S3: failed to create resource: [...] spec.template.spec.containers[1].env[22].valueFrom.secretKeyRef.key: Required value] #616

Closed
unbelauscht opened this issue Aug 4, 2024 · 6 comments · Fixed by #631
Labels: 1. to develop (Accepted and waiting to be taken care of), bug (Something isn't working), S3 (Anything to do with S3 object storage)

unbelauscht commented Aug 4, 2024

Describe your Issue

Installing Nextcloud with Helm chart version 5.5.2 results in

failed to create resource: Deployment.apps "nextcloud" is invalid: [spec.template.spec.containers[0].env[22].valueFrom.secretKeyRef.key: Required value, spec.template.spec.containers[1].env[22].valueFrom.secretKeyRef.key: Required value]

Logs and Errors

Helm repo:

---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  interval: 3h0m0s
  url: https://nextcloud.github.io/helm

Describe your Environment

  • Kubernetes distribution: k3s v1.28.8+k3s1

  • Helm Version (or App that manages helm):

$ flux version
flux: v2.3.0
distribution: flux-v2.3.0
helm-controller: v1.0.1
image-automation-controller: v0.38.0
image-reflector-controller: v0.32.0
kustomize-controller: v1.3.0
notification-controller: v1.3.0
source-controller: v1.3.0
  • Helm Chart Version: 5.5.2

  • values.yaml:

apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  timeout: 1h
  chart:
    spec:
      chart: nextcloud
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: nextcloud
  interval: 12h
  values:
    replicaCount: 1
    image:
      flavor: apache
    internalDatabase:
      enabled: false
    externalDatabase:
      enabled: true
      type: postgresql
      host: nextcloud-rw
      database: nextcloud
      existingSecret:
        enabled: true
        secretName: nextcloud-db
        usernameKey: username
        passwordKey: password
    startupProbe:
      enabled: true
      initialDelaySeconds: 20
      failureThreshold: 10
    ingress:
      enabled: true
      servicePort: 80
      annotations:
        traefik.ingress.kubernetes.io/router.middlewares: nextcloud-maxrequestbodybytes@kubernetescrd
        external-dns.alpha.kubernetes.io/target: drive.example.com
        external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
      tls:
        - hosts:
            - drive.example.com
    persistence:
      enabled: true
      accessMode: ReadWriteOnce
      size: 10Gi
    redis:
      enabled: true
    nextcloud:
      host: drive.example.com
      objectStore:
        s3:
          enabled: true
          ssl: true
          port: "443"
          region: "eu-central-003"
          autocreate: false
          existingSecret: s3
          secretKeys:
            accessKey: accessKey
            secretKey: secretKey
            bucket: bucket
            host: host
      existingSecret:
        enabled: true
        secretName: nextcloud-user
        usernameKey: username
        passwordKey: password
      mail:
        enabled: false
    cronjob:
      enabled: true
    phpClientHttpsFix:
      enabled: true
      protocol: https

S3 credentials

---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  creationTimestamp: null
  name: s3
  namespace: nextcloud
spec:
  encryptedData:
    accessKey: *redacted*
    bucket: *redacted*
    host: *redacted*
    secretKey: *redacted*
  template:
    metadata:
      creationTimestamp: null
      name: s3
      namespace: nextcloud

unbelauscht commented Aug 4, 2024

So apparently the sse_c_key must be set, because it doesn't render correctly if not supplied.

$ helm template ./nextcloud --values HelmRelease.yaml --generate-name
...
- name: OBJECTSTORE_S3_SSE_C_KEY
  valueFrom:
    secretKeyRef:
      name: s3
      key:

EDIT: yep, the sse_c_key was missing, now it works. Maybe the helm chart docs need a little more love, like: which values are required, which ones override others, and which ones don't need to be set if value x or y is set.


WladyX commented Sep 7, 2024

On the same note, is SSE mandatory? Any way we can disable it?
I have minio and don't have SSE enabled.
Thank you!


unbelauscht commented Sep 7, 2024

On the same note, is SSE mandatory? Any way we can disable it?

I couldn't make the chart work without it.


WladyX commented Sep 7, 2024

Thanks for the update. I've ended up enabling the SSE; it was not that hard, I just had to add the certs and make the reverse proxy connect to the minio backend via SSL.

joshtrichards (Member) commented

Confirmed (at least by looking at the code; with the caveat that I'm more familiar with the underlying container image than the Helm chart). Looks like the issue is here on line 304:

{{- if and .Values.nextcloud.objectStore.s3.existingSecret .Values.nextcloud.objectStore.s3.secretKeys.bucket }}
- name: OBJECTSTORE_S3_SSE_C_KEY
  valueFrom:
    secretKeyRef:
      name: {{ .Values.nextcloud.objectStore.s3.existingSecret }}
      key: {{ .Values.nextcloud.objectStore.s3.secretKeys.sse_c_key }}
{{- else }}
- name: OBJECTSTORE_S3_SSE_C_KEY
  value: {{ .Values.nextcloud.objectStore.s3.sse_c_key | quote }}
{{- end }}
{{- end }}{{/* end if nextcloud.objectStore.s3.enabled */}}
{{/*

The reference to .Values.nextcloud.objectStore.s3.secretKeys.bucket looks to be a typo. Probably should be .Values.nextcloud.objectStore.s3.secretKeys.sse_c_key.

Introduced recently in #464
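
The guard behaviour described in the comment above, reproduced with Go's text/template (the engine Helm templates are written for). This is an added example, not code from the chart or from any participant: the values path is shortened to `.s3`, `quote` is a minimal stand-in for the sprig function, and the empty `sse_c_key` defaults are assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Env block condensed from the snippet quoted above; GUARD is the secretKeys field the "if" tests.
const envTmpl = `{{- if and .s3.existingSecret .s3.secretKeys.GUARD }}
- name: OBJECTSTORE_S3_SSE_C_KEY
  valueFrom:
    secretKeyRef:
      name: {{ .s3.existingSecret }}
      key: {{ .s3.secretKeys.sse_c_key }}
{{- else }}
- name: OBJECTSTORE_S3_SSE_C_KEY
  value: {{ .s3.sse_c_key | quote }}
{{- end }}`

// ReporterValues mirrors the s3 values from the issue; the empty sse_c_key entries are assumed defaults.
func ReporterValues() map[string]interface{} {
	keys := map[string]interface{}{"accessKey": "accessKey", "secretKey": "secretKey", "bucket": "bucket", "host": "host", "sse_c_key": ""}
	return map[string]interface{}{"s3": map[string]interface{}{"existingSecret": "s3", "sse_c_key": "", "secretKeys": keys}}
}

// Render evaluates the block with the guard testing secretKeys.<guard> (hypothetical helper).
func Render(guard string, values map[string]interface{}) (string, error) {
	funcs := template.FuncMap{"quote": func(v interface{}) string { return fmt.Sprintf("%q", v) }}
	t := template.Must(template.New("env").Funcs(funcs).Parse(strings.Replace(envTmpl, "GUARD", guard, 1)))
	var buf bytes.Buffer
	err := t.Execute(&buf, values)
	return buf.String(), err
}

// emptyKey matches a rendered "key:" line with no value, the field the API server rejects as "Required value".
var emptyKey = regexp.MustCompile(`(?m)^\s*key:\s*$`)

func HasEmptySecretKey(manifest string) bool { return emptyKey.MatchString(manifest) }

func main() {
	for _, guard := range []string{"bucket", "sse_c_key"} {
		out, err := Render(guard, ReporterValues())
		fmt.Printf("guard=%s emptySecretKey=%v err=%v\n%s\n\n", guard, HasEmptySecretKey(out), err, out)
	}
}
```

The same empty-`key:` check can be run over `helm template` output before a release is applied, which surfaces this class of rendering error without a failed deployment.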

joshtrichards changed the title on Sep 10, 2024
from: failed to create resource: Deployment.apps "nextcloud" is invalid: [spec.template.spec.containers[0].env[22].valueFrom.secretKeyRef.key: Required value, spec.template.spec.containers[1].env[22].valueFrom.secretKeyRef.key: Required value]
to: S3: failed to create resource: [...] spec.template.spec.containers[1].env[22].valueFrom.secretKeyRef.key: Required value]

jessebot (Collaborator) commented

Yep, that is a typo! Sorry about that, and thanks @joshtrichards and @unbelauscht for catching this! I'll submit a PR to fix that. 🙏
