Kestra will go to > 80% CPU and 100% ram if secret in webhook trigger #4095
Hi,
Unfortunately I can only confirm that the exception does not appear in the log anymore.
Can you paste here your full flow YAML and the resources allocated to your container?
Sure. The value The flow YAML:

id: trigger-docker-server-autodeploy
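namespace: hl443
description: Trigger autodeploy for all Docker servers
labels:
  type: autodeploy
variables:
  # Hosts the deploy fans out to. Each one needs a matching SSH key secret
  # (see privateKey below): SECRET_SSH_ACCESS_KEY_<fqn with '.' -> '_'>.
  servers:
    - fqn: docker01.hl443.de
      user: root
    - fqn: docker02.hl443.de
      user: root
    - fqn: docker03.hl443.de
      user: root
    # NOTE(review): no SECRET_SSH_ACCESS_KEY_nextcloud_hl443_de appears in the
    # .env listing in this issue, so secret() for this host cannot resolve.
    - fqn: nextcloud.hl443.de
      user: root
tasks:
  - id: parallel
    type: io.kestra.plugin.core.flow.EachParallel
    value: "{{ vars.servers }}"
    tasks:
      - id: debugLog
        type: io.kestra.plugin.core.log.Log
        # Logs only the fqn/user pair, never key material.
        message:
          - "{{ taskrun.value }}"
      - id: trigger-autodeploy
        type: io.kestra.plugin.fs.ssh.Command
        host: "{{ json(taskrun.value)['fqn'] }}"
        # Runs as root on every host. A dedicated deploy user whose
        # authorized_keys entry carries a forced command would limit what a
        # leaked key or webhook key can do.
        username: "{{ json(taskrun.value)['user'] }}"
        authMethod: PUBLIC_KEY
        # Secret name is derived from the host, e.g. SSH_ACCESS_KEY_docker01_hl443_de.
        privateKey: "{{ secret('SSH_ACCESS_KEY_' + json(taskrun.value)['fqn'] | replace({'.': '_'})) }}"
        warningOnStdErr: false
        commands:
          - "source ~/.profile"
          - "cd $HOMELAB_APPS_ROOT"
          - "git pull"
          - "./autodeploy.mts"
triggers:
  - id: on-git-commit
    type: io.kestra.plugin.core.trigger.Webhook
    # This key is the only thing gating an unauthenticated HTTP request that
    # runs `git pull` + `./autodeploy.mts` as root on every host above, and it
    # travels in the webhook URL. A placeholder literal in the flow definition
    # is a leaked credential: until the secret() form below works, use a long
    # random value, treat the flow definition as sensitive, and rotate the key
    # if it was ever committed or pasted anywhere.
    key: mySuperSecretKey
    # key: "{{ secret('TRIGGER_DOCKER_SERVER_AUTODEPLOY_WEBHOOK_SECRET') }}"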
    disabled: false

The docker-compose:

version: "3.4"
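services:
  postgres:
    image: postgres:16.3
    restart: unless-stopped
    volumes:
      - ${HOMELAB_APPS_ROOT:?}/kestra/data/postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: kestra
      POSTGRES_USER: kestra
      POSTGRES_PASSWORD: ${KESTRA_POSTGRES_PASSWORD:?}
    healthcheck:
      # $$ keeps the variables for the container shell instead of compose interpolation.
      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
      interval: 30s
      timeout: 10s
      retries: 10
    networks:
      - default
      - proxynet
  kestra:
    image: kestra/kestra:v0.17.5-full
    restart: unless-stopped
    pull_policy: always
    # Running as root with the Docker socket mounted makes the container
    # equivalent to root on the host: anyone who can run a flow can start
    # privileged containers. Only keep the socket if Docker task runners are
    # actually used; the production docs run Kestra without root.
    user: "root"
    command: server standalone --worker-thread=128
    volumes:
      - ${HOMELAB_APPS_ROOT:?}/kestra/data/kestra-data:/app/storage
      - /var/run/docker.sock:/var/run/docker.sock
      - /tmp/kestra-wd:/tmp/kestra-wd
    # SECRET_* variables (and KESTRA_POSTGRES_PASSWORD) are injected from this file.
    env_file:
      - ${HOMELAB_APPS_ROOT:?}/kestra/.env
    environment:
      KESTRA_CONFIGURATION: |
        datasources:
          postgres:
            url: jdbc:postgresql://postgres:5432/kestra
            driverClassName: org.postgresql.Driver
            username: kestra
            password: ${KESTRA_POSTGRES_PASSWORD:?}
        kestra:
          server:
            basic-auth:
              # The UI/API are published on the internet by the Traefik router
              # below. With basic-auth disabled, anyone reaching kestra.hl443.de
              # can edit flows and read every secret through secret(). Enabled
              # here with credentials taken from the environment; ":?" makes
              # startup fail closed if they are unset.
              # NOTE(review): confirm the webhook endpoint used by the git
              # server stays reachable once basic-auth is on.
              enabled: true
              username: "${KESTRA_BASIC_AUTH_USERNAME:?}" # must be a valid email address
              password: "${KESTRA_BASIC_AUTH_PASSWORD:?}"
          repository:
            type: postgres
          storage:
            type: local
            local:
              base-path: "/app/storage"
          queue:
            type: postgres
          tasks:
            tmp-dir:
              path: /tmp/kestra-wd/tmp
          # Traefik serves this host on the TLS entrypoint, so generated links must be https.
          url: https://kestra.hl443.de/
    labels:
      traefik.enable: "true"
      # Frontend
      traefik.http.routers.kestra.rule: "Host(`kestra.hl443.de`)"
      traefik.http.routers.kestra.entrypoints: websecure
      traefik.http.routers.kestra.tls.certresolver: myresolver
      traefik.http.services.kestra.loadbalancer.server.port: "8080"
      traefik.http.routers.kestra.service: kestra
      # NOTE(review): this publishes the management port (8081: health,
      # metrics) on the internet with no authentication in front of it;
      # consider an allow-list or auth middleware on this router.
      traefik.http.routers.kestra-metrics.rule: "Host(`kestra-metrics.hl443.de`)"
      traefik.http.routers.kestra-metrics.entrypoints: websecure
      traefik.http.routers.kestra-metrics.tls.certresolver: myresolver
      traefik.http.services.kestra-metrics.loadbalancer.server.port: "8081"
      traefik.http.routers.kestra-metrics.service: kestra-metrics
    ports:
      # Loopback-only; external access goes through Traefik.
      - "127.0.0.1:8080:8080"
      - "127.0.0.1:9080:8081"
    networks:
      - default
      - proxynet
    depends_on:
      postgres:
        # postgres defines a healthcheck; wait for it instead of merely "started"
        # so Kestra does not race the database during boot.
        condition: service_healthy
networks:
  default:
  proxynet: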
    external: true

The version of the .env file without values:

KESTRA_POSTGRES_PASSWORD=
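# Kestra reads secrets from the container environment as SECRET_<NAME>; the
# flow derives <NAME> from each host's fqn with '.' replaced by '_'.
# NOTE(review): Kestra expects environment-provided secret values to be
# base64-encoded — verify against the v0.17 docs when filling these in.
SECRET_SSH_ACCESS_KEY_docker01_hl443_de=
SECRET_SSH_ACCESS_KEY_docker02_hl443_de=
SECRET_SSH_ACCESS_KEY_docker03_hl443_de=
# Added: the flow's `servers` list also contains nextcloud.hl443.de, so
# secret('SSH_ACCESS_KEY_nextcloud_hl443_de') is looked up at runtime.
SECRET_SSH_ACCESS_KEY_nextcloud_hl443_de=
# Credentials for kestra.server.basic-auth; the UI/API are reachable from the
# internet through Traefik and must not run unauthenticated.
KESTRA_BASIC_AUTH_USERNAME=
KESTRA_BASIC_AUTH_PASSWORD=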
SECRET_TRIGGER_DOCKER_SERVER_AUTODEPLOY_WEBHOOK_SECRET=

The LXC-Container config:
I think I just found the cause.
Describe the issue
I created a webhook-trigger for my workflow.
When the key is defined directly as literal, everything works.
However, if I use a secret, the system goes to >80% CPU and 100% RAM and needs a hard reset when the webhook is triggered.
I use a docker-compose file where the secrets are in a `.env` file, and this file is referenced in the `kestra` service via `env_file:`.
the working trigger:
the "freezing" trigger:
here are the logs:
Environment