Open rglover-tal opened 4 days ago
Just to double check, do you want to use the OpenUnison authentication portal or the Namespace as a Service portal? The error is because you don't have the final chart deployed for NaaS (we have a better way to deploy we're documenting, just want to double check your intent first).
I see, I just need NaaS at the moment
Got it. The new method uses argo multi repo applications. You'll need a repo to store your values.yaml. Once you have that, your Application object will look like:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-dev
  namespace: argocd
spec:
  destination:
    namespace: openunison
    server: https://192.168.2.67:6443
  ignoreDifferences:
    - group: admissionregistration.k8s.io
      jsonPointers:
        - /webhooks/0/clientConfig/caBundle
        - /webhooks/1/clientConfig/caBundle
        - /webhooks/2/clientConfig/caBundle
        - /webhooks/3/clientConfig/caBundle
        - /webhooks/4/clientConfig/caBundle
      kind: ValidatingWebhookConfiguration
  project: default
  sources:
    - chart: openunison-operator
      helm:
        releaseName: openunison
        valueFiles:
          - $values/idp/charts/openunison/openunison.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 3.0.13
    - chart: orchestra
      helm:
        releaseName: openunison
        valueFiles:
          - $values/idp/charts/openunison/openunison.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 2.10.59
    - chart: orchestra-login-portal
      helm:
        releaseName: openunison
        valueFiles:
          - $values/idp/charts/openunison/openunison.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 2.3.56
    - chart: openunison-k8s-cluster-management
      helm:
        releaseName: openunison
        valueFiles:
          - $values/idp/charts/openunison/openunison.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 3.0.38
    - repoURL: git@github.com:TremoloSecurity/argocd-deploy-naas.git
      path: external-jit-yaml
    - ref: values
      repoURL: git@github.com:TremoloSecurity/argocd-deploy-naas.git
  syncPolicy:
    syncOptions:
      - RespectIgnoreDifferences=true
```
Update your repoURL and path for the correct repository that stores your values.yaml.
Thanks so much! That worked. I just needed to set `portal_release_name: orchestra-login-portal`, otherwise the service would be created with the wrong name and I would get DNS resolution errors.
I am now running into an issue when requesting a namespace it throws this error:
```
[2024-10-28 16:28:26,863][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - scale-newproject - https://nsalot.env/newproject/register/submit - uid=d65486a2-cb43-40cd-8166-d72e63317580,ou=users,ou=shadow,o=Tremolo - NONE [10.4.128.63] - [ff9175b4f74554c3c8dab2232d8c9b8e8161f7220]
[2024-10-28 16:28:26,865][XNIO-1 task-2] ERROR ScaleRegister - Could not submit workflow
java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "com.tremolosecurity.scalejs.cfg.ScaleAttribute.getType()" is null
	at com.tremolosecurity.scalejs.register.ws.ScaleRegister.submitWorkflow(ScaleRegister.java:228) ~[unison-scalejs-register-1.0.41.jar:?]
	at com.tremolosecurity.scalejs.register.ws.ScaleRegister.doFilter(ScaleRegister.java:117) ~[unison-scalejs-register-1.0.41.jar:?]
	at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:85) ~[unison-sdk-1.0.41.jar:?]
	at com.tremolosecurity.proxy.ProxySys.doPush(ProxySys.java:190) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:139) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:138) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:139) ~[unison-sdk-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:140) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.41.jar:?]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.16.Final.jar:3.8.16.Final]
	at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2024-10-28 16:28:34,135][XNIO-1 task-2] INFO AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [f08d71945c3086c41c66ffb1106033750b697d72f]
```
I have also tried setting the naas helm values to the defaults, which didn't help. There also doesn't seem to be access to the admin area even though I have set the values to match the OIDC groups.
Let me know if this is unrelated; I can open another issue. I really appreciate the assistance.
```yaml
naas:
  forms:
    new_namespace:
      use_default: true
  workflows:
    new_namespace:
      use_default: true
  groups:
    privilegedAccessGroup: "/en-devops"
    default:
      - name: administrators
        bindings:
          - type: ClusterRole
            binding: admins
            name: admin
        description: Manage kubernetes namespace $cluster$ $nameSpace$
        workflow:
          label: "namespace administrator"
          displayLabel: $name$ Administrator
          emailTemplate: Approve administrator access to $cluster$ $name$
          approvalLabel: Approve administrator access for $cluster$ - $name$
          userNotification:
            subject: Admin access to $cluster$ $name$ approved
            message: Your access has been approved
          org:
            label: Administrators
            description: Namespace Administrators
        external:
          fieldName: adminGroup
          label: "Administrator Group"
          errorMessage: "Invalid administrator group"
      - name: viewer
        description: View kubernetes namespace $cluster$ $nameSpace$
        bindings:
          - type: ClusterRole
            binding: viewers
            name: view
        external:
          fieldName: viewerGroup
          label: "Viewer Group"
          errorMessage: "Invalid viewer group"
        workflow:
          label: "namespace viewer"
          displayLabel: $name$ Administrator
          emailTemplate: Approve viewer access to $cluster$ $name$
          approvalLabel: Approve viewer access for $cluster$ - $name$
          userNotification:
            subject: View access to $cluster$ $name$ approved
            message: Your access has been approved
          org:
            label: Viewers
            description: Namespace Viewers
    internal:
      enabled: true
      suffix: ""
    external:
      enabled: true
      admin_group: "/en-devops"
      suffix: ""
      cluster_admin_group: "/en-devops"
  reasons: []
  crd:
    deploy: true
    betas: false
```
> privilegedAccessGroup: "/en-devops"

I'd remove this one. This just means that your admins won't have access to cluster-admin. It's not documented yet, but it's there for a future feature we're building around temporary privileges.

I would suggest replacing your naas section with:
```yaml
naas:
  internal:
    enabled: true
    suffix: "-internal"
  external:
    enabled: true
    admin_group: "/en-devops"
    suffix: "-external"
```
This will use the default chart values for most customizations. There are lots of ways to customize from there, but I'd start with the defaults.
It only seems to work when disabling external groups. As soon as I enable external groups the openunison pod throws an error when requesting a namespace. (I also did have to set the releaseName for the orchestra chart to orchestra to get the CRBs to work, but I assume that isn't related to any of these issues below.)
```
[2024-10-29 11:39:16,630][XNIO-1 task-3] INFO AccessLog - [AzSuccess] - scale-newproject - https://nsalot.env/newproject/register/submit - uid=ChUxMTU2MzQ3NTk4NDIxMzQ1NTg5MjgSBmdvb2dsZQ,ou=users,ou=shadow,o=Tremolo - NONE [10.4.128.4] - [fad4d721f4d15938fa9325b7b16a36ba26ca06921]
[2024-10-29 11:39:16,633][XNIO-1 task-3] ERROR ScaleRegister - Could not submit workflow
java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "com.tremolosecurity.scalejs.cfg.ScaleAttribute.getType()" is null
	at com.tremolosecurity.scalejs.register.ws.ScaleRegister.submitWorkflow(ScaleRegister.java:228) ~[unison-scalejs-register-1.0.41.jar:?]
	at com.tremolosecurity.scalejs.register.ws.ScaleRegister.doFilter(ScaleRegister.java:117) ~[unison-scalejs-register-1.0.41.jar:?]
	at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:85) ~[unison-sdk-1.0.41.jar:?]
	at com.tremolosecurity.proxy.ProxySys.doPush(ProxySys.java:190) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:139) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:138) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:139) ~[unison-sdk-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:140) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.41.jar:?]
	at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.41.jar:?]
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
	at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.16.Final.jar:3.8.16.Final]
	at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
```
I also can't seem to get access to the admin side. I see when enabling the external groups it's configuring k8s-cluster-k8s-administrators-external even though I specified en-devops as the OIDC group.
```yaml
naas:
  groups:
    internal:
      enabled: false
      suffix: "-internal"
    external:
      suffix: "-external"
      enabled: true
      admin_group: "en-devops"
```
> It only seems to work when disabling external groups

Hm, odd. Must be an issue in the group form definition. I'll see if I can reproduce.

> I also can't seem to get access to the admin side.

Looks like your values are misconfigured. It should be:
```yaml
naas:
  groups:
    internal:
      enabled: false
      suffix: "-internal"
    external:
      suffix: "-external"
      enabled: true
      adminGroup: "en-devops"
      clusterAdminGroup: "en-devops"
```
Take a look at https://openunison.github.io/namespace_as_a_service/#external-groups
Where did you pull your values.yaml from? Looks like we need to clean that up.
Also, what's your identity provider? I saw the "/" in front of groups, so I'm guessing Keycloak?
@rglover-tal I was able to reproduce and fix the issue. I also updated the OpenUnison docs. Here's my working Application object:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-login
  namespace: argocd
spec:
  destination:
    namespace: openunison
    server: https://192.168.2.15:6443
  ignoreDifferences:
    - group: admissionregistration.k8s.io
      jsonPointers:
        - /webhooks/0/clientConfig/caBundle
        - /webhooks/1/clientConfig/caBundle
        - /webhooks/2/clientConfig/caBundle
        - /webhooks/3/clientConfig/caBundle
        - /webhooks/4/clientConfig/caBundle
      kind: ValidatingWebhookConfiguration
  project: labtesting
  sources:
    - chart: openunison-operator
      helm:
        releaseName: openunison
        valueFiles:
          - $values/naas/values.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 3.0.13
    - chart: orchestra
      helm:
        releaseName: orchestra
        valueFiles:
          - $values/naas/values.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 2.10.61
    - chart: orchestra-login-portal
      helm:
        releaseName: orchestra-login-portal
        valueFiles:
          - $values/naas/values.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 2.3.57
    - chart: openunison-k8s-cluster-management
      helm:
        releaseName: cluster-management
        valueFiles:
          - $values/naas/values.yaml
      repoURL: https://nexus.tremolo.io/repository/helm
      targetRevision: 3.0.41
    - repoURL: https://github.com/TremoloSecurityDemos/openunison-argocd.git
      path: naas
    - ref: values
      repoURL: https://github.com/TremoloSecurityDemos/openunison-argocd.git
  syncPolicy:
    syncOptions:
      - RespectIgnoreDifferences=true
```
and here's my values.yaml:
```yaml
network:
  openunison_host: "k8sou.192-168-2-15.nip.io"
  dashboard_host: "k8sdb.192-168-2-15.nip.io"
  api_server_host: "k8sapi.192-168-2-15.nip.io"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://192.168.2.130:6443
  force_redirect_to_tls: false
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations: {}

cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"

myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: openunison-cp
enable_impersonation: true

impersonation:
  use_jetstack: true
  explicit_certificate_trust: true

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true
  new: true

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

# Uncomment one of the below options for authentication
#active_directory:
#  base: cn=users,dc=ent2k12,dc=domain,dc=com
#  host: "192.168.2.75"
#  port: "636"
#  bind_dn: "cn=Administrator,cn=users,dc=ent2k12,dc=domain,dc=com"
#  con_type: ldaps
#  srv_dns: "false"

oidc:
  client_id: openunison
  issuer: https://kc.labm.tremolo.dev/realms/locallab
  user_in_idtoken: false
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

#github:
#  client_id: d85d77c55a08c9bcbb15
#  teams: TremoloSecurity/

#saml:
#  idp_url: "https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40"

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  amq:
    enabled: true
    ha: true
    pvc:
      enabled: true
      accessmode: ReadWriteOnce
      storageclass: local-path
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: "true"
  secrets: []
  role_attribute: portalGroups
  groups:
    areJson: "true"
  enable_provisioning: true
  use_standard_jit_workflow: false
  naas:
    groups:
      internal:
        enabled: true
      external:
        enabled: true
        adminGroup: /cluster-admins
        clusterAdminGroup: /openunison-admins
  # enable_activemq: true
  # activemq_use_pvc: true
  # role_attribute: portalGroups
  # groups:
  #   areJson: "true"
  #az_groups:
  #- CN=k8s-users,CN=Users,DC=ent2k12,DC=domain,DC=com
  #myvd_configmap: myvdconfig

# For Namespace as a Service
database:
  hibernate_dialect: org.hibernate.dialect.MariaDBDialect
  quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
  driver: org.mariadb.jdbc.Driver
  url: jdbc:mariadb://mariadb.labdbs.tremolo.dev:3306/argocdunnison
  user: ouargocd
  validation: SELECT 1

smtp:
  host: blackhole.blackhole.svc.cluster.local
  port: 1025
  user: "none"
  from: donotreply@domain.com
  tls: false
```
One of the tweaks I made was to change the release names in the Application object to line up with the helm releases. I think you mentioned setting openunison.orchestra_login_portal_name; you'll want to remove that from your values.
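Added here as an example that is not part of the thread or of OpenUnison's code: a small Python linter for the two problems fixed in this thread, the snake_case `admin_group` key and missing `groups:` level in the naas values, and Helm `releaseName`s that don't line up with the releases the working Application uses. It takes the documents as already-parsed dicts (constructed inline, mirroring what was posted), so it needs no YAML library; the chart-to-release mapping it checks against is copied from the working Application above, and the key names from the linked docs.

```python
# Added example (not part of the thread or OpenUnison's code): a linter for the
# two misconfigurations this issue hit. Inputs are the Application and values
# documents already parsed into dicts, so no YAML library is needed.

# Documented keys under naas.groups.*; snake_case variants mapped to the real key.
INTERNAL_KEYS = {"enabled", "suffix"}
EXTERNAL_KEYS = {"enabled", "suffix", "adminGroup", "clusterAdminGroup"}
RENAMES = {"admin_group": "adminGroup", "cluster_admin_group": "clusterAdminGroup"}

# chart -> release name, taken from the working Application posted above
EXPECTED_RELEASES = {
    "openunison-operator": "openunison",
    "orchestra": "orchestra",
    "orchestra-login-portal": "orchestra-login-portal",
    "openunison-k8s-cluster-management": "cluster-management",
}


def lint_naas_groups(values):
    """Return findings for the naas.groups section (openunison.naas or bare naas)."""
    naas = values.get("openunison", {}).get("naas", values.get("naas"))
    if naas is None:
        return ["naas: section missing"]
    groups = naas.get("groups")
    if groups is None:
        # internal/external placed directly under naas skips the groups level
        if "internal" in naas or "external" in naas:
            return ["naas.groups: level missing; internal/external belong under naas.groups"]
        return []
    findings = []
    for section, allowed in (("internal", INTERNAL_KEYS), ("external", EXTERNAL_KEYS)):
        for key in groups.get(section, {}):
            if key in RENAMES:
                findings.append(f"naas.groups.{section}.{key}: unknown key; use {RENAMES[key]}")
            elif key not in allowed:
                findings.append(f"naas.groups.{section}.{key}: unknown key")
    ext = groups.get("external", {})
    if ext.get("enabled") and not ext.get("adminGroup"):
        findings.append("naas.groups.external.adminGroup: required when external groups are enabled")
    return findings


def lint_release_names(app):
    """Flag Helm sources whose releaseName differs from the documented release."""
    findings = []
    for src in app.get("spec", {}).get("sources", []):
        chart = src.get("chart")
        if chart not in EXPECTED_RELEASES:
            continue  # git sources ($values repo, extra YAML) carry no release
        release = src.get("helm", {}).get("releaseName")
        if release != EXPECTED_RELEASES[chart]:
            findings.append(f"{chart}: releaseName {release!r} should be {EXPECTED_RELEASES[chart]!r}")
    return findings


# Constructed samples mirroring the thread: the misconfigured values and the
# first Application (every chart released as 'openunison').
MISCONFIGURED_VALUES = {"naas": {"groups": {
    "internal": {"enabled": False, "suffix": "-internal"},
    "external": {"suffix": "-external", "enabled": True, "admin_group": "en-devops"},
}}}
CORRECTED_VALUES = {"openunison": {"naas": {"groups": {
    "internal": {"enabled": False, "suffix": "-internal"},
    "external": {"suffix": "-external", "enabled": True,
                 "adminGroup": "en-devops", "clusterAdminGroup": "en-devops"},
}}}}
FIRST_APP = {"spec": {"sources": [
    {"chart": c, "helm": {"releaseName": "openunison"}} for c in EXPECTED_RELEASES
] + [{"repoURL": "git@github.com:TremoloSecurity/argocd-deploy-naas.git", "path": "external-jit-yaml"}]}}

if __name__ == "__main__":
    for finding in lint_naas_groups(MISCONFIGURED_VALUES) + lint_release_names(FIRST_APP):
        print(finding)
```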
Setting up OpenUnison with ArgoCD. When I try to log in I get "You are not authorized for failed authentication. If you feel you received this message in error, please contact your system administrator or help desk."
I have tried using both Dex and Keycloak; it looks like the claims and scopes are configured correctly.