Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrading from 2023.10.7 to 2024.2.3 with argocd, failed with redis template #271

Open
thinkhead opened this issue Jun 15, 2024 · 1 comment
Open

Upgrading from 2023.10.7 to 2024.2.3 with argocd, failed with redis template #271

thinkhead opened this issue Jun 15, 2024 · 1 comment

Comments

@thinkhead
Copy link

Describe the bug
Upgrading from 2023.10.7 to 2024.2.3 with argocd, failed with redis template.

Relevant info
Kube version: v1.26.13+rke2r1
ArgoCD: v2.10.12+cb6f5ac
Authentik Helm Chart Version: 2024.2.3
Deployment: [helm]

Logs
Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = helm template . --name-template authentik-rke-dev --namespace authentik-rke-dev --kube-version 1.26 --values /tmp/23a262ae-25f2-47e6-92dc-b9f146fb464e --include-crds failed exit status 1: Error: YAML parse error on authentik/charts/redis/templates/master/application.yaml: error converting YAML to JSON: yaml: line 40: mapping values are not allowed in this context Use --debug flag to render out invalid YAML

To Reproduce
Upgrading from 2023.10.7 with this argocd application:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: authentik
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: tools
  destination:
    namespace: authentik-rke-dev
    name: rke-dev
  source:
    repoURL: 'https://charts.goauthentik.io'
    targetRevision: 2023.10.7
    chart: authentik
    helm:
      values: |
        redis:
          enabled: true
        replicas: 3
        server:
          replicas: 3
        ingress:
          enabled: true
          annotations:
            kubernetes.io/ingress.class: nginx
          hosts:
            - host: xxxx
              paths:
                - path: "/"
                  pathType: Prefix
          tls:
            - secretName: xxxxx-tls
              hosts:
                - xxxxx
        image:
          pullSecrets:
            - name: 'image-pull-secret'
        worker:
          replicas: 3
        geoip:
          enabled: true
          accountId: "xxxxx"
          licenseKey: "xxxx"
        authentik:
          secret_key: "xxxx"
          error_reporting:
            enabled: false
          postgresql:
            password: "xxxxx"
        prometheus:
          rules:
            create: true
          serviceMonitor:
            create: true
        postgresql:
          enabled: true
          postgresqlPassword: "xxxxxx"
  syncPolicy:
    automated: 
      prune: true 
      selfHeal: true 
      allowEmpty: false 
    syncOptions: 
    - CreateNamespace=true
    retry:
      limit: 0

To 2024.2.3

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: authentik
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: tools
  destination:
    namespace: authentik-rke-dev
    name: rke-dev
  source:
    repoURL: 'https://charts.goauthentik.io'
    targetRevision: 2024.2.3
    chart: authentik
    helm:
      values: |
        redis:
          enabled: true
        server:
          serviceMonitor:
            enabled: true
          replicas: 3
          ingress:
            enabled: true
            annotations:
              kubernetes.io/ingress.class: nginx
            hosts:
              - xxxxxx
            paths:
              - /
            pathType: Prefix
            tls:
              - secretName: xxxxx-tls
                hosts:
                  - xxxxx
        global:
          imagePullSecrets:
            - name: 'image-pull-secret'
          revisionHistoryLimit: 3
        worker:
          replicas: 3
        geoip:
          enabled: true
          accountId: "****"
          licenseKey: "***"
        authentik:
          secret_key: "********"
          postgresql:
            password: "********"
        prometheus:
          rules:
            enabled: true
        postgresql:
          enabled: true
          auth:
            password: "**********"
          primary:
            persistence:
              enabled: true
              storageClass: longhorn
              accessModes:
                - ReadWriteOnce
  syncPolicy:
    automated: 
      prune: true 
      selfHeal: true 
      allowEmpty: false 
    syncOptions: 
    - CreateNamespace=true
    retry:
      limit: 0

This gave me the following error in argocd and prevent further upgrade:

Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = `helm template . --name-template authentik-rke-dev --namespace authentik-rke-dev --kube-version 1.26 --values /tmp/23a262ae-25f2-47e6-92dc-b9f146fb464e <api versions removed> --include-crds` failed exit status 1: Error: YAML parse error on authentik/charts/redis/templates/master/application.yaml: error converting YAML to JSON: yaml: line 40: mapping values are not allowed in this context Use --debug flag to render out invalid YAML

It's seem to pushing this template, but i didn't find any useful information

< apiVersion: apps/v1
< kind: StatefulSet
< metadata:
<   annotations:
<     kubectl.kubernetes.io/last-applied-configuration: |
<       {"apiVersion":"apps/v1","kind":"StatefulSet","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"master","app.kubernetes.io/instance":"authentik-rke-dev","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"redis","helm.sh/chart":"redis-15.7.6"},"name":"authentik-rke-dev-redis-master","namespace":"authentik-rke-dev"},"spec":{"replicas":1,"selector":{"matchLabels":{"app.kubernetes.io/component":"master","app.kubernetes.io/instance":"authentik-rke-dev","app.kubernetes.io/name":"redis"}},"serviceName":"authentik-rke-dev-redis-headless","template":{"metadata":{"annotations":{"checksum/configmap":"e3d798c2426b7e8af3b7ff62bc75c42fa2b2ce0b9697f80b0541425cf93515d2","checksum/health":"d1c98f37a2bd9bdeca53a6d909e0a29fb5fd21aea4f49db97fafcfdfce7260c4","checksum/scripts":"1fabf9e118ae712e8080d52a3043b52b069a64171519025774fff78f0bfeda30","checksum/secret":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},"labels":{"app.kubernetes.io/component":"master","app.kubernetes.io/instance":"authentik-rke-dev","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"redis","helm.sh/chart":"redis-15.7.6"}},"spec":{"affinity":{"nodeAffinity":null,"podAffinity":null,"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"app.kubernetes.io/component":"master","app.kubernetes.io/instance":"authentik-rke-dev","app.kubernetes.io/name":"redis"}},"namespaces":["authentik-rke-dev"],"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"containers":[{"args":["-c","/opt/bitnami/scripts/start-scripts/start-master.sh"],"command":["/bin/bash"],"env":[{"name":"BITNAMI_DEBUG","value":"false"},{"name":"REDIS_REPLICATION_MODE","value":"master"},{"name":"ALLOW_EMPTY_PASSWORD","value":"yes"},{"name":"REDIS_TLS_ENABLED","value":"no"},{"name":"REDIS_PORT","value":"6379"}],"image":"docker.io/bitnami/redis:6.2.10-debian-11-r13","imagePullPolicy":"IfNotPresent","livenessProbe":{"exec":{"command":["sh","-c","/health/ping_liveness_local.sh 5"]},"failureThreshold":5,"initialDelaySeconds":20,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":6},"name":"redis","ports":[{"containerPort":6379,"name":"redis"}],"readinessProbe":{"exec":{"command":["sh","-c","/health/ping_readiness_local.sh 1"]},"failureThreshold":5,"initialDelaySeconds":20,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":2},"resources":{"limits":{},"requests":{}},"securityContext":{"runAsUser":1001},"volumeMounts":[{"mountPath":"/opt/bitnami/scripts/start-scripts","name":"start-scripts"},{"mountPath":"/health","name":"health"},{"mountPath":"/data","name":"redis-data","subPath":null},{"mountPath":"/opt/bitnami/redis/mounted-etc","name":"config"},{"mountPath":"/opt/bitnami/redis/etc/","name":"redis-tmp-conf"},{"mountPath":"/tmp","name":"tmp"}]}],"securityContext":{"fsGroup":1001},"serviceAccountName":"authentik-rke-dev-redis","terminationGracePeriodSeconds":30,"volumes":[{"configMap":{"defaultMode":493,"name":"authentik-rke-dev-redis-scripts"},"name":"start-scripts"},{"configMap":{"defaultMode":493,"name":"authentik-rke-dev-redis-health"},"name":"health"},{"configMap":{"name":"authentik-rke-dev-redis-configuration"},"name":"config"},{"emptyDir":{},"name":"redis-tmp-conf"},{"emptyDir":{},"name":"tmp"}]}},"updateStrategy":{"rollingUpdate":{},"type":"RollingUpdate"},"volumeClaimTemplates":[{"metadata":{"labels":{"app.kubernetes.io/component":"master","app.kubernetes.io/instance":"authentik-rke-dev","app.kubernetes.io/name":"redis"},"name":"redis-data"},"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"8Gi"}}}}]}}
