AzBuilder / terrakube-helm-chart

Helm chart to install Terrakube in any Kubernetes cluster
Apache License 2.0

Error 500 When Creating Organization with LDAP or Microsoft Azure AD Authentication #133

Open Shubham-Jawkar1 opened 1 month ago

Shubham-Jawkar1 commented 1 month ago

Description: I have deployed Terrakube with a self-signed certificate. After logging in, I am encountering an issue when trying to create an organization. The operation fails, and in the browser's inspect section, I can see that a 500 error is being returned. I am facing this issue with both OpenLDAP and Azure AD authentication methods.

Steps to Reproduce: Deploy Terrakube with a self-signed certificate. Configure LDAP or Microsoft Azure AD authentication. Log in using LDAP or Azure AD credentials. Attempt to create an organization.

Expected Behavior: The organization should be created successfully without any errors.

Actual Behavior: The operation fails, and a 500 error is returned in the browser.

Additional Information:

Browser Console Errors: 500 Internal Server Error
API Container Logs: (See attached log file for reference)

Environment:

Terrakube version: [3.17.6]
Deployment method: [e.g., Azure Kubernetes Service]
Authentication method: [OpenLDAP, Microsoft Azure AD]
Browser: [e.g., Chrome, Edge]

Please let me know if you need any additional information or if there are any steps I can take to help diagnose this issue further.

terrakube-api.log

alfespa17 commented 1 month ago

You need to upgrade your ingress setup; by default it is using "https://terrakube-api.minikube.net", which is just for testing.

java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "https://terrakube-api.minikube.net/dex"
    at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:168) ~[spring-security-oauth2-jose-6.1.9.jar:6.1.9]

You can check the following link.

https://docs.terrakube.io/getting-started/deployment/ingress-configuration

alfespa17 commented 1 month ago

To use self-signed certificates you will also need to read the following:

https://docs.terrakube.io/getting-started/deployment/custom-ca-certs

Shubham-Jawkar1 commented 1 month ago

@alfespa17 , Thank you for the response. I've referred to the following link for using Dex with Azure AD https://docs.terrakube.io/getting-started/user-management/azure-active-directory

As per the documentation, the Dex DNS is derived from the API DNS, i.e., https:///dex. Could you please confirm whether I need to create a separate DNS entry for the Dex DNS as well, and how to configure the DEX issuer?

alfespa17 commented 1 month ago

> @alfespa17 , Thank you for the response. I've referred to the following link for using Dex with Azure AD https://docs.terrakube.io/getting-started/user-management/azure-active-directory
>
> As per the documentation, the Dex DNS is derived from the API DNS, i.e., https:///dex. Could you please confirm whether I need to create a separate DNS entry for the Dex DNS as well, and how to configure the DEX issuer?

You don't need a different domain; you can have DEX at the following URL, for example https://terrakube-api.minikube.net/dex, and it should work correctly, so you can reuse the API domain to expose DEX too.

Shubham-Jawkar1 commented 1 month ago

Hi @alfespa17, how can I ensure that Dex is working correctly? Additionally, when I hit the following URL >> https://terrakube-api.minikube.net/dex/.well-known/openid-configuration, I get the response shown below. Is this expected?

{
  "issuer": "https://terrakube-api.minikube.net/dex",
  "authorization_endpoint": "https://terrakube-api.minikube.net/dex/auth",
  "token_endpoint": "https://terrakube-api.minikube.net/dex/token",
  "jwks_uri": "https://terrakube-api.minikube.net/dex/keys",
  "userinfo_endpoint": "https://terrakube-api.minikube.net/dex/userinfo",
  "device_authorization_endpoint": "https://terrakube-api.minikube.net/dex/device/code",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:ietf:params:oauth:grant-type:token-exchange"
  ],
  "response_types_supported": ["code", "id_token", "token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "code_challenge_methods_supported": ["S256", "plain"],
  "scopes_supported": ["openid", "email", "groups", "profile", "offline_access"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "claims_supported": [
    "iss", "sub", "aud", "iat", "exp", "email", "email_verified",
    "locale", "name", "preferred_username", "at_hash"
  ]
}

alfespa17 commented 1 month ago

That is correct if you are using https://terrakube-api.minikube.net you can use that endpoint /dex/.well-known/openid-configuration just to check if dex is returning information correctly, now you only need to test from the UI if you are able to login.
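The check alfespa17 describes (hit `/dex/.well-known/openid-configuration` and confirm Dex returns its metadata) can be made a bit stricter, because the API's Spring Security stack compares the `issuer` field of that document against its configured issuer URL exactly, and also has to trust the certificate the endpoint is served with. The script below is an added example, not code from this thread or from the Terrakube project: it embeds a copy of the discovery document posted above (trimmed to the fields that matter), validates it against a configured issuer, and shows how a fetch would trust a private CA instead of disabling verification. The CA bundle path is a placeholder.

```python
"""Sanity-check an OIDC discovery document the way a relying party does.

Added example, not part of the issue thread or the Terrakube project.
Assumptions: Dex is served under the API hostname, as in the thread, and
the sample document and the CA bundle path are constructed placeholders.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

# Sample discovery document, constructed from the response posted in the
# thread and trimmed to the fields this check needs.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://terrakube-api.minikube.net/dex",
  "authorization_endpoint": "https://terrakube-api.minikube.net/dex/auth",
  "token_endpoint": "https://terrakube-api.minikube.net/dex/token",
  "jwks_uri": "https://terrakube-api.minikube.net/dex/keys",
  "userinfo_endpoint": "https://terrakube-api.minikube.net/dex/userinfo",
  "id_token_signing_alg_values_supported": ["RS256"]
}""")

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """OIDC Discovery places the metadata at <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, configured_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable.

    The issuer string must match the configured issuer byte-for-byte: a
    trailing slash or an http/https difference is enough for the relying
    party to reject it. Endpoints must be https. The same-host check is a
    deployment sanity check for the single-domain setup in the thread, not
    a requirement of the OIDC specification.
    """
    problems = []
    issuer = doc.get("issuer")
    if issuer != configured_issuer:
        problems.append(f"issuer mismatch: document says {issuer!r}, "
                        f"API is configured with {configured_issuer!r}")
    expected_host = urlparse(configured_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        elif parsed.netloc != expected_host:
            problems.append(f"{key} is on a different host than the issuer: {value}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for id_token signing")
    return problems


def fetch_discovery(issuer: str, ca_bundle: str) -> dict:
    """Fetch the document over TLS, trusting only the given CA bundle.

    Not called in the offline check below. For a self-signed or private CA
    the fix is to make the client trust that CA; turning verification off
    would also hide a wrong certificate on the ingress.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)  # ca_bundle: placeholder path
    with urllib.request.urlopen(discovery_url(issuer), context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Three configured issuers that differ only in details a human would
    # overlook but the relying party does not.
    for candidate in ("https://terrakube-api.minikube.net/dex",
                      "https://terrakube-api.minikube.net/dex/",
                      "http://terrakube-api.minikube.net/dex"):
        print(candidate, "->", validate_discovery(SAMPLE_DISCOVERY, candidate) or "OK")
```

Run it as-is to see that the document from the thread passes only for the exact issuer `https://terrakube-api.minikube.net/dex`; point `fetch_discovery` at a real deployment with the CA that signed the ingress certificate to reproduce the trust part of the check from inside the cluster.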

Shubham-Jawkar1 commented 1 month ago

@alfespa17, thanks for the confirmation. The endpoint [/dex/.well-known/openid-configuration] is responding, but I still face the same issue and the same error logs that I shared earlier.

alfespa17 commented 1 month ago

Hello @Shubham-Jawkar1, can you share the example YAML file that you are using for the deployment (without any sensitive information)?

alfespa17 commented 1 month ago

Just to confirm, you are using minikube to test, right?