OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0
105 stars 5 forks

Could not execute workflow jitdb #128

Open rglover-tal opened 3 weeks ago

rglover-tal commented 3 weeks ago

Setting up OpenUnison with ArgoCD. When I try to login I get "You are not authorized for failed authentication. If you feel you received this message in error, please contact your system administrator or help desk."

I have tried using both Dex and Keycloak; it looks like the claims and scopes are configured correctly.

```
com.tremolosecurity.provisioning.core.ProvisioningException: WorkflowImpl jitdb does not exist
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.getWorkflowCopy(ProvisioningEngineImpl.java:1107) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.getWorkFlow(ProvisioningEngineImpl.java:1067) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.provisioning.auth.JITAuthMech.doGet(JITAuthMech.java:126) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.execAuth(AuthManagerImpl.java:452) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:134) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:88) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.FullMappingAuthMech.doGet(FullMappingAuthMech.java:85) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.execAuth(AuthManagerImpl.java:452) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:134) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.sys.AuthManagerImpl.nextAuth(AuthManagerImpl.java:88) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:484) ~[unison-auth-openidconnect-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:196) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:88) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.41.jar:?]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.16.Final.jar:3.8.16.Final]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
```

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: default
  ignoreDifferences:
  - group: "admissionregistration.k8s.io"
    kind: "ValidatingWebhookConfiguration"
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true
  source:
    repoURL: 'https://nexus.tremolo.io/repository/helm'
    targetRevision: 2.3.61
    helm:
      values: |-
        network:
          openunison_host: "nsalot.env"
          dashboard_host: "k8sdb.apps.domain.int"
          api_server_host: "k8sapi.apps.domain.int"
          session_inactivity_timeout_seconds: 900
          k8s_url: https://k8s-api.env:6443
          createIngressCertificate: true
          ingress_type: nginx
          ingress_annotations: 
           cert-manager.io/cluster-issuer: env-issuer

        cert_template:
          ou: "Kubernetes"
          o: "MyOrg"
          l: "My Cluster"
          st: "State of Cluster"
          c: "MyCountry"

        image: "ghcr.io/openunison/openunison-k8s:1.0.41"
        amq_image: "ghcr.io/tremolosecurity/activemq-docker:5.16.6"
        cert_update_image: "ghcr.io/openunison/openunison-kubernetes-operator:1.0.6"
        myvd_config_path: "WEB-INF/myvd.conf"
        k8s_cluster_name: kubernetes
        enable_impersonation: false
        myvd_configmap: myvd

        dashboard:
          namespace: "kubernetes-dashboard"
          cert_name: "kubernetes-dashboard-certs"
          label: "k8s-app=kubernetes-dashboard"
          new_label: "app.kubernetes.io/part-of=kubernetes-dashboard"
          service_name: kubernetes-dashboard
          auth_service_name: kubernetes-dashboard-auth
          api_service_name: kubernetes-dashboard-api
          web_service_name: kubernetes-dashboard-web
          enabled: false

        certs:
          use_k8s_cm: false

        trusted_certs: 
        - name: k8s_master
          pem_b64: 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
        #- name: unison-ca
        #  pem_b64: 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

        #active_directory:
        #  base: cn=users,dc=ent2k12,dc=domain,dc=com
        #  host: "192.168.2.75"
        #  port: "636"
        #  bind_dn: "cn=Administrator,cn=users,dc=ent2k12,dc=domain,dc=com"
        #  con_type: ldaps
        #  srv_dns: "false"

        # database:
        #   hibernate_dialect: org.hibernate.dialect.MySQL5InnoDBDialect
        #   quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
        #   driver: com.mysql.jdbc.Driver
        #   url: jdbc:mysql://dbs.tremolo.lan:3308/unison
        #   user: root
        #   validation: SELECT 1

        # smtp:
        #   host: smtp.gmail.com
        #   port: 587
        #   user: donotreply@domain.com
        #   from: donotreply@domain.com
        #   tls: true

        monitoring:
          prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

        impersonation:
          use_jetstack: true
          jetstack_oidc_proxy_image: ghcr.io/tremolosecurity/kube-oidc-proxy:1.0.7
          explicit_certificate_trust: true
          ca_secret_name: ou-tls-certificate

        network_policies:
          enabled: false
          ingress:
            enabled: true
            labels: []
          monitoring:
            enabled: true
            labels: []
          apiserver:
            enabled: true
            labels: []
          namespace_label: kubernetes.io/metadata.name

        oidc:
          client_id: openunison
          issuer: https://authalot.s.REDACTED.io/auth/realms/master
          user_in_idtoken: false
          domain: ""
          scopes: openid email profile groups
          claims:
            sub: sub
            email: email
            given_name: given_name
            family_name: family_name
            display_name: name

        database:
          hibernate_dialect: org.hibernate.dialect.MariaDBDialect
          quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
          driver: org.mariadb.jdbc.Driver
          url: jdbc:mariadb://mariadb:3306/unison
          user: unison
          validation: SELECT 1

        smtp:
          host: blackhole.blackhole.svc.cluster.local
          port: 1025
          user: "none"
          from: donotreply@domain.com
          tls: false

        services:
          enable_tokenrequest: false
          token_request_audience: api
          token_request_expiration_seconds: 600
          node_selectors: []
          tolerations: []
          pullSecret: ""
          liveness_probe:
          - /usr/local/openunison/bin/check_alive.sh
          - "https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration"
          - "issuer"
          - "https://127.0.0.1:8443/check_alive"
          - "alive"
          readiness_probe:
          - /usr/local/openunison/bin/check_alive.sh
          - "https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration"
          - "issuer"
          - "https://127.0.0.1:8443/check_alive"
          - "alive"

        operator:
          image: ghcr.io/openunison/openunison-kubernetes-operator:1.0.6
          validators: []
          mutators: []
          resources:
            requests:
              memory: 200Mi
              cpu: 0.3
            limits:
              memory: 200Mi
              cpu: 1.0

        openunison:
          enable_activemq: false
          queue:
            max_producers: 2
            connection_factory: com.tremolosecurity.provisioning.amq.AmqSingleKeyProvider
            max_consumers: 1
            max_sessions_per_connection: 10
            task_queue_name: "openunisuron-tasks-{x}"
            smtp_queue_name: "openunison-smtp"
            encryption_key_name: "session-unison"
            num_queues: 6
            multi_task_queues: true
            keep_alive_millis: 60000
            params:
              - name: brokerURL
                source_type: static
                value: "failover:(ssl://amq.openunison.svc:61616,ssl://amq-backup.openunison.svc:61616)?initialReconnectDelay=10000"
              - name: keyAlias
                source_type: static
                value: "amq-client"
              - name: trustAlias
                source_type: static
                value: "amq-server"
          amq:
            pvc: {}
            enabled: false
          secret_ext: ""
          apps: []
          imagePullPolicy: Always
          replicas: 1
          non_secret_data: 
            SHOW_PORTAL_ORGS: "true"
          secrets: []
          role_attribute: portalGroups
          groups:
            areJson: "true"
          env: {}
          portal_release_name: openunison
          authentication:
            refresh_token:
              grace_period_millis: 0
          html:
            image: ghcr.io/openunison/openunison-k8s-react:1.0.0
            legacy: false
            theme:
              startPage: front-page
              hidePages: []
              colors:
                primary: 
                  main: "#AC1622"
                  dark: "#780f17"
                  light: "#bc444e"
                secondary:
                  main: "#16aca0"
                  dark: "#0f7870"
                  light: "#44bcb3"
                error: "#ff1744"
          enable_provisioning: true
          enable_activemq: true
          az_groups: []
          precheck:
            image: ghcr.io/tremolosecurity/python3:1.0.0
          use_standard_jit_workflow: false
          management_proxy:
            enabled: false
          naas:
            ops:
              searchBases: {}
              approveChecked: false
              showPreApprove: true
              approvedLabel: Approved
              deniedLabel: Denied
              reasonApprovedLabel: Reason for approval
              reasonDeniedLabel: Reason for denial
            forms:
              new_namespace:
                use_default: true
            workflows:
              new_namespace:
                use_default: true
            groups:
              external:
                enabled: true
                adminGroup: en-devops@REDACTED.com
                clusterAdminGroup: en-devops@REDACTED.com
            reasons: []

        crd:
          deploy: true
          betas: false

    chart: orchestra-login-portal-argocd
  destination:
    server: https://k8s-api.env:6443
    namespace: openunison
```

mlbiam commented 3 weeks ago

Just to double check, do you want to use the OpenUnison authentication portal or the Namespace as a Service portal? The error is because you don't have the final chart deployed for NaaS (we have a better way to deploy we're documenting, just want to double check your intent first)

rglover-tal commented 3 weeks ago

I see, I just need NaaS at the moment

mlbiam commented 3 weeks ago

Got it. The new method uses Argo multi-repo applications. You'll need a repo to store your values.yaml. Once you have that, your application object will look like:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-dev
  namespace: argocd
spec:
  destination:
    namespace: openunison
    server: https://192.168.2.67:6443
  ignoreDifferences:
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
    kind: ValidatingWebhookConfiguration
  project: default
  sources:
  - chart: openunison-operator
    helm:
      releaseName: openunison
      valueFiles:
      - $values/idp/charts/openunison/openunison.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.13
  - chart: orchestra
    helm:
      releaseName: openunison
      valueFiles:
      - $values/idp/charts/openunison/openunison.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.10.59
  - chart: orchestra-login-portal
    helm:
      releaseName: openunison
      valueFiles:
      - $values/idp/charts/openunison/openunison.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.3.56
  - chart: openunison-k8s-cluster-management
    helm:
      releaseName: openunison
      valueFiles:
      - $values/idp/charts/openunison/openunison.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.38
  - repoURL: git@github.com:TremoloSecurity/argocd-deploy-naas.git
    path: external-jit-yaml
  - ref: values
    repoURL: git@github.com:TremoloSecurity/argocd-deploy-naas.git
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true
```

Update your repoURL and path to point at the repository that stores your values.yaml.
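
An added example, not code from the OpenUnison project or from anyone in this thread: a small Python linter for the multi-source layout above. It checks the things this thread turned on before `argocd app sync` is run: that all four chart sources are present (the JIT workflow that failed at login is only delivered once the NaaS charts are deployed, so a layout missing a chart fails exactly as in the original report), that every `$values/...` valueFile resolves to a source declaring `ref: values`, and that the ValidatingWebhookConfiguration `caBundle` (which the operator injects) is in `ignoreDifferences` together with `RespectIgnoreDifferences=true`. Assumptions: the required-chart list is taken from the manifest above, the bundled `orchestra-login-portal-argocd` chart is treated as not providing those charts, and the Application is embedded as a Python dict constructed from the manifests in this thread rather than parsed from YAML, so the script runs offline with no extra dependencies.

```python
"""Lint an Argo CD Application for the OpenUnison multi-source NaaS layout."""
from __future__ import annotations

import copy
import re
from typing import Any

# Charts the thread's multi-source Application deploys for NaaS. Assumption for
# this linter: the bundled orchestra-login-portal-argocd chart does not count.
REQUIRED_CHARTS = frozenset({
    "openunison-operator",
    "orchestra",
    "orchestra-login-portal",
    "openunison-k8s-cluster-management",
})

# Argo CD resolves "$<ref>/path" in valueFiles against the source whose `ref` is <ref>.
_VALUES_REF = re.compile(r"^\$(?P<ref>[A-Za-z0-9_.-]+)/")


def lint_application(app: dict[str, Any]) -> list[str]:
    """Return human-readable findings; an empty list means the layout looks sane."""
    findings: list[str] = []
    spec = app.get("spec", {})

    if "sources" in spec:
        sources = spec["sources"]
    elif "source" in spec:
        sources = [spec["source"]]
        findings.append("single-source Application: the NaaS layout uses spec.sources")
    else:
        return ["spec has neither source nor sources"]

    refs = {s["ref"] for s in sources if "ref" in s}
    charts = {s["chart"] for s in sources if "chart" in s}

    missing = sorted(REQUIRED_CHARTS - charts)
    if missing:
        findings.append("missing chart source(s): " + ", ".join(missing))

    for s in sources:
        label = s.get("chart") or s.get("repoURL", "<unknown source>")
        for value_file in s.get("helm", {}).get("valueFiles", []):
            m = _VALUES_REF.match(value_file)
            if m and m.group("ref") not in refs:
                ref = m.group("ref")
                findings.append(f"{label}: valueFile {value_file!r} needs a source with `ref: {ref}`")

    # The operator injects caBundle into the ValidatingWebhookConfiguration; unless
    # Argo CD ignores that field it keeps reverting the injection on every sync.
    ignores_cabundle = any(
        d.get("kind") == "ValidatingWebhookConfiguration"
        and any(p.endswith("/caBundle") for p in d.get("jsonPointers", []))
        for d in spec.get("ignoreDifferences", [])
    )
    if not ignores_cabundle:
        findings.append("no ignoreDifferences entry for ValidatingWebhookConfiguration caBundle")
    elif "RespectIgnoreDifferences=true" not in spec.get("syncPolicy", {}).get("syncOptions", []):
        findings.append("ignoreDifferences present but syncOptions lacks RespectIgnoreDifferences=true")

    return findings


def _chart_source(chart: str, version: str) -> dict[str, Any]:
    return {
        "chart": chart,
        "repoURL": "https://nexus.tremolo.io/repository/helm",
        "targetRevision": version,
        "helm": {"releaseName": "openunison",
                 "valueFiles": ["$values/idp/charts/openunison/openunison.yaml"]},
    }


_IGNORE_CABUNDLE = [{
    "group": "admissionregistration.k8s.io",
    "kind": "ValidatingWebhookConfiguration",
    "jsonPointers": [f"/webhooks/{i}/clientConfig/caBundle" for i in range(5)],
}]

# Constructed for this example from the multi-source manifest in the thread.
NAAS_APP: dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
    "metadata": {"name": "openunison-dev", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "destination": {"namespace": "openunison", "server": "https://192.168.2.67:6443"},
        "ignoreDifferences": _IGNORE_CABUNDLE,
        "syncPolicy": {"syncOptions": ["RespectIgnoreDifferences=true"]},
        "sources": [
            _chart_source("openunison-operator", "3.0.13"),
            _chart_source("orchestra", "2.10.59"),
            _chart_source("orchestra-login-portal", "2.3.56"),
            _chart_source("openunison-k8s-cluster-management", "3.0.38"),
            {"repoURL": "git@github.com:TremoloSecurity/argocd-deploy-naas.git", "path": "external-jit-yaml"},
            {"ref": "values", "repoURL": "git@github.com:TremoloSecurity/argocd-deploy-naas.git"},
        ],
    },
}

# Constructed to mirror the single-source Application from the original report.
ORIGINAL_APP: dict[str, Any] = {
    "apiVersion": "argoproj.io/v1alpha1", "kind": "Application",
    "metadata": {"name": "openunison", "namespace": "argocd"},
    "spec": {
        "project": "default",
        "ignoreDifferences": _IGNORE_CABUNDLE,
        "syncPolicy": {"syncOptions": ["RespectIgnoreDifferences=true"]},
        "source": {"repoURL": "https://nexus.tremolo.io/repository/helm",
                   "chart": "orchestra-login-portal-argocd", "targetRevision": "2.3.61",
                   "helm": {"values": "network:\n  openunison_host: nsalot.env\n"}},
        "destination": {"server": "https://k8s-api.env:6443", "namespace": "openunison"},
    },
}


def without_values_ref(app: dict[str, Any]) -> dict[str, Any]:
    """Copy of `app` with the `ref: values` source dropped, a common mistake."""
    broken = copy.deepcopy(app)
    broken["spec"]["sources"] = [s for s in broken["spec"]["sources"] if "ref" not in s]
    return broken


if __name__ == "__main__":
    for name, app in ("naas", NAAS_APP), ("original", ORIGINAL_APP), ("no-ref", without_values_ref(NAAS_APP)):
        print(name, lint_application(app) or "OK")
```

Running it reports the original single-source manifest as missing the four NaaS charts, reports four unresolved `$values` references when the `ref: values` source is left out, and passes the manifest above cleanly.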

rglover-tal commented 3 weeks ago

Thanks so much! That worked. I just needed to set `portal_release_name: orchestra-login-portal`; otherwise the service would be created with the wrong name and I would get DNS resolution errors.

I am now running into an issue when requesting a namespace it throws this error:

```
[2024-10-28 16:28:26,863][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - scale-newproject - https://nsalot.env/newproject/register/submit - uid=d65486a2-cb43-40cd-8166-d72e63317580,ou=users,ou=shadow,o=Tremolo - NONE [10.4.128.63] - [ff9175b4f74554c3c8dab2232d8c9b8e8161f7220]
[2024-10-28 16:28:26,865][XNIO-1 task-2] ERROR ScaleRegister - Could not submit workflow
java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "com.tremolosecurity.scalejs.cfg.ScaleAttribute.getType()" is null
    at com.tremolosecurity.scalejs.register.ws.ScaleRegister.submitWorkflow(ScaleRegister.java:228) ~[unison-scalejs-register-1.0.41.jar:?]
    at com.tremolosecurity.scalejs.register.ws.ScaleRegister.doFilter(ScaleRegister.java:117) ~[unison-scalejs-register-1.0.41.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:85) ~[unison-sdk-1.0.41.jar:?]
    at com.tremolosecurity.proxy.ProxySys.doPush(ProxySys.java:190) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:139) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:138) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:139) ~[unison-sdk-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:140) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.41.jar:?]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.16.Final.jar:3.8.16.Final]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]
[2024-10-28 16:28:34,135][XNIO-1 task-2] INFO  AccessLog - [AzSuccess] - k8sidp - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - uid=Anonymous,o=Tremolo - NONE [127.0.0.1] - [f08d71945c3086c41c66ffb1106033750b697d72f]
```

I have also tried setting the naas helm values to the defaults, which didn't help. There also doesn't seem to be access to the admin area even though I have set the values to match the OIDC groups.

Let me know if this is unrelated; I can open another issue. I really appreciate the assistance.

```yaml
naas:
    forms:
      new_namespace:
        use_default: true
    workflows:
      new_namespace:
        use_default: true
    groups:
      privilegedAccessGroup: "/en-devops"
      default:
      - name: administrators
        bindings:
          - type: ClusterRole
            binding: admins
            name: admin
        description: Manage kubernetes namespace $cluster$ $nameSpace$
        workflow:
          label: "namespace administrator"
          displayLabel: $name$ Administrator
          emailTemplate: Approve administrator access to $cluster$ $name$
          approvalLabel: Approve administrator access for $cluster$ - $name$
          userNotification:
            subject: Admin access to $cluster$ $name$ approved
            message: Your access has been approved
          org:
            label: Administrators
            description: Namespace Administrators
        external:
          fieldName: adminGroup
          label: "Administrator Group"
          errorMessage: "Invalid administrator group"
      - name: viewer
        description: View kubernetes namespace $cluster$ $nameSpace$
        bindings:
          - type: ClusterRole
            binding: viewers
            name: view
        external:
          fieldName: viewerGroup
          label: "Viewer Group"
          errorMessage: "Invalid viewer group"
        workflow:
          label: "namespace viewer"
          displayLabel: $name$ Administrator
          emailTemplate: Approve viewer access to $cluster$ $name$
          approvalLabel: Approve viewer access for $cluster$ - $name$
          userNotification:
            subject: View access to $cluster$ $name$ approved
            message: Your access has been approved
          org:
            label: Viewers
            description: Namespace Viewers
      internal:
        enabled: true
        suffix: ""
      external:
        enabled: true
        admin_group: "/en-devops"
        suffix: ""
        cluster_admin_group: "/en-devops"
    reasons: []

crd:
  deploy: true
  betas: false
```

mlbiam commented 3 weeks ago

`privilegedAccessGroup: "/en-devops"`

I'd remove this one. This just means that your admins won't have access to cluster-admin. It's not documented yet but it's there for a future feature we're building around temporary privileges.

I would suggest replacing your naas section with:

```yaml
  naas:
    internal:
      enabled: true
      suffix: "-internal"
    external:
      enabled: true
      admin_group: "/en-devops"
      suffix: "-external"
```

This will use the default chart values for most customizations. There are lots of ways to customize from there, but I'd start with the defaults.

rglover-tal commented 3 weeks ago

It only seems to work when disabling external groups. As soon as I enable external groups the openunison pod throws an error when requesting a namespace. (I also did have to set the release name for the orchestra chart to `orchestra` to get the CRBs to work, but I assume that isn't related to any of the issues below.)

[2024-10-29 11:39:16,630][XNIO-1 task-3] INFO  AccessLog - [AzSuccess] - scale-newproject - https://nsalot.env/newproject/register/submit - uid=ChUxMTU2MzQ3NTk4NDIxMzQ1NTg5MjgSBmdvb2dsZQ,ou=users,ou=shadow,o=Tremolo - NONE [10.4.128.4] - [fad4d721f4d15938fa9325b7b16a36ba26ca06921]
[2024-10-29 11:39:16,633][XNIO-1 task-3] ERROR ScaleRegister - Could not submit workflow
java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "com.tremolosecurity.scalejs.cfg.ScaleAttribute.getType()" is null
    at com.tremolosecurity.scalejs.register.ws.ScaleRegister.submitWorkflow(ScaleRegister.java:228) ~[unison-scalejs-register-1.0.41.jar:?]
    at com.tremolosecurity.scalejs.register.ws.ScaleRegister.doFilter(ScaleRegister.java:117) ~[unison-scalejs-register-1.0.41.jar:?]
    at com.tremolosecurity.proxy.filter.HttpFilterChainImpl.nextFilter(HttpFilterChainImpl.java:85) ~[unison-sdk-1.0.41.jar:?]
    at com.tremolosecurity.proxy.ProxySys.doPush(ProxySys.java:190) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:139) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:138) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:139) ~[unison-sdk-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:140) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) ~[unison-server-core-1.0.41.jar:?]
    at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:299) ~[unison-server-core-1.0.41.jar:?]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.15.Final.jar:2.3.15.Final]
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) ~[jboss-threads-2.3.6.Final.jar:2.3.6.Final]
    at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.16.Final.jar:3.8.16.Final]
    at java.base/java.lang.Thread.run(Thread.java:1583) [?:?]

I also can't seem to get access to the admin side. I see that when enabling the external groups it's configuring k8s-cluster-k8s-administrators-external even though I specified en-devops as the OIDC group.

  naas:
    groups:
      internal:
        enabled: false
        suffix: "-internal"
      external:
        suffix: "-external"
        enabled: true
        admin_group: "en-devops"
mlbiam commented 3 weeks ago

It only seems to work when disabling external groups

Hm, odd. Must be an issue in the group form definition. I'll see if I can reproduce.

I also cant seem to get access to the admin side.

Looks like your values are misconfigured. It should be:

  naas:
    groups:
      internal:
        enabled: false
        suffix: "-internal"
      external:
        suffix: "-external"
        enabled: true
        adminGroup: "en-devops"
        clusterAdminGroup: "en-devops"

take a look at https://openunison.github.io/namespace_as_a_service/#external-groups

Where did you pull your values.yaml from? Looks like we need to clean that up.

Also, what's your identity provider? I saw the "/" in front of groups, so I'm guessing Keycloak?
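The reply above pins the admin-group problem on a key name: admin_group (snake_case) is not a key the chart reads, so Helm silently ignores it and the chart falls back to its default admin group (the thread shows k8s-cluster-k8s-administrators-external being created instead of en-devops). The following is an added example, not OpenUnison or chart code, of a preflight check that flags unknown keys under openunison.naas.groups and suggests the camelCase key they probably meant. It assumes naas sits under openunison: (as in the full values.yaml later in the thread) and uses only the keys visible in this thread as the allowed set; that set is an assumption, not the chart's authoritative values schema. The two sample value trees are constructed from the two YAML snippets above.

```python
from typing import Any

# Allowed keys under openunison.naas.groups as they appear in this thread.
# Assumption for the check, not the chart's authoritative values schema.
NAAS_GROUPS_SCHEMA: dict[str, set[str]] = {
    "internal": {"enabled", "suffix"},
    "external": {"enabled", "suffix", "adminGroup", "clusterAdminGroup"},
}


def _normalize(key: str) -> str:
    """Fold case and separators so admin_group and adminGroup compare equal."""
    return key.replace("_", "").replace("-", "").lower()


def check_naas_groups(values: dict[str, Any]) -> list[str]:
    """Return findings for keys under openunison.naas.groups the chart does not read.

    Helm does not reject unknown keys, so a misspelled key is silently ignored
    and the chart uses its default admin group instead of your IdP group.
    """
    findings: list[str] = []
    groups = values.get("openunison", {}).get("naas", {}).get("groups")
    if not isinstance(groups, dict):
        return ["openunison.naas.groups is missing; no NaaS group configuration found"]

    for section, allowed in NAAS_GROUPS_SCHEMA.items():
        cfg = groups.get(section)
        if not isinstance(cfg, dict):
            continue
        by_normalized = {_normalize(k): k for k in allowed}
        for key in cfg:
            if key in allowed:
                continue
            where = f"openunison.naas.groups.{section}.{key}"
            hint = by_normalized.get(_normalize(key))
            if hint:
                findings.append(f"{where}: unknown key, did you mean {hint}? (the chart ignores it)")
            else:
                findings.append(f"{where}: unknown key (the chart ignores it)")
        # With external groups on, both admin keys should be set explicitly;
        # otherwise the chart default, not your IdP group, becomes cluster admin.
        if section == "external" and cfg.get("enabled"):
            for required in ("adminGroup", "clusterAdminGroup"):
                if required not in cfg:
                    findings.append(
                        f"openunison.naas.groups.external.{required} not set; "
                        "the chart default admin group will be used"
                    )
    return findings


# Constructed sample: the values block from the first comment (admin_group, snake_case).
POSTED_VALUES: dict[str, Any] = {
    "openunison": {"naas": {"groups": {
        "internal": {"enabled": False, "suffix": "-internal"},
        "external": {"suffix": "-external", "enabled": True, "admin_group": "en-devops"},
    }}}
}

# Constructed sample: the corrected block from the reply (camelCase keys).
CORRECTED_VALUES: dict[str, Any] = {
    "openunison": {"naas": {"groups": {
        "internal": {"enabled": False, "suffix": "-internal"},
        "external": {"suffix": "-external", "enabled": True,
                     "adminGroup": "en-devops", "clusterAdminGroup": "en-devops"},
    }}}
}

if __name__ == "__main__":
    for name, vals in (("posted", POSTED_VALUES), ("corrected", CORRECTED_VALUES)):
        print(name, check_naas_groups(vals) or ["ok"])
```

Run it against the parsed output of your values.yaml (for example via yaml.safe_load) before an ArgoCD sync; the posted tree yields three findings (the admin_group typo plus both admin keys unset), the corrected tree yields none.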

mlbiam commented 3 weeks ago

@rglover-tal i was able to reproduce and fix the issue. I also updated the openunison docs. Here's my working Application object:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-login
  namespace: argocd
spec:
  destination:
    namespace: openunison
    server: https://192.168.2.15:6443
  ignoreDifferences:
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
    kind: ValidatingWebhookConfiguration
  project: labtesting
  sources:
  - chart: openunison-operator
    helm:
      releaseName: openunison
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.13

  - chart: orchestra
    helm:
      releaseName: orchestra
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.10.61

  - chart: orchestra-login-portal
    helm:
      releaseName: orchestra-login-portal
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.3.57

  - chart: openunison-k8s-cluster-management
    helm:
      releaseName: cluster-management
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.41

  - repoURL: https://github.com/TremoloSecurityDemos/openunison-argocd.git
    path: naas
  - ref: values
    repoURL: https://github.com/TremoloSecurityDemos/openunison-argocd.git
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true

and here's my values.yaml:

network:
  openunison_host: "k8sou.192-168-2-15.nip.io"
  dashboard_host: "k8sdb.192-168-2-15.nip.io"
  api_server_host: "k8sapi.192-168-2-15.nip.io"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://192.168.2.130:6443
  force_redirect_to_tls: false
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations: {}

cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"

myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: openunison-cp
enable_impersonation: true

impersonation:
  use_jetstack: true
  explicit_certificate_trust: true

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true
  new: true

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

# Uncomment one of the below options for authentication

#active_directory:
#  base: cn=users,dc=ent2k12,dc=domain,dc=com
#  host: "192.168.2.75"
#  port: "636"
#  bind_dn: "cn=Administrator,cn=users,dc=ent2k12,dc=domain,dc=com"
#  con_type: ldaps
#  srv_dns: "false"

oidc:
 client_id: openunison
 issuer: https://kc.labm.tremolo.dev/realms/locallab
 user_in_idtoken: false
 domain: ""
 scopes: openid email profile groups
 claims:
   sub: sub
   email: email
   given_name: given_name
   family_name: family_name
   display_name: name
   groups: groups

#github:
#  client_id: d85d77c55a08c9bcbb15
#  teams: TremoloSecurity/

#saml:
#  idp_url: "https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40"

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  amq:
    enabled: true
    ha: true
    pvc:
      enabled: true
      accessmode: ReadWriteOnce
      storageclass: local-path
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: "true"
  secrets: []
  role_attribute: portalGroups
  groups:
    areJson: "true"
  enable_provisioning: true
  use_standard_jit_workflow: false
  naas:
    groups:
      internal:
        enabled: true
      external:
        enabled: true
        adminGroup: /cluster-admins
        clusterAdminGroup: /openunison-admins
  # enable_activemq: true
  # activemq_use_pvc: true
  # role_attribute: portalGroups
  # groups:
  #   areJson: "true"
  #az_groups:
  #- CN=k8s-users,CN=Users,DC=ent2k12,DC=domain,DC=com

#myvd_configmap: myvdconfig

# For Namespace as a Service

database:
  hibernate_dialect: org.hibernate.dialect.MariaDBDialect
  quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
  driver: org.mariadb.jdbc.Driver
  url: jdbc:mariadb://mariadb.labdbs.tremolo.dev:3306/argocdunnison
  user: ouargocd
  validation: SELECT 1

smtp:
 host: blackhole.blackhole.svc.cluster.local
 port: 1025
 user: "none"
 from: donotreply@domain.com
 tls: false

One of the tweaks I made was to change the release names in the Application object to line up with the Helm releases. I think you mentioned setting openunison.orchestra_login_portal_name; you'll want to remove that from your values.

mierea commented 1 week ago

@mlbiam Using exactly the configuration you have, I get this error:

MountVolume.SetUp failed for volume "secret-volume" : secret "orchestra" not found

I also tried setting up this:

apiVersion: v1
data:
  OIDC_CLIENT_SECRET: base64here
kind: Secret
metadata:
  name: orchestra-secrets-source
  namespace: openunison
type: Opaque

Is there a place where I can find a working tutorial on how to set it up via argocd?

The solution seems amazing from the vids I saw, but it's frustrating to set it up.

mlbiam commented 1 week ago

@mierea It looks like you're missing K8S_DB_SECRET and unisonKeystorePassword. See https://openunison.github.io/deployauth/#deploying-with-argocd for step-by-step instructions. If you're still having issues, please open a new issue, as it appears your use case and error are different from the original ticket.
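The reply above attributes the mount failure to two keys missing from the Secret that was posted. As an added example (not OpenUnison or chart code), here is a preflight check for that orchestra-secrets-source Secret manifest: it verifies the name and namespace, the presence of the required keys, and that every value under data: is real base64 rather than a literal placeholder (a plain-text value belongs under stringData:). K8S_DB_SECRET and unisonKeystorePassword are the two keys named in the reply; OIDC_CLIENT_SECRET is included because the values.yaml in this thread configures an oidc: block. The full required set, and the placeholder credentials in the constructed samples, are assumptions.

```python
import base64
import binascii
from typing import Any

# Keys the orchestra release reads from the orchestra-secrets-source Secret.
# The first two are named in the reply above; OIDC_CLIENT_SECRET is assumed
# because the thread's values.yaml enables OIDC. Treat the set as an assumption.
REQUIRED_KEYS = frozenset({"K8S_DB_SECRET", "unisonKeystorePassword", "OIDC_CLIENT_SECRET"})
EXPECTED_NAME = "orchestra-secrets-source"
EXPECTED_NAMESPACE = "openunison"


def check_secret(manifest: dict[str, Any], required=REQUIRED_KEYS) -> list[str]:
    """Return a list of problems with a Secret manifest; empty means it passes."""
    findings: list[str] = []
    if manifest.get("kind") != "Secret":
        findings.append(f"kind is {manifest.get('kind')!r}, expected Secret")
    meta = manifest.get("metadata") or {}
    if meta.get("name") != EXPECTED_NAME:
        findings.append(f"metadata.name is {meta.get('name')!r}, expected {EXPECTED_NAME}")
    if meta.get("namespace") != EXPECTED_NAMESPACE:
        findings.append(f"metadata.namespace is {meta.get('namespace')!r}, expected {EXPECTED_NAMESPACE}")

    data = manifest.get("data") or {}
    string_data = manifest.get("stringData") or {}
    present = set(data) | set(string_data)
    for key in sorted(required - present):
        findings.append(f"missing key {key}")

    # Values under data: must be base64; a literal placeholder is rejected by the
    # API server or, worse, decodes to garbage that the pod then uses as a secret.
    for key, value in data.items():
        try:
            decoded = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"data.{key} is not valid base64; put plain text under stringData instead")
            continue
        if not decoded:
            findings.append(f"data.{key} decodes to an empty value")
    for key, value in string_data.items():
        if not value:
            findings.append(f"stringData.{key} is empty")
    return findings


def build_secret(plain: dict[str, str]) -> dict[str, Any]:
    """Build a correctly base64-encoded Secret manifest from plain-text values."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": EXPECTED_NAME, "namespace": EXPECTED_NAMESPACE},
        "data": {k: base64.b64encode(v.encode()).decode("ascii") for k, v in plain.items()},
    }


# Constructed sample: the Secret from the comment above, with a single key and
# a literal placeholder where base64 is required.
POSTED_SECRET: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {"name": EXPECTED_NAME, "namespace": EXPECTED_NAMESPACE},
    "data": {"OIDC_CLIENT_SECRET": "base64here"},
}

# Constructed sample: a complete Secret built from placeholder values (not real credentials).
FIXED_SECRET: dict[str, Any] = build_secret({
    "OIDC_CLIENT_SECRET": "placeholder-oidc-client-secret",
    "K8S_DB_SECRET": "placeholder-db-password",
    "unisonKeystorePassword": "placeholder-keystore-password",
})

if __name__ == "__main__":
    for name, manifest in (("posted", POSTED_SECRET), ("fixed", FIXED_SECRET)):
        print(name, check_secret(manifest) or ["ok"])
```

Feed it the parsed manifest (yaml.safe_load of the file you are about to apply, or the JSON from kubectl get secret -o json) before syncing; the posted manifest reports the two missing keys and the bad base64, the rebuilt one reports nothing.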