Closed eyupdzhanY1 closed 1 year ago
I have tried to deploy with ArgoCD and the same issue arises: the secret does not seem to be created.
If the orchestra `Secret` isn't being created, then there's likely an issue with the operator. Please post the output from the openunison-operator `Pod` and your values.yaml.
Checking if need to create a status for : 'ADDED'
Generating status
Creating status patch : {"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU=","conditions":{"reason":"error","lastTransitionTime":"2023-03-20 07:06:39UTC","type":"Failed","status":"True"}}
Patching to '/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons/orchestra/status'
Patch : '{"status":{"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU=","conditions":{"reason":"error","lastTransitionTime":"2023-03-20 07:06:39UTC","type":"Failed","status":"True"}}}'
{code=200, data={"apiVersion":"openunison.tremolo.io/v6","kind":"OpenUnison","metadata":{"annotations":{"argocd.argoproj.io/sync-wave":"20","helm-update":"Mar 20 21:06:12 2023 EET","meta.helm.sh/release-name":"orchestra","meta.helm.sh/release-namespace":"openunison"},"creationTimestamp":"2023-03-20T19:06:35Z","generation":1,"labels":{"app.kubernetes.io/component":"openunison","app.kubernetes.io/instance":"openunison-orchestra","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"openunison","app.kubernetes.io/part-of":"openunison"},"managedFields":[{"apiVersion":"openunison.tremolo.io/v6","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:argocd.argoproj.io/sync-wave":{},"f:helm-update":{},"f:meta.helm.sh/release-name":{},"f:meta.helm.sh/release-namespace":{}},"f:labels":{".":{},"f:app.kubernetes.io/component":{},"f:app.kubernetes.io/instance":{},"f:app.kubernetes.io/managed-by":{},"f:app.kubernetes.io/name":{},"f:app.kubernetes.io/part-of":{}}},"f:spec":{".":{},"f:activemq_image":{},"f:deployment_data":{".":{},"f:liveness_probe_command":{},"f:node_selectors":{},"f:pull_secret":{},"f:readiness_probe_command":{},"f:tokenrequest_api":{".":{},"f:audience":{},"f:enabled":{},"f:expirationSeconds":{}}},"f:dest_secret":{},"f:enable_activemq":{},"f:hosts":{},"f:image":{},"f:key_store":{".":{},"f:key_pairs":{".":{},"f:create_keypair_template":{},"f:keys":{}},"f:static_keys":{},"f:trusted_certificates":{},"f:update_controller":{".":{},"f:days_to_expire":{},"f:image":{},"f:schedule":{}}},"f:myvd_configmap":{},"f:non_secret_data":{},"f:openunison_network_configuration":{".":{},"f:activemq_dir":{},"f:allowed_client_names":{},"f:ciphers":{},"f:client_auth":{},"f:force_to_secure":{},"f:open_external_port":{},"f:open_port":{},"f:path_to_deployment":{},"f:path_to_env_file":{},"f:quartz_dir":{},"f:secure_external_port":{},"f:secure_key_alias":{},"f:secure_port":{}},"f:replicas":{},"f:saml_remote_idp":{},"f:secret_data":{},"f:source_secret":{}}},"m
anager":"ouctl","operation":"Update","time":"2023-03-20T19:06:35Z"},{"apiVersion":"openunison.tremolo.io/v6","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{".":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"f:digest":{}}},"manager":"Apache-HttpClient","operation":"Update","subresource":"status","time":"2023-03-20T19:06:39Z"}],"name":"orchestra","namespace":"openunison","resourceVersion":"61002434","uid":"51b492e5-d184-461c-8e77-e2078735e807"},"spec":{"activemq_image":"docker.io/tremolosecurity/activemq-docker:latest","deployment_data":{"liveness_probe_command":["/usr/local/openunison/bin/check_alive.sh","https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration","issuer","https://127.0.0.1:8443/check_alive","alive"],"node_selectors":[],"pull_secret":"","readiness_probe_command":["/usr/local/openunison/bin/check_alive.sh","https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration","issuer","https://127.0.0.1:8443/check_alive","alive"],"tokenrequest_api":{"audience":"api","enabled":false,"expirationSeconds":600}},"dest_secret":"orchestra","enable_activemq":false,"hosts":[{"annotations":[],"ingress_name":"openunison","ingress_type":"nginx","names":[{"env_var":"OU_HOST","name":"k8sou..com"},{"env_var":"K8S_DASHBOARD_HOST","name":"k8sdb..com"}],"secret_name":"ou-tls-certificate"}],"image":"docker.io/tremolosecurity/openunison-k8s","key_store":{"key_pairs":{"create_keypair_template":[{"name":"ou","value":"Kubernetes"},{"name":"o","value":"MyOrg"},{"name":"l","value":"My Cluster"},{"name":"st","value":"State of 
Cluster"},{"name":"c","value":"MyCountry"}],"keys":[{"create_data":{"ca_cert":true,"key_size":2048,"server_name":"openunison-orchestra.openunison.svc","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"unison-tls"},{"create_data":{"ca_cert":false,"key_size":2048,"server_name":"k8sou..com","sign_by_k8s_ca":false,"subject_alternative_names":["k8sdb..com"]},"import_into_ks":"certificate","name":"unison-ca","tls_secret_name":"ou-tls-certificate"},{"create_data":{"ca_cert":true,"delete_pods_labels":["k8s-app=kubernetes-dashboard"],"key_size":2048,"secret_info":{"cert_name":"dashboard.crt","key_name":"dashboard.key","type_of_secret":"Opaque"},"server_name":"kubernetes-dashboard.kubernetes-dashboard.svc","sign_by_k8s_ca":false,"subject_alternative_names":[],"target_namespace":"kubernetes-dashboard"},"import_into_ks":"certificate","name":"kubernetes-dashboard","replace_if_exists":true,"tls_secret_name":"kubernetes-dashboard-certs"},{"create_data":{"ca_cert":true,"key_size":2048,"server_name":"unison-saml2-rp-sig","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"unison-saml2-rp-sig"},{"create_data":{"ca_cert":false,"key_size":2048,"server_name":"remote-k8s-idp-sig","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"remote-k8s-idp-sig"}]},"static_keys":[{"name":"session-unison","version":1},{"name":"lastmile-oidc","version":1}],"trusted_certificates":[{"name":"okta-cert","pem_data":"=="}],"update_controller":{"days_to_expire":10,"image":"docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0","schedule":"0 2 * * 
*"}},"myvd_configmap":"myvd","non_secret_data":[{"name":"K8S_URL","value":"https://vf11-vos-aks-prod-dns-a6211d47.hcp.eastus2.azmk8s.io:443"},{"name":"SESSION_INACTIVITY_TIMEOUT_SECONDS","value":"900"},{"name":"K8S_DASHBOARD_NAMESPACE","value":"kubernetes-dashboard"},{"name":"K8S_DASHBOARD_SERVICE","value":"kubernetes-dashboard"},{"name":"K8S_CLUSTER_NAME","value":"openunison-cp"},{"name":"OPENUNISON_PROVISIONING_ENABLED","value":"false"},{"name":"K8S_IMPERSONATION","value":"false"},{"name":"PROMETHEUS_SERVICE_ACCOUNT","value":"system:serviceaccount:monitoring:prometheus-k8s"},{"name":"OU_SVC_NAME","value":"openunison-orchestra.openunison.svc"},{"name":"K8S_TOKEN_TYPE","value":"legacy"},{"name":"K8S_DB_SSO","value":"saml2"},{"name":"PROMETHEUS_SERVICE_ACCOUNT","value":"system:serviceaccount:monitoring:prometheus-k8s"},{"name":"SHOW_PORTAL_ORGS","value":"false"}],"openunison_network_configuration":{"activemq_dir":"/tmp/amq","allowed_client_names":[],"ciphers":["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],"client_auth":"none","force_to_secure":false,"open_external_port":80,"open_port":8080,"path_to_deployment":"/usr/local/openunison/work","path_to_env_file":"/etc/openunison/ou.env","quartz_dir":"/tmp/quartz","secure_external_port":443,"secure_key_alias":"unison-tls","secure_port":8443},"replicas":1,"saml_remote_idp":[{"mapping":{"encryption_cert_alias":"idp-saml2-enc","entity_id":"IDP_ENTITY_ID","logout_url":"IDP_LOGOUT","post_url":"IDP_POST","redirect_url":"IDP_REDIR","signing_cert_alias":"idp-saml2-sig"},"source":{"url":"http://www.okta.com/exks1krlvit4ylVFr1t7"}}],"secret_data":["AD_BIND_PASSWORD","K8S_DB_SECRET","unisonKeystorePassword"],"source_secret":"orchestra-secrets-source"},"status":{"conditions":{"lastTransitionTime":"2023-03-20 
07:06:39UTC","status":"True","type":"Failed"},"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU="}}
}
Resource 61002411 has already been processed, skipping
No change, skipping
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
---
# Helm values for the OpenUnison "orchestra" release as pasted in this issue.
# Hostnames, the cluster URL, the IdP URL and the certificate body appear to be
# redacted placeholders.

