Closed georgi-at-skribble closed 3 months ago
For anyone having the same issue with no meaningful error: the issue was that I did not notice that my GitHub teams value was missing the ORG.
This works: `teams: Orgname/teamname`
This doesn't: `teams: teamname/`
I double-tested it, and this was the real problem with my deployment.
beat me to it @georgi-at-skribble !
I have been losing my mind over this for the last day.
Deployed with ouctl, helm-charts, Argocd... every time I get the same problem.
The GitHub redirect works -> when I try to access the portal I get prompted to authorize the GitHub app, and after that: Invalid Login
I don't see anything in the pod logs, nor in the api-server. Just this one line in the orchestra logs:
```
[2024-08-22 09:52:02,002][XNIO-1 task-7] INFO AccessLog - [AuFail] - completelogin - https://k8s.XXXXXXXXXXXX.space/auth/github - cn=none - enterprise-idp [10.244.1.4] - [f5072499b42b30a82332b3c9076d7457dbed95bfc]
```
Nothing before, nothing after...
Tried on managed cluster and my own bare kubernetes.
Here is my values.yaml
```yaml
network:
  openunison_host: "k8s.XXXXXXXX.space"
  dashboard_host: "k8sdb.XXXXXXX.space"
  api_server_host: "k8sapi.XXXXXXX.space"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://XX.XX.XX.XX:6443
  force_redirect_to_tls: false
  createIngressCertificate: false
  ingress_type: nginx
  ingress_annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    kubernetes.io/ingress.class: nginx

cert_template:
  ou: "Kubernetes"
  o: "Space"
  l: "InfraCluster"
  st: "State of Cluster"
  c: "Switzerland"

myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: infracluster
enable_impersonation: true

impersonation:
  use_jetstack: true
  explicit_certificate_trust: true

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true
  new: true

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

github:
  client_id: XXXXXXXXXXX
  teams: developers/

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      kubernetes.io/metadata.name: ingress-nginx-internet
  monitoring:
    enabled: true
    labels:
      kubernetes.io/metadata.name: monitoring
  apiserver:
    enabled: true
    labels:
      kubernetes.io/metadata.name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
  secrets: []
  html:
    prefix: openunison
  enable_provisioning: false
  use_standard_jit_workflow: true
  az_groups:
```
Any ideas?
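Since the login failure in this thread produced only an `[AuFail]` access-log line, a pre-deploy lint of `github.teams` catches the `teamname/` mistake before it reaches the cluster. This is an added example, not code from the thread or from the OpenUnison project; the function names, the sample text, the comma-separated list handling and the allowed name characters are assumptions.

```python
import re

# Constructed sample mirroring the github section of the values.yaml above.
SAMPLE_VALUES = """\
github:
  client_id: PLACEHOLDER
  teams: developers/
network_policies:
  enabled: false
"""

# Each entry must be "<org>/<team>" with both parts non-empty (assumed charset).
ENTRY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]*/[A-Za-z0-9][A-Za-z0-9._-]*$")


def extract_github_teams(values_text):
    """Return the raw github.teams string, or None if the key is absent."""
    in_github = False
    for line in values_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # an unindented key starts a new section
            in_github = line.split(":", 1)[0].strip() == "github"
            continue
        if in_github:
            key, _, value = line.strip().partition(":")
            if key == "teams":
                return value.strip().strip("\"'")
    return None


def lint_github_teams(values_text):
    """Return a list of problems; an empty list means every entry is org/team."""
    raw = extract_github_teams(values_text)
    if not raw:
        return ["github.teams is missing or empty"]
    problems = []
    for entry in (e.strip() for e in raw.split(",")):  # assumption: comma-separated
        if ENTRY_RE.match(entry):
            continue
        reason = "no team after '/'" if entry.endswith("/") else "no Orgname/ prefix"
        problems.append(f"{entry!r}: {reason}, expected Orgname/teamname")
    return problems


if __name__ == "__main__":
    for problem in lint_github_teams(SAMPLE_VALUES):
        print("values.yaml:", problem)
```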