
Comments (6)

matty1979 avatar matty1979 commented on June 12, 2024

values.yaml

network:
  openunison_host: "ou.ou-test.runshiftup.local"
  dashboard_host: "dashboard.ou-test.runshiftup.local"
  api_server_host: "http://127.0.0.1:49202/856a8c21-4dad-48d9-b82a-c9ba7dab23cc"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://kubernetes.default.svc:6443
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations:
    kubernetes.io/ingress.class: nginx
  force_redirect_to_tls: true
  ingress_certificate: ou-tls-certificate

cert_template:
  ou: "Kubernetes"
  o: "Dev"
  l: "My Cluster"
  st: "VA"
  c: "US"

image: "docker.io/tremolosecurity/openunison-k8s-login-oidc:latest"
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: k3d-dev
enable_impersonation: true


dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

oidc:
  client_id: 2523f4fb-005d-4b8d-99f3-f61a444bd55a
  auth_url: https://login.prod-a.runshiftup.com/auth/realms/ShiftUp/protocol/openid-connect/auth
  token_url: https://login.prod-a.runshiftup.com/auth/realms/ShiftUp/protocol/openid-connect/token
  user_in_idtoken: false
  userinfo_url: https://login.prod-a.runshiftup.com/auth/realms/ShiftUp/protocol/openid-connect/userinfo
  domain: ou.ou-test.runshiftup.local
  scopes: openid email profile
  claims:
    email: email
    profile: profile
    roles: roles
    sub: sub
    web-origins: web-origins

impersonation:
  use_jetstack: false
  jetstack_oidc_proxy_image: quay.io/jetstack/kube-oidc-proxy:v0.3.0
  explicit_certificate_trust: false
  ca_secret_name: ou-tls-secret
network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: true
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []
  pullSecret: ""

openunison:
  replicas: 1
  non_secret_data: {}
  secrets: []

from openunison-k8s-login-oidc.

matty1979 avatar matty1979 commented on June 12, 2024

openunison-orchestra in namespace openunison isn't creating an endpoint


mlbiam avatar mlbiam commented on June 12, 2024

I see two issues:

api_server_host: "http://127.0.0.1:49202/856a8c21-4dad-48d9-b82a-c9ba7dab23cc"

combined with

enable_impersonation: true

The network.api_server_host gets used as a host in the Ingress object that is created. It's also used in the internal certificate created for OpenUnison, so it must be a valid host name. This is likely why you're not seeing any Endpoint or Ingress objects.
https://openunison.github.io/deployauth.html#host-names-and-networking details how the network.*_host settings relate to your Ingress and LoadBalancer. If you want to enable impersonation support, create a host name for the API requests, or disable impersonation if you want k3s to interact with OpenUnison directly using OpenID Connect.

If you're not using impersonation, set network.k8s_url to http://127.0.0.1:49202/856a8c21-4dad-48d9-b82a-c9ba7dab23cc

Delete the orchestra helm deployment (helm delete orchestra -n openunison) to clear out the generated Secret objects. Then redeploy with your fixed values.yaml.

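The mistake above (a full URL where the chart expects a bare host name) is easy to catch before running helm. The following is an added example, not code from the OpenUnison project: a small pre-deploy check that applies the rules from this comment to the parsed values file. It assumes the values have already been loaded into nested Python dicts; the sample configurations are constructed from this thread, and `check_values` and `is_hostname` are hypothetical helper names.

```python
import re
from urllib.parse import urlparse

# RFC 1123 style label: alphanumerics and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(value):
    """True if value is a bare DNS host name (no scheme, port, or path)."""
    if not isinstance(value, str) or not 1 <= len(value) <= 253:
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def check_values(values):
    """Return a list of problems found in an OpenUnison values structure.
    Encodes the rules from this thread: network.*_host values end up in the
    Ingress and the internal certificate, so they must be host names; without
    impersonation the cluster reaches OpenUnison directly via network.k8s_url."""
    problems = []
    net = values.get("network", {})
    impersonation = bool(values.get("enable_impersonation", False))
    for key in ("openunison_host", "dashboard_host", "api_server_host"):
        if key == "api_server_host" and not impersonation:
            continue  # api_server_host is only consumed when impersonation is on
        host = net.get(key)
        if not host:
            problems.append(f"network.{key}: missing")
        elif not is_hostname(host):
            problems.append(f"network.{key}: {host!r} is not a bare host name")
    if not impersonation:
        url = net.get("k8s_url", "")
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"network.k8s_url: {url!r} is not an http(s) URL")
    return problems


# Constructed samples mirroring the values.yaml posted above (hosts are placeholders).
API_URL = "http://127.0.0.1:49202/856a8c21-4dad-48d9-b82a-c9ba7dab23cc"
BROKEN = {
    "enable_impersonation": True,
    "network": {"openunison_host": "ou.ou-test.runshiftup.local",
                "dashboard_host": "dashboard.ou-test.runshiftup.local",
                "api_server_host": API_URL,
                "k8s_url": "https://kubernetes.default.svc:6443"},
}
FIXED = {"enable_impersonation": False,
         "network": {**BROKEN["network"], "k8s_url": API_URL}}
```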

matty1979 avatar matty1979 commented on June 12, 2024

Setting impersonation to false and k8s_url: http://127.0.0.1:49202/856a8c21-4dad-48d9-b82a-c9ba7dab23cc
No difference in it.

No endpoints makes sense, because the endpoint points to the pod: no active pod, no endpoint. However, no Ingress is being created either.


mlbiam avatar mlbiam commented on June 12, 2024

No endpoints makes sense, because the endpoint points to the pod: no active pod, no endpoint. However, no Ingress is being created either.

If the Ingress isn't being created, it's likely an issue with the host configuration. The operator logs display the results when an object fails to get created. You should be able to look for the Ingress being created to see what the failure is. I think whatever is causing the Ingress to not be created is the same issue with the keystore. I'll get OpenUnison running on k3s to check if there's something specific to k3s.


matty1979 avatar matty1979 commented on June 12, 2024

Issue was within the oidc_client_secret and caused it not to connect. This is closed.