<   generation: 3
<   labels:
<     app.kubernetes.io/component: master
<     app.kubernetes.io/instance: authentik-rke-dev
<     app.kubernetes.io/managed-by: Helm
<     app.kubernetes.io/name: redis
<     helm.sh/chart: redis-15.7.6
<   managedFields:
<   - apiVersion: apps/v1
<     fieldsType: FieldsV1
<     fieldsV1:
<       f:metadata:
<         f:annotations:
<           .: {}
<           f:kubectl.kubernetes.io/last-applied-configuration: {}
<         f:labels:
<           .: {}
<           f:app.kubernetes.io/component: {}
<           f:app.kubernetes.io/instance: {}
<           f:app.kubernetes.io/managed-by: {}
<           f:app.kubernetes.io/name: {}
<           f:helm.sh/chart: {}
<       f:spec:
<         f:podManagementPolicy: {}
<         f:revisionHistoryLimit: {}
<         f:selector: {}
<         f:serviceName: {}
<         f:template:
<           f:metadata:
<             f:annotations:
<               .: {}
<               f:checksum/configmap: {}
<               f:checksum/health: {}
<               f:checksum/scripts: {}
<               f:checksum/secret: {}
<             f:labels:
<               .: {}
<               f:app.kubernetes.io/component: {}
<               f:app.kubernetes.io/instance: {}
<               f:app.kubernetes.io/managed-by: {}
<               f:app.kubernetes.io/name: {}
<               f:helm.sh/chart: {}
<           f:spec:
<             f:affinity:
<               .: {}
<               f:podAntiAffinity:
<                 .: {}
<                 f:preferredDuringSchedulingIgnoredDuringExecution: {}
<             f:containers:
<               k:{"name":"redis"}:
<                 .: {}
<                 f:args: {}
<                 f:command: {}
<                 f:env:
<                   .: {}
<                   k:{"name":"ALLOW_EMPTY_PASSWORD"}:
<                     .: {}
<                     f:name: {}
<                     f:value: {}
<                   k:{"name":"BITNAMI_DEBUG"}:
<                     .: {}
<                     f:name: {}
<                     f:value: {}
<                   k:{"name":"REDIS_PORT"}:
<                     .: {}
<                     f:name: {}
<                     f:value: {}
<                   k:{"name":"REDIS_REPLICATION_MODE"}:
<                     .: {}
<                     f:name: {}
<                     f:value: {}
<                   k:{"name":"REDIS_TLS_ENABLED"}:
<                     .: {}
<                     f:name: {}
<                     f:value: {}
<                 f:image: {}
<                 f:imagePullPolicy: {}
<                 f:livenessProbe:
<                   .: {}
<                   f:exec:
<                     .: {}
<                     f:command: {}
<                   f:failureThreshold: {}
<                   f:initialDelaySeconds: {}
<                   f:periodSeconds: {}
<                   f:successThreshold: {}
<                   f:timeoutSeconds: {}
<                 f:name: {}
<                 f:ports:
<                   .: {}
<                   k:{"containerPort":6379,"protocol":"TCP"}:
<                     .: {}
<                     f:containerPort: {}
<                     f:name: {}
<                     f:protocol: {}
<                 f:readinessProbe:
<                   .: {}
<                   f:exec:
<                     .: {}
<                     f:command: {}
<                   f:failureThreshold: {}
<                   f:initialDelaySeconds: {}
<                   f:periodSeconds: {}
<                   f:successThreshold: {}
<                   f:timeoutSeconds: {}
<                 f:resources: {}
<                 f:securityContext:
<                   .: {}
<                   f:runAsUser: {}
<                 f:terminationMessagePath: {}
<                 f:terminationMessagePolicy: {}
