OpenUnison / openunison-k8s

Access portal for Kubernetes
Apache License 2.0

403 error when installing with ouctl and -n for a custom namespace #87

Closed brandan-schmitz closed 6 months ago

brandan-schmitz commented 9 months ago

I have installed OpenUnison in my k8s cluster (1.27.1 - kubeadm) using ouctl and the openunison orchestra pods are unable to startup due to the following error:

```
Exception in thread "main" jakarta.servlet.ServletException: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:400)
    at com.tremolosecurity.openunison.OpenUnisonServletFilter.init(OpenUnisonServletFilter.java:118)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:111)
    at io.undertow.servlet.core.ManagedFilter.createFilter(ManagedFilter.java:86)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:598)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:559)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:605)
    at com.tremolosecurity.openunison.undertow.OpenUnisonOnUndertow.main(OpenUnisonOnUndertow.java:353)
Caused by: com.tremolosecurity.provisioning.core.ProvisioningException: Could not load CRDs
    at com.tremolosecurity.k8s.watch.K8sWatcher.initalRun(K8sWatcher.java:176)
    at com.tremolosecurity.provisioning.targets.LoadTargetsFromK8s.loadDynamicTargets(LoadTargetsFromK8s.java:223)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.generateTargets(ProvisioningEngineImpl.java:887)
    at com.tremolosecurity.provisioning.core.ProvisioningEngineImpl.<init>(ProvisioningEngineImpl.java:482)
    at com.tremolosecurity.config.util.UnisonConfigManagerImpl.initialize(UnisonConfigManagerImpl.java:484)
    at com.tremolosecurity.filter.UnisonServletFilter.init(UnisonServletFilter.java:369)
    ... 9 more
Caused by: java.io.IOException: Unexpected result calling 'https://10.96.0.1:443/apis/openunison.tremolo.io/v1/namespaces/openunison/targets' - 403 / {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"targets.openunison.tremolo.io is forbidden: User \"system:serviceaccount:auth-services:openunison-orchestra\" cannot list resource \"targets\" in API group \"openunison.tremolo.io\" in the namespace \"openunison\"","reason":"Forbidden","details":{"group":"openunison.tremolo.io","kind":"targets"},"code":403}
```

I believe the cause of this is that for some reason it is still trying to make calls on the default `openunison` namespace and not the `auth-services` namespace I have created and specified using the `-n` flag with ouctl. I used the following command to install OpenUnison, with `client-secret-auth` being a file containing my Keycloak client secret and the `openunison-values.yaml` file containing my modified values from the default file downloaded from the documentation page links.

```
ouctl install-auth-portal -n auth-services -s client-secret-auth openunison-values.yaml
```

I have verified that the CRDs have been installed and that the service accounts have been created within the `auth-services` namespace.
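As an added diagnostic, not part of this issue or of the OpenUnison project, the helper below parses the API server's 403 `Status` body from the trace above and tells a namespace mismatch like this one (service account in `auth-services`, request against `openunison`) apart from a plain missing RoleBinding in the right namespace. It assumes the standard kube-apiserver wording for namespaced service-account denials; the sample body is the one quoted in the trace, embedded as a constant.

```python
import json
import re

# Sample input: the 403 Status body quoted in the stack trace above.
FORBIDDEN_BODY = (
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    '"message":"targets.openunison.tremolo.io is forbidden: User '
    '\\"system:serviceaccount:auth-services:openunison-orchestra\\" cannot list '
    'resource \\"targets\\" in API group \\"openunison.tremolo.io\\" in the namespace '
    '\\"openunison\\"","reason":"Forbidden","details":{"group":"openunison.tremolo.io",'
    '"kind":"targets"},"code":403}'
)

# Assumed wording of the apiserver's RBAC denial for a namespaced request by a service account.
_DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'in the namespace "(?P<target_ns>[^"]+)"'
)


def parse_forbidden(body: str) -> dict:
    """Extract subject namespace/name, verb, resource, group and target namespace from a 403 Status."""
    status = json.loads(body)
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a Kubernetes 403 Status object")
    match = _DENIAL.search(status.get("message", ""))
    if match is None:
        raise ValueError("message is not a namespaced service-account denial")
    return match.groupdict()


def diagnose(body: str) -> str:
    """Distinguish 'wrong namespace in the request' from 'RBAC missing in the namespace it asked for'."""
    d = parse_forbidden(body)
    target = f"{d['verb']} {d['resource']}.{d['group']}"
    if d["sa_ns"] != d["target_ns"]:
        # The caller's own namespace differs from the one in the URL: the client is
        # still pointed at a default namespace rather than the one it was installed into.
        return (f"namespace mismatch: {d['sa']} lives in {d['sa_ns']} but tried to "
                f"{target} in {d['target_ns']}")
    return f"missing RBAC: grant {target} to {d['sa']} in {d['target_ns']}"


if __name__ == "__main__":
    print(diagnose(FORBIDDEN_BODY))
```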

mlbiam commented 9 months ago

Please run a `helm repo update` and try re-running ouctl again? This should now be fixed.

mlbiam commented 6 months ago

Closing due to inactivity.