Configuring MEILI_MASTER_KEY for karakeep and meilisearch results in 403 authentication errors #1572
Description
Describe the Bug
Installation configuration was done based on https://docs.karakeep.app/configuration
On a clean install of karakeep and meilisearch in a kubernetes environment on a fresh pvc, configuring the MEILI_MASTER_KEY for both karakeep and meilisearch results in 403s when loading the search view in the karakeep app.
Choosing to not configure the master key results in no errors
Steps to Reproduce
- Generate a master key using
openssl rand -base64 36 - kubectl apply -f example-manifest.yaml with master key secret
# example-manifest.yaml
---
apiVersion: v1
kind: Namespace
metadata:
name: hoarder
---
apiVersion: v1
data:
BROWSER_WEB_URL: http://chrome:9222
DATA_DIR: /data
DISABLE_SIGNUPS: "false"
MEILI_ADDR: http://meilisearch:7700
NEXTAUTH_URL: http://fake
kind: ConfigMap
metadata:
name: hoarder
---
apiVersion: v1
data:
MEILI_NO_ANALYTICS: "true"
kind: ConfigMap
metadata:
name: meilisearch
---
apiVersion: v1
kind: Service
metadata:
name: chrome
spec:
ports:
- port: 9222
protocol: TCP
targetPort: 9222
selector:
app: chrome
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app: hoarder
name: hoarder
spec:
ports:
- name: http
port: 3000
targetPort: 3000
selector:
app: hoarder
---
apiVersion: v1
kind: Service
metadata:
name: meilisearch
spec:
ports:
- port: 7700
protocol: TCP
targetPort: 7700
selector:
app: meilisearch
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: meilisearch
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 500Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: chrome
spec:
replicas: 1
selector:
matchLabels:
app: chrome
template:
metadata:
labels:
app: chrome
spec:
containers:
- command:
- chromium-browser
- --headless
- --no-sandbox
- --disable-gpu
- --disable-dev-shm-usage
- --remote-debugging-address=0.0.0.0
- --remote-debugging-port=9222
- --hide-scrollbars
image: gcr.io/zenika-hub/alpine-chrome:123
name: chrome
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hoarder
spec:
replicas: 1
selector:
matchLabels:
app: hoarder
template:
metadata:
labels:
app: hoarder
spec:
containers:
- envFrom:
- secretRef:
name: hoarder
- configMapRef:
name: hoarder
image: ghcr.io/karakeep-app/karakeep:0.25.0
imagePullPolicy: Always
name: hoarder
ports:
- containerPort: 3000
volumeMounts:
- mountPath: /data
name: data
volumes:
- name: data
persistentVolumeClaim:
claimName: data
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: meilisearch
spec:
replicas: 1
selector:
matchLabels:
app: meilisearch
template:
metadata:
labels:
app: meilisearch
spec:
containers:
- envFrom:
- configMapRef:
name: meilisearch
- secretRef:
name: meilisearch
image: getmeili/meilisearch:v1.13.3
name: meilisearch
volumeMounts:
- mountPath: /meili_data
name: meilisearch
volumes:
- name: meilisearch
persistentVolumeClaim:
claimName: meilisearch
---
apiVersion: v1
data:
MEILI_MASTER_KEY: QTRVd0dwdTRITHFxWDNhdWJGMnNMbmpqYXByV2ZVbHJSYU5FdStjR1pzTHROWWdFCg==
NEXTAUTH_PUBLIC_SECRET: dE5IOFNpbkRCQWVjdDMzeTh0MmxKMnovNmxFT0J4Q1VMSFpNdlAydWYrUFdsS3pjCg==
NEXTAUTH_SECRET: SnRDVUhadkpjeFRkLzh2UDgybGdOT2x0M0lJMExMYXYwYkV4K0o3QklGUmVrTGRMCg==
kind: Secret
metadata:
name: hoarder
namespace: hoarder
type: Opaque
---
apiVersion: v1
data:
MEILI_MASTER_KEY: QTRVd0dwdTRITHFxWDNhdWJGMnNMbmpqYXByV2ZVbHJSYU5FdStjR1pzTHROWWdFCg==
kind: Secret
metadata:
name: meilisearch
namespace: hoarder
type: OpaqueVerify the env vars match on each container
k -n hoarder exec -it pods/meilisearch-6dcc478c6b-mng78 -- printenv
MEILI_MASTER_KEY=A4UwGpu4HLqqX3aubF2sLnjjaprWfUlrRaNEu+cGZsLtNYgEk exec -it pods/hoarder-66f8995867-zfkhl -n hoarder -- printenv
MEILI_MASTER_KEY=A4UwGpu4HLqqX3aubF2sLnjjaprWfUlrRaNEu+cGZsLtNYgE- Naviate to karakeeper ui and sign up with new account
- Navigate to search page
View errors in pod logs
hoarder
MeiliSearchApiError: The provided API key is invalid.
at /app/apps/web/.next/server/chunks/269.js:3:1189
... 2 lines matching cause stack trace ...
at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
cause: Y [MeiliSearchApiError]: The provided API key is invalid.
at /app/apps/web/.next/server/chunks/269.js:3:1189
at Generator.next (<anonymous>)
at W (/app/apps/web/.next/server/chunks/269.js:1:19808)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
code: 'invalid_api_key',
type: 'auth',
link: 'https://docs.meilisearch.com/errors#invalid_api_key',
httpStatus: 403
},
code: 'INTERNAL_SERVER_ERROR',
name: 'TRPCError'
}meilisearch
2025-06-09T05:36:23.393107Z WARN HTTP request{method=GET host="meilisearch:7700" route=/indexes query_parameters= user_agent=node status_code=403 error=The provided API key is invalid.}: tracing_actix_web::middleware: Error encountered while processing the incoming HTTP request: ResponseError { code: 403, message: "The provided API key is invalid.", error_code: "invalid_api_key", error_type: "auth", error_link: "https://docs.meilisearch.com/errors#invalid_api_key" }Expected Behaviour
karakeep app successfully authenticates with meilisearch when configured with a master key
Screenshots or Additional Context
Related issue: #940
Device Details
Firefox 139.0.1 (64-bit) MacOs
Exact Karakeep Version
v0.25.0
Have you checked the troubleshooting guide?
- I have checked the troubleshooting guide and I haven't found a solution to my problem