
[bitnami/keycloak] Keycloak chart is incorrectly setting the database existing password key in `KEYCLOAK_DATABASE_PASSWORD` env var.

Open hamza-m-masood opened this issue 10 months ago • 3 comments

Name and Version

bitnami/keycloak 21.0.2

What architecture are you using?

GKE

What steps will reproduce the bug?

  1. Run: `helm install keycloak oci://registry-1.docker.io/bitnamicharts/keycloak -n keycloak -f ./keycloak.yaml`. The ./keycloak.yaml is the values.yaml. Its contents are pasted below.
  2. Error:

    COMMAND:
    kubectl events keycloak -n keycloak

    OUTPUT:
    ...
    2m51s (x11 over 4m45s)   Warning   Failed      Pod/keycloak-0     Error: couldn't find key password in Secret keycloak/camunda-secrets

Are you using any custom parameters or values?

Here is my values.yaml:

    auth:
      existingSecret: camunda-secrets
      passwordSecretKey: keycloak-secret
    postgresql:
      auth:
        existingSecret: camunda-secrets
        secretKeys:
          userPasswordKey: postgresql-secret
          adminPasswordKey: postgresql-secret
          replicationPasswordKey: postgresql-secret

What is the expected behavior?

The chart should correctly reference the auth.passwordSecretKey and start up the keycloak pod in a healthy state.

What do you see instead?

Currently, the `KEYCLOAK_DATABASE_PASSWORD` sets the incorrect secret key. It uses `password` instead of referencing the secret key from `auth.passwordSecretKey`. Here is the full environment variable:

    - name: KEYCLOAK_DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          key: password
          name: camunda-secrets

The key should have this value: keycloak-secret

Additional information

This is probably because of the templates/_helpers.tpl file. Here is a snippet:

    {{/*
    Add environment variables to configure database values
    */}}
    {{- define "keycloak.databaseSecretPasswordKey" -}}
    {{- if .Values.postgresql.enabled -}}
        {{- print "password" -}}
    {{- else -}}
        {{- if .Values.externalDatabase.existingSecret -}}
            {{- if .Values.externalDatabase.existingSecretPasswordKey -}}
                {{- printf "%s" .Values.externalDatabase.existingSecretPasswordKey -}}
            {{- else -}}
                {{- print "db-password" -}}
            {{- end -}}
        {{- else -}}
            {{- print "db-password" -}}
        {{- end -}}
    {{- end -}}
    {{- end -}}

The value `password` is hardcoded instead of first checking and referencing the `auth.passwordSecretKey` value.

hamza-m-masood • Apr 18 '24 23:04
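
A pre-deployment check for the failure reported above, as an added example that is not part of the original issue or the Bitnami chart: it walks a workload's `env` entries and reports every required `secretKeyRef` whose key is absent from the named Secret. The JSON inputs are constructed samples shaped like `kubectl get -o json` output, and `missing_secret_keys` and `EXAMPLE_OPTIONAL_TOKEN` are hypothetical names.

```python
import json

# Constructed sample input shaped like `kubectl get ... -o json` output for the
# values.yaml in this issue. EXAMPLE_OPTIONAL_TOKEN is a hypothetical variable.
WORKLOAD = json.loads("""
{"kind": "StatefulSet", "metadata": {"name": "keycloak", "namespace": "keycloak"},
 "spec": {"template": {"spec": {"containers": [{"name": "keycloak", "env": [
   {"name": "KEYCLOAK_DATABASE_PASSWORD", "valueFrom": {"secretKeyRef":
     {"name": "camunda-secrets", "key": "password"}}},
   {"name": "EXAMPLE_OPTIONAL_TOKEN", "valueFrom": {"secretKeyRef":
     {"name": "camunda-secrets", "key": "token", "optional": true}}}]}]}}}}
""")
# Secret values are dummies; only the key names matter to this check.
SECRETS = [json.loads("""
{"kind": "Secret", "metadata": {"name": "camunda-secrets", "namespace": "keycloak"},
 "data": {"keycloak-secret": "ZHVtbXk=", "postgresql-secret": "ZHVtbXk="}}
""")]


def missing_secret_keys(workload, secrets):
    """Return (container, env var, secret, key, reason) for each required
    secretKeyRef that cannot be resolved, which keeps the pod from starting."""
    ns = workload["metadata"].get("namespace", "default")
    # Index the key names held by each Secret in the workload's namespace.
    available = {}
    for s in secrets:
        if s["metadata"].get("namespace", "default") == ns:
            keys = set(s.get("data") or {}) | set(s.get("stringData") or {})
            available[s["metadata"]["name"]] = keys
    pod = workload["spec"]["template"]["spec"]
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref or ref.get("optional"):
                continue  # literal value, other source, or optional reference
            where = (c["name"], env["name"], ref["name"], ref["key"])
            if ref["name"] not in available:
                findings.append(where + ("secret not found",))
            elif ref["key"] not in available[ref["name"]]:
                findings.append(where + ("key not found",))
    return findings


if __name__ == "__main__":
    for f in missing_secret_keys(WORKLOAD, SECRETS):
        print("%s: env %s -> Secret %s key %r: %s" % f)
```
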

Thank you for all the information you provided. Would you like to send a PR addressing the issue? We will be glad to review and merge it. Thank you!!

dgomezleon • Apr 23 '24 11:04

@dgomezleon I will try to make some progress on this in the next week. If no progress is made by me after next week then please take over.

hamza-m-masood • Apr 23 '24 11:04

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] • May 09 '24 01:05

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] • May 14 '24 01:05

For reference, this issue has been fixed in https://github.com/bitnami/charts/pull/29008

aabouzaid • Oct 12 '24 14:10