PostgreSQL and Redis existingSecret not respected on ArgoCD sync #450
Comments
Thanks for filing this issue, @salcinad. Did you manage to get one deployment working? If not, I'd advocate completely uninstalling the chart and trying again in a proper deployment.
That is very surprising, as password management is handled by the chart itself and should keep any previously defined/generated value.
Can you share the secrets as defined in your Kubernetes cluster, before and after an upgrade or a sync? You can, of course, change the actual values before posting in here, but please keep a way to see if the values are the same or different between versions of the secrets.
Indeed, as that issue is closed, I did not realize that, sorry for bumping a closed issue.
The first deployment is always OK. But on any other update, it would like to sync the netbox-postgres and netbox-redis secrets; the other two secrets (netbox-config, netbox-superuser) are fine. And when testing I am always deleting the Application and the namespace on the k8s cluster so everything is clear.
This can of course be an ArgoCD issue on our side, but we also have the same bitnami chart for standalone postgres and are not having this issue, or for example Harbor is also using redis as a sub chart (same bitnami chart) and no issue there. We are still looking, but nothing obviously is popping up.
Sure, will test tomorrow in a different cluster and provide the info here.
Edit # 1
Thanks for your input.
This is how we did the initial setup: we let the chart deploy without setting existingSecret or setting passwords manually, then exported these secrets to YAML, deleted unneeded data from the YAML (see below), deleted the application, deleted the namespace where it was installed, then used existingSecret to reference these secrets' exported YAML, and added them to values.yaml under
In my comment above the application deployed successfully, ArgoCD deployed sealed-secrets which are applied to the correct namespace in the correct k8s cluster, and NetBox is available over Ingress and login (superuser - which is also an existing secret) is working just fine, all pods up (see below), as well as LDAPs.
But now ArgoCD is showing that this Application is
Thanks for the details.
If this still does not work, can you confirm the secrets values do not get base64 encoded twice?
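Added example, not part of the thread or of the chart: one way to produce the comparison requested above (whether each secret value is the same or different before and after a sync, without posting the values) and to check for double base64 encoding. The function names are hypothetical and the sample manifests are constructed; real input would be the JSON saved from `kubectl get secret <name> -o json` before and after the sync.

```python
import base64
import binascii
import hashlib
import hmac
import json

def looks_double_encoded(raw: bytes) -> bool:
    """Heuristic: the decoded value is itself strict base64 of printable ASCII."""
    if len(raw) < 8 or len(raw) % 4:
        return False
    try:
        inner = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return False
    return inner.isascii() and inner.decode("ascii").isprintable()

def fingerprint(secret: dict, salt: bytes) -> dict:
    """Map each data key to (short HMAC-SHA256 tag of the decoded value, double flag)."""
    out = {}
    for key, b64 in secret.get("data", {}).items():
        raw = base64.b64decode(b64)
        out[key] = (hmac.new(salt, raw, hashlib.sha256).hexdigest()[:12],
                    looks_double_encoded(raw))
    return out

def compare(before: dict, after: dict, salt: bytes) -> dict:
    """Per key: same / changed / added / removed, with tags instead of values."""
    a, b = fingerprint(before, salt), fingerprint(after, salt)
    report = {}
    for key in sorted(a.keys() | b.keys()):
        old, new = a.get(key), b.get(key)
        state = ("added" if old is None else "removed" if new is None
                 else "same" if old[0] == new[0] else "changed")
        report[key] = {"state": state, "before": old and old[0], "after": new and new[0],
                       "double_encoded": bool((new or old)[1])}
    return report

def _b64(value: bytes) -> str:
    return base64.b64encode(value).decode()

# Constructed sample data shaped like `kubectl get secret -o json` output.
BEFORE = {"data": {"password": _b64(b"user-pw-1"), "postgres-password": _b64(b"adm1n-pw")}}
AFTER = {"data": {"password": _b64(b"user-pw-1"),
                  "postgres-password": _b64(_b64(b"adm1n-pw").encode())}}

if __name__ == "__main__":
    import secrets
    salt = secrets.token_bytes(16)  # keep private; tags only compare within one run
    print(json.dumps(compare(BEFORE, AFTER, salt), indent=2))
```

A key reported as `changed` with `double_encoded` false is what a regenerated password looks like; the double-encoding flag is a heuristic and can misfire on a password that happens to be valid base64.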
If I read right, in the first row of the secret template ({{- if not .Values.existingSecret }})
@Delta1977 Not all secrets, each secret has its own condition to be rendered.
@salcinad Have you been able to resolve the issue?
I deployed yesterday with helm only and, without changing anything, just did a helm upgrade. When comparing what changed with the helm-diff plugin, I see that the checksum is different for redis
Edit 1:
Without helm diff upgrade, we do not see this about redis, so we hope this is safe to ignore. Only this warning:
I am checking that with point 3. from your recommendation.
@salcinad Thanks for your replies, but I'm afraid none of this makes sense.
Today I did test on production with

```
$ k get secrets -n netbox
NAME                     TYPE                       DATA   AGE
netbox-config            Opaque                     3      34d
netbox-config-2          Opaque                     3      7h24m
netboxXXXXXXXXXXXX-tls   kubernetes.io/tls          2      34d
netbox-postgresql        Opaque                     2      34d
netbox-postgresql-2      Opaque                     2      7h24m
netbox-redis             Opaque                     1      34d
netbox-redis-2           Opaque                     1      7h24m
netbox-superuser         kubernetes.io/basic-auth   4      34d
netbox-superuser-2       kubernetes.io/basic-auth   4      7h24m
$
```

and this is part from values.yaml

```yaml
superuser:
  name: admin
  email: XXXXXX
  existingSecret: "netbox-superuser-2"
existingSecret: "netbox-config-2"
postgresql:
  auth:
    existingSecret: "netbox-postgresql-2"
    secretKeys:
      adminPasswordKey: "postgres-password"
      userPasswordKey: "password"
redis:
  auth:
    existingSecret: "netbox-redis-2"
    existingSecretPasswordKey: "redis-password"
```

As the postgresql and redis part is just ignored or not formatted properly, but the indent is same for supervisor, existingSecret(config), postgresql, redis..
Thank you for your reply, @salcinad.
The Helm chart version
5.0.0-beta.167
Environment Versions
Custom chart values
Current Behavior & Steps to Reproduce
Tested with different options in values.yaml for existing secrets but it just does not work. Once the secret is overwritten, the worker complains that the password is incorrect, and the whole netbox pod does not start.
django.db.utils.OperationalError: connection failed: connection to server at "10.95.18.196", port 5432 failed: FATAL: password authentication failed for user "netbox"
Even if we do not use existingSecrets and let ArgoCD create secrets, they are getting regenerated over every ArgoCD sync. No issue with other applications.
Expected Behavior
The existingSecrets should not be overwritten by the netbox chart.
NetBox Logs