helm chart kratos does not implement loading environment variable from file for courier
bkomraz1 opened this issue · 1 comments
### Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
### Describe the bug

If you configure sensitive data in a Kubernetes secret and enable loading it via the `deployment.environmentSecretsName` helm chart value, courier crashes because those environment variables are not loaded by the kratos-courier pod.
```shell
{"audience":"application","file":"/go/pkg/mod/github.com/ory/x@v0.0.531/configx/provider.go:156","files":["/etc/config/kratos.yaml"],"func":"github.com/ory/x/configx.(*Provider).createProviders","level":"debug","msg":"Adding config files.","service_name":"Ory Kratos","service_version":"v0.11.1","time":"2023-04-04T11:29:16.786420913Z"}
The configuration contains values or keys which are invalid:
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0: map[id:okta mapper_url:file:///etc/config/okta.jsonnet provider:generic scope:[email openid]]
^-- doesn't validate with "#/definitions/selfServiceOIDCProvider"
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0: map[id:okta mapper_url:file:///etc/config/okta.jsonnet provider:generic scope:[email openid]]
^-- validation failed
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0: map[id:okta mapper_url:file:///etc/config/okta.jsonnet provider:generic scope:[email openid]]
^-- allOf failed
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0: map[id:okta mapper_url:file:///etc/config/okta.jsonnet provider:generic scope:[email openid]]
^-- if-else failed
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0.client_secret: <nil>
^-- one or more required properties are missing
The configuration contains values or keys which are invalid:
selfservice.methods.oidc.config.providers.0.client_id: <nil>
^-- one or more required properties are missing
The configuration contains values or keys which are invalid:
courier.smtp.connection_uri: <nil>
^-- one or more required properties are missing
{"audience":"application","error":{"message":"I[#] S[#] validation failed\n I[#/selfservice/methods/oidc/config/providers/0] S[#/properties/selfservice/properties/methods/properties/oidc/properties/config/properties/providers/items/$ref] doesn't validate with \"#/definitions/selfServiceOIDCProvider\"\n I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider] validation failed\n I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1] allOf failed\n I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else] if-else failed\n I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else/required] missing properties: \"client_secret\"\n I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/required] missing properties: \"client_id\"\n I[#/courier/smtp] S[#/properties/courier/properties/smtp/required] missing properties: \"connection_uri\"","stack_trace":"stack trace could not be recovered from error type *jsonschema.ValidationError"},"file":"/project/driver/factory.go:43","func":"github.com/ory/kratos/driver.NewWithoutInit","level":"error","msg":"Unable to instantiate configuration.","service_name":"Ory Kratos","service_version":"v0.11.1","time":"2023-04-04T11:29:16.796286132Z"}
Error: I[#] S[#] validation failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/properties/selfservice/properties/methods/properties/oidc/properties/config/properties/providers/items/$ref] doesn't validate with "#/definitions/selfServiceOIDCProvider"
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider] validation failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1] allOf failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else] if-else failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else/required] missing properties: "client_secret"
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/required] missing properties: "client_id"
I[#/courier/smtp] S[#/properties/courier/properties/smtp/required] missing properties: "connection_uri"
Usage:
  kratos courier watch [flags]
Flags:
      --expose-metrics-port int   The port to expose the metrics endpoint on (not exposed by default)
  -h, --help                      help for watch
Global Flags:
  -c, --config strings   Path to one or more .json, .yaml, .yml, .toml config files. Values are loaded in the order provided, meaning that the last config file overwrites values from the previous config file.
I[#] S[#] validation failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/properties/selfservice/properties/methods/properties/oidc/properties/config/properties/providers/items/$ref] doesn't validate with "#/definitions/selfServiceOIDCProvider"
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider] validation failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1] allOf failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else] if-else failed
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/allOf/1/else/required] missing properties: "client_secret"
I[#/selfservice/methods/oidc/config/providers/0] S[#/definitions/selfServiceOIDCProvider/required] missing properties: "client_id"
I[#/courier/smtp] S[#/properties/courier/properties/smtp/required] missing properties: "connection_uri"
```
### Reproducing the bug
Create a secret with the sensitive data:

```shell
kubectl view-secret --all kratos-sec-env
COURIER_SMTP_CONNECTION_URI=smtps://xxxx
SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_ID=xxxx
SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_CLIENT_SECRET=xxxx
SELFSERVICE_METHODS_OIDC_CONFIG_PROVIDERS_0_ISSUER_URL=https://xxxx.okta.com
```

Install kratos:

```shell
helm install ory/kratos kratos --set deployment.environmentSecretsName=kratos-sec-env
```

The kratos pod works, but kratos-courier fails for lack of configuration:

```shell
kubectl get po
NAME                     READY   STATUS             RESTARTS     AGE
kratos-7f6bb94b5-rczfb   1/1     Running            0            17s
kratos-courier-0         0/1     CrashLoopBackOff   1 (9s ago)   10s
```
### Relevant log output

(Same log output as pasted under "Describe the bug" above.)
### Relevant configuration
No response
### Version
Kratos helm chart 0.28.1
### On which operating system are you observing this issue?
Linux
### In which environment are you deploying?
Kubernetes with Helm
### Additional Context
No response
Closed by #589
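The failure above is a wiring gap: the secret is mounted into the `kratos` Deployment but not into the `kratos-courier` workload, so the courier validates its config without `courier.smtp.connection_uri` and the OIDC credentials. Before trusting `deployment.environmentSecretsName` (or any equivalent setting) it is worth checking that every workload that runs the kratos binary actually references the secret. The script below is an added example, not code from the issue or from the Ory chart; it reads the JSON that `kubectl get deploy,statefulset -o json` prints and lists each container that references the expected secret neither through `envFrom.secretRef` nor through `env[].valueFrom.secretKeyRef`. The embedded sample manifest list, including the container names `kratos` and `courier`, is constructed to mirror the state described in this issue and is not taken from the chart.

```python
"""Verify that every kratos workload loads the environment secret.

Usage against a live cluster (stdin is a kubectl JSON list):
    kubectl get deploy,statefulset -o json | python3 check_secret_env.py kratos-sec-env
"""
import json
import sys

# Constructed sample: the shape kubectl returns for `get deploy,statefulset -o json`,
# reduced to the fields this check needs. The Deployment carries the secret via
# envFrom; the StatefulSet for the courier does not (the bug reported above).
SAMPLE_WORKLOADS = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "Deployment",
            "metadata": {"name": "kratos"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "kratos",
                 "envFrom": [{"secretRef": {"name": "kratos-sec-env"}}]}
            ]}}},
        },
        {
            "kind": "StatefulSet",
            "metadata": {"name": "kratos-courier"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "courier",
                 # Only a plain literal env var, no secret reference at all.
                 "env": [{"name": "LOG_LEVEL", "value": "debug"}]}
            ]}}},
        },
    ],
})


def secrets_referenced(container: dict) -> set:
    """Return the names of all Secrets a container pulls env values from."""
    names = set()
    for source in container.get("envFrom") or []:
        ref = source.get("secretRef")
        if ref and "name" in ref:
            names.add(ref["name"])
    for var in container.get("env") or []:
        ref = (var.get("valueFrom") or {}).get("secretKeyRef")
        if ref and "name" in ref:
            names.add(ref["name"])
    return names


def find_missing(workload_list: dict, secret_name: str) -> list:
    """List 'Kind/name:container' for every container not wired to secret_name.

    Only Deployment/StatefulSet-style objects with a pod template are inspected;
    anything else in the list is skipped rather than reported.
    """
    missing = []
    for item in workload_list.get("items", []):
        template = item.get("spec", {}).get("template")
        if not template:
            continue
        kind = item.get("kind", "?")
        name = item.get("metadata", {}).get("name", "?")
        for container in template.get("spec", {}).get("containers", []):
            if secret_name not in secrets_referenced(container):
                missing.append(f"{kind}/{name}:{container.get('name', '?')}")
    return missing


def check_sample(secret_name: str = "kratos-sec-env") -> list:
    """Run the check against the constructed sample; used by the self-test."""
    return find_missing(json.loads(SAMPLE_WORKLOADS), secret_name)


if __name__ == "__main__":
    # Read real cluster output from stdin when a secret name is given,
    # otherwise fall back to the constructed sample.
    if len(sys.argv) > 1:
        missing = find_missing(json.load(sys.stdin), sys.argv[1])
    else:
        missing = check_sample()
    for entry in missing:
        print(f"missing secret reference: {entry}")
    sys.exit(1 if missing else 0)
```

Run it as a pre-deploy gate (for example after `helm template` piped through `kubectl create --dry-run=client -o json -f -`) so a chart that silently drops the secret from one workload fails in CI rather than at pod start; a non-zero exit reports exactly which container is unwired.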