feat: add debug pod

README.md

@@ -67,6 +67,27 @@ for k8sresourcetype in job configmap secret rolebinding role serviceaccount; do
 done
 ```
 
+## Troubleshooting
+
+### Debug Pod
+
+For troubleshooting, you can deploy a debug pod by setting the `zitadel.debug.enabled` property to `true`.
+You can then use this pod to inspect the ZITADEL configuration and run zitadel commands using the zitadel binary.
+For more information, print the debug pods logs using something like the following command:
+
+```bash 
+kubectl logs rs/my-zitadel-debug
+``` 
+
+### migration already started, will check again in 5 seconds
+
+If you see this error message in the logs of the setup job, you need to reset the last migration step once you resolved the issue.
+To do so, start a [debug pod](#debug-pod) and run something like the following command:
+
+```bash
+kubectl exec -it my-zitadel-debug -- zitadel setup cleanup --config /config/zitadel-config-yaml
+```
+
 ## Contributing
 
 Lint the chart:

charts/zitadel/Chart.yaml

@@ -3,7 +3,7 @@ name: zitadel
 description: A Helm chart for ZITADEL
 type: application
 appVersion: "v2.46.0"
-version: 7.9.2
+version: 7.10.0
 kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:

charts/zitadel/templates/_helpers.tpl

@@ -48,6 +48,14 @@ app.kubernetes.io/name: {{ include "zitadel.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+{{/*
+Debug Selector labels
+*/}}
+{{- define "zitadel.debugSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "zitadel.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}-debug
+{{- end }}
+
 {{/*
 Create the name of the service account to use
 */}}

charts/zitadel/templates/debug_replicaset.yaml

@@ -0,0 +1,149 @@
+{{- if .Values.zitadel.debug.enabled }}
+apiVersion: apps/v1
+kind: ReplicaSet
+metadata:
+  name: "{{ include "zitadel.fullname" . }}-debug"
+  labels:
+    app.kubernetes.io/component: debug
+  {{- with .Values.zitadel.debug.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "zitadel.debugSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/secret-db-ssl-root-crt: {{ include (print $.Template.BasePath "/secret_db-ssl-root-crt.yaml") . | sha256sum }}
+        checksum/secret-zitadel-secrets: {{ include (print $.Template.BasePath "/secret_zitadel-secrets.yaml") . | sha256sum }}
+      labels:
+        {{- include "zitadel.debugSelectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "zitadel.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      enableServiceLinks: false
+      containers:
+        - name: "{{ .Chart.Name }}-debug"
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 14 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}-debug"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command: [ "/bin/bash", "-c", 'echo "You can now open a shell within this pod by running the following command:"; echo ""; echo "kubectl --namespace {{ .Release.Namespace }} exec -it ${HOSTNAME} -- bash"; echo ""; echo "Check the directories /config and /.secrets for ZITADEL config files"; echo "also check the ZITADEL_ prefixed environment variables"; echo "For zitadel commands that need the masterkey, pass the flag --masterkeyFromEnv"; echo "this pod completes automatically in a day"; echo "Make sure you set zitadel.debug.enabled to false and upgrade the release when you are done"; echo "Also, delete the debug pods replica set by running the following command:"; echo; echo "kubectl --namespace {{ .Release.Namespace }} delete replicaset {{ include "zitadel.fullname" . }}-debug"; sleep 86400' ]
+          env:
+            - name: ZITADEL_MASTERKEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ default "zitadel-masterkey" .Values.zitadel.masterkeySecretName }}
+                  key: masterkey
+            - name: ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
+              value: "/machinekey/sa.json"
+            {{- $dbEnv := get (include "zitadel.dbkey.json" . | fromJson) "env" }}
+            {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
+            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_ROOTCERT
+              value: /.secrets/db-ssl-ca-crt/ca.crt
+            {{- end }}
+            {{- if .Values.zitadel.dbSslUserCrtSecret }}
+            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_CERT
+              value: /.secrets/db-ssl-user-crt/tls.crt
+            - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
+              value: /.secrets/db-ssl-user-crt/tls.key
+            {{- end}}
+            {{- with .Values.env }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+          volumeMounts:
+          - name: zitadel-config-yaml
+            mountPath: /config
+          - name: chowned-secrets
+            mountPath: /.secrets
+      {{- if or .Values.zitadel.secretConfig .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret .Values.zitadel.dbSslUserCrtSecret .Values.zitadel.configSecretName }}
+      initContainers:
+        - args:
+          - "{{ include "zitadel.joincpcommands" (dict "commands" (list
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.secretConfig "path" "/zitadel-secrets-yaml/" ))
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
+              (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
+              )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
+          command:
+          - sh
+          - -c
+          image: "{{ .Values.chownImage.repository }}:{{ .Values.chownImage.tag }}"
+          imagePullPolicy: {{ .Values.chownImage.pullPolicy }}
+          name: chown
+          volumeMounts:
+          - name: chowned-secrets
+            mountPath: /chowned-secrets
+          {{- if .Values.zitadel.secretConfig }}
+          - name: zitadel-secrets-yaml
+            mountPath: /zitadel-secrets-yaml
+          {{- end }}
+          {{- if .Values.zitadel.configSecretName }}
+          - name: zitadel-secret-config-yaml
+            mountPath: /zitadel-secret-config-yaml
+          {{- end }}
+          {{- if (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) }}
+          - name: db-ssl-ca-crt
+            mountPath: /db-ssl-ca-crt
+          {{- end }}
+          {{- if .Values.zitadel.dbSslUserCrtSecret }}
+          - name: db-ssl-user-crt
+            mountPath: /db-ssl-user-crt
+          {{- end }}
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+      {{- end }}
+      volumes:
+      - name: zitadel-config-yaml
+        configMap:
+          name: zitadel-config-yaml
+      {{- if .Values.zitadel.secretConfig }}
+      - name: zitadel-secrets-yaml
+        secret:
+          secretName: zitadel-secrets-yaml
+      {{- end }}
+      {{- if .Values.zitadel.configSecretName }}
+      - name: zitadel-secret-config-yaml
+        secret:
+          secretName: {{ .Values.zitadel.configSecretName }}
+      {{- end }}
+      {{- if .Values.zitadel.dbSslCaCrt }}
+      - name: db-ssl-ca-crt
+        secret:
+          secretName: db-ssl-ca-crt
+      {{- end }}
+      {{- if .Values.zitadel.dbSslCaCrtSecret }}
+      - name: db-ssl-ca-crt
+        secret:
+          secretName: {{ .Values.zitadel.dbSslCaCrtSecret }}
+      {{- end }}
+      {{- if .Values.zitadel.dbSslUserCrtSecret }}
+      - name: db-ssl-user-crt
+        secret:
+          secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
+      {{- end }}
+      - name: chowned-secrets
+        emptyDir: {}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- end }}

charts/zitadel/values.yaml

@@ -61,6 +61,16 @@ zitadel:
     enabled: false
     additionalDnsName:
 
+  # Enabling this will create a debug pod that can be used to inspect the ZITADEL configuration and run zitadel commands using the zitadel binary.
+  # This is useful for debugging and troubleshooting.
+  # After the debug pod is created, you can open a shell within the pod.
+  # See more instructions by printing the pods logs using kubectl logs [pod name].
+  debug:
+    enabled: false
+    annotations:
+      helm.sh/hook: pre-install,pre-upgrade
+      helm.sh/hook-weight: "1"
+
 replicaCount: 3
 
 image: