
MountVolume.SetUp failed for volume "secret-volume" : secret "orchestra" not found #69

Closed eyupdzhanY1 closed 1 year ago

eyupdzhanY1 commented 1 year ago

I am running the latest ouctl and trying to set up saml2. I provide the idp_url field and a trusted certificate. Deployment fails during orchestra setup because the pod cannot find the secret.

eyupdzhanY1 commented 1 year ago

I have tried to deploy with ArgoCD and the same issue arises; the secret does not seem to be created.

mlbiam commented 1 year ago

If the orchestra Secret isn't being created, then there's likely an issue with the operator. Please post the output from the openunison-operator Pod and your values.yaml

eyupdzhanY1 commented 1 year ago

Checking if need to create a status for : 'ADDED'
Generating status
Creating status patch : {"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU=","conditions":{"reason":"error","lastTransitionTime":"2023-03-20 07:06:39UTC","type":"Failed","status":"True"}}
Patching to '/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons/orchestra/status'
Patch : '{"status":{"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU=","conditions":{"reason":"error","lastTransitionTime":"2023-03-20 07:06:39UTC","type":"Failed","status":"True"}}}'
{code=200, data={"apiVersion":"openunison.tremolo.io/v6","kind":"OpenUnison","metadata":{"annotations":{"argocd.argoproj.io/sync-wave":"20","helm-update":"Mar 20 21:06:12 2023 EET","meta.helm.sh/release-name":"orchestra","meta.helm.sh/release-namespace":"openunison"},"creationTimestamp":"2023-03-20T19:06:35Z","generation":1,"labels":{"app.kubernetes.io/component":"openunison","app.kubernetes.io/instance":"openunison-orchestra","app.kubernetes.io/managed-by":"Helm","app.kubernetes.io/name":"openunison","app.kubernetes.io/part-of":"openunison"},"managedFields":[{"apiVersion":"openunison.tremolo.io/v6","fieldsType":"FieldsV1","fieldsV1":{"f:metadata":{"f:annotations":{".":{},"f:argocd.argoproj.io/sync-wave":{},"f:helm-update":{},"f:meta.helm.sh/release-name":{},"f:meta.helm.sh/release-namespace":{}},"f:labels":{".":{},"f:app.kubernetes.io/component":{},"f:app.kubernetes.io/instance":{},"f:app.kubernetes.io/managed-by":{},"f:app.kubernetes.io/name":{},"f:app.kubernetes.io/part-of":{}}},"f:spec":{".":{},"f:activemq_image":{},"f:deployment_data":{".":{},"f:liveness_probe_command":{},"f:node_selectors":{},"f:pull_secret":{},"f:readiness_probe_command":{},"f:tokenrequest_api":{".":{},"f:audience":{},"f:enabled":{},"f:expirationSeconds":{}}},"f:dest_secret":{},"f:enable_activemq":{},"f:hosts":{},"f:image":{},"f:key_store":{".":{},"f:key_pairs":{".":{},"f:create_keypair_template":{},"f:keys":{}},"f:static_keys":{},"f:trusted_certificates":{},"f:update_controller":{".":{},"f:days_to_expire":{},"f:image":{},"f:schedule":{}}},"f:myvd_configmap":{},"f:non_secret_data":{},"f:openunison_network_configuration":{".":{},"f:activemq_dir":{},"f:allowed_client_names":{},"f:ciphers":{},"f:client_auth":{},"f:force_to_secure":{},"f:open_external_port":{},"f:open_port":{},"f:path_to_deployment":{},"f:path_to_env_file":{},"f:quartz_dir":{},"f:secure_external_port":{},"f:secure_key_alias":{},"f:secure_port":{}},"f:replicas":{},"f:saml_remote_idp":{},"f:secret_data":{},"f:source_secret":{}}},"m
anager":"ouctl","operation":"Update","time":"2023-03-20T19:06:35Z"},{"apiVersion":"openunison.tremolo.io/v6","fieldsType":"FieldsV1","fieldsV1":{"f:status":{".":{},"f:conditions":{".":{},"f:lastTransitionTime":{},"f:status":{},"f:type":{}},"f:digest":{}}},"manager":"Apache-HttpClient","operation":"Update","subresource":"status","time":"2023-03-20T19:06:39Z"}],"name":"orchestra","namespace":"openunison","resourceVersion":"61002434","uid":"51b492e5-d184-461c-8e77-e2078735e807"},"spec":{"activemq_image":"docker.io/tremolosecurity/activemq-docker:latest","deployment_data":{"liveness_probe_command":["/usr/local/openunison/bin/check_alive.sh","https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration","issuer","https://127.0.0.1:8443/check_alive","alive"],"node_selectors":[],"pull_secret":"","readiness_probe_command":["/usr/local/openunison/bin/check_alive.sh","https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration","issuer","https://127.0.0.1:8443/check_alive","alive"],"tokenrequest_api":{"audience":"api","enabled":false,"expirationSeconds":600}},"dest_secret":"orchestra","enable_activemq":false,"hosts":[{"annotations":[],"ingress_name":"openunison","ingress_type":"nginx","names":[{"env_var":"OU_HOST","name":"k8sou..com"},{"env_var":"K8S_DASHBOARD_HOST","name":"k8sdb..com"}],"secret_name":"ou-tls-certificate"}],"image":"docker.io/tremolosecurity/openunison-k8s","key_store":{"key_pairs":{"create_keypair_template":[{"name":"ou","value":"Kubernetes"},{"name":"o","value":"MyOrg"},{"name":"l","value":"My Cluster"},{"name":"st","value":"State of 
