OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0
105 stars 5 forks

if certs.use_k8s_cm=true then openunison-operator does not create secrets and Orchestra does not start #65

Closed agtogna closed 1 year ago

agtogna commented 1 year ago

Hello, I've tried to install an Orchestra using the in-cluster cert-manager:

certs:
  use_k8s_cm: true

but the orchestra pod never starts because it's waiting for a secret to be mounted. In the operator logs it can be seen that it cannot reach the CSR API endpoint /apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc

Here are the logs:

Using version 'openunison.tremolo.io/v6'
Warning: Nashorn engine is planned to be removed from a future JDK release

[...]

Processing key 'unison-tls'
Checking if kubernetes secret exists
Creating keypair
Signing by Kubernetes' CA
Posting CSR
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests' - 404
{"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"name":"openunison-orchestra.openunison.svc"},"spec":{"request":"[...]","usages":["digital signature","key encipherment","server auth"]}}
Approving CSR
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc/approval' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Retrieving signed certificate
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 404
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"the server could not find the requested resource","reason":"NotFound","details":{},"code":404}

Sleeping, then trying again
trying again
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 403
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"certificatesigningrequests.certificates.k8s.io \"openunison-orchestra.openunison.svc\" is forbidden: User \"system:serviceaccount:openunison:openunison-operator\" cannot get resource \"certificatesigningrequests\" in API group \"certificates.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"openunison-orchestra.openunison.svc","group":"certificates.k8s.io","kind":"certificatesigningrequests"},"code":403}

Sleeping, then trying again
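The log above shows two distinct failures that look alike at a glance: a 404 because the API server no longer serves certificates.k8s.io/v1beta1, then a 403 because the operator's service account has no RBAC on certificatesigningrequests. The following parser is an added example, not OpenUnison or operator code; it reads operator log lines in the format quoted in this issue (the sample is constructed from those lines, with the CSR body abridged) and separates the two causes so a defender can tell an API-version problem from a permission problem.

```python
import json
import re

# Constructed sample, abridged from the operator log quoted in this issue.
SAMPLE_LOG = r"""Posting CSR
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests' - 404
{"apiVersion":"certificates.k8s.io/v1beta1","kind":"CertificateSigningRequest","metadata":{"name":"openunison-orchestra.openunison.svc"},"spec":{"request":"<base64 CSR omitted>","usages":["digital signature","key encipherment","server auth"]}}
Retrieving signed certificate
Problem calling '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/openunison-orchestra.openunison.svc' - 403
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"certificatesigningrequests.certificates.k8s.io \"openunison-orchestra.openunison.svc\" is forbidden: User \"system:serviceaccount:openunison:openunison-operator\" cannot get resource \"certificatesigningrequests\" in API group \"certificates.k8s.io\" at the cluster scope","reason":"Forbidden","details":{"name":"openunison-orchestra.openunison.svc","group":"certificates.k8s.io","kind":"certificatesigningrequests"},"code":403}
"""

# "Problem calling '<path>' - <http status>" as printed by the operator.
PROBLEM_RE = re.compile(
    r"^Problem calling '(?P<path>/apis/(?P<group>[^/]+)/(?P<version>[^/]+)/[^']*)' - (?P<code>\d{3})$")
# The message text of a Kubernetes RBAC Forbidden Status object.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<apigroup>[^"]*)"')


def diagnose(log_text):
    """Return one finding per failed API call, classified by root cause."""
    findings = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = PROBLEM_RE.match(line)
        if not m:
            continue
        # The operator prints the response (or the echoed request) on the next line.
        status = {}
        if i + 1 < len(lines) and lines[i + 1].startswith("{"):
            try:
                body = json.loads(lines[i + 1])
            except ValueError:
                body = {}
            if body.get("kind") == "Status":
                status = body
        finding = {"code": int(m["code"]), "group": m["group"], "version": m["version"], "path": m["path"]}
        if finding["code"] == 404:
            # The group/version is not served at all (certificates.k8s.io/v1beta1 CSRs
            # were removed in Kubernetes 1.22; v1 has existed since 1.19).
            finding["cause"] = "api_version_not_served"
            finding["hint"] = f"{m['group']}/{m['version']} missing; compare with 'kubectl api-versions'"
        elif finding["code"] == 403:
            finding["cause"] = "rbac_denied"
            fm = FORBIDDEN_RE.search(status.get("message", ""))
            if fm:
                finding.update(user=fm["user"], verb=fm["verb"], resource=fm["resource"])
                finding["hint"] = f"{fm['user']} needs '{fm['verb']}' on {fm['resource']}.{fm['apigroup']} (cluster scope)"
        else:
            finding["cause"] = "other"
        findings.append(finding)
    return findings
```

Run against the sample, it yields one `api_version_not_served` finding for the POST and one `rbac_denied` finding naming the operator service account, the verb and the resource it was denied.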
mlbiam commented 1 year ago

We're removing that feature in the next release. It's pretty much useless from a practical standpoint since no one trusts those certs to begin with. If you don't have something to generate certs for you, let the operator generate self-signed certs for you.