network:
  openunison_host: 'k8sou.example.com'
  dashboard_host: 'k8sdb.example.com'
  api_server_host: 'k8sapi.example.com'
  session_inactivity_timeout_seconds: 900
  # Placeholder for the API server URL.
  k8s_url: 'https://kluster:443'
  force_redirect_to_tls: false
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations: {}

# Subject fields for certificates the operator generates itself.
cert_template:
  ou: 'Kubernetes'
  o: 'MyOrg'
  l: 'My Cluster'
  st: 'State of Cluster'
  c: 'MyCountry'

image: docker.io/tremolosecurity/openunison-k8s
myvd_config_path: 'WEB-INF/myvd.conf'
k8s_cluster_name: openunison-cp
enable_impersonation: false

# Presumably only consulted when enable_impersonation is true — confirm against the chart.
impersonation:
  use_jetstack: true
  jetstack_oidc_proxy_image: docker.io/tremolosecurity/kube-oidc-proxy:latest
  explicit_certificate_trust: true

dashboard:
  namespace: 'kubernetes-dashboard'
  cert_name: 'kubernetes-dashboard-certs'
  label: 'k8s-app=kubernetes-dashboard'
  service_name: kubernetes-dashboard
  require_session: true

certs:
  use_k8s_cm: false

# Additional certificates to trust. Per the maintainer's reply in this thread the
# Okta entry is not needed: the SAML signing cert is pulled in automatically and
# Okta's TLS cert is signed by a trusted CA. 'string' is a redacted placeholder.
trusted_certs:
  - name: okta-cert
    pem_b64: 'string'

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

saml:
  # Must be the IdP's SAML metadata URL (fetching it should return XML); this
  # value was the root cause in this thread. NOTE(review): the scheme here is
  # plain http, so the metadata would be fetched without TLS and is not
  # integrity-protected in transit; the reporter's working value used https.
  idp_url: 'http://www.okta.com/string'

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  replicas: 1
  # SHOW_PORTAL_ORGS is quoted so it stays the string 'false' rather than a boolean.
  non_secret_data:
    K8S_DB_SSO: saml2
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    SHOW_PORTAL_ORGS: 'false'
  secrets: []
  html:
    image: docker.io/tremolosecurity/openunison-k8s-html
  enable_provisioning: false
  use_standard_jit_workflow: true
I think the issue is `saml.idp_url`. That's going to be the URL for your metadata. When you put that URL in your browser or run curl on it, you should get back XML. Also, you don't need Okta's certificate: the SAML cert will get pulled in, and Okta's TLS cert is signed by a trusted CA.
Yes, that was the issue, thank you @mlbiam, but I think I am still far from deploying; I'm getting TLS errors now. idp_url structure: https://COMPANY.okta.com/app/STRING/sso/saml/metadata
I am running the latest ouctl and trying to set up saml2; I provide the idp_url field and a trusted certificate. Deployment fails during orchestra setup because the pod is not able to find the secret.