Closed ddellarocca closed 3 years ago
With this configuration if I reach https://ou.example.com/ I get Internal Server Error
Is that coming from OpenUnison or traefik? If it's from OpenUnison, is there a stack trace in the pod's logs?
oidc: issuer did not match the issuer returned by provider, expected "https://ou.example.com/auth/idp/k8s-login-cli" got "http://ou.example.com/auth/idp/k8s-login-cli"
This is a known issue that has been fixed in 1.0.23 (should be released by Tuesday): https://github.com/TremoloSecurity/OpenUnison/issues/549
It's coming from traefik; the pod never gets the request. If I set up traefik with the insecureskipverify flag it correctly forwards to the openunison pod and everything works. As I mentioned before, I think the problem is related to traefik refusing openunison's self-signed cert.
Great news, I'll test as soon as it gets released then.
Can you tell traefik to trust the unison-tls Secret in the openunison namespace?
Unfortunately I didn't find any options to do that.
Assuming traefik adds the X-Forwarded-Proto header, you can now add networking.force_redirect_to_tls: false to your values.yaml and, after updating your local helm repo, upgrade your openunison and orchestra deployments.
In the end we switched to kube-oidc-proxy because we would enable that anyway in openunison.
Hi, I'm trying to deploy openunison in an eks cluster with a traefik ingressroute and a certificate signed with cert-manager. The ingressroute config is the following:
With this configuration, if I reach https://ou.example.com/ I get Internal Server Error; if I change the port in each rule from 443 to 80 I can reach the openunison dashboard correctly, but I can't use kubectl because of this error:
2021/05/28 15:39:27 http: panic serving 127.0.0.1:54726: oidc: issuer did not match the issuer returned by provider, expected "https://ou.example.com/auth/idp/k8s-login-cli" got "http://ou.example.com/auth/idp/k8s-login-cli"
I'm guessing that the problem is related to traefik refusing to expose an endpoint if the service certificate is invalid (self-signed in this case) when using https to connect to the service. I've also tested in a local cluster with kind, and if I set insecureskipverify in traefik it works correctly, but I can't set that flag on the production cluster. Is there a way to work around this issue?
PS. The secret openunison-tls-certificate is the certificate created by cert-manager and it is valid.
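As an added example that is not part of this thread and is not the OpenUnison or traefik projects' own configuration: the question of whether traefik can trust the unison-tls Secret, and the original post's choice between port 443 (Internal Server Error) and port 80 (issuer mismatch), can both be addressed with a traefik v2 ServersTransport (available since traefik 2.4), which lets traefik verify OpenUnison's self-signed certificate instead of setting insecureSkipVerify. Everything below that is not on the page is an assumption: the Service name openunison-orchestra listening on 443 in the openunison namespace, the serverName (it must match a SAN on the self-signed certificate), the entrypoint name websecure, and the Secret openunison-ca, which holds the PEM copied from the tls.crt key of unison-tls under a ca.crt key, the key traefik reads for rootCAsSecrets.

```yaml
# Added example, not from the thread. Names marked "assumed" are not on the page.

# 1. A CA secret in the form traefik expects: rootCAsSecrets reads the PEM
#    from a "ca.crt" (or "tls.ca") key. unison-tls is a kubernetes.io/tls
#    secret holding a self-signed certificate, so its tls.crt is also the
#    issuer and can be copied here as the trust anchor.
apiVersion: v1
kind: Secret
metadata:
  name: openunison-ca                 # assumed name
  namespace: openunison
type: Opaque
data:
  ca.crt: <base64 PEM copied from the tls.crt key of secret unison-tls>
---
# 2. A transport that verifies the backend certificate instead of skipping
#    verification (the insecureskipverify workaround from the thread).
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: openunison-tls                # assumed name
  namespace: openunison
spec:
  # Must match a SAN in the self-signed certificate; assumed value.
  serverName: openunison-orchestra.openunison.svc
  insecureSkipVerify: false           # the default, written out for contrast
  rootCAsSecrets:
    - openunison-ca
---
# 3. A route that terminates the cert-manager certificate at traefik and
#    re-encrypts to the pod on 443, so OpenUnison is reached over https and
#    the issuer it advertises to kubectl keeps the https:// scheme.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: openunison                    # assumed name
  namespace: openunison
spec:
  entryPoints:
    - websecure                       # assumed entrypoint name
  routes:
    - match: Host(`ou.example.com`)
      kind: Rule
      services:
        - name: openunison-orchestra  # assumed Service name
          port: 443
          scheme: https
          serversTransport: openunison-tls
          passHostHeader: true
  tls:
    secretName: openunison-tls-certificate   # the cert-manager secret from the post
```

A ServersTransport referenced by name from an IngressRoute is resolved in the IngressRoute's own namespace, which is why all three objects sit in openunison. If the serverName does not match a SAN on the certificate, the backend handshake fails and traefik answers with the same Internal Server Error the post describes for port 443, so that value is the first thing to check against the certificate in unison-tls.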