Cluster"},{"name":"c","value":"MyCountry"}],"keys":[{"create_data":{"ca_cert":true,"key_size":2048,"server_name":"openunison-orchestra.openunison.svc","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"unison-tls"},{"create_data":{"ca_cert":false,"key_size":2048,"server_name":"k8sou..com","sign_by_k8s_ca":false,"subject_alternative_names":["k8sdb..com"]},"import_into_ks":"certificate","name":"unison-ca","tls_secret_name":"ou-tls-certificate"},{"create_data":{"ca_cert":true,"delete_pods_labels":["k8s-app=kubernetes-dashboard"],"key_size":2048,"secret_info":{"cert_name":"dashboard.crt","key_name":"dashboard.key","type_of_secret":"Opaque"},"server_name":"kubernetes-dashboard.kubernetes-dashboard.svc","sign_by_k8s_ca":false,"subject_alternative_names":[],"target_namespace":"kubernetes-dashboard"},"import_into_ks":"certificate","name":"kubernetes-dashboard","replace_if_exists":true,"tls_secret_name":"kubernetes-dashboard-certs"},{"create_data":{"ca_cert":true,"key_size":2048,"server_name":"unison-saml2-rp-sig","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"unison-saml2-rp-sig"},{"create_data":{"ca_cert":false,"key_size":2048,"server_name":"remote-k8s-idp-sig","sign_by_k8s_ca":false,"subject_alternative_names":[]},"import_into_ks":"keypair","name":"remote-k8s-idp-sig"}]},"static_keys":[{"name":"session-unison","version":1},{"name":"lastmile-oidc","version":1}],"trusted_certificates":[{"name":"okta-cert","pem_data":"=="}],"update_controller":{"days_to_expire":10,"image":"docker.io/tremolosecurity/kubernetes-artifact-deployment:1.1.0","schedule":"0 2 * * 
*"}},"myvd_configmap":"myvd","non_secret_data":[{"name":"K8S_URL","value":"https://vf11-vos-aks-prod-dns-a6211d47.hcp.eastus2.azmk8s.io:443"},{"name":"SESSION_INACTIVITY_TIMEOUT_SECONDS","value":"900"},{"name":"K8S_DASHBOARD_NAMESPACE","value":"kubernetes-dashboard"},{"name":"K8S_DASHBOARD_SERVICE","value":"kubernetes-dashboard"},{"name":"K8S_CLUSTER_NAME","value":"openunison-cp"},{"name":"OPENUNISON_PROVISIONING_ENABLED","value":"false"},{"name":"K8S_IMPERSONATION","value":"false"},{"name":"PROMETHEUS_SERVICE_ACCOUNT","value":"system:serviceaccount:monitoring:prometheus-k8s"},{"name":"OU_SVC_NAME","value":"openunison-orchestra.openunison.svc"},{"name":"K8S_TOKEN_TYPE","value":"legacy"},{"name":"K8S_DB_SSO","value":"saml2"},{"name":"PROMETHEUS_SERVICE_ACCOUNT","value":"system:serviceaccount:monitoring:prometheus-k8s"},{"name":"SHOW_PORTAL_ORGS","value":"false"}],"openunison_network_configuration":{"activemq_dir":"/tmp/amq","allowed_client_names":[],"ciphers":["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"],"client_auth":"none","force_to_secure":false,"open_external_port":80,"open_port":8080,"path_to_deployment":"/usr/local/openunison/work","path_to_env_file":"/etc/openunison/ou.env","quartz_dir":"/tmp/quartz","secure_external_port":443,"secure_key_alias":"unison-tls","secure_port":8443},"replicas":1,"saml_remote_idp":[{"mapping":{"encryption_cert_alias":"idp-saml2-enc","entity_id":"IDP_ENTITY_ID","logout_url":"IDP_LOGOUT","post_url":"IDP_POST","redirect_url":"IDP_REDIR","signing_cert_alias":"idp-saml2-sig"},"source":{"url":"http://www.okta.com/exks1krlvit4ylVFr1t7"}}],"secret_data":["AD_BIND_PASSWORD","K8S_DB_SECRET","unisonKeystorePassword"],"source_secret":"orchestra-secrets-source"},"status":{"conditions":{"lastTransitionTime":"2023-03-20 
07:06:39UTC","status":"True","type":"Failed"},"digest":"yI8WXm3wfwYZVXBYxh0a62N3QG8QEOPjE3Cpei2e9IU="}}
}
Resource 61002411  has already been processed, skipping
No change, skipping
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
https://10.0.0.1:443/apis/openunison.tremolo.io/v6/namespaces/openunison/openunisons?watch=true&timeoutSeconds=30&allowWatchBookmarks=true&resourceVersion=61002434
# values.yaml posted for the "orchestra" OpenUnison release (the operator log
# above shows release-name "orchestra" in namespace "openunison").
# Host names, the API server URL and the certificate below are redacted
# placeholders; the operator log shows the live values.
network:
  openunison_host: "k8sou.example.com"
  dashboard_host: "k8sdb.example.com"
  api_server_host: "k8sapi.example.com"
  session_inactivity_timeout_seconds: 900
  # Placeholder; the operator log shows K8S_URL as the real AKS endpoint.
  k8s_url: https://kluster:443
  force_redirect_to_tls: false
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations: {}

