[artifactory] Database credentials are not updated correctly when artifactory is recreated.

[hetii]

Hi.

I play with a helmfile that setup for me artifactory-oss. As soon as I run it second time the password for the database is change and artifactory is not able to use it again. This lead to readiness failure and the only way to fix it is to delete pvc of artifactory-volume-artifactory-artifactory-0 :< This issue is related to https://github.com/jfrog/charts/issues/63

Version of Helm and Kubernetes: version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"} Kubernetes: v1.15.10

Which chart: 2.2.0

What happened: Database password is upgraded and other component are no aware about this fact.

What you expected to happen: All components used PostgreSQL db should be aware of db password changes.

How to reproduce it (as minimally and precisely as possible): Install few times char in version 2.2.0.

[chukka]

@hetii Can you share the helm command used to install the chart initially (is postgresql password passed as part of values) so that i reproduce the issue

BTW - after the first install, for upgrades you need to pass the database password so a new one will not be generated that might conflict with previous one.

[chukka]

@hetii is this still an issue ? waiting for your update

[kataliyst]

I have this same issue. I deploy the chart with Rancher. Any upgrades stall and fail. rollback doesn't work. logs show this password problem is the issue - passwords are auto-generated. First deployment is fine - but as I say any upgrade or rollback results in this issue. This is artifactory-oss 2.2.2 -> 2.2.3:

DETAIL: Password does not match for user "artifactory". Connection matched pg_hba.conf line 1: "host all all 0.0.0.0/0 md5" FATAL: password authentication failed for user "artifactory" DETAIL: Password does not match for user "artifactory".

[chukka]

@hetii @kataliyst can you share your values.yaml file and steps to reproduce ?

[kataliyst]

As I mentioned, I use Rancher. Simply add the Jfrog charts to Rancher's catalogs. Go into the application screen to deploy an app. Launch. Select Artifactory-oss and deploy. If it's a new install, it will be up in a minute. If you attempt to upgrade this to a new version, it will fail and you will get complaints about the password.

[Siegfriedk]

We face the same issue.

We use artifactory as a subchart to keep the maintenance as minimal as possible and deploy it with argocd.

When artifactory restarts, it is no longer able to connect to postgresql.

[chukka]

@hetii @kataliyst @Siegfriedk Thanks for reporting ! we are looking into it in the integration with Rancher, will update soon

[peters95]

@chukka I don't believe this issue is specific to Rancher as I have also encountered it on Openshift using our helm charts. Rancher just provides a GUI around our values.yaml I believe but @vinayagg can confirm this is the case.

[Siegfriedk]

Its not an Ranger issue. We are using GKE and argocd.

[vinayagg]

@chukka I don't believe this issue is specific to Rancher as I have also encountered it on Openshift using our helm charts. Rancher just provides a GUI around our values.yaml I believe but @vinayagg can confirm this is the case.

yes, rancher charts only add one file to present a UI to ask for values to be passed to helm charts and then trigger helm charts with those values. There are no additions or modifications to our helm charts.

[vinayagg]

@chukka in rancher, since UI is controlled by a separate file, I can force users to specify a password. Then as long as they enter same password on re-install, it should work. Is this acceptable solution?

[chukka]

@vinayagg yes, that should work for rancher , Please update here once you do that change

@Siegfriedk can you please provide info- how argocd works with GKE ? does it have any UI ?

[Siegfriedk]

@chukka argocd basically keeps the helm chart from the git repository in sync with the state inside the cluster.

argocd https://argoproj.github.io/argo-cd/ shouldn't touch the secret. I assume that this is an issue due to the secret only being used for initalization and ignored otherwise.

[vinayagg]

@vinayagg yes, that should work for rancher , Please update here once you do that change

@Siegfriedk can you please provide info- how argocd works with GKE ? does it have any UI ?

@chukka Rancher has been updated to force user to specify a postgres password

[woodcockjosh]

I have same problem on minikube and metal k8s. There is a problem with the helm chart.

[woodcockjosh]

For some reason there is an option to delete db.properties in an init container. I have solved this by setting artifactory-oss.artifactory.artifactory.deleteDBPropertiesOnStartup to false. However, if I do a helm upgrade then it is broken again.

Maybe yall will want to make an init container that will query the k8s API to update the k8s system yaml secret so that the db.properties can be deleted for security improvement.

[woodcockjosh]

@chukka any update on this?

[Elyytscha]

we have the same problem on openshift

[sssilver]

same issue on microk8s

[lanycrost]

as workaround you can add this declarations to your values file:

artifactory:
  postgresql:
    enabled: true

    pgHbaConfiguration: |-
      host all all all trust
...