<                 f:volumeMounts:
<                   .: {}
<                   k:{"mountPath":"/data"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<                   k:{"mountPath":"/health"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<                   k:{"mountPath":"/opt/bitnami/redis/etc/"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<                   k:{"mountPath":"/opt/bitnami/redis/mounted-etc"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<                   k:{"mountPath":"/opt/bitnami/scripts/start-scripts"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<                   k:{"mountPath":"/tmp"}:
<                     .: {}
<                     f:mountPath: {}
<                     f:name: {}
<             f:dnsPolicy: {}
<             f:restartPolicy: {}
<             f:schedulerName: {}
<             f:securityContext:
<               .: {}
<               f:fsGroup: {}
<             f:serviceAccount: {}
<             f:serviceAccountName: {}
<             f:terminationGracePeriodSeconds: {}
<             f:volumes:
<               .: {}
<               k:{"name":"config"}:
<                 .: {}
<                 f:configMap:
<                   .: {}
<                   f:defaultMode: {}
<                   f:name: {}
<                 f:name: {}
<               k:{"name":"health"}:
<                 .: {}
<                 f:configMap:
<                   .: {}
<                   f:defaultMode: {}
<                   f:name: {}
<                 f:name: {}
<               k:{"name":"redis-tmp-conf"}:
<                 .: {}
<                 f:emptyDir: {}
<                 f:name: {}
<               k:{"name":"start-scripts"}:
<                 .: {}
<                 f:configMap:
<                   .: {}
<                   f:defaultMode: {}
<                   f:name: {}
<                 f:name: {}
<               k:{"name":"tmp"}:
<                 .: {}
<                 f:emptyDir: {}
<                 f:name: {}
<         f:updateStrategy:
<           f:rollingUpdate:
<             .: {}
<             f:partition: {}
<           f:type: {}
<         f:volumeClaimTemplates: {}
<     manager: argocd-controller
<     operation: Update
<     time: "2024-06-14T19:25:28Z"
<   - apiVersion: apps/v1
<     fieldsType: FieldsV1
<     fieldsV1:
<       f:status:
<         f:availableReplicas: {}
<         f:collisionCount: {}
<         f:currentReplicas: {}
<         f:currentRevision: {}
<         f:observedGeneration: {}
<         f:readyReplicas: {}
<         f:replicas: {}
<         f:updateRevision: {}
<         f:updatedReplicas: {}
<     manager: kube-controller-manager
<     operation: Update
<     subresource: status
<     time: "2024-06-14T21:02:20Z"
<   name: authentik-rke-dev-redis-master
<   namespace: authentik-rke-dev
<   resourceVersion: "378141239"
<   uid: 0d784fc1-b9f8-4dcb-a0f7-66cd4ea1051f
< spec:
<   podManagementPolicy: OrderedReady
<   replicas: 1
<   revisionHistoryLimit: 10
<   selector:
<     matchLabels:
<       app.kubernetes.io/component: master
<       app.kubernetes.io/instance: authentik-rke-dev
<       app.kubernetes.io/name: redis
<   serviceName: authentik-rke-dev-redis-headless
<   template:
<     metadata:
<       annotations:
<         checksum/configmap: e3d798c2426b7e8af3b7ff62bc75c42fa2b2ce0b9697f80b0541425cf93515d2
<         checksum/health: d1c98f37a2bd9bdeca53a6d909e0a29fb5fd21aea4f49db97fafcfdfce7260c4
<         checksum/scripts: 1fabf9e118ae712e8080d52a3043b52b069a64171519025774fff78f0bfeda30
<         checksum/secret: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
<       creationTimestamp: null
<       labels:
<         app.kubernetes.io/component: master
<         app.kubernetes.io/instance: authentik-rke-dev
<         app.kubernetes.io/managed-by: Helm
<         app.kubernetes.io/name: redis
<         helm.sh/chart: redis-15.7.6
<     spec:
<       affinity:
<         podAntiAffinity:
<           preferredDuringSchedulingIgnoredDuringExecution:
<           - podAffinityTerm:
<               labelSelector:
<                 matchLabels:
<                   app.kubernetes.io/component: master
<                   app.kubernetes.io/instance: authentik-rke-dev
<                   app.kubernetes.io/name: redis
<               namespaces:
<               - authentik-rke-dev
<               topologyKey: kubernetes.io/hostname
<             weight: 1
<       containers:
<       - args:
<         - -c
<         - /opt/bitnami/scripts/start-scripts/start-master.sh
<         command:
<         - /bin/bash
<         env:
<         - name: BITNAMI_DEBUG
<           value: "false"
<         - name: REDIS_REPLICATION_MODE
<           value: master
<         - name: ALLOW_EMPTY_PASSWORD
<           value: "yes"
<         - name: REDIS_TLS_ENABLED
<           value: "no"
<         - name: REDIS_PORT
<           value: "6379"
<         image: docker.io/bitnami/redis:6.2.10-debian-11-r13
<         imagePullPolicy: IfNotPresent
<         livenessProbe:
<           exec:
<             command:
<             - sh
<             - -c
<             - /health/ping_liveness_local.sh 5
<           failureThreshold: 5
<           initialDelaySeconds: 20
<           periodSeconds: 5
<           successThreshold: 1
<           timeoutSeconds: 6
<         name: redis
<         ports:
<         - containerPort: 6379
<           name: redis
<           protocol: TCP
<         readinessProbe:
<           exec:
<             command:
<             - sh
<             - -c
<             - /health/ping_readiness_local.sh 1
<           failureThreshold: 5
<           initialDelaySeconds: 20
<           periodSeconds: 5
<           successThreshold: 1
<           timeoutSeconds: 2
<         resources: {}
<         securityContext:
<           runAsUser: 1001
<         terminationMessagePath: /dev/termination-log
<         terminationMessagePolicy: File
<         volumeMounts:
<         - mountPath: /opt/bitnami/scripts/start-scripts
<           name: start-scripts
<         - mountPath: /health
<           name: health
<         - mountPath: /data
<           name: redis-data
<         - mountPath: /opt/bitnami/redis/mounted-etc
<           name: config
<         - mountPath: /opt/bitnami/redis/etc/
<           name: redis-tmp-conf
<         - mountPath: /tmp
<           name: tmp
<       dnsPolicy: ClusterFirst
<       restartPolicy: Always
<       schedulerName: default-scheduler
<       securityContext:
<         fsGroup: 1001
<       serviceAccount: authentik-rke-dev-redis
<       serviceAccountName: authentik-rke-dev-redis
<       terminationGracePeriodSeconds: 30
<       volumes:
<       - configMap:
<           defaultMode: 493
<           name: authentik-rke-dev-redis-scripts
<         name: start-scripts
<       - configMap:
<           defaultMode: 493
<           name: authentik-rke-dev-redis-health
<         name: health
<       - configMap:
<           defaultMode: 420
<           name: authentik-rke-dev-redis-configuration
<         name: config
<       - emptyDir: {}
<         name: redis-tmp-conf
<       - emptyDir: {}
<         name: tmp
<   updateStrategy:
<     rollingUpdate:
<       partition: 0
<     type: RollingUpdate
<   volumeClaimTemplates:
<   - apiVersion: v1
<     kind: PersistentVolumeClaim
<     metadata:
<       creationTimestamp: null
<       labels:
<         app.kubernetes.io/component: master
<         app.kubernetes.io/instance: authentik-rke-dev
<         app.kubernetes.io/name: redis
<       name: redis-data
<     spec:
<       accessModes:
<       - ReadWriteOnce
<       resources:
<         requests:
<           storage: 8Gi
<       volumeMode: Filesystem
<     status:
<       phase: Pending
< status:
<   availableReplicas: 1
<   collisionCount: 0
<   currentReplicas: 1
<   currentRevision: authentik-rke-dev-redis-master-856b54c949
<   observedGeneration: 3
<   readyReplicas: 1
<   replicas: 1
<   updateRevision: authentik-rke-dev-redis-master-856b54c949
<   updatedReplicas: 1

