Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run authentik using ArgoCD finished wih error about missing provided secret key #206

Open
lukasz18dg opened this issue Oct 24, 2023 · 1 comment

Comments

@lukasz18dg
Copy link

Scenario:

  1. Exist private repository where Argo will be read information about aplication. Argo intalled on Oracle VPS => Kubernetes.
    In my case I had one aplicaiton, which read other aplication in specific folder => apps
    Definition:
project: default
source:
  repoURL: '[email protected]:<censored>'
  path: apps
  targetRevision: HEAD
  directory:
    recurse: true
    jsonnet: {}
destination:
  server: 'https://kubernetes.default.svc'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - Validate=true
    - PruneLast=true
    - RespectIgnoreDifferences=false
    - ApplyOutOfSyncOnly=false
    - ServerSideApply=true
    - Replace=false
  retry:
    limit: 3
    backoff:
      duration: 60s
      factor: 2
      maxDuration: 3m0s
  1. In apss I had folder with: authentik
    That folder have several files like:
    Chart.yaml
apiVersion: v2
name: goauthentik
description: An Umbrella Helm chart
type: application
version: 0.1.0
appVersion: "1.0"

dependencies:
- name: authentik
  version: 2023.*
  repository: https://charts.goauthentik.io/

aplication.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    name: ''
    namespace: authentik
    server: 'https://kubernetes.default.svc'
  source:
    path: apps/authentik
    repoURL: '[email protected]:<censored>'
    targetRevision: HEAD
    helm:
      valueFiles:
      - values.yaml
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground

values.yaml

replicas: 1
priorityClassName:
securityContext: {}

worker:
  replicas: 1
  priorityClassName:
  securityContext: {}

image:
  repository: ghcr.io/goauthentik/server
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

initContainers: {}

additionalContainers: {}

ingress:
  enabled: false
  ingressClassName: "traefik-ingress"
  annotations: {
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  }
  labels: {}
  hosts:
    - host: <censored my domain>
      paths:
        - path: "/"
          pathType: Prefix
  tls: []

annotations: {}

podAnnotations: {}

authentik:
  log_level: error
  secret_key: "<censored some value>"
  geoip: /geoip/GeoLite2-City.mmdb
  email:
    host: ""
    port: 587
    username: ""
    password: ""
    use_tls: false
    use_ssl: false
    timeout: 30
    from: ""
  outposts:
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    enabled: false
    environment: "k8s"
    send_pii: false
  redis:
    host: "{{ .Release.Name }}-redis-master"
    password: ""
  geoip:
    enabled: false

blueprints: []

#secret to avoid add information about DB
envFrom:
  - secretRef:
       name: authentik-secret

envValueFrom: {}

service:
  enabled: true
  type: ClusterIP
  port: 80
  name: http
  protocol: TCP
  labels: {}
  annotations: {}

volumes: []

volumeMounts: []

affinity: {}

tolerations: []

nodeSelector: {}

resources:
  server: {}
  worker: {}

autoscaling:
  server:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
  worker:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80

livenessProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10

startupProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  failureThreshold: 60
  periodSeconds: 5

readinessProbe:
  enabled: true
  httpGet:
    path: /-/health/ready/
    port: http
  periodSeconds: 10

serviceAccount:
  create: true
  annotations: {}
  serviceAccountSecret:
    enabled: false

prometheus:
  serviceMonitor:
    create: false
    interval: 30s
    scrapeTimeout: 3s
    labels: {}
  rules:
    create: false
    labels: {}

postgresql:
  enabled: false

redis:
  enabled: true

sealed-psql-secret.yml

apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: authentik-secret
  namespace: authentik
spec:
  encryptedData:
    AUTHENTIK_POSTGRESQL__HOST: <censored>
    AUTHENTIK_POSTGRESQL__NAME: <censored>
    AUTHENTIK_POSTGRESQL__PASSWORD: <censored>
    AUTHENTIK_POSTGRESQL__USER: <censored>
    AUTHENTIK_SECRET_KEY: <censored>
  template:
    metadata:
      creationTimestamp: null
      name: authentik-secret
      namespace: authentik
    type: stringData
---

  1. Commit changes and look if argo correctly run authenik.

Reality: No, finished with error on pods:
authentik-server-
authentik-worker-



{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4328628, "file": "/authentik/lib/default.yml"}

{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1698178364.4334147, "count": 28}

{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4335992}

{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336236}

{"event": "Secret key missing, check https://goauthentik.io/docs/installation/.", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.433638}

{"event": "----------------------------------------------------------------------", "level": "info", "logger": "authentik.lib.config", "timestamp": 1698178364.4336486}

however like you see, I provided secret key in secret or in values?
Then why run aplication using ArgoCD finished with failed status and complains about missing secret key?

@MrUsefull
Copy link

I have the same issue without argo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants