OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

Cannot deploy via ArgoCD #132

Closed mierea closed 1 week ago

mierea commented 1 week ago

My application.yaml

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison-login
  namespace: argocd
spec:
  destination:
    namespace: openunison
    server: https://internal k8s ip here:6443
  ignoreDifferences:
  - group: admissionregistration.k8s.io
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
    kind: ValidatingWebhookConfiguration
  project: openunison
  sources:
  - repoURL: https://internal git here.git
    targetRevision: main 
    path: manifests
  - chart: openunison-operator
    helm:
      releaseName: openunison
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.13

  - chart: orchestra
    helm:
      releaseName: orchestra
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.10.61

  - chart: orchestra-login-portal
    helm:
      releaseName: orchestra-login-portal
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 2.3.57

  - chart: openunison-k8s-cluster-management
    helm:
      releaseName: cluster-management
      valueFiles:
      - $values/naas/values.yaml
    repoURL: https://nexus.tremolo.io/repository/helm
    targetRevision: 3.0.41

  - repoURL: https://internal git here.git
    path: naas
  - ref: values
    repoURL: https://internal git here.git
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true

My secrets file:

apiVersion: v1
type: Opaque
metadata:
  name: orchestra-secrets-source
  namespace: openunison
data:
  K8S_DB_SECRET: random pass base64 without ampersand
  unisonKeystorePassword: random pass base64 without ampersand
  OIDC_CLIENT_SECRET: client secret here base64
kind: Secret

My values file:

network:
  openunison_host: "k8sou.url"
  dashboard_host: "k8sdb.url"
  api_server_host: "k8sapiurl"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://k8s ip:6443
  force_redirect_to_tls: false
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations: { cert-manager.io/cluster-issuer: letsencrypt-dev }

cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"

myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: k8s
enable_impersonation: true

impersonation:
  use_jetstack: true
  explicit_certificate_trust: true

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true
  new: true

certs:
  use_k8s_cm: false

trusted_certs:
  - name: k8s
    pem_b64: base64 cluster cert

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

# Uncomment one of the below options for authentication

#active_directory:
#  base: cn=users,dc=ent2k12,dc=domain,dc=com
#  host: "192.168.2.75"
#  port: "636"
#  bind_dn: "cn=Administrator,cn=users,dc=ent2k12,dc=domain,dc=com"
#  con_type: ldaps
#  srv_dns: "false"

oidc:
  client_id: k8s-shared-dev
  issuer: https://keycloak here/realms/master
  user_in_idtoken: false
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

#github:
#  client_id: d85d77c55a08c9bcbb15
#  teams: TremoloSecurity/

#saml:
#  idp_url: "https://portal.apps.tremolo.io/idp-test/metadata/dfbe4040-cd32-470e-a9b6-809c8f857c40"

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: https://kubernetes.default.svc
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  amq:
    enabled: false
    ha: false
    pvc:
      enabled: false
      accessmode: ReadWriteOnce
      storageclass: my-sc
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: "true"
  secrets: []
  role_attribute: portalGroups
  groups:
    areJson: "true"
  enable_provisioning: true
  use_standard_jit_workflow: false
  naas:
    groups:
      internal:
        enabled: true
      external:
        enabled: true
        adminGroup: /cluster-admins
        clusterAdminGroup: /openunison-admins
  # enable_activemq: true
  # activemq_use_pvc: true
  # role_attribute: portalGroups
  # groups:
  #   areJson: "true"
  #az_groups:
  #- CN=k8s-users,CN=Users,DC=ent2k12,DC=domain,DC=com

#myvd_configmap: myvdconfig

# For Namespace as a Service

database:
  hibernate_dialect: org.hibernate.dialect.MariaDBDialect
  quartz_dialect: org.quartz.impl.jdbcjobstore.StdJDBCDelegate
  driver: org.mariadb.jdbc.Driver
  url: jdbc:mariadb://mariadb.openunison.svc.cluster.local:3306/argocdunison?password=mypasshgere
  user: argocdunison
  validation: SELECT 1

# smtp:
#  host: blackhole.blackhole.svc.cluster.local
#  port: 1025
#  user: "none"
#  from: donotreply@domain.com
#  tls: false

I tried with and without ActiveMQ, with and without trusted certs, with and without cert generation, etc.

On first sync it fails because the order of operations must be wrong (it waits for webhooks before orchestra is even deployed). Trying to sync orchestra generates this in the operator error log:

Could not process request:
java.lang.NullPointerException: Cannot invoke "String.getBytes(String)" because the return value of "java.util.Map.get(Object)" is null
        at com.tremolosecurity.openunison.secret.Generator.setupAmqSecrets(Generator.java:864)
        at com.tremolosecurity.openunison.secret.Generator.load(Generator.java:124)
        at com.tremolosecurity.openunison.operator.Operator.processObject(Operator.java:276)
        at com.tremolosecurity.openunison.operator.Operator.runWatch(Operator.java:183)
        at com.tremolosecurity.openunison.command.OpenUnisonOperator.main(OpenUnisonOperator.java:65)

Any idea what I'm doing wrong?

mlbiam commented 1 week ago

The error you're seeing is because your secret doesn't include the database or SMTP passwords. See https://openunison.github.io/namespace_as_a_service/, "Using ArgoCD".

You will need to also re-enable AMQ. If you have storage available, I'd enable the PVC too. See "Production AMQ" on the same page.

mierea commented 1 week ago

Found my answer here:

    amqEnvSecret.getData().put("JDBC_DRIVER", this.props.get("OU_JDBC_DRIVER").getBytes("UTF-8"));
    amqEnvSecret.getData().put("JDBC_URL", this.props.get("OU_JDBC_URL").getBytes("UTF-8"));
    amqEnvSecret.getData().put("JDBC_USER", this.props.get("OU_JDBC_USER").getBytes("UTF-8"));
    amqEnvSecret.getData().put("JDBC_PASSWORD", this.props.get("OU_JDBC_PASSWORD").getBytes("UTF-8"));
    amqEnvSecret.getData().put("TLS_KS_PWD", ksPassword.getBytes("UTF-8"));
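
The Java snippet above shows the operator pulling OU_JDBC_PASSWORD (and the other JDBC settings) out of its property map, and mlbiam's comment above explains that the NullPointerException comes from the Secret not carrying the database or SMTP passwords. The following pre-sync check is an added example, not code from the issue or from the OpenUnison project: it reports which keys the orchestra-secrets-source Secret is missing for the values sections in use, verifies that every value is real base64, and flags a password embedded in database.url as in the values file above. The SMTP_PASSWORD key name and the mapping from values sections to required keys are assumptions.

```python
# Added example: pre-sync check for the OpenUnison orchestra-secrets-source Secret.
# Not part of the issue thread or the OpenUnison project. Assumptions: OU_JDBC_PASSWORD
# is read from the Secret (per the Java snippet), and the SMTP password key is
# named SMTP_PASSWORD; oidc/database/smtp sections in values drive what is required.
import base64
import binascii
import re

BASE_KEYS = ("K8S_DB_SECRET", "unisonKeystorePassword")


def required_keys(values: dict) -> set:
    """Keys the operator will need, derived from which values sections are set."""
    keys = set(BASE_KEYS)
    if "oidc" in values:
        keys.add("OIDC_CLIENT_SECRET")
    if "database" in values:          # Namespace as a Service -> setupAmqSecrets path
        keys.add("OU_JDBC_PASSWORD")
    if "smtp" in values:
        keys.add("SMTP_PASSWORD")     # assumed key name
    return keys


def check_secret(secret: dict, values: dict) -> list:
    """Return human-readable findings; an empty list means the Secret is complete."""
    findings = []
    if secret.get("kind") != "Secret" or secret.get("type", "Opaque") != "Opaque":
        findings.append("manifest is not an Opaque Secret")
    data = secret.get("data") or {}
    for key in sorted(required_keys(values) - set(data)):
        findings.append(f"missing key {key} (operator would hit Map.get -> null)")
    for key, val in data.items():
        try:
            base64.b64decode(val, validate=True)   # Secret.data must be base64
        except (binascii.Error, ValueError):
            findings.append(f"{key} is not valid base64")
    url = (values.get("database") or {}).get("url", "")
    if re.search(r"[?&]password=", url):          # credential committed in values.yaml
        findings.append("database.url embeds a password; move it to OU_JDBC_PASSWORD")
    return findings


# Constructed sample mirroring the issue: base keys present, NaaS database configured,
# no JDBC password in the Secret, and a password inside the JDBC URL.
SAMPLE_SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
                 "metadata": {"name": "orchestra-secrets-source", "namespace": "openunison"},
                 "data": {"K8S_DB_SECRET": "Y2hhbmdlbWU=", "unisonKeystorePassword": "Y2hhbmdlbWU=",
                          "OIDC_CLIENT_SECRET": "c2VjcmV0"}}
SAMPLE_VALUES = {"oidc": {"client_id": "k8s-shared-dev"},
                 "database": {"url": "jdbc:mariadb://db:3306/unison?password=changeme"}}

if __name__ == "__main__":
    for finding in check_secret(SAMPLE_SECRET, SAMPLE_VALUES):
        print(finding)
```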

mierea commented 1 week ago

Heh @mlbiam, you beat me to it. After I added this I still had a few errors that were solved by tweaking the values file.

Also, you need to sync multiple times what is left out of sync to actually sync everything (sync wave not really working, I guess).

I'll close the ticket, thanks!

mlbiam commented 1 week ago

Excellent @mierea! Feedback on our deployment docs and methods is greatly appreciated! We want to make OpenUnison easier to deploy.