Unable to get user roles with GitHub authentication
lbanita opened this issue · 4 comments
I am trying to deploy OpenUnison but I am having issues getting my user to have associated roles.
Any help is appreciated in figuring out what I am doing wrong. Thank you.
I can access the openunison_host and log in, but I can see that I do not have any roles assigned. Trying to access the dashboard also gives me an error:
"You are not authorized for failed authentication. If you feel you received this message in error, please contact your system administrator or help desk"
Looking at the logs for openunison, I can see the following:
```
[2024-07-12 14:22:40,600][XNIO-1 task-5] WARN OpenShiftTarget - Unexpected result calling 'https://kubernetes.default.svc/apis/openunison.tremolo.io/v1/namespaces/openunison/users/null' - 404 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"users.openunison.tremolo.io \"null\" not found","reason":"NotFound","details":{"name":"null","group":"openunison.tremolo.io","kind":"users"},"code":404}
```
Checking inside the cluster, though, I can see the users that are part of my organization:
```
# k describe user lbanita
Name:         lbanita
Namespace:    openunison
Labels:       <none>
Annotations:  <none>
API Version:  openunison.tremolo.io/v1
Kind:         User
Metadata:
  Creation Timestamp:  2024-07-11T13:31:10Z
  Generation:          2
  Resource Version:    335651526
  UID:                 d23cb648-b1d6-4ed8-a38b-6260198f4b09
Spec:
  Email:       l****@gmail.com
  first_name:  na
  Groups:
    ou-lbanita
    ou-lbanita/openunison
    ou-lbanita/dev
    ou-lbanita/prod
    ou-lbanita/stage
    ou-lbanita/owners
  last_name:  na
  Sub:        lbanita
  UID:        lbanita
```
I am deploying using ArgoCD on EKS, alongside cert-manager and nginx-ingress-controller:
```yaml
repoURL: https://nexus.tremolo.io/repository/helm
targetRevision: 2.3.56
chart: orchestra-login-portal-argocd
```
This is my values file:
```yaml
network:
  openunison_host: "openunison.dev.lbanita.com"
  dashboard_host: "openunison-dash.dev.lbanita.com"
  api_server_host: "openuniusonapi.dev.lbanita.com"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://*******************.us-east-1.eks.amazonaws.com
  force_redirect_to_tls: true
  createIngressCertificate: false
  ingress_type: nginx
  ingress_annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx
cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: openunison-cp
enable_impersonation: true
impersonation:
  use_jetstack: true
  explicit_certificate_trust: false
dashboard:
  enabled: true
  namespace: "kube-system"
  cert_name: "kubernetes-dashboard-certs"
  label: "app.kubernetes.io/instance=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true
certs:
  use_k8s_cm: false
trusted_certs: []
monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s
github:
  client_id: O**************
  teams: ou-lbanita/
network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system
services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []
openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: "true"
  secrets: []
  enable_provisioning: false
  use_standard_jit_workflow: true
  az_groups:
  - ou-lbanita/openunison
```
I have created the clusterrolebinding:
```
# k describe clusterrolebinding github-cluster-admins
Name:         github-cluster-admins
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name               Namespace
  ----   ----               ---------
  Group  ou-lbanita/owners
```
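As an added example (it is not code from this issue and not OpenUnison's own code), the script below models the two things worth checking offline from the output posted above: whether the WARN line really says the user lookup went to `/users/null` (an empty uid attribute interpolated into the path), and which ClusterRoles the User object's groups actually reach through the ClusterRoleBindings. The regex, the `diagnose` helper and the dict shapes are this example's own; the User, ClusterRoleBinding and log-line values are constructed copies of what was posted. The assumption that RBAC sees the `uid` as the username under impersonation is the example's, not something the issue states.

```python
"""Added example: offline checks for the /users/null lookup and group-based RBAC.

Not OpenUnison code. Everything here is constructed from the kubectl output and
the WARN line posted in the issue; function names are this example's own.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

API_BASE = "https://kubernetes.default.svc/apis/openunison.tremolo.io/v1"

# Constructed copy of the WARN line from the issue, trimmed to what the regex needs.
SAMPLE_LOG_LINE = (
    "[2024-07-12 14:22:40,600][XNIO-1 task-5] WARN OpenShiftTarget - Unexpected result calling "
    "'https://kubernetes.default.svc/apis/openunison.tremolo.io/v1/namespaces/openunison/users/null'"
    ' - 404 / {"kind":"Status","status":"Failure","reason":"NotFound","code":404}'
)

# Matches "... calling '<url>/users/<name>' - <status>" and captures name and status.
_LOOKUP_RE = re.compile(r"calling '[^']*/users/([^/']+)' - (\d{3})")

# Constructed from the `k describe user lbanita` output in the issue.
USER_OBJECT: Dict = {
    "apiVersion": "openunison.tremolo.io/v1",
    "kind": "User",
    "metadata": {"name": "lbanita", "namespace": "openunison"},
    "spec": {
        "sub": "lbanita",
        "uid": "lbanita",
        "groups": [
            "ou-lbanita",
            "ou-lbanita/openunison",
            "ou-lbanita/dev",
            "ou-lbanita/prod",
            "ou-lbanita/stage",
            "ou-lbanita/owners",
        ],
    },
}

# Constructed from `k describe clusterrolebinding github-cluster-admins`.
CLUSTER_ROLE_BINDINGS: List[Dict] = [
    {
        "metadata": {"name": "github-cluster-admins"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "Group", "name": "ou-lbanita/owners"}],
    }
]


def lookup_name_from_log(line: str) -> Optional[Tuple[str, int]]:
    """Return (looked-up user name, HTTP status) from an OpenShiftTarget WARN line,
    or None if the line is not a user-lookup warning."""
    m = _LOOKUP_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def user_lookup_path(session_attrs: Dict[str, Optional[str]], namespace: str = "openunison") -> str:
    """Build the User lookup URL the way a careful client should.

    A missing uid attribute interpolated into the path is what produces the
    '/users/null' seen in the issue; failing here turns that silent 404 into
    an explicit configuration error.
    """
    uid = session_attrs.get("uid")
    if not uid:
        raise ValueError("session has no uid attribute; lookup would request /users/null")
    return f"{API_BASE}/namespaces/{namespace}/users/{uid}"


def effective_cluster_roles(user_obj: Dict, bindings: List[Dict]) -> Set[str]:
    """ClusterRoles the user reaches via ClusterRoleBindings (Kubernetes RBAC matching:
    a Group subject matches any carried group, a User subject matches the username).
    Assumption of this example: under impersonation the username RBAC sees is the uid."""
    spec = user_obj.get("spec", {})
    groups = set(spec.get("groups", []))
    uid = spec.get("uid")
    roles: Set[str] = set()
    for crb in bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole":
            continue
        for subj in crb.get("subjects", []):
            is_group_hit = subj.get("kind") == "Group" and subj.get("name") in groups
            is_user_hit = subj.get("kind") == "User" and subj.get("name") == uid
            if is_group_hit or is_user_hit:
                roles.add(ref["name"])
    return roles


def diagnose(log_line: str, session_attrs: Dict, user_obj: Dict, bindings: List[Dict]) -> Dict[str, object]:
    """One-shot summary: what the log looked up, what a sane lookup would be, what RBAC grants."""
    report: Dict[str, object] = {}
    hit = lookup_name_from_log(log_line)
    report["lookup_name"] = hit[0] if hit else None
    report["lookup_status"] = hit[1] if hit else None
    try:
        report["lookup_path"] = user_lookup_path(session_attrs)
    except ValueError as exc:
        report["lookup_path"] = None
        report["lookup_error"] = str(exc)
    report["cluster_roles"] = sorted(effective_cluster_roles(user_obj, bindings))
    return report


if __name__ == "__main__":
    import json
    # Empty session attrs reproduces the failure mode from the issue.
    print(json.dumps(diagnose(SAMPLE_LOG_LINE, {}, USER_OBJECT, CLUSTER_ROLE_BINDINGS), indent=2))
```

Running it with empty session attributes reports the `null` name and 404 from the log, refuses to build a `/users/null` path, and still shows that the posted User object would reach `cluster-admin` through `ou-lbanita/owners`, which separates "the groups are fine" from "the lookup never used the uid".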
Hmm, the fact that the groups are in the user object is really odd; that's usually the hard part. Are there any exceptions in the orchestra pod's logs? (Look for the word Exception.) Can you change the chart version to 2.3.56? I don't know of any issue specifically that would have been fixed, but it's worth getting onto the latest charts.
Thank you for the quick answer. I am already on 2.3.56 (as mentioned in the initial message).
I tried searching through all the pods; there is no mention of Exception.
I deleted everything, including CRDs, and re-deployed with the same values, but got the same result. A resource of Kind "User" gets created, listing all the correct groups, but the same warning appears.
I've attached a full log of the openunison pod.
openunison-openunison.log
I decided to install via ouctl for a try instead of ArgoCD because of the Rawkode video (excellent video, by the way). Everything worked flawlessly with the same exact values file. In ArgoCD, as mentioned, I have the following values:
```yaml
- repoURL: https://nexus.tremolo.io/repository/helm
  targetRevision: 2.3.56
  chart: orchestra-login-portal-argocd
```
A couple of things to note:
- The UI is different: with the ArgoCD deployment the menu was horizontal. With ouctl it's vertical on the right side, like in the Rawkode video.
- During deployment with ArgoCD (I disabled Self-Heal & AutoSync), at some point it would fail complaining about the authenticity of the X509 certificate and it would stop progressing. I would click re-sync with the Replace option enabled (https://argo-cd.readthedocs.io/en/stable/user-guide/sync-options/#replace-resource-instead-of-applying-changes), and everything would come online and appear Healthy in ArgoCD, without errors in the pods.
- The pod would be named openunison-openunison in the ArgoCD deployment instead of openunison-orchestra as with the ouctl deployment.
Am I somehow deploying the wrong version?
> I decided to install via ouctl for a try instead of ArgoCD because of the Rawkode video (excellent video, by the way). Everything worked flawlessly with the same exact values file.

Fantastic!

> Am I somehow deploying the wrong version?

I need to revisit the ArgoCD deployment. The ArgoCD chart is a combination of the openunison-operator, orchestra, and orchestra-login-portal charts. The ouctl command deploys those Helm charts separately. Now that ArgoCD supports multiple sources for an application, I might update it for that.