helm install with default values fails

If you don't override the default values, more specifically, if you don't specify wpSalts.WP_CRON_CONTROL_SECRET, the helm install command fails.

It give you this very helpful error message:

Error: template: wordpress/templates/statefulset.yaml:25:28: executing "wordpress/templates/statefulset.yaml" at <include (print $.Template.BasePath "/secrets.yaml") .>: error calling include: template: wordpress/templates/secrets.yaml:12:23: executing "wordpress/templates/secrets.yaml" at <tpl .Values.ansibleSecrets .>: error calling tpl: error during tpl function execution for "BACKUP_NAME: {{ .Release.Name }}\nBACKUP_TARGET: {{ .Values.backup.target }}\nDB_HOST: {{ .Release.Name }}-database\nDB_NAME: {{ .Values.database.db.name }}\nDB_PASS: {{ .Values.database.db.password }}\nDB_PREFIX: {{ .Values.wordpress.config.db.prefix}}\nDB_USER: {{ .Values.database.db.user }}\nLANGUAGES: {{ .Values.wordpress.site.languages }}\nDEFAULT_LANG: {{ .Values.wordpress.site.default_language }}\nWP_CONTENT_MOUNT: {{ .Values.wordpress.wp_content.mount_path }}\nWP_CONTENT_REPO_CONTENT_DIR: {{ .Values.git_repo.wp_content_dir }}\nWP_CONTENT_REPO_ENABLED: {{ .Values.git_repo.enabled }}\nWP_CONTENT_REPO_URL: https://{{ .Values.git_repo.token_user }}:{{ .Values.git_repo.token_key }}@{{ .Values.git_repo.url }}{{ .Values.git_repo.name }}\nWP_OPENID_CONNECT_ROLE_MAPPING_ENABLED: {{ .Values.openid_connect_settings.role_mapping_enabled }}\nWP_CONTENT_REPO_VERSION: {{ .Values.git_repo.version }}\nWP_DEBUG: {{ .Values.wordpress.site.debug }}\nWP_EMAIL: {{ .Values.wordpress.config.adm.email }}\nWP_PASS: {{ .Values.wordpress.config.adm.pssw }}\nWP_REDIS_ENABLED: {{ .Values.redis.enabled }}\nWP_REDIS_HOST: {{ .Release.Name }}-redis-master\nWP_REDIS_PASSWORD: {{ .Values.redis.password | default ( randAlphaNum 15 ) }}\nWP_THEME_ACTIVE: {{ .Values.wordpress.theme_active }}\nWP_THEMES_INSTALL: {{ .Values.wordpress.themes_install }}\nWP_THEME_FALLBACK: {{ .Values.wordpress.theme_fallback }}\nWP_TITLE: {{ .Values.wordpress.site.title }}\nWP_UPLOAD_DIR: {{ .Values.wordpress.wp_upload.mount_path }}\nWP_URL: {{ .Values.wordpress.site.url }}\nWP_USER: {{ .Values.wordpress.config.adm.usid }}\nWP_VERSION: {{ .Values.wordpress.site.version }}\nWP_ALT_ENABLED: {{ .Values.wordpress.site.alt.enabled }}\nWP_ALT_CONFIG: {{ .Values.wordpress.site.alt.config }}\nWP_ALT_PATH: {{ .Values.wordpress.site.alt.path }}\nWP_DIR_MODE: {{ .Values.wordpress.permissions.directory_mode }}\nWP_FILES_MODE: {{ .Values.wordpress.permissions.files_mode }}\nWP_MU_PLUGINS_ENABLED: {{ .Values.wordpress.mu_plugins_enabled }}\nWP_MU_PLUGINS_DIR: {{ .Values.wordpress.mu_plugins_dir }}\nWP_MU_PLUGINS: {{ .Values.wordpress.mu_plugins | toJson }}\nWP_MU_CRON_ENABLED: {{ .Values.wordpress.mu_cron.enabled }}\nWP_MU_CRON_SETTINGS: {{ .Values.wordpress.mu_cron | toJson }}\nWP_MULTILINGUAL_ENABLED: {{ .Values.wordpress.site.multilingual.enabled }}\nWP_MULTILINGUAL_PLUGINS: {{ .Values.wordpress.site.multilingual.plugins }}\nWP_MULTILINGUAL_CONFIG: {{ quote .Values.wordpress.site.multilingual.config }}\nWP_OPENID_CONNECT_ENABLED: {{ .Values.openid_connect_settings.enabled }}\nWP_OPENID_CONNECT_SETTINGS:\n  alternate_redirect_uri: {{ .Values.openid_connect_settings.alternate_redirect_uri }}\n  client_id: {{ .Values.openid_connect_settings.client_id }}\n  client_secret: {{ .Values.openid_connect_settings.client_secret }}\n  displayname_format: {{ .Values.openid_connect_settings.displayname_format }}\n  email_format: {{ .Values.openid_connect_settings.email_format }}\n  enable_logging: {{ .Values.openid_connect_settings.enable_logging }}\n  endpoint_end_session: {{ .Values.openid_connect_settings.endpoint_end_session }}\n  endpoint_login: {{ .Values.openid_connect_settings.endpoint_login }}\n  endpoint_token: {{ .Values.openid_connect_settings.endpoint_token }}\n  endpoint_userinfo: {{ .Values.openid_connect_settings.endpoint_userinfo }}\n  enforce_privacy: {{ .Values.openid_connect_settings.enforce_privacy }}\n  http_request_timeout: {{ .Values.openid_connect_settings.http_request_timeout }}\n  identify_with_username: {{ .Values.openid_connect_settings.identify_with_username }}\n  identity_key: {{ .Values.openid_connect_settings.identity_key }}\n  link_existing_users: {{ .Values.openid_connect_settings.link_existing_users }}\n  login_type: {{ .Values.openid_connect_settings.login_type }}\n  log_limit: {{ .Values.openid_connect_settings.log_limit }}\n  nickname_key: {{ .Values.openid_connect_settings.nickname_key }}\n  no_sslverify: {{ .Values.openid_connect_settings.no_sslverify }}\n  redirect_on_logout: {{ .Values.openid_connect_settings.redirect_on_logout }}\n  redirect_user_back: {{ .Values.openid_connect_settings.redirect_user_back }}\n  scope: {{ .Values.openid_connect_settings.scope }}\n  state_time_limit: {{ .Values.openid_connect_settings.state_time_limit }}\n  role_key: {{ .Values.openid_connect_settings.role_key }}\n\nWP_SALTS:\n  AUTH_KEY: {{ .Values.wpSalts.AUTH_KEY | default ( randAlphaNum 32) }}\n  AUTH_SALT: {{ .Values.wpSalts.AUTH_SALT | default ( randAlphaNum 32) }}\n  LOGGED_IN_KEY: {{ .Values.wpSalts.LOGGED_IN_KEY | default ( randAlphaNum 32) }}\n  LOGGED_IN_SALT: {{ .Values.wpSalts.LOGGED_IN_SALT | default ( randAlphaNum 32) }}\n  NONCE_KEY: {{ .Values.wpSalts.NONCE_KEY | default ( randAlphaNum 32) }}\n  NONCE_SALT: {{ .Values.wpSalts.NONCE_SALT | default ( randAlphaNum 32) }}\n  SECURE_AUTH_KEY: {{ .Values.wpSalts.SECURE_AUTH_KEY | default ( randAlphaNum 32) }}\n  SECURE_AUTH_SALT: {{ .Values.wpSalts.SECURE_AUTH_SALT | default ( randAlphaNum 32) }}\n  WP_CACHE_KEY_SALT: {{ .Values.wpSalts.WP_CACHE_KEY_SALT | default ( randAlphaNum 32) }}\n  WP_CRON_CONTROL_SECRET: {{ .Values.wpSalts.WP_CRON_CONTROL_SECRET | default ( randAlphaNum 32) }}\n": template: wordpress/templates/statefulset.yaml:71:22: executing "wordpress/templates/statefulset.yaml" at <.Values.wpSalts.AUTH_KEY>: nil pointer evaluating interface {}.AUTH_KEY