# Subject fields for the certificates the operator generates (they appear as
# create_keypair_template in the operator log).
cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"

# No tag or digest, so the registry default is pulled; pinning a version or
# digest would make upgrades deliberate — same for the :latest image below.
image: docker.io/tremolosecurity/openunison-k8s
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: openunison-cp
enable_impersonation: false

impersonation:
  use_jetstack: true
  jetstack_oidc_proxy_image: docker.io/tremolosecurity/kube-oidc-proxy:latest
  explicit_certificate_trust: true

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard
  require_session: true

certs:
  use_k8s_cm: false

# Per the maintainer's reply in this issue, an Okta certificate is not needed
# here: the SAML cert is pulled in automatically (presumably from the IdP
# metadata) and Okta's TLS cert is signed by a publicly trusted CA. "string"
# is a redacted placeholder (the operator log shows pem_data "==" for it).
trusted_certs:
  - name: okta-cert
    pem_b64: "string"

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

saml:
  # Root cause of this issue (see the maintainer's reply): this must be the
  # IdP's SAML metadata URL — it returns XML when fetched with curl or a
  # browser — not the entity ID. The working form reported later in the
  # thread is https://COMPANY.okta.com/app/STRING/sso/saml/metadata.
  # Prefer https: the IdP signing cert is pulled in from here (presumably),
  # so a plain-http fetch of it has no integrity protection in transit.
  idp_url: "http://www.okta.com/string"

network_policies:
  # Master switch is off; presumably the per-component blocks below only
  # take effect once this is true — verify against the chart.
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  # Matches tokenrequest_api (enabled=false, audience "api", 600s) in the
  # operator log above.
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []

openunison:
  replicas: 1
  # Rendered into the OpenUnison CR's non_secret_data (see the operator log).
  non_secret_data:
    K8S_DB_SSO: saml2
    # Redundant with monitoring.prometheus_service_account above: the operator
    # log shows PROMETHEUS_SERVICE_ACCOUNT twice in the rendered CR.
    PROMETHEUS_SERVICE_ACCOUNT: system:serviceaccount:monitoring:prometheus-k8s
    # Quoted so it stays the string "false" rather than a YAML boolean.
    SHOW_PORTAL_ORGS: "false"
  secrets: []
  html:
    image: docker.io/tremolosecurity/openunison-k8s-html
  enable_provisioning: false
  use_standard_jit_workflow: true
mlbiam commented 1 year ago

I think the issue is saml.idp_url. That needs to be the URL for your IdP metadata. When you put that URL in your browser or run curl against it, you should get back XML. Also, you don't need Okta's certificate: the SAML cert will get pulled in, and Okta's TLS cert is signed by a trusted CA.

eyupdzhanY1 commented 1 year ago

Yes, that was the issue, thank you @mlbiam. But I think I am still far from deploying: I am getting TLS errors now. idp_url structure: https://COMPANY.okta.com/app/STRING/sso/saml/metadata