OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Newly deployed OpenUnison cannot load its CRDs #108

Closed santiagon610 closed 5 months ago

santiagon610 commented 5 months ago

I'm currently in the process of installing OpenUnison on a Kubernetes cluster, and am getting an error in the OpenUnison pod where it appears to be getting a 401 when attempting to load its CRDs:

/usr/local/openunison/work/webapp/WEB-INF/lib/*:/usr/local/openunison/work/webapp/WEB-INF/classes:/tmp/quartz
[2024-04-13 17:11:45,030][main] INFO  OpenUnisonOnUndertow - Starting OpenUnison on Undertow 1.0.40-2024030801
[2024-04-13 17:11:45,045][main] INFO  OpenUnisonOnUndertow - Parsing YAML : '/etc/openunison/openunison.yaml'
[2024-04-13 17:11:45,217][main] INFO  OpenUnisonOnUndertow - Config Open Port : '8080'
[2024-04-13 17:11:45,218][main] INFO  OpenUnisonOnUndertow - Disable HTTP2 : 'false'
[2024-04-13 17:11:45,218][main] INFO  OpenUnisonOnUndertow - Allow unescaped characters : 'false'
[2024-04-13 17:11:45,219][main] INFO  OpenUnisonOnUndertow - Config Open External Port : '80'
[2024-04-13 17:11:45,219][main] INFO  OpenUnisonOnUndertow - Config Secure Port : '8443'
[2024-04-13 17:11:45,219][main] INFO  OpenUnisonOnUndertow - Config Secure External Port : '443'
[2024-04-13 17:11:45,220][main] INFO  OpenUnisonOnUndertow - Config Context Root :  '/'
[2024-04-13 17:11:45,220][main] INFO  OpenUnisonOnUndertow - Force to Secure : 'true'
[2024-04-13 17:11:45,220][main] INFO  OpenUnisonOnUndertow - ActiveMQ Directory : '/tmp/amq'
[2024-04-13 17:11:45,220][main] INFO  OpenUnisonOnUndertow - Quartz Directory : '/tmp/quartz'
[2024-04-13 17:11:45,221][main] INFO  OpenUnisonOnUndertow - Config TLS Client Auth Mode : 'none'
[2024-04-13 17:11:45,222][main] INFO  OpenUnisonOnUndertow - Config TLS Allowed Client Subjects : '[]'
[2024-04-13 17:11:45,222][main] INFO  OpenUnisonOnUndertow - Config TLS Protocols : 'null'
[2024-04-13 17:11:45,222][main] INFO  OpenUnisonOnUndertow - Config TLS Ciphers : '[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384]'
[2024-04-13 17:11:45,223][main] INFO  OpenUnisonOnUndertow - Config Path to Deployment : '/usr/local/openunison/work'
[2024-04-13 17:11:45,223][main] INFO  OpenUnisonOnUndertow - Config Path to Environment File : '/etc/openunison/ou.env'
[2024-04-13 17:11:45,223][main] INFO  OpenUnisonOnUndertow - Redirect to contex root : 'false'
[2024-04-13 17:11:45,223][main] INFO  OpenUnisonOnUndertow - Support socket shutdown : false
[2024-04-13 17:11:45,229][main] INFO  OpenUnisonOnUndertow - true
[2024-04-13 17:11:45,230][main] INFO  OpenUnisonOnUndertow - Creating unisonServiceProps
[2024-04-13 17:11:45,266][main] INFO  OpenUnisonOnUndertow - Temporary unisonServiceProps : '/tmp/unisonService10678310672480830340props'
[2024-04-13 17:11:45,281][main] INFO  OpenUnisonOnUndertow - Loading environment file : '/etc/openunison/ou.env'
[2024-04-13 17:11:45,282][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_DB_SSO'
[2024-04-13 17:11:45,282][main] INFO  OpenUnisonOnUndertow - Adding property : 'unisonKeystorePassword'
[2024-04-13 17:11:45,282][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_SELF_LINK'
[2024-04-13 17:11:45,282][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_DB_SECRET'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_DASHBOARD_NAMESPACE'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'OU_SVC_NAME'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'OU_QUARTZ_MASK'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_TOKEN_TYPE'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_OPENUNISON_NS'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_DASHBOARD_SERVICE'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'PROMETHEUS_SERVICE_ACCOUNT'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'OU_HOST'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_URL'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_IMPERSONATION'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_DASHBOARD_HOST'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'SESSION_INACTIVITY_TIMEOUT_SECONDS'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'OPENUNISON_PROVISIONING_ENABLED'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'MYVD_CONFIG_PATH'
[2024-04-13 17:11:45,283][main] INFO  OpenUnisonOnUndertow - Adding property : 'K8S_CLUSTER_NAME'
[2024-04-13 17:11:45,284][main] INFO  OpenUnisonOnUndertow - Loading keystore for Undertow
[2024-04-13 17:11:45,284][main] INFO  OpenUnisonOnUndertow - OpenUnison XML File : '/usr/local/openunison/work/webapp/WEB-INF/unison.xml'
[2024-04-13 17:11:45,296][main] INFO  OpenUnisonConfigLoader - No config from include files, using original
[2024-04-13 17:11:45,942][main] INFO  OpenUnisonOnUndertow - Loading keystore : '/etc/openunison/unisonKeyStore.p12'
[2024-04-13 17:11:45,942][main] INFO  OpenUnisonOnUndertow - Building Undertow
[2024-04-13 17:11:45,965][main] INFO  OpenUnisonOnUndertow - Check if enabling HTTP2 - false
[2024-04-13 17:11:45,965][main] INFO  OpenUnisonOnUndertow - Enabling HTTP2
[2024-04-13 17:11:45,968][main] INFO  OpenUnisonOnUndertow - Adding open port : '8080'
[2024-04-13 17:11:46,389][main] INFO  OpenUnisonOnUndertow - NOT Supporting TLS Protocol : 'TLSv1.3'
[2024-04-13 17:11:46,389][main] INFO  OpenUnisonOnUndertow - Supporting TLS Protocol : 'TLSv1.2'
[2024-04-13 17:11:46,390][main] INFO  OpenUnisonOnUndertow - Configured TLS Listener on Port 8443
[2024-04-13 17:11:46,391][main] INFO  OpenUnisonOnUndertow - Path to webapp : '/usr/local/openunison/work/webapp'
[2024-04-13 17:11:46,391][main] INFO  OpenUnisonOnUndertow - Path directory? : 'true'
[2024-04-13 17:11:46,391][main] INFO  OpenUnisonOnUndertow - Path exists : 'true'
[2024-04-13 17:11:46,572][main] INFO  xnio - XNIO version 3.8.13.Final
[2024-04-13 17:11:46,631][main] INFO  nio - XNIO NIO Implementation Version 3.8.8.Final
[2024-04-13 17:11:47,839][main] INFO  OpenUnisonServletFilter - Loading environment file : '/etc/openunison/ou.env'
[2024-04-13 17:11:47,840][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_DB_SSO'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'unisonKeystorePassword'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_SELF_LINK'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_DB_SECRET'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_DASHBOARD_NAMESPACE'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'OU_SVC_NAME'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'OU_QUARTZ_MASK'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_TOKEN_TYPE'
[2024-04-13 17:11:47,841][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_OPENUNISON_NS'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_DASHBOARD_SERVICE'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'PROMETHEUS_SERVICE_ACCOUNT'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'OU_HOST'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_URL'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_IMPERSONATION'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_DASHBOARD_HOST'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'SESSION_INACTIVITY_TIMEOUT_SECONDS'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'OPENUNISON_PROVISIONING_ENABLED'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'MYVD_CONFIG_PATH'
[2024-04-13 17:11:47,842][main] INFO  OpenUnisonServletFilter - Adding property : 'K8S_CLUSTER_NAME'
[2024-04-13 17:11:47,871][main] WARN  OpenUnisonServletFilter - No context paths present, assuming the config path is WEB-INF/unison.xml
[2024-04-13 17:11:47,871][main] INFO  OpenUnisonServletFilter - Initializing OpenUnison 1.0.40-2024030801
[2024-04-13 17:11:47,871][main] INFO  OpenUnisonServletFilter - Unison Configuration File : 'WEB-INF/unison.xml'
[2024-04-13 17:11:47,891][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.forceToSSL='true'
[2024-04-13 17:11:47,892][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.openPort='8080'
[2024-04-13 17:11:47,892][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.securePort='8443'
[2024-04-13 17:11:47,892][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.externalOpenPort='80'
[2024-04-13 17:11:47,892][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.externalSecurePort='443'
[2024-04-13 17:11:47,910][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.activemqdir='/tmp/amq'
[2024-04-13 17:11:47,911][main] INFO  OpenUnisonConfigManager - Loading configuration - com.tremolosecurity.openunison.quartzdir='/tmp/quartz'
[2024-04-13 17:11:47,993][main] INFO  OpenUnisonConfigLoader - No config from include files, using original
[2024-04-13 17:11:48,017][main] INFO  OpenUnisonConfigManager - Removing node : [provisioning: null] - [approvalDB: null]
[2024-04-13 17:11:48,017][main] INFO  OpenUnisonConfigManager - Removing node : [provisioning: null] - [scheduler: null]
[2024-04-13 17:11:48,018][main] INFO  OpenUnisonConfigManager - Removing node : [provisioning: null] - [listeners: null]
[2024-04-13 17:11:48,018][main] INFO  OpenUnisonConfigManager - Removing node : [provisioning: null] - [reports: null]
[2024-04-13 17:11:48,912][main] INFO  InsertChain - Insert : accesslog; server.globalChain.accesslog.
[2024-04-13 17:11:48,913][main] INFO  InsertChain - Insert Class Name : com.tremolosecurity.proxy.myvd.log.AccessLog
[2024-04-13 17:11:48,935][main] INFO  InsertChain - Insert : dse; server.rootdse.dse.
[2024-04-13 17:11:48,945][main] INFO  InsertChain - Insert Class Name : net.sourceforge.myvd.inserts.RootDSE
[2024-04-13 17:11:48,958][main] INFO  InsertChain - Insert : root; server.myvdroot.root.
[2024-04-13 17:11:48,959][main] INFO  InsertChain - Insert Class Name : net.sourceforge.myvd.inserts.RootObject
[2024-04-13 17:11:48,971][main] INFO  InsertChain - Insert : mapping; server.shadowUsers.mapping.
[2024-04-13 17:11:48,971][main] INFO  InsertChain - Insert Class Name : net.sourceforge.myvd.inserts.mapping.AttributeMapper
[2024-04-13 17:11:48,974][main] INFO  InsertChain - Insert : api; server.shadowUsers.api.
[2024-04-13 17:11:48,974][main] INFO  InsertChain - Insert Class Name : com.tremolosecurity.myvd.K8sCrdInsert
[2024-04-13 17:11:49,021][main] INFO  BrokerHolder - Starting KahaDB with path /tmp/amq/unison-mq-local
[2024-04-13 17:11:49,297][main] INFO  BrokerService - Loaded the Bouncy Castle security provider at position: -1
[2024-04-13 17:11:49,304][main] INFO  BrokerHolder - Waiting for broker to start...
[2024-04-13 17:11:49,395][Thread-0] INFO  BrokerService - Using Persistence Adapter: KahaDBPersistenceAdapter[/tmp/amq/unison-mq-local]
[2024-04-13 17:11:49,400][Thread-0] INFO  BrokerService - Starting Persistence Adapter: KahaDBPersistenceAdapter[/tmp/amq/unison-mq-local]
[2024-04-13 17:11:49,419][Thread-0] INFO  KahaDBStore - Starting KahaDBStore
[2024-04-13 17:11:49,420][Thread-0] INFO  MessageDatabase - Opening MessageDatabase
[2024-04-13 17:11:49,788][Thread-0] INFO  BrokerService - Starting Temp Data Store
[2024-04-13 17:11:49,789][Thread-0] INFO  PListStoreImpl - PListStore:[/tmp/unison-tmp-mq-local] started
[2024-04-13 17:11:49,790][Thread-0] INFO  BrokerService - Starting Job Scheduler Store
[2024-04-13 17:11:49,790][Thread-0] INFO  BrokerService - Persistence Adapter successfully started
[2024-04-13 17:11:50,028][Thread-0] INFO  BrokerService - Apache ActiveMQ 5.18.3 (local, ID:openunison-openunison-566fdd785c-nlc8f-39713-1713028309839-0:1) is starting
[2024-04-13 17:11:50,041][Thread-0] INFO  BrokerService - Apache ActiveMQ 5.18.3 (local, ID:openunison-openunison-566fdd785c-nlc8f-39713-1713028309839-0:1) started
[2024-04-13 17:11:50,041][Thread-0] INFO  BrokerService - For help or more information please see: http://activemq.apache.org
[2024-04-13 17:11:52,354][main] WARN  BrokerRegistry - Broker localhost not started so using local instead
[2024-04-13 17:11:52,366][main] INFO  TransportConnector - Connector vm://localhost started
[2024-04-13 17:11:52,630][main] WARN  BrokerRegistry - Broker localhost not started so using local instead
[2024-04-13 17:11:52,682][main] INFO  OpenShiftTarget - Config url='https://kubernetes.default.svc'
[2024-04-13 17:11:52,685][main] INFO  OpenShiftTarget - Use Token: 'true'
[2024-04-13 17:11:52,685][main] INFO  OpenShiftTarget - tokenType: 'tokenapi'
[2024-04-13 17:11:52,687][main] INFO  OpenShiftTarget - Config tokenPath='/var/run/secrets/tokens/ou-token'
[2024-04-13 17:11:52,991][main] INFO  OpenShiftTarget - label: 'Local Deployment'
[2024-04-13 17:11:52,993][main] WARN  OpenShiftTarget - gitUrl not found
[2024-04-13 17:11:52,994][main] INFO  OpenShiftTarget - drqueues: ''
com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:176)
    at com.tremolosecurity.provisioning.targets.LoadTargetsFromK8s.loadDynamicTargets(LoadTargetsFromK8s.java:253)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.generateTargets(ProvisioningEngineImpl.java:897)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.<init>(ProvisioningEngineImpl.java:492)
    at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:484)
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369)
    at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111)
    at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605)
    at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:357)
Caused by: java.io.IOException: Unexpected result calling 'https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1/customresourcedefinitions/targets.openunison.tremolo.io' - 401 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    at com.tremolosecurity.unison.openshiftv3.OpenShiftTarget.callWS(OpenShiftTarget.java:546)
    at com.tremolosecurity.k8s.watch.K8sWatcher.findCrdUri(K8sWatcher.java:198)
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:105)
    ... 14 more
Exception in thread "main" jakarta.servlet.ServletException: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:400)
    at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111)
    at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605)
    at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:357)
Caused by: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:176)
    at com.tremolosecurity.provisioning.targets.LoadTargetsFromK8s.loadDynamicTargets(LoadTargetsFromK8s.java:253)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.generateTargets(ProvisioningEngineImpl.java:897)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.<init>(ProvisioningEngineImpl.java:492)
    at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:484)
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369)
    ... 9 more
Caused by: java.io.IOException: Unexpected result calling 'https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1/customresourcedefinitions/targets.openunison.tremolo.io' - 401 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    at com.tremolosecurity.unison.openshiftv3.OpenShiftTarget.callWS(OpenShiftTarget.java:546)
    at com.tremolosecurity.k8s.watch.K8sWatcher.findCrdUri(K8sWatcher.java:198)
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:105)
    ... 14 more

This is running on Kubernetes v1.29.1 in DigitalOcean.

❯ kc get nodes
NAME                             STATUS   ROLES    AGE   VERSION
my-k8s-green-nodepool01-jq0ey    Ready    <none>   9d    v1.29.1

I deployed this using an ArgoCD application wrapper around the ArgoCD application provided in the docs. The repoURLs lead to a mirror of the Helm chart, and the raw chart referenced is simply there to generate the secrets and the cluster role binding for the user account being passed in via the OIDC claim.

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: openunison
  ignoreDifferences:
    - group: "admissionregistration.k8s.io"
      kind: "ValidatingWebhookConfiguration"
      jsonPointers:
        - /webhooks/0/clientConfig/caBundle
        - /webhooks/1/clientConfig/caBundle
        - /webhooks/2/clientConfig/caBundle
        - /webhooks/3/clientConfig/caBundle
        - /webhooks/4/clientConfig/caBundle
  syncPolicy:
    automated:
      prune: true
      selfHeal: false
    syncOptions:
      - RespectIgnoreDifferences=true
  destination:
    name: in-cluster
    namespace: openunison
  sources:
    - repoURL: https://git.mydomain.com/myorg/argo-apps.git
      targetRevision: "main"
      path: charts/raw
      helm:
        valuesObject:
          resources:
            - apiVersion: external-secrets.io/v1beta1
              kind: ExternalSecret
              metadata:
                name: orchestra-secrets-source
                namespace: openunison
              spec:
                refreshInterval: 2m
                secretStoreRef:
                  kind: ClusterSecretStore
                  name: doppler-openunison
                data:
                  - secretKey: OIDC_CLIENT_ID
                    remoteRef:
                      key: JUMPCLOUD_OPENUNISON_CLIENT_ID
                  - secretKey: OIDC_CLIENT_SECRET
                    remoteRef:
                      key: JUMPCLOUD_OPENUNISON_CLIENT_SECRET
                  - secretKey: K8S_DB_SECRET
                    remoteRef:
                      key: OPENUNISON_GREEN_K8S_DB_SECRET
                  - secretKey: unisonKeystorePassword
                    remoteRef:
                      key: OPENUNISON_GREEN_K8S_UNISON_KEYSTORE_PW
            - kind: ClusterRoleBinding
              apiVersion: rbac.authorization.k8s.io/v1
              metadata:
                name: openunison-admin
              subjects:
                - kind: Group
                  name: OPENUNISON_K8S_ADMIN
              roleRef:
                kind: ClusterRole
                name: cluster-admin
                apiGroup: rbac.authorization.k8s.io
    - repoURL: https://git.mydomain.com/myorg/argo-apps.git
      targetRevision: "main"
      path: charts/orchestra-login-portal-argocd-2.3.54
      helm:
        valuesObject:
          network:
            openunison_host: "ou-green.mydomain.com"
            dashboard_host: "dashboard-green.mydomain.com"
            api_server_host: "ou-api-green.mydomain.com"
            session_inactivity_timeout_seconds: 900
            k8s_url: https://kubernetes.default.svc
            force_redirect_to_tls: true
            createIngressCertificate: false
            ingress_type: nginx
            ingress_annotations:
              cert-manager.io/cluster-issuer: "letsencrypt-prod"
              kubernetes.io/ingress.class: "nginx"
          cert_template:
            ou: "Kubernetes"
            o: "My Company"
            l: "New York"
            st: "New York"
            c: "United States"
          myvd_config_path: "WEB-INF/myvd.conf"
          k8s_cluster_name: my-cluster-name
          enable_impersonation: false
          impersonation:
            use_jetstack: true
            explicit_certificate_trust: true
          dashboard:
            namespace: "openunison"
            cert_name: "kubernetes-dashboard-certs"
            label: "k8s-app=kubernetes-dashboard"
            service_name: kubernetes-dashboard
            require_session: true
          certs:
            use_k8s_cm: false
          trusted_certs: []
          oidc:
            issuer: https://oauth.id.jumpcloud.com/
            client_id_is_secret: true
            user_in_idtoken: false
            scopes: openid email profile groups
            claims:
              sub: username
              email: email
              givenName: given_name
              familyName: family_name
              displayName: name
              groups: groups
          network_policies:
            enabled: false
            ingress:
              enabled: true
              labels:
                kubernetes.io/metadata.name: ingress-nginx-internet
            monitoring:
              enabled: true
              labels:
                kubernetes.io/metadata.name: monitoring
            apiserver:
              enabled: true
              labels:
                kubernetes.io/metadata.name: kube-system
          services:
            enable_tokenrequest: true
            token_request_audience: api
            token_request_expiration_seconds: 600
            node_selectors: []
          openunison:
            replicas: 1
            non_secret_data:
              K8S_DB_SSO: oidc
            secrets: []
            html:
              prefix: openunison
            enable_provisioning: false

I'm open to suggestions - I've already tried disabling openunison.enable_provisioning and cleaned up any references to service accounts that aren't present in this cluster (like Prometheus, for example).

Has anyone else run into something similar? Thanks!

mlbiam commented 5 months ago

I think spec.sources[1].helm.valuesObject.services.token_request_audience is the issue:

token_request_audience: api

Try changing this to token_request_audience: https://kubernetes.default.svc. Once upon a time api was an accepted audience, but most distros have fixed that.

santiagon610 commented 5 months ago

Thanks, @mlbiam - I made that change and redeployed (removed the app entirely from Argo and let it recreate, just in case there were any gremlins remaining), and no change in behavior.

[2024-04-15 14:10:24,175][main] WARN  BrokerRegistry - Broker localhost not started so using local instead
[2024-04-15 14:10:24,245][main] INFO  OpenShiftTarget - Config url='https://kubernetes.default.svc'
[2024-04-15 14:10:24,253][main] INFO  OpenShiftTarget - Use Token: 'true'
[2024-04-15 14:10:24,254][main] INFO  OpenShiftTarget - tokenType: 'tokenapi'
[2024-04-15 14:10:24,257][main] INFO  OpenShiftTarget - Config tokenPath='/var/run/secrets/tokens/ou-token'
[2024-04-15 14:10:24,531][main] INFO  OpenShiftTarget - label: 'Local Deployment'
[2024-04-15 14:10:24,535][main] WARN  OpenShiftTarget - gitUrl not found
[2024-04-15 14:10:24,536][main] INFO  OpenShiftTarget - drqueues: ''
com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:176)
    at com.tremolosecurity.provisioning.targets.LoadTargetsFromK8s.loadDynamicTargets(LoadTargetsFromK8s.java:253)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.generateTargets(ProvisioningEngineImpl.java:897)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.<init>(ProvisioningEngineImpl.java:492)
    at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:484)
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369)
    at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111)
    at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605)
    at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:357)
Caused by: java.io.IOException: Unexpected result calling 'https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1/customresourcedefinitions/targets.openunison.tremolo.io' - 401 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    at com.tremolosecurity.unison.openshiftv3.OpenShiftTarget.callWS(OpenShiftTarget.java:546)
    at com.tremolosecurity.k8s.watch.K8sWatcher.findCrdUri(K8sWatcher.java:198)
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:105)
    ... 14 more
Exception in thread "main" jakarta.servlet.ServletException: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:400)
    at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111)
    at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605)
    at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:357)
Caused by: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:176)
    at com.tremolosecurity.provisioning.targets.LoadTargetsFromK8s.loadDynamicTargets(LoadTargetsFromK8s.java:253)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.generateTargets(ProvisioningEngineImpl.java:897)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.<init>(ProvisioningEngineImpl.java:492)
    at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:484)
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369)
    ... 9 more
Caused by: java.io.IOException: Unexpected result calling 'https://kubernetes.default.svc/apis/apiextensions.k8s.io/v1/customresourcedefinitions/targets.openunison.tremolo.io' - 401 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    at com.tremolosecurity.unison.openshiftv3.OpenShiftTarget.callWS(OpenShiftTarget.java:546)
    at com.tremolosecurity.k8s.watch.K8sWatcher.findCrdUri(K8sWatcher.java:198)
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:105)
    ... 14 more

I may need to take a deeper dive into the docs to make sure that the app has all of the permissions it's expecting to have, though a 401 seems less like permissions and more like the OpenUnison service authenticating against Kubernetes itself.

mlbiam commented 5 months ago

Hm, what Kubernetes distro? Try setting it to https://kubernetes.default.svc.cluster.local

santiagon610 commented 5 months ago

Thanks, @mlbiam - this is running in DigitalOcean Managed Kubernetes. Though changing the URL didn't end up changing the downstream call from the OpenUnison pod (it was still targeting https://kubernetes.default.svc), I was able to work around this behavior by simply disabling spec.sources[1].helm.valuesObject.services.enable_tokenrequest.

mlbiam commented 5 months ago

by simply disabling spec.sources[1].helm.valuesObject.services.enable_tokenrequest

Yeah, that's where I was going to go next. If you take a look at your pod's token and see the aud claim, that would be the correct value to use. The target URL won't change; that's standard across implementations, but if the required audience is customized by DigitalOcean, that could cause issues. Disabling tokenrequest will still work; it's just that the tokens used by kube-oidc-proxy are now good for an hour, I think, instead of 10 min (the minimum kube will create them for).
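The check mlbiam describes (read the projected token's aud claim and use that as token_request_audience, which is also the point of the earlier suggestion to move from api to https://kubernetes.default.svc) can be scripted so it is repeatable across clusters. The script below is an added example, not code from OpenUnison or from this thread. It assumes the token at /var/run/secrets/tokens/ou-token (the path in the log above) is a standard projected service-account JWT; the embedded sample token, its service-account name and its timestamps are constructed for the example and do not come from the cluster in this issue. The signature is deliberately not verified: the API server verifies it, and this script only needs the claims.

```python
"""Inspect a projected service-account token and compare its audience with
the one OpenUnison is configured to request (services.token_request_audience).

Added example for this thread; not part of OpenUnison. Assumptions: the token
is a compact JWS, the sample token below is constructed with a dummy signature.
"""
import base64
import json

# Path taken from the OpenUnison log line: Config tokenPath='/var/run/secrets/tokens/ou-token'
TOKEN_PATH = "/var/run/secrets/tokens/ou-token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying the signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """RFC 7519 allows 'aud' to be a string or an array; normalise to a list."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def lifetime_seconds(claims: dict) -> int:
    """Lifetime the issuer granted (exp - iat); projected tokens are 600 s minimum."""
    return int(claims["exp"]) - int(claims["iat"])


def check_audience(token: str, configured: str) -> dict:
    """Report whether the configured audience appears in the token's aud claim.
    A token whose aud does not intersect the API server's accepted audiences
    is rejected with 401, which is the failure mode discussed in this thread."""
    claims = decode_claims(token)
    auds = audiences(claims)
    return {
        "token_audiences": auds,
        "configured_audience": configured,
        "match": configured in auds,
        "lifetime_seconds": lifetime_seconds(claims),
        "subject": claims.get("sub"),
    }


def make_sample_token(payload: dict) -> str:
    # Constructed sample only: real projected tokens carry a real signature.
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(payload)}.dummysig"


# Constructed sample resembling a projected token with a 600 s lifetime.
# The service-account name and timestamps are invented for this example.
SAMPLE_TOKEN = make_sample_token({
    "aud": ["https://kubernetes.default.svc"],
    "iss": "https://kubernetes.default.svc",
    "sub": "system:serviceaccount:openunison:example-sa",
    "iat": 1713028200,
    "exp": 1713028800,
})


def main() -> None:
    # Values from the thread: the original setting and the suggested replacement.
    for configured in ("api", "https://kubernetes.default.svc"):
        print(check_audience(SAMPLE_TOKEN, configured))
    try:
        with open(TOKEN_PATH, encoding="ascii") as fh:
            print(check_audience(fh.read(), "https://kubernetes.default.svc"))
    except OSError:
        print(f"{TOKEN_PATH} not mounted here; run this inside the OpenUnison pod")


if __name__ == "__main__":
    main()
```

Run inside the pod (for example via kubectl exec) so TOKEN_PATH resolves; the value printed under token_audiences is what token_request_audience should be set to, and lifetime_seconds shows the shorter-lived token you give up by disabling tokenrequest.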

santiagon610 commented 5 months ago

Awesome, thanks for the help! Looking forward to getting this working in my POC cluster.