The culprit is WP_CRON_CONTROL_SECRET, because we need it in templates/cronjob.yaml. It would be nicest if we can find a way of generating the secret and still have it available in templates/cronjob.yaml as well as in the ansibleSecrets variable.

If I recall correctly, setting wpSalts: {} makes helm happy and should generate a random secret. So I think we only need to add such a line to values.yaml.

That would really surprise me. Are you sure you set wpSalts: {} and at the same time activated mu_cron? Because the problem is the fact that wpSalts.WP_CRON_CONTROL_SECRET does not exist. Helm does not generate random strings for variables that don't exist, that would be super weird.

TBH, revisiting this issue a month later I think mu_cron should be disabled by default. Then people won't run into this problem either.

Are you sure you set wpSalts: {} and at the same time activated mu_cron?

If mu_cron is enabled by default, then yes. With these values it works:

wordpress:
  config:
    db:
      prefix: wp_
    adm:
      usid: admin
      pssw: REDACTED
  site:
    default_language: en_US
    url: "http://testkubes.MYDOMAIN"
    title: "Wordpress on testkubes"

database:
  db:
    user: wordpress
    password: REDACTED
  rootUser:
    password: REDACTED
  replication:
    password: REDACTED

ingress:
  enabled: true
  path: /
  hosts:
    - testkubes.MYDOMAIN

wpSalts: {}

And removing the wpSalts: {} breaks it.

Because the problem is the fact that wpSalts.WP_CRON_CONTROL_SECRET does not exist. Helm does not generate random strings for variables that don't exist, that would be super weird.

Not by itself of course, but we instruct helm to do exactly that. From values.yaml:

WP_CRON_CONTROL_SECRET: {{ .Values.wpSalts.`WP_CRON_CONTROL_SECRET` | default ( randAlphaNum 32) }}

So it takes the wpSalts.WP_CRON_CONTROL_SECRET if present, and otherwise generates a random string. The only problem with this is that apparently the default function can handle an unset variable, but the "branches" in the variable name structure still have to exist, in this case wpSalts.

It's all coming back to me

With your suggestion helm doesn't fail during installation, but the cronjobs will fail because they don't have access to the secret that was generated by templates/secrets.yaml when templating the WP_CRON_CONTROL_SECRET template string.

Hm right. So if we want to generate a random value, it should be in the default value definition so both usage sites pick up the same thing. I'm not sure that is even possible: you can't use template functions in values.yaml by default, unless you use tpl in the value's usage sites but then I suspect it will generate a different random secret for every usage site .

Also, searching for information I found this:

There are functions in Helm that allow you to generate random data, cryptographic keys, and so on. These are fine to use. But be aware that during upgrades, templates are re-executed. When a template run generates data that differs from the last run, that will trigger an update of that resource.

Do you think the init container will overwrite the WordPress setting if it's run again with a different salt value? If not, letting Helm generate a random value will fail on upgrade for this reason.

Edit: something like this could work to prevent regenerating passwords/salts on upgrades. I'm not sure if it also fixes the problem of generating two different values in two usage sites, I think it actually might (depends on how helm does variable scoping in template functions) but we'd have to try it to be sure.

Another solutions that's easier for us chart authors is to always require this value to be set explicitly on helm install. For permanent installations that's actually what you'd want anyway, only for ephemeral/testing installs it's somewhat of a burden on the chart user (also mostly us ;-) ).

The value of this secret is actually also super unimportant. mu_cron needs it to be set and the client wanted it to not be the same for each installation, but the endpoint that you need to provide the secret to is only available in the Kubernetes internal network, so you can't do a DoS on it from the outside.

So I'd opt for the easy option of requiring it to be defined. But only if mu_cron is on. And mu_cron should be off by default IMO.

Ran into this again today on a fresh install. I believe the best short-term solution is to add wpSalts: {} to values-local.yaml.example so new users don't have to find this issue before creating their own workaround (such as hardcoding the salts). Here's what I'm adding to my values-local.yaml file when getting started:

# WORKAROUND
# BUG: https://open.greenhost.net/openappstack/wordpress-helm/-/issues/54
wpSalts: {}

I'd prefer if I didn't have to do this.

You can fix this by setting wpSalts: {} but only if you don't use mu_cron. I can't add this to values.yaml because it will break mu_cron.

Instead, I propose moving the WP_CRON_CONTROL_SECRET variable from the wpSalts to the mu_cron settings. That way it is also easier for the user to see that they need to set a WP_CRON_CONTROL_SECRET when they do enable mu_cron.

Background: mu_cron is a plugin that uses the Kubernetes cronjobs to run the WordPress cron endpoint every once in a while. It uses curl to access a cron endpoint and supplies a secret so that not everyone can use the endpoint to start cronjobs. Even though the endpoint is only available on the Kubernetes internal network, it's best to use a random secret. As far as I can see we can't let Helm set a random secret, so the user will have to choose one themself.

You can fix this by setting wpSalts: {} but only if you don't use mu_cron.

Ah, that explains my cron jobs are failing under k3s. I do want mu_cron so I'm glad it was failing loudly, leading me to this issue. I'll work on the proposed refactoring in a fork of my mirror and let you know when I have something reviewable.

BTW another tutorial using this chart. This one a microtutorial: https://habd.as/post/deadsimple-wordpress-kubernetes/

@balibebas please note that I already did the necessary refactoring in !29 (merged), it's under review at the moment.

mentioned in merge request !27 (merged)

mentioned in issue #62 (closed)

created merge request !29 (merged) to address this issue

mentioned in merge request !29 (merged)

closed with merge request !29 (merged)

mentioned in commit d6ffe670