[bitnami/harbor] Setting internalTLS.enabled: true results in all harbor pods going into a crash loop. #27321
Comments
As you mentioned, the issue is related to the permissions configuration. I think it was introduced when applying these changes. To solve this, we will need to implement a new initContainer that takes care of configuring the permissions of that folder. Similar to this other initContainer. Would you like to contribute? The team will be more than happy to review the changes and the whole community will benefit from that.
How do you see the initContainer approach working with regards to
I guess a new ephemeral volume would need to be created as part of the deployments and the initContainer would need to copy the contents of
I've created a pull request here: #27753
Name and Version
bitnami/harbor 21.4.4
What architecture are you using?
amd64
What steps will reproduce the bug?
Set internalTLS.enabled: true and deploy the chart.
Are you using any custom parameters or values?
A redacted values file follows
What is the expected behavior?
Pods should not go into a crash loop.
What do you see instead?
All pods are in a crash loop.
If you look at logs, all of them say the following before exiting:
Additional information
We had the above working with chart version 19.6.0.
From between then and when we upgraded, container SecurityContexts were defined to lock things down.
All the containers now have a read-only filesystem and no longer run as root.
The /etc/ssl/certs/ca-certificates.crt file is owned and grouped by root and has permissions of 664.
I was able to get things working by slackening off the container SecurityContexts by setting the following for all of the pods:
This is not ideal though as it reduces the security you added by quite a bit.
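
The initContainer and ephemeral volume approach raised in the comments, as an added example that is not the chart's own templates and not the change in #27753. The image, the container and volume names and UID/GID 1001 are hypothetical, and it assumes the component needs a writable /etc/ssl/certs at startup.

```yaml
# Added example: not the bitnami/harbor templates and not the change in #27753.
# Image, names and UID/GID 1001 are hypothetical placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: harbor-component-example
spec:
  volumes:
    - name: ssl-certs                 # ephemeral, lives only as long as the pod
      emptyDir: {}
  initContainers:
    - name: copy-ssl-certs
      image: registry.example/harbor-component:PLACEHOLDER
      command: ["/bin/sh", "-ec"]
      args:
        - |
          # Files copied here are created by UID 1001, so the main container
          # can write to them even though the originals are root-owned.
          cp -r /etc/ssl/certs/. /writable-certs/
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: ssl-certs
          mountPath: /writable-certs
  containers:
    - name: harbor-component
      image: registry.example/harbor-component:PLACEHOLDER
      securityContext:                # same hardened settings, nothing loosened
        runAsUser: 1001
        runAsGroup: 1001
        runAsNonRoot: true
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: ssl-certs             # writable copy shadows the image's directory
          mountPath: /etc/ssl/certs
```

The root filesystem stays read-only and the process stays non-root; the only writable path is the emptyDir mounted over /etc/ssl/certs.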