charts
OPF helm chart repository
Home Page: https://charts.openproject.org
License: GNU General Public License v3.0
Admin user is not created after deploy from helm.
I tried to execute the rake:seed command, but also to no avail.
In the database there is an entry in the users table with lastname 'System' but no login, and the user_passwords table is empty.
This is my version of minikube.
I used minikube and helm and carried out the installation according to the OpenProject documentation, https://charts.openproject.org/.
I used kubectl get pod -A to view my pods.
The CrashLoopBackOff message is displayed.
When puma crashes in the openproject container of the openproject-web-* pod, the container is restarted, likely due to the liveness probe failing. On restart puma does not boot up properly due to the (pre)existence of the server.pid, as can be seen in the logs:
=> Booting Puma
=> Rails 7.1.3.2 application starting in production
=> Run `bin/rails server --help` for more startup options
A server is already running. Check /app/tmp/pids/server.pid.
Exiting
This is likely due to its existence in the container-wide tmp file mount
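An added example, not code from the opf/helm-charts repository or from OpenProject: a pre-boot check that decides whether a pidfile such as /app/tmp/pids/server.pid may be deleted. It assumes the pidfile path from the log above, that the server process is recognisable by the substring "puma" in its command line, and that /proc is available (Linux). A liveness check on the PID alone is not sufficient after a container restart, because PID numbering starts over and the recorded PID can be alive yet belong to an unrelated process; the example therefore also compares the command line where /proc allows it.

```ruby
# Added example, not part of opf/helm-charts or the OpenProject code base.
# Pre-boot check for a Rails/puma pidfile such as /app/tmp/pids/server.pid:
# remove the file when the PID it names is dead or belongs to some other program,
# keep it when a puma process really is running under that PID.

# True when a process with this PID exists (EPERM means it exists but is not ours).
def pid_alive?(pid)
  Process.kill(0, pid)
  true
rescue Errno::ESRCH
  false
rescue Errno::EPERM
  true
end

# Command line of a process from /proc (Linux only); nil where /proc is unavailable.
def process_command(pid)
  path = "/proc/#{pid}/cmdline"
  return nil unless File.exist?(path)
  File.binread(path).tr("\0", " ").strip
rescue SystemCallError
  nil
end

# Returns :absent, :kept or :removed.
# The command-line comparison matters after a container restart: PID numbering
# starts over, so the recorded PID can be alive yet belong to an unrelated process.
def clear_stale_pidfile(path, expected_command: "puma")
  return :absent unless File.exist?(path)

  pid = File.read(path).strip.to_i
  if pid > 0 && pid_alive?(pid)
    cmd = process_command(pid)
    # Without /proc we cannot tell what the PID is; err on the side of keeping a live server.
    return :kept if cmd.nil? || cmd.include?(expected_command)
  end

  File.delete(path)
  :removed
end

if __FILE__ == $PROGRAM_NAME
  # Assumed default path, taken from the log excerpt above.
  pidfile = ARGV.fetch(0, "/app/tmp/pids/server.pid")
  puts "#{pidfile}: #{clear_stale_pidfile(pidfile)}"
end
```

Run it before the server command in whatever wrapper starts puma; a malformed pidfile (no number at all) is treated as stale and removed as well.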
Hi all,
Using both the local storage PV and a cephfs PV, opf fails to start with the following error in the log:
-----> Setting PGVERSION=13 PGBIN=/usr/lib/postgresql/13/bin PGCONF_FILE=/etc/postgresql/13/main/postgresql.conf
chown: changing ownership of '/var/openproject/assets': Operation not permitted
chown: changing ownership of '/var/openproject/assets/files': Operation not permitted
chown: changing ownership of '/var/openproject/assets/git': Operation not permitted
chown: changing ownership of '/var/openproject/assets/svn': Operation not permitted
I can see the files in the PV from the host machines, and they appear to be owned by root. What UID is the chart trying to change the files to? That way I can change it before the pod launches and hopefully get over the error.
The seeder job is created without specifying the pull secrets configured in the global sections, thereby preventing deployments/updates from succeeding when using images from private registries.
Abbreviated config fed to helm install/upgrade with -f:
postgresql:
  bundled: false
  connection:
    host: hostname
    port: 5432
  auth:
    username: postgres
    database: openproject
    password: "This is a password with spaces."
Error from the pod
-----> Setting PGVERSION=13 PGBIN=/usr/lib/postgresql/13/bin PGCONF_FILE=/etc/postgresql/13/main/postgresql.conf
-----> Starting the all-in-one OpenProject setup at /app/docker/prod/supervisord...
/usr/local/lib/ruby/3.1.0/uri/rfc3986_parser.rb:67:in `split': bad URI(is not URI?): "postgresql://postgres:This is a password with spaces.@hostname:5432/openproject" (URI::InvalidURIError)
from /usr/local/lib/ruby/3.1.0/uri/rfc3986_parser.rb:72:in `parse'
from /usr/local/lib/ruby/3.1.0/uri/common.rb:188:in `parse'
from /usr/local/lib/ruby/3.1.0/uri/common.rb:692:in `URI'
from -e:1:in `<main>'
I'm pretty sure this password value in the template needs to be piped to quote: https://github.com/opf/helm-charts/blob/main/charts/openproject/templates/secrets.yaml#L12
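As an added example (not code from opf/helm-charts or OpenProject), the Ruby below reproduces the URI::InvalidURIError from the log with the values of this report and shows the fix: percent-encode the credentials before interpolating them into DATABASE_URL. The field values are the ones from the report; "hostname" stands in for the real host as it does there.

```ruby
require "uri"

# Added example, not code from opf/helm-charts or OpenProject. It reproduces the
# URI::InvalidURIError above from an unencoded password and shows the fix:
# percent-encode the credentials before interpolating them into DATABASE_URL.

# Bytes allowed verbatim in a URL userinfo field (RFC 3986 "unreserved").
UNRESERVED_BYTES = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~".bytes

def pct_encode(str)
  str.each_byte.map { |b| UNRESERVED_BYTES.include?(b) ? b.chr : format("%%%02X", b) }.join
end

def pct_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding("UTF-8")
end

# What the reported template effectively did: raw string interpolation.
def naive_database_url(user:, password:, host:, port:, database:)
  "postgresql://#{user}:#{password}@#{host}:#{port}/#{database}"
end

# Corrected: user and password are percent-encoded, so spaces, "@", "/", ":" and "#"
# in a password can no longer break the URL structure.
def database_url(user:, password:, host:, port:, database:)
  "postgresql://#{pct_encode(user)}:#{pct_encode(password)}@#{host}:#{port}/#{database}"
end

# True when Ruby's URI parser (the one the image invoked in the log above) accepts the URL.
def parseable?(url)
  URI.parse(url)
  true
rescue URI::InvalidURIError
  false
end

# Round trip: read the password back out of a URL the way a consumer would.
def password_from_url(url)
  pct_decode(URI.parse(url).password.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Values from the report; "hostname" stands in for the real host as it does there.
  fields = { user: "postgres", password: "This is a password with spaces.",
             host: "hostname", port: 5432, database: "openproject" }
  puts "naive URL parses: #{parseable?(naive_database_url(**fields))}"
  url = database_url(**fields)
  puts url
  puts "password recovered: #{password_from_url(url) == fields[:password]}"
end
```

Note that form-style encoding, where a space becomes "+", is the wrong tool here: the userinfo part of a URL is not a query string, and a "+" there is taken literally, so a password containing spaces would silently become a different password. Percent-encoding (%20) is what a URL consumer decodes.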
I found no hint on whether or not I can adjust the storageClass for the PostgreSQL PVC. I found the entry for the openproject PVC: https://github.com/opf/helm-charts/blob/main/charts/openproject/values.yaml#L263
Is it currently not possible to adjust this?
Hi,
I have a problem with the seeder job due to its random name:
In ArgoCD my application is always OutOfSync. Also, the seeder job doesn't support annotations.
Is this random name mandatory?
Otherwise, can you implement a seeder.annotations: {} option?
Thanks
When using a custom root CA for egress (egress.tls.rootCA) the volumes are created correctly for web and worker deployments but are missing in the seeder-job causing SSL errors: Excon::Error::Socket: SSL_CTX_load_verify_locations: system lib (OpenSSL::SSL::SSLError) (Excon::Error::Socket)
helm-charts/charts/openproject/values.yaml, line 152 in cd48e06
I found no use of the .Values.memcached.auth.* settings in any of the OpenProject related files. They might be used by the memcached chart, but what use is setting credentials on only one side of the connection?
Hence I guess those can be removed? Or, if this chart assumes the default credentials (username and password both memcached), then this needs to be fixed.
Hello,
I have noticed that you have recently done some refactoring of secrets handling and improved secret management.
Thank you for that! I am referring, for example, to these: #46 #17
So this current "issue" might not be considered an issue/bug but rather a security enhancement suggestion, if I may.
If possible, can you please enable the use of existingSecret for the oidc secret as well, just as you have done with PG, for example?
Thank you very much for your time and help!
k8s: version 1.28.2, containerd: 1.6.27-1, helm: v3.14.0
Install steps:
1. Download openproject-4.4.0.tgz.
2. tar xzvf openproject-4.4.0.tgz
3. cd openproject
4. helm upgrade --create-namespace --namespace openproject --install my-openproject .
the echos:
Release "my-openproject" does not exist. Installing it now.
coalesce.go:289: warning: destination for memcached.service.sessionAffinity is a table. Ignoring non-table value ()
NAME: my-openproject
LAST DEPLOYED: Fri Jan 19 12:29:43 2024
NAMESPACE: openproject
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing OpenProject 🎉
You can access it via https://openproject.example.com/
OpenProject: 13-slim
PostgreSQL: 15.4.0-debian-11-r45
Memcached: 1.6.23-debian-11-r0
10 minutes later:
The memcached and postgresql pods are running,
but the worker and web pods are in Init:Error.
the worker logs:
Defaulted container "openproject" out of: openproject, wait-for-db (init)
Error from server (BadRequest): container "openproject" in pod "openproject-worker-7666d94b85-jmnvv" is waiting to start: PodInitializing
the postgres logs:
2024-01-19 02:58:43.826 GMT [1] LOG: pgaudit extension initialized
2024-01-19 02:58:43.891 GMT [1] LOG: starting PostgreSQL 15.4 on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
2024-01-19 02:58:43.892 GMT [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2024-01-19 02:58:43.892 GMT [1] LOG: listening on IPv6 address "::", port 5432
2024-01-19 02:58:43.938 GMT [1] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2024-01-19 02:58:44.236 GMT [91] LOG: database system was shut down at 2024-01-19 02:58:20 GMT
2024-01-19 02:58:45.166 GMT [1] LOG: database system is ready to accept connections
2024-01-19 02:58:50.597 GMT [101] FATAL: password authentication failed for user "openproject"
2024-01-19 02:58:50.597 GMT [101] DETAIL: Role "openproject" does not exist.
Connection matched pg_hba.conf line 1: "host all all 0.0.0.0/0 md5"
2024-01-19 02:58:50.897 GMT [102] FATAL: password authentication failed for user "openproject"
2024-01-19 02:58:50.897 GMT [102] DETAIL: Role "openproject" does not exist.
The rest of the logs are the same as the 3 lines above.
I have entered the worker pod by:
kubectl exec -n openproject my-openproject-postgresql-0 -it bash
I have no name!@my-openproject-postgresql-0:/opt/bitnami/postgresql/bin$ psql -U openproject
Password for user openproject:
psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: FATAL: password authentication failed for user "openproject"
I used the password from the my-openproject-postgresql secret, but can't log in.
I tried the command psql -U postgres, but that fails too.
OpenProject 13.3.0 running helm chart 4.5.0, upgrading from 13.0.7 and an unknown helm chart version prior.
We have a bare metal Kubernetes cluster and it seems #38 changed the way tmp and its new volumes are mounted. It looks like there is a "sort of" workaround where develop: true changes the way those volumes are mounted, and it does seem to work, albeit we have errors about HTTPS since that is also bundled together.
The logging error is below, while attempting to upload a logo in the admin/design page.
# /usr/local/lib/ruby/3.2.0/tmpdir.rb:34:in `block in tmpdir': system temporary path is world-writable: /tmp (StructuredWarnings::StandardWarning)
# /usr/local/lib/ruby/3.2.0/tmpdir.rb:34:in `block in tmpdir': /tmp is world-writable: /tmp (StructuredWarnings::StandardWarning)
# 2024-02-16 18:18:26 +0000 Rack app ("POST /admin/design" - (ipaddress)): #<Errno::EROFS: Read-only file system @ rb_sysopen - /app/RackMultipart20240216-12-lup1dp.svg>
A further note: it's misleading to have tmp volumes while persistence.enabled: false. I went back to read the values comments and it does say "data directory", but I did not immediately make any connections here.
A secondary note: we have S3 turned on with direct upload, so why does this even need to go to a tmp dir? Maybe the real fix here is to convert the rest of the custom design stuff to also use direct upload.
Thanks!
Hi,
I think it would be better to use the cluster's default ingress by default. Many Kubernetes clusters don't use nginx.
The current chart releases appear to be unable to deploy any OpenProject release I have tried so far, since there appears to be no release that actually supports omitting the password in the DATABASE_URL environment variable.
When the postgres password is not included in DATABASE_URL, as is the case with current chart versions, the web container fails to start because the supervisord script used for running the web container only uses DATABASE_URL and ignores any values that might be set in OPENPROJECT_DB_PASSWORD.
I'd suggest rolling back to the old behavior until the OpenProject image officially supports this alternate approach.
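As an added example that is neither the chart's, the image's nor OpenProject's own code: a small Ruby resolver for the two variables named in this report. It assumes the precedence a startup wrapper would want (a password inside DATABASE_URL wins, otherwise OPENPROJECT_DB_PASSWORD is used, and with neither present startup fails loudly rather than continuing without credentials), the PostgreSQL default port 5432 when the URL omits one, and a constructed sample environment rather than values from a real deployment.

```ruby
require "uri"

# Added example, not code from opf/helm-charts or the OpenProject image.
# Resolves the effective PostgreSQL connection settings from the two variables
# named in the report: DATABASE_URL and OPENPROJECT_DB_PASSWORD. A password
# inside DATABASE_URL wins; otherwise OPENPROJECT_DB_PASSWORD is used; with
# neither present we fail loudly instead of starting without credentials
# (the failure mode reported above).

# Bytes allowed verbatim in a URL userinfo field (RFC 3986 "unreserved").
UNRESERVED_BYTES = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~".bytes

def pct_encode(str)
  str.each_byte.map { |b| UNRESERVED_BYTES.include?(b) ? b.chr : format("%%%02X", b) }.join
end

def pct_decode(str)
  str.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding("UTF-8")
end

# env is a Hash such as ENV.to_h; returns a Hash of connection settings.
def resolve_db_config(env)
  url = env["DATABASE_URL"].to_s
  raise ArgumentError, "DATABASE_URL is not set" if url.empty?

  uri = URI.parse(url)
  url_password = pct_decode(uri.password.to_s)
  source = url_password.empty? ? :environment : :database_url
  password = source == :database_url ? url_password : env["OPENPROJECT_DB_PASSWORD"].to_s
  if password.empty?
    raise ArgumentError,
          "no database password: DATABASE_URL carries none and OPENPROJECT_DB_PASSWORD is unset"
  end

  {
    host: uri.host,
    port: uri.port || 5432, # assumption: PostgreSQL default port when the URL omits it
    user: pct_decode(uri.user.to_s),
    password: password,
    database: uri.path.to_s.delete_prefix("/"),
    password_source: source,
  }
end

# A single URL with the password merged in, i.e. what a startup wrapper could
# export as DATABASE_URL so that a script reading only that variable still works.
def effective_database_url(env)
  c = resolve_db_config(env)
  "postgresql://#{pct_encode(c[:user])}:#{pct_encode(c[:password])}@#{c[:host]}:#{c[:port]}/#{c[:database]}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample environment, not taken from a real deployment.
  sample = { "DATABASE_URL" => "postgresql://openproject@db:5432/openproject",
             "OPENPROJECT_DB_PASSWORD" => "s3cret" }
  puts effective_database_url(sample)
end
```

The merged URL is what a wrapper would hand to a consumer that reads only DATABASE_URL; the password is percent-encoded on the way in, so a value with spaces or "@" survives the round trip.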
Many other charts do not allow usernames/passwords in the values.yaml file due to security considerations. Think of a GitOps approach where the values.yaml file is stored in Git. In this case it would be nice to have an alternative way.
Those charts use environment variables from secrets, or mount the secrets into the pod, so the pod has access to the credentials. Then the values.yaml only needs to contain the references to those secrets, i.e. the secret names.
Example from the Bitnami postgresql chart: https://github.com/bitnami/charts/blob/main/bitnami/postgresql/values.yaml#L35
Are there any plans to allow this for the openproject chart?
Hello,
We are currently testing the configuration of environment variables via values.yaml, and on the initial run everything works as expected.
Changes take effect, of course, when the initial deployment is made, and they take effect once "openproject-staging-web" is redeployed (actual pod deleted).
These are, for example, super simple changes that I am trying to make just as a test:
$ git diff --cached
...
environment:
- OPENPROJECT_APP__TITLE: "OpenProject TEST Project"
- OPENPROJECT_ATTACHMENT__MAX__SIZE: 10240
+ OPENPROJECT_APP__TITLE: "OpenProject Tool for TEST"
+ OPENPROJECT_ATTACHMENT__MAX__SIZE: 5120
...
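Review bot: the two entries in this hunk are typed differently: OPENPROJECT_APP__TITLE is a quoted string, while OPENPROJECT_ATTACHMENT__MAX__SIZE is changed from one bare integer (10240) to another (5120). A container's env[].value in Kubernetes must be a string, so unless the chart's template converts the value on the way through (for example with a quote or toString pipe), a bare integer can be rejected when the manifest is applied; writing it as "5120", quoted like the title above it, removes the ambiguity. On the reload question raised with this diff: a rollout is only triggered when the Deployment's pod template changes, so if the chart renders the environment map into a ConfigMap or Secret that the pod references rather than into the pod spec itself, editing these two values leaves the template untouched and the running pod is not replaced until it is deleted, which is the behaviour described around the hunk.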
accessModes is set to "ReadWriteMany" and strategy is set to "RollingUpdate".
I was able to achieve this without downtime by setting the number of OpenProject web process replicas to 2 and deleting one pod, and the second one afterwards.
Is it possible to achieve an environment variable configuration reload without downtime for a single openproject-staging-web replica?
Might it be related to the *web-*-tmp and *web-*-app-tmp volumeClaimTemplate accessModes, which we are currently not able to override to ReadWriteMany because they are set by default to ReadWriteOnce?
Any insight is really appreciated! Thank you very much for your time!
Hi, I believe there is a typo here: https://github.com/opf/helm-charts/blob/main/charts/openproject/templates/persistentvolumeclaim.yaml#L10
The PVC should not use {{- with .Values.ingress.annotations }}; it also fails if these are used.