
Comments (21)

mlbiam avatar mlbiam commented on June 11, 2024

if you're using a publicly signed cert, make sure to remove unison-ca cert from your CR

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

Thanks for the reply! Do I remove just the following from the Orchestra CR:

name: unison-ca
pem-data: XXXXXXXX...

or do i need to remove some of the surrounding items (schedule, image, days_to_expire, etc)

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

nope, just the unison-ca. if it's not there we take that out of the kubectl

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

I removed just the unison-ca line, keeping the others (pem-data, etc), remade the CR and this is showing up now for the tokens page.

image

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

you need to remove the entire yaml array block (name and pem-data)

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

you need to remove the entire yaml array block (name and pem-data)

I have removed the Yaml for the name and pem-data but am still receiving the same page. Here is the yaml if that helps sort things out:

apiVersion: openunison.tremolo.io/v1
kind: OpenUnison
metadata:
  creationTimestamp: "2020-04-08T20:15:52Z"
  generation: 1
  name: orchestra
  namespace: openunison
  resourceVersion: "10030040"
  selfLink: /apis/openunison.tremolo.io/v1/namespaces/openunison/openunisons/orchestra
  uid: 49c50f33-11cf-XXXXXXXXXXXXXXXXXXXXXX
spec:
  dest_secret: orchestra
  enable_activemq: false
  hosts:
  - ingress_name: openunison
    names:
    - env_var: OU_HOST
      name: my.login.example.org
    - env_var: K8S_DASHBOARD_HOST
      name: my.dashboard.example.org
    secret_name: ou-tls-certificate
  image: docker.io/tremolosecurity/openunison-k8s-login-activedirectory:latest
  key_store:
    key_pairs:
      create_keypair_template:
      - name: ou
        value: example-cluster
      - name: o
        value: MYORG
      - name: l
        value: Arlington
      - name: st
        value: Virginia
      - name: c
        value: US
      keys:
      - create_data:
          ca_cert: true
          key_size: 2048
          server_name: openunison.openunison.svc.cluster.local
          sign_by_k8s_ca: true
          subject_alternative_names: []
        import_into_ks: keypair
        name: unison-tls
      - create_data:
          ca_cert: false
          delete_pods_labels:
          - k8s-app=kubernetes-dashboard
          key_size: 2048
          secret_info:
            cert_name: dashboard.crt
            key_name: dashboard.key
            type_of_secret: Opaque
          server_name: kubernetes-dashboard.kube-system.svc.cluster.local
          sign_by_k8s_ca: true
          subject_alternative_names: []
          target_namespace: kube-system
        import_into_ks: none
        name: kubernetes-dashboard
        replace_if_exists: true
        tls_secret_name: kubernetes-dashboard-certs
      - create_data:
          ca_cert: true
          key_size: 2048
          server_name: unison-saml2-rp-sig
          sign_by_k8s_ca: false
          subject_alternative_names: []
        import_into_ks: keypair
        name: unison-saml2-rp-sig
    static_keys:
    - name: session-unison
      version: 1
    - name: lastmile-oidc
      version: 1
    trusted_certificates:
    - name: trusted-adldaps
      pem_data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t........
    update_controller:
      days_to_expire: 10
      image: docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0
      schedule: 0 2 * * *
  non_secret_data:
  - name: AD_PORT
    value: "636"
  - name: AD_BASE_DN
    value: OU=Users,DC=exmaple,DC=org
  - name: AD_BIND_DN
    value: CN=SVC-ACCT,OU=Users,DC=exmaple,DC=org
  - name: USE_K8S_CM
    value: "true"
  - name: OU_CERT_L
    value: Arlington
  - name: OU_CERT_O
    value: MYORG
  - name: OU_HOST
    value: my.login.example.org
  - name: OU_CERT_OU
    value: example-cluster
  - name: K8S_URL
    value: https://example-api.example.org:6443
  - name: OU_CERT_C
    value: US
  - name: K8S_DASHBOARD_HOST
    value: my.dashboard.example.org
  - name: SESSION_INACTIVITY_TIMEOUT_SECONDS
    value: "86400"
  - name: SRV_DNS
    value: "false"
  - name: AD_CON_TYPE
    value: ldaps
  - name: OU_CERT_ST
    value: Virginia
  - name: MYVD_CONFIG_PATH
    value: WEB-INF/myvd.conf
  - name: AD_HOST
    value: my-ad.example.org
  openunison_network_configuration:
    activemq_dir: /tmp/amq
    allowed_client_names: []
    ciphers:
    - TLS_RSA_WITH_RC4_128_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_3DES_EDE_CBC_SHA
    - TLS_RSA_WITH_AES_128_CBC_SHA256
    - TLS_RSA_WITH_AES_256_CBC_SHA256
    client_auth: none
    force_to_secure: true
    open_external_port: 80
    open_port: 8080
    path_to_deployment: /usr/local/openunison/work
    path_to_env_file: /etc/openunison/ou.env
    quartz_dir: /tmp/quartz
    secure_external_port: 443
    secure_key_alias: unison-tls
    secure_port: 8443
  replicas: 1
  secret_data:
  - unisonKeystorePassword
  - AD_BIND_PASSWORD
  - K8S_DB_SECRET
  source_secret: orchestra-secrets-source
status:
  conditions:
    lastTransitionTime: 2020-04-08 08:15:54GMT
    status: "True"
    type: Completed
  digest: Uic0l9Wylx8feuYaj8RtuVsV0MxUJnLXXXXXXXXXXXXXXXXXXX

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

Are there errors in the openunison pod?

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

I am getting one error in the orchestra pod:

[2020-04-10 18:09:25,642][XNIO-1 task-11] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Could not execute request
	at com.tremolosecurity.proxy.ProxySys.doURI(ProxySys.java:112) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:141) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:135) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:139) ~[unison-sdk-1.0.17.1.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:162) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:293) [unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) [unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:290) [unison-server-core-1.0.17.1.jar:?]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:376) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) [undertow-core-2.0.29.Final.jar:2.0.29.Final]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
Caused by: java.lang.NullPointerException
	at com.tremolosecurity.scalejs.KubectlTokenLoader.loadToken(KubectlTokenLoader.java:122) ~[unison-applications-k8s-1.0.17.1.jar:?]
	at com.tremolosecurity.scalejs.token.ws.ScaleToken.doFilter(ScaleToken.java:66) ~[unison-scalejs-token-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:86) ~[unison-server-core-1.0.17.1.jar:?]
	at com.tremolosecurity.proxy.ProxySys.doURI(ProxySys.java:97) ~[unison-server-core-1.0.17.1.jar:?]
	... 41 more

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

Can you delete the image and let it re-pull? The line numbers are off.

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

oh, i just noticed you're on 1.0.17.1. Can you point your image to tremolosecurity/betas:k8s-login-ad-1.0.18? You'll want to change it in your CR.

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

That's weird cause the CR says that it is trying to pull the latest:

"image": "tremolosecurity/openunison-k8s-login-activedirectory:latest",
        "imageID": "docker-pullable://tremolosecurity/openunison-k8s-login-activedirectory@sha256:9f7851f5a6c5a9d5dd121c9aa496a9e42c80b8615c3e042f88d0d56683bb9c8a",
        "containerID": "docker://0f326439effd73fa8454db64b94f4565a4f34251cfb887ff0f2e5ce6e78b6e5f"

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

I have pulled with the latest image and the token page is now working. The openunison CA section of the page has disappeared and only the Kubernetes API Server CA is showing with the same internal cert. I checked the yaml again and the unison-ca is not in there. Is there something else I need to re-do to remove the internal k8s cert?

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

That's weird cause the CR says that it is trying to pull the latest:

latest is still 1.0.17.1 (for another day or two anyways)

The openunison CA section of the page has disappeared and only the Kubernetes API Server CA is showing with the same internal cert. I checked the yaml again and the unison-ca is not in there. Is there something else I need to re-do to remove the internal k8s cert?

to double check the k8s url has a commercially signed cert too?

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

The Kubernetes API Cert is still internal but we are going to be accessing it through a nginx proxy that is publicly signed and will loadbalance our requests to the three managers.

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

that makes sense. looking at the config I don't think we're handling that use case right now. Give me a minute and I think we can handle this easily

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

Fantastic! Thanks so much!

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

In your CR add a value:

- name: K8S_API_SERVER_CERT
  value: ""

Once the pod is re-launched the k8s cert should be gone too

from openunison-k8s-login-activedirectory.

tkg61 avatar tkg61 commented on June 11, 2024

Thanks! Do I add that under non_secret_data?

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

correct

from openunison-k8s-login-activedirectory.
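The two CR changes worked out in this thread (drop the whole `unison-ca` item from `spec.key_store.trusted_certificates`, and add `K8S_API_SERVER_CERT` with an empty value under `spec.non_secret_data`) are easy to get half right, as the "name removed, pem-data kept" attempt above showed. The following is an added example, not code from the OpenUnison project or from anyone in this thread: it takes a CR as a plain Python dict (a constructed, abridged copy of the shape posted above, so it runs without PyYAML or a cluster) and reports which CA material the token page would still embed into users' kubeconfigs. The function names, the `openunison-ca` / `k8s-api-server-ca` labels and the abridged CR are the example's own assumptions; the two rules it encodes are the ones stated in the thread.

```python
"""Check an OpenUnison CR for the 'publicly signed certs everywhere' setup.

Added example. Rules encoded (both from the thread, not from project docs):
  * a trusted_certificates item named "unison-ca" makes the token page embed
    the internal OpenUnison CA, so the whole item (name and pem_data) must go;
  * non_secret_data item K8S_API_SERVER_CERT with value "" suppresses the
    embedded Kubernetes API server CA (needed when the API is reached via a
    publicly signed proxy). When the variable is absent, the pod's own
    Kubernetes CA is embedded.
Function names and the abridged CR below are this example's assumptions.
"""
import copy

# Constructed sample CR, abridged from the shape posted in the thread.
# pem_data values are placeholders, not real certificates.
CR_BEFORE = {
    "apiVersion": "openunison.tremolo.io/v1",
    "kind": "OpenUnison",
    "metadata": {"name": "orchestra", "namespace": "openunison"},
    "spec": {
        "key_store": {
            "trusted_certificates": [
                {"name": "unison-ca", "pem_data": "LS0tLS1CRUdJTi..."},
                {"name": "trusted-adldaps", "pem_data": "LS0tLS1CRUdJTi..."},
            ],
        },
        "non_secret_data": [
            {"name": "K8S_URL", "value": "https://example-api.example.org:6443"},
            {"name": "OU_HOST", "value": "my.login.example.org"},
        ],
    },
}


def _non_secret(cr, name):
    """Value of a spec.non_secret_data entry, or None when it is absent."""
    for entry in cr["spec"].get("non_secret_data", []):
        if entry.get("name") == name:
            return entry.get("value")
    return None


def embedded_cas(cr):
    """Labels of the CA sources the token page would embed into kubeconfig."""
    cas = []
    trusted = cr["spec"].get("key_store", {}).get("trusted_certificates", [])
    if any(t.get("name") == "unison-ca" for t in trusted):
        cas.append("openunison-ca")
    # Absent -> pod's Kubernetes CA is embedded; "" -> nothing is embedded.
    if _non_secret(cr, "K8S_API_SERVER_CERT") != "":
        cas.append("k8s-api-server-ca")
    return cas


def check_public_cert_mode(cr):
    """Findings for a deployment whose login and API hosts use public certs."""
    findings = []
    trusted = cr["spec"].get("key_store", {}).get("trusted_certificates", [])
    # The half-done edit from the thread: pem_data left behind without a name.
    for item in trusted:
        if "name" not in item:
            findings.append("trusted_certificates item has pem_data but no name; "
                            "remove the whole item, not just its name line")
    cas = embedded_cas(cr)
    if "openunison-ca" in cas:
        findings.append("remove the entire trusted_certificates item named "
                        "unison-ca (both name and pem_data)")
    if "k8s-api-server-ca" in cas:
        findings.append('add {name: K8S_API_SERVER_CERT, value: ""} '
                        "under spec.non_secret_data")
    return findings


def fix_for_public_certs(cr):
    """Return a copy of the CR with both thread fixes applied."""
    fixed = copy.deepcopy(cr)
    ks = fixed["spec"].setdefault("key_store", {})
    ks["trusted_certificates"] = [
        t for t in ks.get("trusted_certificates", [])
        if t.get("name") != "unison-ca"
    ]
    nsd = fixed["spec"].setdefault("non_secret_data", [])
    nsd[:] = [e for e in nsd if e.get("name") != "K8S_API_SERVER_CERT"]
    nsd.append({"name": "K8S_API_SERVER_CERT", "value": ""})
    return fixed


if __name__ == "__main__":
    for finding in check_public_cert_mode(CR_BEFORE):
        print("finding:", finding)
    print("embedded after fix:", embedded_cas(fix_for_public_certs(CR_BEFORE)))
```

Run it against a real CR by loading `kubectl get openunison orchestra -n openunison -o json` into a dict; the checker only reads `spec.key_store.trusted_certificates` and `spec.non_secret_data`, so the rest of the object can stay as-is.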

tkg61 avatar tkg61 commented on June 11, 2024

It worked! Thanks for the help!

The browser still displays:

export TMP_CERT=$(mktemp) && echo -e "" > $TMP_CERT && ....

But it still works even though nothing happens.

Thanks again for all the help!

from openunison-k8s-login-activedirectory.

mlbiam avatar mlbiam commented on June 11, 2024

yeah, it will but should show </dev/null for linux when it sets the cert (only way I could get it to delete a cert). thanks for uncovering this usecase for us!

from openunison-k8s-login-activedirectory.
