
[bitnami/keycloak] The default value of existingSecretHostKey, existingSecretUserKey, etc is not working #25880

Open
xqe2011 opened this issue May 15, 2024 · 6 comments
Assignees
Labels
in-progress keycloak stale 15 days without activity tech-issues The user has a technical issue about an application

Comments

@xqe2011

xqe2011 commented May 15, 2024

Name and Version

bitnami/keycloak 21.2.1

What architecture are you using?

amd64

What steps will reproduce the bug?

  • Create a secret including the external database username, password, port, host, etc.
  • Set externalDatabase.existingSecret in values.yaml to this secret name
  • Only the password is passed into the container

Are you using any custom parameters or values?

postgresql:
  enabled: false
externalDatabase:
  existingSecret: "keycloak-database"

What is the expected behavior?

The documentation says externalDatabase.existingSecret is the "Name of an existing secret resource containing the database credentials". In my opinion, this secret should contain the username, password, port, host, etc. However, after I reviewed the template, only the password is included.

What do you see instead?

The environment variables such as KEYCLOAK_DATABASE_HOST aren't generated.

Additional information

In values.yaml, it defines keycloak.databaseSecretHostKey, which defaults to db-host. But in configmap-env-vars.yaml, it uses .Values.externalDatabase.existingSecretHostKey to test whether it should generate the env var. Maybe it should be keycloak.databaseSecretHostKey?
If this is the expected behavior, we should add documentation describing it, or users will be confused as to why their secret doesn't take effect.

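One way to confirm what the report above describes, before digging into the templates: inspect the rendered StatefulSet and its ConfigMaps and record where each database variable actually comes from. The script below is an added example and is not part of the issue or of the bitnami/keycloak chart. It reads the JSON that `kubectl get statefulset/<name> -o json` and `kubectl get configmap -o json` print, follows Kubernetes precedence (explicit `env` entries override `envFrom`), and flags every database variable that is absent or not read from the secret you named in externalDatabase.existingSecret. It assumes the container is called keycloak and that the variables other than KEYCLOAK_DATABASE_HOST (the one the report cites) follow the same naming pattern; the embedded sample objects, including the ConfigMap name and secret keys, are constructed for the example.

```python
import json
import sys

# Variables the Keycloak container reads for its database connection.
# Only KEYCLOAK_DATABASE_HOST is named in the issue; the others are assumed
# to follow the same naming convention.
DB_VARS = (
    "KEYCLOAK_DATABASE_HOST",
    "KEYCLOAK_DATABASE_PORT",
    "KEYCLOAK_DATABASE_USER",
    "KEYCLOAK_DATABASE_NAME",
    "KEYCLOAK_DATABASE_PASSWORD",
)


def env_sources(statefulset, configmaps, container_name="keycloak"):
    """Map each DB variable to where the container actually gets it from.

    Returns {var: "secret:<name>/<key>" | "configmap:<name>/<key>" | "literal" | None}.
    Explicit `env` entries are processed after `envFrom`, so they override it,
    matching Kubernetes precedence.
    """
    cm_data = {cm["metadata"]["name"]: cm.get("data", {}) for cm in configmaps}
    found = {}
    for container in statefulset["spec"]["template"]["spec"]["containers"]:
        if container["name"] != container_name:
            continue
        for ref in container.get("envFrom", []):
            cm_ref = ref.get("configMapRef")
            if cm_ref:
                for key in cm_data.get(cm_ref["name"], {}):
                    found[key] = f"configmap:{cm_ref['name']}/{key}"
        for env in container.get("env", []):
            name, value_from = env["name"], env.get("valueFrom", {})
            if "secretKeyRef" in value_from:
                ref = value_from["secretKeyRef"]
                found[name] = f"secret:{ref['name']}/{ref['key']}"
            elif "configMapKeyRef" in value_from:
                ref = value_from["configMapKeyRef"]
                found[name] = f"configmap:{ref['name']}/{ref['key']}"
            elif "value" in env:
                found[name] = "literal"
    return {var: found.get(var) for var in DB_VARS}


def audit(statefulset, configmaps, expected_secret):
    """Return {var: problem} for every DB variable not sourced from expected_secret."""
    problems = {}
    for var, source in env_sources(statefulset, configmaps).items():
        if source is None:
            problems[var] = "not set anywhere in the pod spec"
        elif not source.startswith(f"secret:{expected_secret}/"):
            problems[var] = f"comes from {source}, not from secret {expected_secret}"
    return problems


# Constructed sample mirroring the report: only the password is wired from the
# secret, the host is absent, and the remaining values are ConfigMap literals.
SAMPLE_STATEFULSET = {
    "spec": {"template": {"spec": {"containers": [{
        "name": "keycloak",
        "envFrom": [{"configMapRef": {"name": "keycloak-env-vars"}}],
        "env": [{
            "name": "KEYCLOAK_DATABASE_PASSWORD",
            "valueFrom": {"secretKeyRef": {"name": "keycloak-database", "key": "db-password"}},
        }],
    }]}}}
}
SAMPLE_CONFIGMAPS = [{
    "metadata": {"name": "keycloak-env-vars"},
    "data": {
        "KEYCLOAK_DATABASE_PORT": "5432",
        "KEYCLOAK_DATABASE_USER": "bn_keycloak",
        "KEYCLOAK_DATABASE_NAME": "bitnami_keycloak",
    },
}]


def _load_items(path):
    """Accept a single object or a `kind: List` as produced by kubectl -o json."""
    with open(path) as fh:
        doc = json.load(fh)
    return doc["items"] if doc.get("kind") == "List" else [doc]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        sts = _load_items(sys.argv[1])[0]
        cms = _load_items(sys.argv[2])
        secret = sys.argv[3]
    else:
        sts, cms, secret = SAMPLE_STATEFULSET, SAMPLE_CONFIGMAPS, "keycloak-database"
    for var, problem in sorted(audit(sts, cms, secret).items()):
        print(f"{var}: {problem}")
```

Against a live release: `kubectl get statefulset keycloak -o json > sts.json`, `kubectl get configmap -o json > cms.json`, then `python3 audit_db_env.py sts.json cms.json keycloak-database`. Run with no arguments it audits the embedded sample, where only the password passes.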
@xqe2011 xqe2011 added the tech-issues The user has a technical issue about an application label May 15, 2024
@github-actions github-actions bot added the triage Triage is needed label May 15, 2024
@github-actions github-actions bot removed the triage Triage is needed label May 15, 2024
@github-actions github-actions bot assigned juan131 and unassigned javsalgar May 15, 2024
@juan131
Contributor

juan131 commented May 15, 2024

Hi @xqe2011

> In my opinion, this secret should contain the username, password, port, host, etc. However, after I review the template, only the password is included.

Are you referring to the secret-external-db.yaml template? Please note this template will be ignored if externalDatabase.existingSecret is set.

> In values.yaml, it defines keycloak.databaseSecretHostKey defaults to db-host. But in configmap-env-vars.yaml, it uses .Values.externalDatabase.existingSecretHostKey

Maybe you're using an old values.yaml? There's no keycloak.databaseSecretHostKey parameter in the current values.yaml. Or you might be referring to the function helper defined here.

@xqe2011
Author

xqe2011 commented May 15, 2024

> Are you referring to the secret-external-db.yaml template? Please note this template will be ignored if externalDatabase.existingSecret is set.

No, I am referring to the statefulset.yaml lines from 160 to 187.

In _helpers.tpl, lines 194 to 221, it defines keycloak.databaseSecretHostKey from the default value db-host or .Values.externalDatabase.existingSecretHostKey, but in statefulset.yaml it uses .Values.externalDatabase.existingSecretHostKey instead, which means the default value doesn't work.

@juan131
Contributor

juan131 commented May 16, 2024

Hi @xqe2011

So you're suggesting that we set the KEYCLOAK_DATABASE_HOST, KEYCLOAK_DATABASE_PORT, ... environment variables if a condition such as the one below is met, and fall back to the default values defined in the keycloak.databaseSecretXXXKey helpers, am I right?

{{- if and (not .Values.postgresql.enabled)  .Values.externalDatabase.existingSecret }}

@xqe2011
Author

xqe2011 commented May 16, 2024

Hi @juan131

Yes. This change can reduce the time spent investigating why externalDatabase.existingSecret, named to suggest it includes full database credentials such as port, host, and password, only uses the password.

@juan131
Contributor

juan131 commented May 16, 2024

@xqe2011 I've been reviewing the logic and it works like this:

  • postgresql.enabled=true: ignore every externalDatabase.*** parameter and rely on the information retrieved from the PostgreSQL subchart.
  • postgresql.enabled=false
    • externalDatabase.existingSecret is set:
      • For password: retrieve from the existing secret using the key set at externalDatabase.existingSecretPasswordKey.
      • For host, port, user & database: retrieve from the existing secret ONLY IF the corresponding keycloak.databaseSecretXXXKey is set. Otherwise rely on externalDatabase.host, externalDatabase.port, externalDatabase.user and externalDatabase.database (added to the configmap-env-vars.yaml ConfigMap).
    • externalDatabase.existingSecret is NOT set:
      • Rely on externalDatabase.host, externalDatabase.port, externalDatabase.user, externalDatabase.database (values added to the configmap-env-vars.yaml ConfigMap) and externalDatabase.password (value added to the secret-external-db.yaml Secret).

I agree it's over-complicated. Let me review this with the team.
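Given the logic described in the comment above, the practical consequence for anyone hitting this today is that every key has to be named explicitly: with only existingSecret set, host, port, user and database silently fall back to the plain externalDatabase.* values rather than the Secret. The two documents below are an added example, not the chart's own files or anything from the thread: a Secret carrying the full connection and the matching values.yaml. The key names inside the Secret are arbitrary choices (db-host is the default the report mentions; the others are just chosen to match), and existingSecretPortKey and existingSecretDatabaseKey are assumed to follow the same pattern as the existingSecretHostKey, existingSecretUserKey and existingSecretPasswordKey parameters named in this issue.

```yaml
# Secret holding the whole external-database connection (constructed example).
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-database
type: Opaque
stringData:
  db-host: postgres.db.svc.cluster.local
  db-port: "5432"
  db-user: keycloak
  db-name: keycloak
  db-password: change-me
---
# values.yaml: name every key explicitly so host, port, user and database are
# read from the Secret instead of falling back to externalDatabase.host etc.
# Parameter names other than existingSecretHostKey, existingSecretUserKey and
# existingSecretPasswordKey are assumed from the same naming pattern.
postgresql:
  enabled: false
externalDatabase:
  existingSecret: "keycloak-database"
  existingSecretHostKey: "db-host"
  existingSecretPortKey: "db-port"
  existingSecretUserKey: "db-user"
  existingSecretDatabaseKey: "db-name"
  existingSecretPasswordKey: "db-password"
```

After rendering, check that each KEYCLOAK_DATABASE_* variable on the keycloak container is a secretKeyRef into keycloak-database; any of them still appearing as a literal in the env-vars ConfigMap means that key parameter did not take effect.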


github-actions bot commented Jun 1, 2024

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Jun 1, 2024
Development

No branches or pull requests

3 participants