
Comments (17)

mlbiam commented on June 4, 2024

Is there also an input.props in your configmaps directory? Alternatively if you'd rather use helm we'd love feedback on https://github.com/OpenUnison/helm-charts

from openunison-k8s-login-activedirectory.

mikarnik commented on June 4, 2024

No there wasn't. With the input.props in configmaps and secrets directories the artifact-deployment completed successfully.

Now I have pod/openunison-operator running, but that's all.

Thanks I will look at the helm-charts.


mikarnik commented on June 4, 2024

Helm deployment works well. Operator is running, OpenUnison/orchestra is ok. But I still can't access the portal. I have ingress-nginx with MetalLB loadbalancer. The deployment is not clear for me as you don't use svc, ingress etc. How can I debug it?


mlbiam commented on June 4, 2024

Glad to hear the helm deployment worked well. There are Service and Ingress objects; they were created by the operator based on the orchestra OpenUnison object (kubectl get openunison orchestra -n openunison -o yaml).

Did the hosts specified in network.openunison_host and network.dashboard_host have DNS entries that correspond to your load balancer?


mikarnik commented on June 4, 2024

Yes, I have both DNS entries (openunison_host and dashboard_host) that correspond to my load balancer. - https://openunison_hostname 404 Not Found nginx/1.17.8

I installed a new cluster, 1 master 1 node, CentOS 7. Just a simple dashboard, ingress-nginx with just a NodePort, and helm deploy. - https://openunison_hostname:30665 (nodeport) 404 Not Found nginx/1.17.8

I found this lab - https://github.com/TremoloSecurity/k8s-idm-lab - but still can't view the portal. https://ou.apps.192.168.122.148.nip.io/ - 503 Service Temporarily Unavailable nginx/1.17.8


mlbiam commented on June 4, 2024

On your cluster with your helm chart:

  1. Does the openunison Ingress exist in the openunison namespace?
  2. Do the host names in your ingress object line up with what's in your values.yaml?
  3. Are there any errors in your Ingress controller's logs?

A 404 from Ingress usually means it's not picking up your Ingress object and is a kubernetes level config issue in the chain of Ingress -> service -> endpoint -> pod

A 503 means ingress is configured properly but OpenUnison didn't start. You can take a look at the logs (kubectl logs -l application=openunison-operator -n openunison)

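The Ingress -> service -> endpoint -> pod chain from the comment above, turned into a check a practitioner can run against the namespace. This is an added example, not code from OpenUnison or its operator: the object names (Ingress "openunison", Service "openunison-orchestra"), the hostname, the script name chain_check.py and the sample objects are all assumptions, constructed to mirror the shape of `kubectl get ingress,svc,endpoints -n openunison -o json`. It separates the two failure modes the comment describes: a 404 when no Ingress rule claims the host at all, and a 503 when the rule exists but the Service behind it has no Ready endpoints.

```python
"""Walk the Ingress -> Service -> Endpoints chain for one hostname and say
whether a 404 or a 503 from ingress-nginx looks like Kubernetes wiring
(nothing routes the host) or an application that is not Ready yet.

Added example, not OpenUnison's or the operator's code. The object names
(Ingress "openunison", Service "openunison-orchestra"), the hostname and the
sample objects below are assumptions / constructed data.

Usage against a real cluster (the only part that needs kubectl):
    kubectl get ingress,svc,endpoints -n openunison -o json \
        | python3 chain_check.py ou.example.com
"""
import json
import sys


def _by_kind(items, kind):
    return {i["metadata"]["name"]: i for i in items if i.get("kind") == kind}


def find_backends(ingress, host):
    """(service name, port) pairs that this Ingress routes `host` to.

    Handles networking.k8s.io/v1 (backend.service) and the older
    extensions/v1beta1 shape (backend.serviceName / servicePort).
    """
    backends = []
    for rule in ingress.get("spec", {}).get("rules", []):
        if rule.get("host") != host:
            continue
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            if "service" in backend:
                port = backend["service"].get("port", {})
                backends.append((backend["service"].get("name"),
                                 port.get("number") or port.get("name")))
            else:
                backends.append((backend.get("serviceName"), backend.get("servicePort")))
    return backends


def diagnose(items, host):
    """Return findings, most likely cause first; each starts with 404, 503 or OK."""
    ingresses = _by_kind(items, "Ingress")
    services = _by_kind(items, "Service")
    endpoints = _by_kind(items, "Endpoints")

    # 404 territory: the controller has no rule that claims this host
    if not ingresses:
        return ["404: no Ingress objects in the namespace (was it ever created?)"]
    backends = [b for ing in ingresses.values() for b in find_backends(ing, host)]
    if not backends:
        hosts = sorted({r.get("host") or "*" for ing in ingresses.values()
                        for r in ing.get("spec", {}).get("rules", [])})
        return [f"404: no Ingress rule for host {host!r}; rules exist for {hosts}"]

    # 503 territory: the rule exists but nothing healthy sits behind it
    findings = []
    for svc_name, port in backends:
        svc = services.get(svc_name)
        if svc is None:
            findings.append(f"503: Ingress backend Service {svc_name!r} does not exist")
            continue
        ports = svc.get("spec", {}).get("ports", [])
        if not any(p.get("port") == port or p.get("name") == port for p in ports):
            findings.append(f"503: Service {svc_name!r} exposes no port {port!r}")
        subsets = endpoints.get(svc_name, {}).get("subsets") or []
        ready = [a for s in subsets for a in s.get("addresses", [])]
        not_ready = [a for s in subsets for a in s.get("notReadyAddresses", [])]
        if not ready:
            if not_ready:
                findings.append(f"503: Service {svc_name!r} has {len(not_ready)} pod(s) "
                                "not Ready yet (check readiness probe and pod logs)")
            else:
                findings.append(f"503: Service {svc_name!r} selects no pods "
                                f"(selector {svc.get('spec', {}).get('selector')})")
    return findings or ["OK: Ingress -> Service -> Endpoints chain is complete"]


# Constructed sample: the Ingress and Service line up, but the only pod behind
# the Service is still not Ready, which is the 503 case from the thread.
SAMPLE_ITEMS = [
    {"kind": "Ingress", "metadata": {"name": "openunison"},
     "spec": {"rules": [{"host": "ou.example.com", "http": {"paths": [
         {"path": "/", "backend": {"service": {"name": "openunison-orchestra",
                                               "port": {"number": 8443}}}}]}}]}},
    {"kind": "Service", "metadata": {"name": "openunison-orchestra"},
     "spec": {"selector": {"app": "openunison-orchestra"},
              "ports": [{"name": "https", "port": 8443}]}},
    {"kind": "Endpoints", "metadata": {"name": "openunison-orchestra"},
     "subsets": [{"notReadyAddresses": [{"ip": "10.244.1.7"}], "ports": [{"port": 8443}]}]},
]
# Same Endpoints object once the pod has passed its readiness probe.
READY_ENDPOINTS = {"kind": "Endpoints", "metadata": {"name": "openunison-orchestra"},
                   "subsets": [{"addresses": [{"ip": "10.244.1.7"}], "ports": [{"port": 8443}]}]}

if __name__ == "__main__":
    if len(sys.argv) > 1 and not sys.stdin.isatty():
        items, host = json.load(sys.stdin)["items"], sys.argv[1]
    else:
        items, host = SAMPLE_ITEMS, "ou.example.com"
    for finding in diagnose(items, host):
        print(finding)
```

Run with no arguments it reports on the constructed sample; piped the real `kubectl ... -o json` output it walks the live objects. An Endpoints object whose pods sit only in notReadyAddresses is the state you see while OpenUnison is still starting, which is why the thread's 503 cleared by itself after a few minutes.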

mikarnik commented on June 4, 2024

In both my clusters, old and new, the openunison ingress and svc don't exist. That's why I was confused about it.

In the lab there are svc and ingress. I was waiting a long time for the openunison-orchestra pod, but it's running now.


mlbiam commented on June 4, 2024

ok, so in your helm cluster - there's no service or ingress? Is there a pod called openunison-orchestra-XXXX?


mikarnik commented on June 4, 2024

no only openunison-operator


mlbiam commented on June 4, 2024

take a look at the logs for the operator. Any errors?


mikarnik commented on June 4, 2024

I uninstalled helm orchestra and reinstalled:
Problem calling '/api/v1/namespaces/openunison/services/openunison-orchestra' - 404
Problem calling '/apis/rbac.authorization.k8s.io/v1/namespaces/openunison/rolebindings/oidc-user-sessions-orchestra' - 404
Problem calling '/apis/rbac.authorization.k8s.io/v1/namespaces/openunison/roles/oidc-user-sessions-orchestra' - 404
Problem calling '/api/v1/namespaces/openunison/serviceaccounts/openunison-orchestra' - 404
...

Looks like it can't access the API.
api_server_host: - what does it mean?
k8s_url: https://hostname:6443


mlbiam commented on June 4, 2024

api_server_host: - what does it mean?

You can ignore this for now. It only matters when impersonation is true and that's not supported until the next version.

Problem calling '/api/v1/namespaces/openunison/services/openunison-orchestra' - 404
Problem calling '/apis/rbac.authorization.k8s.io/v1/namespaces/openunison/rolebindings/oidc-user-sessions-orchestra' - 404
Problem calling '/apis/rbac.authorization.k8s.io/v1/namespaces/openunison/roles/oidc-user-sessions-orchestra' - 404
Problem calling '/api/v1/namespaces/openunison/serviceaccounts/openunison-orchestra' - 404

This was on create? That's odd. Does the openunison namespace exist?


mikarnik commented on June 4, 2024

After helm uninstall & delete namespace & helm install there is an error storing trusted certificates:
java.lang.RuntimeException: java.security.cert.CertificateException: java.io.IOException: Incomplete data

I have a certificate chain. The AD certificate was signed by the root certificate and I have to add this to values.yaml:

trusted_certs:
  - name: ldaps
    pem_b64: "-----BEGIN CERTIFICATE----- ..... -----END CERTIFICATE-----"


mlbiam commented on June 4, 2024

Need to base64 encode the certificate chain into one single-line encoded string.

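The encoding step from the comment above, as an added example rather than OpenUnison's own tooling: it converts a PEM chain into the single-line base64 string the thread's trusted_certs[].pem_b64 field expects, and checks a value before it goes into values.yaml so that the raw-PEM mistake shown earlier in the thread (which produced the "Incomplete data" error) is caught up front. The field name comes from the thread; the sample chain is constructed from placeholder bodies and is not real X.509 data, so the check only validates the PEM armor and base64 layers, which is all that can be done offline without a certificate parser.

```python
"""Build and validate the trusted_certs[].pem_b64 value for an AD/LDAPS chain.

Added example, not OpenUnison code. The field name is taken from the issue
thread; the sample certificates are constructed placeholders, not real X.509.
Shell equivalent of encode_chain():   base64 < chain.pem | tr -d '\n'
"""
import base64
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_chain(pem_text):
    """Return each PEM block in file order (leaf first, root last) as text."""
    blocks, current = [], None
    for line in pem_text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif line == END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None and line:
            current.append(line)
    if current is not None:
        raise ValueError("chain ends inside a certificate block (truncated file?)")
    return blocks


def encode_chain(pem_text):
    """One line of base64 over the whole PEM chain: the value for pem_b64."""
    blocks = split_chain(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found")
    return base64.b64encode("".join(blocks).encode("ascii")).decode("ascii")


def check_pem_b64(value):
    """Return the number of certificates in a pem_b64 value, or raise ValueError.

    Catches the mistakes that show up as an opaque Java CertificateException
    at deploy time: raw PEM pasted instead of base64, a multi-line value,
    bad base64, and a block that was cut off mid-certificate.
    """
    if value.lstrip().startswith(BEGIN):
        raise ValueError("pem_b64 contains raw PEM; it must be base64 of the PEM")
    if "\n" in value.strip():
        raise ValueError("pem_b64 must be a single line")
    try:
        pem = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError(f"pem_b64 is not valid base64: {exc}") from exc
    blocks = split_chain(pem)
    if not blocks:
        raise ValueError("decoded value has no CERTIFICATE blocks")
    for block in blocks:
        # stdlib helper: checks the BEGIN/END armor and base64-decodes the body
        ssl.PEM_cert_to_DER_cert(block)
    return len(blocks)


def explain(value):
    """'ok: N certificate(s)' or the validation error, for quick CLI use."""
    try:
        return f"ok: {check_pem_b64(value)} certificate(s)"
    except ValueError as exc:
        return f"error: {exc}"


def _placeholder_body(label):
    # Constructed stand-in for a DER body; NOT a real certificate.
    return base64.b64encode(label.encode()).decode()


# Constructed sample chain: the LDAPS server certificate followed by the root
# CA that signed it, which is the shape the thread describes.
SAMPLE_CHAIN = (
    f"{BEGIN}\n{_placeholder_body('placeholder leaf cert for ldaps://ad.example.com')}\n{END}\n"
    f"{BEGIN}\n{_placeholder_body('placeholder root CA cert')}\n{END}\n"
)

if __name__ == "__main__":
    value = encode_chain(SAMPLE_CHAIN)
    print("pem_b64:", value)
    print(explain(value))
    print(explain(SAMPLE_CHAIN))  # the raw-PEM mistake from the thread
```

Keep the whole chain, leaf first and root last, in the PEM before encoding; on a real file the shell one-liner in the docstring produces the same value as encode_chain().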

mikarnik commented on June 4, 2024

First, thank you for all help! base64 encode the chain in one line works, but there are still some issues:
openunison-orchestra-657bcb84f-trvp5 0/1 Pending 0 0s
openunison-orchestra-694f7fd5c5-9xn4f 0/1 Terminating 0 5s
openunison-orchestra-95798b97f-vlfjv 0/1 Pending 0 1s
openunison-orchestra-f6fcc9bf5-5l9d8 0/1 Terminating 0 2s

log:
Processing key 'unison-saml2-rp-sig'
Checking if kubernetes secret exists
Secret exists
Adding existing secret to keystore
Storing to keystore
3
Secret exists, deleting
Posting secret
Remote Identity Providers : undefined
No IdPs, stopping
DIGEST : ZG6zcF0bW92UVTTl/SPXFe1y7H5mUoIvET00AgfVaj8=
No secret data has changed, not updating the secret
Done
Problem calling '/api/v1/namespaces/openunison/secrets/amq-secrets-orchestra' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"secrets \"amq-secrets-orchestra\" not found","reason":"NotFound","details":{"name":"amq-secrets-orchestra","kind":"secrets"},"code":404}

Problem calling '/api/v1/namespaces/openunison/secrets/amq-env-secrets-orchestra' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"secrets \"amq-env-secrets-orchestra\" not found","reason":"NotFound","details":{"name":"amq-env-secrets-orchestra","kind":"secrets"},"code":404}

Problem calling '/api/v1/namespaces/openunison/services/amq' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"services \"amq\" not found","reason":"NotFound","details":{"name":"amq","kind":"services"},"code":404}

Problem calling '/apis/apps/v1/namespaces/openunison/deployments/amq-orchestra' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.apps \"amq-orchestra\" not found","reason":"NotFound","details":{"name":"amq-orchestra","group":"apps","kind":"deployments"},"code":404}


mikarnik commented on June 4, 2024

After a few minutes, the portal is running and I can log in. Thank you.


mlbiam commented on June 4, 2024

Awesome! Thanks for hanging in there. It's great feedback when someone else gives it a try. Those errors you saw can be ignored. They're for when using the automation portal, which deploys ActiveMQ. The login portal doesn't need it, but we can do a better job of avoiding those messages. If you can log in I'll close out the issue, and please open a new ticket with any other questions!

