[vaultwarden] Error upgrading from 1.24.0 to 1.25.0

[pieveee]

Helm chart name

k8s-at-home/vaultwarden

Helm chart version

vaultwarden-5.0.0

Container name

docker.io/vaultwarden/server:1.25.0

Container tag

1.25.0

Description

Hey there, I get the following error when upgrading Vaultwarden:

Error: UPGRADE FAILED: execution error at (vaultwarden/charts/postgresql/templates/secrets.yaml:17:24): 
PASSWORDS ERROR: The secret "vaultwarden-postgresql" does not contain the key "postgres-password"

To fix this silly problem was quite easy with editing the secret vaultwarden-postgresql and adding postgres-password:

data:
  postgres-password: BASE64_SECRET
kind: Secret

But running the Helm upgrade command again resulted in the following error:

Error: UPGRADE FAILED: cannot patch "vaultwarden-postgresql" with kind StatefulSet: StatefulSet.apps "vaultwarden-postgresql" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'template', 'updateStrategy' and 'minReadySeconds' are forbidden

Expected result

Helm installs the newer version without any error. At the moment the Status is failed:

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS  CHART                   APP VERSION
vaultwarden     vaultwarden     5               2022-07-10 18:58:41.34240906 +0200 CEST failed  vaultwarden-5.0.0       1.25.0

Helm values to reproduce

# My helm command:

helm repo update && \
    helm get values vaultwarden --output yaml --namespace=vaultwarden > vaultwarden_val.yaml && \
    helm upgrade vaultwarden k8s-at-home/vaultwarden --namespace=vaultwarden -f vaultwarden_val.yaml

Additional Information

No response

Repo link

No response

[bjw-s]

The upgrade to v5.0.0 of the vaultwarden chart was a breaking change because of the changes to the underlying database dependency charts.

Without seeing your actual Helm values it is impossible to know what you need to change. Your best bet would be to look at the upgrade notes for the underlying postgres chart: https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/

[pieveee]

@bjw-s Thank you for your input. I didn't read anything about breaking changes respectively about how to upgrade to a newer version of k8s-at-home/vaultwarden.

Vaultwarden was installed with the following values:

helm install --create-namespace -n vaultwarden vaultwarden k8s-at-home/vaultwarden \
    --set env.INVITATION_ORG_NAME='My Vault' \
    --set env.DOMAIN='https://my.example.com' \
    --set env.TZ='Europe/Zurich' \
    --set env.SIGNUPS_ALLOWED=false \
    --set env.ORG_CREATION_USERS='[email protected]' \
    --set env.TRASH_AUTO_DELETE_DAYS=180 \
    --set env.SMTP_HOST='smtp.example.com' \
    --set env.SMTP_FROM='[email protected]' \
    --set env.SMTP_FROM_NAME='My Passwords' \
    --set env.SMTP_PORT=587 \
    --set env.SMTP_USERNAME='[email protected]' \
    --set env.SMTP_PASSWORD='PASSWORD' \
    --set env.SMTP_AUTH_MECHANISM='Login' \
    --set persistence.config.enabled=true \
    --set persistence.config.storageClass='rook-ceph-block' \
    --set persistence.config.size='5Gi' \
    --set postgresql.enabled=true \
    --set postgresql.persistence.storageClass='rook-ceph-prd-block' \
    --set postgresql.postgresqlUsername='vaultwarden-admin' \
    --set postgresql.postgresqlPassword='PASSWORD'

[bjw-s]

I didn't read anything about breaking changes respectively about how to upgrade to a newer version of k8s-at-home/vaultwarden.

The vaultwarden version hasn't changed recently. The last image bump was roughly 2 months ago.
We have released a new major chart version ~10 days ago. Since we adhere to semantic versioning, every major version bump is indicative of breaking changes.

   --set postgresql.postgresqlUsername='vaultwarden-admin' \
   --set postgresql.postgresqlPassword='PASSWORD'

Your problem is in there. That is one of the values that has changed in the database dependency. They have been moved (and renamed) to the postgresql.auth subkey

[pieveee]

So the configuration changes to:

   --set auth.username='vaultwarden-admin' \
   --set auth.password='PASSWORD'

Right? But how am I supposed to upgrade only the database, as per instructions, when this chart isn't deployed directly? There is only the vaultwarden release.

[pieveee]

I was able to upgrade to the newest chart version (vaultwarden-5.0.0) with the following commands:

# Delete Statefulset
kubectl -n vaultwarden delete statefulset.apps/vaultwarden-postgresql
kubectl -n vaultwarden delete secret vaultwarden-postgresql

# Upgrade Vaultwarden
helm upgrade vaultwarden k8s-at-home/vaultwarden --namespace=vaultwarden \
  --set auth.username='PASSWORD' \
  --set auth.postgresPassword='PASSWORD' \
  --set global.postgresql.auth.username='vaultwarden-admin' \
  --set global.postgresql.auth.password='PASSWORD' \
  --set global.postgresql.auth.postgresPassword='PASSWORD' \
  --set postgresql.image.tag=11.14.0-debian-10-r28 \
  -f vaultwarden_val.yaml

I don't think this is a clean way to upgrade it, is it? The point was. that helm automatically changed the Postgres image tag to postgresql:14.4.0-debian-11-r4 instead of leaving it at postgresql:11.14.0-debian-10-r28 and that led to a failure in starting up the postgres container. I think this is related to the Chart version 11.6.12. But according to artifacthub, the newest version is 14.4.0. Presumably, I am mixing up some versions here.