Struggling to install Retool Self Hosted via Helm Chart in RedHat OpenShift

timchase01 · March 22, 2023, 2:29pm

Hi All,

I've been trying to install Retool into our OpenShift cluster so I can evaluate it as an easy no/low code solution for some UI uses cases that I have. I'm struggling to get it to deploy and work though.

I followed the instructions for the Helm Chart deployment option but when I do I get an error that the networking.ingress can't be nil.

I then tried to add a host to the ingress section and when I take that approach it installs, but never actually turns up. I'm kind of lost as to what to look at or do from this point.

Here is the values.yaml that I used. Any ideas?

backend:
  annotations: {}
  labels: {}
commandline:
  args: []
config:
  auth:
    google:
      clientId: null
      clientSecret: null
      domain: null
  encryptionKey: ***
  jwtSecret: ***
  licenseKey: ***
  postgresql: {}
  useInsecureCookies: true
deployment:
  annotations: {}
env: {}
environmentSecrets: []
environmentVariables: []
externalSecrets:
  enabled: false
  externalSecretsOperator:
    backendType: secretsManager
    enabled: false
    secretRef: []
  name: retool-config
extraConfigMapMounts: []
extraContainers: []
extraManifests: []
extraVolumeMounts: []
extraVolumes: []
files: {}
image:
  pullPolicy: IfNotPresent
  repository: tryretool/backend
  tag: '2.111.4'
ingress:
  annotations: {}
  enabled: true
    hosts: 
  - host: retool.apps.itocpnp-use-01.ua4y.p1.openshiftapps.com
    paths:
    - path: "/"
      pathType: Prefix
  labels: {}
  pathType: ImplementationSpecific
  tls: null
initContainers: {}
jobRunner:
  annotations: {}
  labels: {}
livenessProbe:
  enabled: true
  failureThreshold: 3
  initialDelaySeconds: 30
  path: /api/checkHealth
  timeoutSeconds: 10
nodeSelector: {}
persistentVolumeClaim:
  accessModes:
    - ReadWriteOnce
  annotations: {}
  enabled: false
  existingClaim: false
  size: 15Gi
podAnnotations: {}
podLabels: {}
postgresql:
  auth:
    database: hammerhead_production
    postgresPassword: retool
    username: retool
  enabled: true
  image:
    repository: postgres
    tag: '11'
  postgresqlDataDir: /data/pgdata
  primary:
    persistence:
      enabled: true
      mountPath: /data/
  service:
    port: 5432
  ssl_enabled: false
priorityClassName: ''
readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  path: /api/checkHealth
  periodSeconds: 10
  successThreshold: 5
  timeoutSeconds: 10
replicaCount: 2
resources:
  limits:
    cpu: 4096m
    memory: 8192Mi
  requests:
    cpu: 2048m
    memory: 4096Mi
revisionHistoryLimit: 3
securityContext:
  allowPrivilegeEscalation: false
  enabled: false
  fsGroup: 2000
  runAsUser: 1000
securityGroupPolicy:
  enabled: false
  groupIds: []
service:
  annotations: {}
  externalPort: 3000
  internalPort: 3000
  labels: {}
  selector: {}
  type: ClusterIP
serviceAccount:
  annotations: {}
  create: true
  name: null
tolerations: []

timchase01 · March 22, 2023, 4:31pm

I reached out to my rosa admin and it looks like it is failing to deploy because of the resource limits they have on the cluster. I'm working with them to increase those based on what is in the helm chart and hopefully then I'll be set.

victoria · March 22, 2023, 7:10pm

Oh awesome! Hopefully that solves it Let me know how you're able to get on

timchase01 · March 23, 2023, 6:29pm

I'm making a little bit of progress. I think I've figured out the resource issue, but now I'm running into this issue with the postgresql part being installed by the helm chart.

create Pod retool-postgresql-0 in StatefulSet retool-postgresql failed error: pods "retool-postgresql-0" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider "nonroot-builder": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .spec.securityContext.fsGroup: Invalid value: []int64{1001}: 1001 is not an allowed group, spec.containers[0].securityContext.runAsUser: Invalid value: 1001: must be in the ranges: [1001070000, 1001079999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "pcap-dedicated-admins": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "log-collector-scc": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "splunkforwarder": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount, provider "velero-privileged": Forbidden: not usable by user or serviceaccount]

Any ideas? Sorry if these are newbie questions. First time using Kubernetes and RedHat OpenShift.

victoria · March 27, 2023, 7:34pm

Hmm these errors seem to be related to OpenShift, so I'm actually not too familiar with them.

Would something like this help?

https://stackoverflow.com/questions/68543425/start-pod-with-root-privilege-on-openshift

It seems like the problem is related to permissions, specifcially "I figured that the pod is not running with root privilege."