HTTP Error 500 for /accounts/login/, resolved by setting DEBUG=1 #3813
Description
Tandoor Version
2.0.0-beta-2
Setup
Kubernetes
Reverse Proxy
Others (please state below)
Other
ingress-nginx
Bug description
After updating to beta-2, my liveness and readiness probes (HTTP request to /) are failing.
In the logs of the recipes container, I can see the kube-probe request coming in, hitting /, and being redirected to /accounts/login, which then gives a HTTP 500 error (which fails the liveness probe). Port-forwarding to the recipes container and querying / gives the same result.
Interestingly, running the same Deployment manifest with the env-var DEBUG set to "1" results in the query for /accounts/login succeeding. There's nothing immediately apparent in the output of the recipes container. Changing the value of --log-level passed to the gunicorn command makes no difference to the behaviour of the probes.
Deployment spec looks like this:
apiVersion: apps/v1
kind: Deployment
metadata:
name: recipes
labels:
app: recipes
environment: production
tier: frontend
spec:
replicas: 2
strategy:
type: Recreate
selector:
matchLabels:
app: recipes
environment: production
template:
metadata:
labels:
app: recipes
tier: frontend
environment: production
spec:
restartPolicy: Always
serviceAccount: recipes
serviceAccountName: recipes
initContainers:
- name: init-chmod-data
# Configure options for S3
envFrom:
- secretRef:
name: tandoor-s3-storage
env:
- name: DB_ENGINE
value: django.db.backends.postgresql
- name: ENABLE_PDF_EXPORT
value: "1"
- name: POSTGRES_HOST
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: port
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: user
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: dbname
# Actually set from tandoor-s3-storage, because abusing envFrom is
# easier than setting up a dedicated secret.
# - name: SECRET_KEY
- name: SOCIAL_DEFAULT_ACCESS
value: "1"
- name: SOCIAL_DEFAULT_GROUP
value: users
- name: SOCIAL_PROVIDERS
value: allauth.socialaccount.providers.openid_connect
- name: SOCIALACCOUNT_PROVIDERS
valueFrom:
secretKeyRef:
name: tandoor-keycloak
key: provider-config
- name: TZ
value: Europe/London
# yamllint disable rule:comments rule:line-length
# Rules are disabled thanks to how Flux applies changes; the space
# is stripped between the end of the "real" line and the imagepolicy
# tag.
# !!! DO NOT UPDATE - MANAGED BY FLUX !!!
image: ghcr.io/tandoorrecipes/recipes:2.0.0-beta-2 # {"$imagepolicy": "tandoor:tandoor"}
# yamllint enable rule:comments rule:line-length
resources:
requests:
cpu: 250m
memory: 64Mi
command:
- sh
- -c
- |
set -e
source venv/bin/activate
echo "Updating database"
python manage.py migrate
python manage.py collectstatic --noinput
echo "Done"
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /opt/recipes/staticfiles
name: static
# mount as subPath due to lost+found on ext4 pvc
subPath: files
containers:
- name: recipes-nginx
image: nginx:mainline
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
protocol: TCP
name: http
- containerPort: 8080
protocol: TCP
name: gunicorn
resources:
requests:
cpu: 250m
memory: 64Mi
volumeMounts:
- mountPath: /static
name: static
# mount as subPath due to lost+found on ext4 pvc
subPath: files
- name: nginx-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx-config
readOnly: true
- name: recipes
image: ghcr.io/tandoorrecipes/recipes:2.0.0-beta-2
imagePullPolicy: IfNotPresent
command:
- /opt/recipes/venv/bin/gunicorn
- -b
- :8080
- --access-logfile
- "-"
- --error-logfile
- "-"
- --log-level
- DEBUG
- recipes.wsgi
livenessProbe:
failureThreshold: 5
httpGet:
path: /
port: 8080
scheme: HTTP
periodSeconds: 30
timeoutSeconds: 5
readinessProbe:
httpGet:
path: /
port: 8080
scheme: HTTP
periodSeconds: 30
timeoutSeconds: 5
resources:
requests:
cpu: 250m
memory: 128Mi
volumeMounts:
- mountPath: /opt/recipes/staticfiles
name: static
# mount as subPath due to lost+found on ext4 pvc
subPath: files
# Configure options for S3
envFrom:
- secretRef:
name: tandoor-s3-storage
env:
- name: ALLOWED_HOSTS
value: '*'
- name: DEBUG
value: "0"
- name: ENABLE_METRICS
value: "1"
- name: ENABLE_SIGNUP
value: "1"
- name: GUNICORN_MEDIA
value: "0"
- name: DB_ENGINE
value: django.db.backends.postgresql
- name: ENABLE_PDF_EXPORT
value: "1"
- name: POSTGRES_HOST
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: port
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: user
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: password
# Actually set from tandoor-s3-storage, because abusing envFrom is
# easier than setting up a dedicated secret.
# - name: SECRET_KEY
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: tandoor-pg-app
key: dbname
# Actually set from tandoor-s3-storage, because abusing envFrom is
# easier than setting up a dedicated secret.
# - name: SECRET_KEY
- name: SOCIAL_DEFAULT_ACCESS
value: "1"
- name: SOCIAL_DEFAULT_GROUP
value: users
- name: SOCIAL_PROVIDERS
value: allauth.socialaccount.providers.openid_connect
- name: SOCIALACCOUNT_PROVIDERS
valueFrom:
secretKeyRef:
name: tandoor-keycloak
key: provider-config
- name: TZ
value: Europe/London
securityContext:
runAsUser: 65534
volumes:
- name: static
persistentVolumeClaim:
claimName: recipes-static
- name: nginx-config
configMap:
name: recipes-nginx-configRelevant logs
Non-debug:
[2025-07-07 13:33:50 +0100] [7] [DEBUG] GET /
172.16.0.1 - - [07/Jul/2025:13:33:50 +0100] "GET / HTTP/1.1" 302 0 "-" "kube-probe/1.33"
[2025-07-07 13:33:50 +0100] [7] [DEBUG] GET /accounts/login/
172.16.0.1 - - [07/Jul/2025:13:33:50 +0100] "GET /accounts/login/?next=/ HTTP/1.1" 500 145 "http://172.16.0.107:8080/" "kube-probe/1.33"
[2025-07-07 13:34:00 +0100] [7] [DEBUG] GET /
172.16.0.1 - - [07/Jul/2025:13:34:00 +0100] "GET / HTTP/1.1" 302 0 "-" "kube-probe/1.33"
[2025-07-07 13:34:00 +0100] [7] [DEBUG] GET /accounts/login/
172.16.0.1 - - [07/Jul/2025:13:34:00 +0100] "GET /accounts/login/?next=/ HTTP/1.1" 500 145 "http://172.16.0.107:8080/" "kube-probe/1.33"
Debug:
[2025-07-07 13:35:33 +0100] [7] [DEBUG] GET /
172.16.0.1 - - [07/Jul/2025:13:35:33 +0100] "GET / HTTP/1.1" 302 0 "-" "kube-probe/1.33"
[2025-07-07 13:35:33 +0100] [7] [DEBUG] GET /accounts/login/
172.16.0.1 - - [07/Jul/2025:13:35:33 +0100] "GET /accounts/login/?next=/ HTTP/1.1" 200 6229 "http://172.16.0.111:8080/" "kube-probe/1.33"
[2025-07-07 13:35:36 +0100] [7] [DEBUG] GET /
172.16.0.1 - - [07/Jul/2025:13:35:36 +0100] "GET / HTTP/1.1" 302 0 "-" "kube-probe/1.33"
[2025-07-07 13:35:36 +0100] [7] [DEBUG] GET /accounts/login/
172.16.0.1 - - [07/Jul/2025:13:35:36 +0100] "GET /accounts/login/?next=/ HTTP/1.1" 200 6229 "http://172.16.0.111:8080/" "kube-probe/1.33"