search

Icinga / helm-charts

Kubernetes Helm charts to deploy a ready-to-use Icinga monitoring stack.
https://icinga.com
Apache License 2.0
8 stars 11 forks source link

[Bug]: Error when setting auth: type: external #59

Open conorgriffin1995 opened 1 month ago

conorgriffin1995 commented 1 month ago

Affected Chart

icingaweb2

Which version of the app contains the bug?

0.3.0

Please describe your problem

When attempting to set the auth as external in icingaweb2 I am getting an error.

helm values:

icingaweb2:
  enabled: true
  auth:
    type: external
    resource: icingaweb2db
    admin_password: 
      value: "${icinga_db_admin_password}"
....

Error in icingaweb2 pod logs after helm deployment:

[Tue Jul 16 12:06:04.432743834 2024] [docker_entrypoint:info] [pid 1] DOCKERE: Checking database resources used as backends [Tue Jul 16 12:06:04.561396276 2024] [docker_entrypoint:info] [pid 1] DOCKERE: Ensuring database authentication backend "icingaweb2" to have a user "icingaadmin" with the password "***" PHP Fatal error: Uncaught Error: Call to undefined method Icinga\Authentication\User\ExternalBackend::select() in /entrypoint-db-init/application/clicommands/DbCommand.php:69 Stack trace:

0 /usr/share/icingaweb2/library/Icinga/Cli/Loader.php(269): Icinga\Module\Dockerentrypoint\Clicommands\DbCommand->userAction()

1 /usr/share/icingaweb2/library/Icinga/Application/Cli.php(165): Icinga\Cli\Loader->dispatch()

2 /usr/share/icingaweb2/library/Icinga/Application/Cli.php(155): Icinga\Application\Cli->dispatchOnce()

3 /usr/share/icingaweb2/bin/icingacli(7): Icinga\Application\Cli->dispatch()

4 {main}

thrown in /entrypoint-db-init/application/clicommands/DbCommand.php on line 69

Fatal error: Uncaught Error: Call to undefined method Icinga\Authentication\User\ExternalBackend::select() in /entrypoint-db-init/application/clicommands/DbCommand.php:69 Stack trace:

0 /usr/share/icingaweb2/library/Icinga/Cli/Loader.php(269): Icinga\Module\Dockerentrypoint\Clicommands\DbCommand->userAction()

1 /usr/share/icingaweb2/library/Icinga/Application/Cli.php(165): Icinga\Cli\Loader->dispatch()

2 /usr/share/icingaweb2/library/Icinga/Application/Cli.php(155): Icinga\Application\Cli->dispatchOnce()

3 /usr/share/icingaweb2/bin/icingacli(7): Icinga\Application\Cli->dispatch()

4 {main}

thrown in /entrypoint-db-init/application/clicommands/DbCommand.php on line 69

conorgriffin1995 commented 1 month ago

I think the solution here is to do it via the UI ? It looks like setting external auth cannot be done in the helm deployment.

conorgriffin1995 commented 1 month ago

@mocdaniel I have set external login using the icinga UI as stated in the documentation (https://icinga.com/docs/icinga-web/latest/doc/05-Authentication/)

Navigate into Configuration > Application > Authentication. Authentication methods are configured in the /etc/icingaweb2/authentication.ini file.

External Authentication -> Authentication to the web server can be delegated with the autologin section which specifies an external backend.

I have done this:

image

I can see the config change in authentication.ini

image

I am using an OAuth2 proxy which is running as a pod inside my icinga kubernetes cluster to manage the authentication against Azure Active Directory and I can successfully sign into the application using my Azure Identity. The problem is after I login through Microsoft I am brought to the basic authentication login page for icinga, which tells me icinga is not recognizing the external authentication.

Sign in using OAuth2 endpoint login.microsoft..

image

But then I am brought to icinga login page, is there something I am missing or could this be a bug?

image

I can see the following cookies in the session:

image