influxdata/helm-charts

Incorrect admin token when installing influxdb2 helm chart

francotiveron opened this issue ยท 5 comments

francotiveron commented

Cannot reopen #470, so I create e new issue

@alespour I don't think the issue has been fully understood

There is no existing secret. I am relying on helm automatically created secret.
And the secret is correctly created as expected.
The problem is that the influxdb instance DOES NOT use it, but a different one.

alespour commented

I see, my bad. I cannot reproduce it though.

Admin password and token are set only during the initial installation, when InfluxDB is set up (onboarding). In the subsequent upgrades, secret is created every time, but if previously created secret is found, values from it are used to populate the new one. So, unless the chart was uninstalled and then installed again, password and token in the secret should match what's been set up in InfluxDB the first time. I can't think of other scenario that could lead to mismatch.
Could you describe your steps?

alespour commented

/stale

lebaptiste commented

Thanks @alespour for the pointer! ๐Ÿ‘

I had the same issue and managed to solve it thanks to your comment.
I reference InfluxDB v2 part of my service chart and I set it up with the persistence.enabled: true in my values.yaml, but adminUser.password, adminUser.token and adminUser.existingSecret left empty to generate random secret values.
Therefore the helm chart is creating the PersistentVolumeClaim (PVC) and new secrets accordingly. I was on a dev environment and later wanted to start afresh by uninstalling the release and creating a new one.
That's when my service started to get "401 unauthorized access" despite properly referencing:

env:
  - name: INFLUXDB_AUTH_TOKEN
    valueFrom:
      secretKeyRef:
        name: <release-name>-influxdb2-auth
        key: admin-token

You made me realised that the volume was not wiped when uninstalling the previous release, and despite the new <release-name>-influxdb2-auth secret being recreated, influxdb was possibly continuing to use the older admin-token (by still fetching it from the PVC I presume?).
Because I was on dev and did not care about the data, deleting the PVC and then installing the chart again solved the problem. ๐Ÿ’ฅ

As a note, if it were on production and I had uninstalled the release / reinstall the chart, it would have been more tricky since the old secret resource holding the still valid admin token had been deleted.

I would maybe suggest @alespour that helm.sh/resource-policy: "keep" annotation should be on the secret resource as well if the persistence is enabled but no adminUser.existingSecret has been provided, in order to prevent such scenario?

Many thanks!

  • ๐Ÿ‘1
  • ๐Ÿ‘€1
PauloJFCabral commented

I didn't understood how i can generate the token for the initial setup.
Anyone can help me please?