Removing redis unblock the upgrade, but the server is looking for redis in loop and failed to start

{"event": "Redis Connection failed, retrying... (Error -3 connecting to authentik-rke-dev-redis-master:6379. Temporary failure in name resolution.)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1718336817.1424649, "redis_url": "redis://:@authentik-rke-dev-redis-master:6379/0"}
{"event": "Redis Connection failed, retrying... (Error -3 connecting to authentik-rke-dev-redis-master:6379. Temporary failure in name resolution.)", "level": "info", "logger": "authentik.lib.config", "timestamp": 1718336818.1951334, "redis_url": "redis://:@authentik-rke-dev-redis-master:6379/0"}
@thinkhead
Copy link
Author

Just tested a new version with a cluster at v1.27.16+rke2r1, the same error. but I think I found the problem

helm repo add authentik https://charts.goauthentik.io
helm repo update
helm template  --values values.yaml -n authentik-rke-dev  --version 2024.4.2   authentik authentik/authentik --debug
Error: YAML parse error on authentik/charts/redis/templates/master/application.yaml: error converting YAML to JSON: yaml: line 40: mapping values are not allowed in this context
helm.go:84: [debug] error converting YAML to JSON: yaml: line 40: mapping values are not allowed in this context
YAML parse error on authentik/charts/redis/templates/master/application.yaml
helm.sh/helm/v3/pkg/releaseutil.(*manifestFile).sort
        helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:146
helm.sh/helm/v3/pkg/releaseutil.SortManifests
        helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:106
helm.sh/helm/v3/pkg/action.(*Configuration).renderResources
        helm.sh/helm/v3/pkg/action/action.go:170
helm.sh/helm/v3/pkg/action.(*Install).RunWithContext
        helm.sh/helm/v3/pkg/action/install.go:262
main.runInstall
        helm.sh/helm/v3/cmd/helm/install.go:280
main.newTemplateCmd.func2
        helm.sh/helm/v3/cmd/helm/template.go:82
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/[email protected]/command.go:916
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/[email protected]/command.go:1044
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/[email protected]/command.go:968
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1571

A look at the file in question and we can see a few empty line after spec and helm dosen't see to like it:

# Source: authentik/charts/redis/templates/master/application.yaml

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: authentik-redis-master
  namespace: "authentik-rke-dev"
  labels:
    app.kubernetes.io/instance: authentik
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: redis
    app.kubernetes.io/version: 7.2.3
    helm.sh/chart: redis-18.6.1
    app.kubernetes.io/component: master
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: authentik
      app.kubernetes.io/name: redis
      app.kubernetes.io/component: master
  serviceName: authentik-redis-headless
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: authentik
        app.kubernetes.io/managed-by: Helm
        app.kubernetes.io/name: redis
        app.kubernetes.io/version: 7.2.3
        helm.sh/chart: redis-18.6.1
        app.kubernetes.io/component: master
      annotations:
        checksum/configmap: 86bcc953bb473748a3d3dc60b7c11f34e60c93519234d4c37f42e22ada559d47
        checksum/health: aff24913d801436ea469d8d374b2ddb3ec4c43ee7ab24663d5f8ff1a1b6991a9
        checksum/scripts: 43cdf68c28f3abe25ce017a82f74dbf2437d1900fd69df51a55a3edf6193d141
        checksum/secret: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    spec:
<--- Here
      imagePullSecrets:
        - name: name: image-pull-secret
      securityContext:
        fsGroup: 1001
      serviceAccountName: authentik-redis
      automountServiceAccountToken: true
      affinity:
        podAffinity:
<--- Here
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/instance: authentik
                    app.kubernetes.io/name: redis
                    app.kubernetes.io/component: master
                topologyKey: kubernetes.io/hostname
              weight: 1
        nodeAffinity:
<--- Here
      enableServiceLinks: true
      terminationGracePeriodSeconds: 30
      containers:
        - name: redis
          image: registry-1.docker.io/bitnami/redis:7.2.3-debian-11-r2
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            runAsGroup: 0
            runAsNonRoot: true
            runAsUser: 1001
            seccompProfile:
              type: RuntimeDefault
          command:
            - /bin/bash
          args:
            - -c
            - /opt/bitnami/scripts/start-scripts/start-master.sh
          env:
            - name: BITNAMI_DEBUG
              value: "false"
            - name: REDIS_REPLICATION_MODE
              value: master
            - name: ALLOW_EMPTY_PASSWORD
              value: "yes"
            - name: REDIS_TLS_ENABLED
              value: "no"
            - name: REDIS_PORT
              value: "6379"
          ports:
            - name: redis
              containerPort: 6379
          livenessProbe:
            initialDelaySeconds: 20
            periodSeconds: 5
            # One second longer than command timeout should prevent generation of zombie processes.
            timeoutSeconds: 6
            successThreshold: 1
            failureThreshold: 5
            exec:
              command:
                - sh
                - -c
                - /health/ping_liveness_local.sh 5
          readinessProbe:
            initialDelaySeconds: 20
            periodSeconds: 5
            timeoutSeconds: 2
            successThreshold: 1
            failureThreshold: 5
            exec:
              command:
                - sh
                - -c
                - /health/ping_readiness_local.sh 1
          resources:
            limits: {}
            requests: {}
          volumeMounts:
            - name: start-scripts
              mountPath: /opt/bitnami/scripts/start-scripts
            - name: health
              mountPath: /health
            - name: redis-data
              mountPath: /data
            - name: config
              mountPath: /opt/bitnami/redis/mounted-etc
            - name: redis-tmp-conf
              mountPath: /opt/bitnami/redis/etc/
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: start-scripts
          configMap:
            name: authentik-redis-scripts
            defaultMode: 0755
        - name: health
          configMap:
            name: authentik-redis-health
            defaultMode: 0755
        - name: config
          configMap:
            name: authentik-redis-configuration
        - name: redis-tmp-conf
          emptyDir: {}
        - name: tmp
          emptyDir: {}
  volumeClaimTemplates:
    - apiVersion: v1
      kind: PersistentVolumeClaim
      metadata:
        name: redis-data
        labels:
          app.kubernetes.io/instance: authentik
          app.kubernetes.io/name: redis
          app.kubernetes.io/component: master
      spec:
        accessModes:
          - "ReadWriteOnce"
        resources:
          requests:
            storage: "8Gi"

After a few tweek and not using the global imagePullSecrets it work:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  name: authentik
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: tools
  destination:
    namespace: authentik-rke-dev
    name: rke-dev
  source:
    repoURL: 'https://charts.goauthentik.io'
    targetRevision: 2024.2.3
    chart: authentik
    helm:
      values: |
        redis:
          enabled: true
        server:
          imagePullSecrets:
            - name: 'image-pull-secret'
          serviceMonitor:
            enabled: true
          replicas: 3
          ingress:
            enabled: true
            annotations:
              kubernetes.io/ingress.class: nginx
            hosts:
              - xxxxxx
            paths:
              - /
            pathType: Prefix
            tls:
              - secretName: xxxxx-tls
                hosts:
                  - xxxxx
          revisionHistoryLimit: 3
        worker:
          replicas: 3
          imagePullSecrets:
            - name: 'image-pull-secret'
        geoip:
          enabled: true
          accountId: "****"
          licenseKey: "***"
        authentik:
          secret_key: "********"
          postgresql:
            password: "********"
        prometheus:
          rules:
            enabled: true
        postgresql:
          enabled: true
          auth:
            password: "**********"
          primary:
            persistence:
              enabled: true
              storageClass: longhorn
              accessModes:
                - ReadWriteOnce
  syncPolicy:
    automated: 
      prune: true 
      selfHeal: true 
      allowEmpty: false 
    syncOptions: 
    - CreateNamespace=true
    retry:
      limit: 0

The problem is with the global imagePullSecrets, but I can't figured out were the error is in the templating.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@thinkhead