Charts: MySQL root password no longer valid after upgrade

Created on 15 Nov 2016 · 16Comments · Source: helm/charts

It's because the password is random generated inside the template of a secret and after each upgrade it is changed.

$ helm install stable/mysql -n foo
# ...
To get your root password run:

    printf $(printf '\%o' `kubectl get secret --namespace default foo-mysql -o jsonpath="{.data.mysql-root-password[*]}"`);echo
# ...
$ printf $(printf '\%o' `kubectl get secret --namespace default foo-mysql -o jsonpath="{.data.mysql-root-password[*]}"`);echo
SpeSUQshnK
$ helm upgrade foo stable/mysql
$ printf $(printf '\%o' `kubectl get secret --namespace default foo-mysql -o jsonpath="{.data.mysql-root-password[*]}"`);echo
EiKA8TDMp9

lifecyclrotten

Source

mstrzele

👍2

Most helpful comment

After a helm upgrade, the root password is lost and now I'm having to recover a root password.

It's probably time to stop using Helm.

arianitu on 11 Dec 2018

👍4

All 16 comments

I opened the issue above which will need to be fixed before we can react to this.

@prydonius @lachie83 any ideas on other workarounds?

viglesiasce on 15 Nov 2016

@viglesiasce currently the only workaround would be to explicitly set the same password as a value when upgrading.

prydonius on 15 Nov 2016

@viglesiasce with the above Issue linked from helm is the intention to wrap the secret yaml in a
{{ if .Release.IsInstall }}

Sensu has this same problem on upgrades as it uses the Redis chart.

sstarcher on 28 Mar 2017

and if we did the above it would delete the secrets object entirely

sstarcher on 6 Apr 2017

Thanks @sstarcher. I wonder if there's a way to tell Helm not to remove the secret on upgrade?

prydonius on 6 Apr 2017

Wouldn't it also be possible to use a job to create the secret and only run that job at install? You could use a hook to run the job before everything else too. I know it's ugly but could work?

mikesplain on 6 Apr 2017

@mikesplain hmm, you can also actually mark Secrets themselves as pre-install hooks, so you might not need a job to do that.

prydonius on 6 Apr 2017

@prydonius right but wouldn't that still have the above problem of overriding each time?

mikesplain on 6 Apr 2017

Per the documentation and a test it looks like pre-install hooks are ran every time even on upgrades.

https://github.com/kubernetes/helm/blob/9665db7d165cc4129bea2456fffa53aaed34af41/docs/charts_hooks.md#the-available-hooks

sstarcher on 6 Apr 2017

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

fejta-bot on 23 Dec 2017

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle rotten
/remove-lifecycle stale

fejta-bot on 22 Jan 2018

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 21 Feb 2018

After a helm upgrade, the root password is lost and now I'm having to recover a root password.

It's probably time to stop using Helm.

arianitu on 11 Dec 2018

👍4

this just happened to us, how do we prevent this?