OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0
98 stars 5 forks

Impersonation group in the header is missing. Only shows `Impersonate-Group: system:authenticated` #118

Closed santhoshbhandari3008 closed 1 month ago

santhoshbhandari3008 commented 1 month ago

Hi there,

I have successfully integrated OpenUnison with Keycloak, but I am not able to get the group into the impersonation header. It always shows the following:

```bash
curl -v -XGET -H "Impersonate-Group: system:authenticated" -H "X-Real-Ip: 10.0.1.126" -H "X-Request-Id: b85e2d7fb69237313cb8396568a32754" -H "X-Forwarded-Port: 443" -H "Kubectl-Command: kubectl get" -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.30.2 (linux/amd64) kubernetes/3968350" -H "X-Forwarded-Host: " -H "X-Forwarded-Scheme: https" -H "X-Forwarded-Proto: https" -H "X-Forwarded-For: 10.0.1.126, 10.0.1.27" -H "X-Scheme: https" -H "Kubectl-Session: 2c1a598d-8c98-461f-9712-f2128f1536ad" -H "Impersonate-User: " -H "Accept-Encoding: gzip" -H "Authorization: Bearer " 'https://10.0.0.1:443/api/v1/namespaces/default/pods?limit=500'
```

I have tried multiple ways and followed the OpenUnison documentation, but I couldn't get the groups into the header. Any leads would be highly appreciated.

Below is my values file:

```yaml
network:
  openunison_host: ""
  dashboard_host: ""
  api_server_host: ""
  session_inactivity_timeout_seconds: 900
  force_redirect_to_tls: false
  createIngressCertificate: false
  ingress_type: nginx
  ingress_class_name: nginx
  ingress_annotations:
    cert-manager.io/cluster-issuer: letsencrypt-issuer
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    external-dns.alpha.kubernetes.io/hostname: ""
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS

cert_template:

myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: openunison-k8s-cluster
enable_impersonation: true

impersonation:
  use_jetstack: true
  explicit_certificate_trust: true
  ca_secret_name: ou-tls-certificate
  jetstack_oidc_proxy_image: ghcr.io/tremolosecurity/kube-oidc-proxy:latest

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

oidc:
  client_id_is_secret: true
  user_in_idtoken: true
  issuer:
  domain: ""
  scopes: openid email profile
  claims:
    sub: groups
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      kubernetes.io/metadata.name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      kubernetes.io/metadata.name: monitoring
  apiserver:
    enabled: true
    labels:
      kubernetes.io/metadata.name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: "https://kubernetes.default.svc.cluster.local"
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: "true"
    K8S_DEPLOYMENT_NAME: "production-k8s-cluster"
    K8S_DEPLOYMENT_DESC: "This block restricts access and modification by all teams except DevOps."
  secrets: []
  enable_provisioning: false
  use_standard_jit_workflow: true
  html:
    image: docker.io/tremolosecurity/openunison-k8s-html
    logosConfigMap: custom-logos
```

mlbiam commented 1 month ago

Can you verify the groups are coming in? When you log in to OpenUnison, do you see your groups listed in your profile? (Click on your user name in the upper left.)
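The maintainer's question above amounts to checking whether the ID token Keycloak issues actually carries the claims the values file maps under `oidc.claims`. The script below is an added diagnostic for this issue, not OpenUnison or kube-oidc-proxy code: it decodes a token's payload (without verifying the signature, so only use it on a token you already trust, e.g. one copied from Keycloak's admin UI) and reports which mapped attributes are missing. The claim mapping is a subset of the one in the values file; the two tokens are constructed samples.

```python
import base64
import json

# Subset of oidc.claims from the values file above: OpenUnison attribute -> ID token claim
CLAIM_MAPPING = {
    "email": "email",
    "given_name": "given_name",
    "family_name": "family_name",
    "display_name": "name",
    "groups": "groups",
}

def decode_payload(id_token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_claims(payload: dict, mapping: dict = CLAIM_MAPPING) -> dict:
    """Apply the attribute->claim mapping and report what is present or missing.
    groups_is_list is True only when the groups claim is a non-empty list."""
    present, missing = {}, []
    for attr, claim in mapping.items():
        if claim in payload:
            present[attr] = payload[claim]
        else:
            missing.append(attr)
    groups = present.get("groups")
    return {"present": present, "missing": missing,
            "groups_is_list": isinstance(groups, list) and len(groups) > 0}

def make_token(payload: dict) -> str:
    """Build an unsigned compact JWT for the constructed samples below (alg none, empty signature)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."

# Constructed samples: a token issued before the groups mapper was added to the Keycloak
# client (no groups claim), and one issued after.
BASE = {"sub": "abc", "email": "user@example.com", "name": "Test User",
        "given_name": "Test", "family_name": "User"}
TOKEN_NO_GROUPS = make_token(BASE)
TOKEN_WITH_GROUPS = make_token({**BASE, "groups": ["devops", "cluster-admins"]})

if __name__ == "__main__":
    for label, tok in (("without groups", TOKEN_NO_GROUPS), ("with groups", TOKEN_WITH_GROUPS)):
        print(label, check_claims(decode_payload(tok)))
```

If `groups` is reported missing while the Keycloak client does have the mapper, the token OpenUnison is seeing was issued under the old configuration, which matches the resolution later in this thread.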

santhoshbhandari3008 commented 1 month ago

> Can you verify the groups are coming in? When you log in to OpenUnison, do you see your groups listed in your profile? (Click on your user name in the upper left.)

Hi @mlbiam, I don't see the Roles on the profile page.

mlbiam commented 1 month ago

So it looks like the roles aren't coming in from Keycloak. Did you configure them as a claim in Keycloak per https://openunison.github.io/identity%20providers/keycloak/?

santhoshbhandari3008 commented 1 month ago

> So it looks like the roles aren't coming in from Keycloak. Did you configure them as a claim in Keycloak per https://openunison.github.io/identity%20providers/keycloak/?

Yes, I have created a claim for the groups and added it to the client. The client is also used for Argo CD, and it shows the groups there.

santhoshbhandari3008 commented 1 month ago

Hey @mlbiam ,

I got it working. I had missed redeploying the login portal.