OpenUnison / openunison.github.io


ouctl (working) vs Manual Deployment (failing) #9

Open benzht opened 1 year ago

benzht commented 1 year ago

Hi, where/how can I find out what ouctl is actually doing? Deployment with ouctl is working, but I am failing to reproduce this following either Manual Deployment or the short-hand here. With the former, a pod fails to transition to 'ready', and with the latter I have all pods 'green' but instead of redirection to Keycloak I just see 403.

My test deployment is on a managed k8s (digitalocean) with Keycloak.

Thanks in advance Hartmut

mlbiam commented 1 year ago

> where/how can I find out what ouctl is actually doing?

It generates the orchestra-secrets-source Secret and installs the three helm charts.

> With the former, a pod fails to transition to 'ready', and with the latter I have all pods 'green' but instead of redirection to Keycloak I just see 403.

Can you provide the logs for the failed pod?

benzht commented 1 year ago

Thanks for the fast reaction! I've dropped the namespace and ran the commands from the second source again (switching creation of the namespace and applying the secret to it :-) ... and lo and behold, now it works! Sorry to bother - must have had some mistake with the previous runs.

Background: the reason why I am looking for the actual working steps is that I would like to integrate openunison in my gitops with argocd so that I can re-create my cluster from scratch from a git repo and using sealed secrets. The fewer external tools needed for this the better. The while loops seem to be the remaining issue because I could not yet convince argocd to wait ;-)

mlbiam commented 1 year ago

> Background: the reason why I am looking for the actual working steps is that I would like to integrate openunison in my gitops with argocd so that I can re-create my cluster from scratch from a git repo and using sealed secrets.

Ah, we haven't documented it yet but we do have a special chart which combines the 3 charts (we already have waves setup):

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: default
  ignoreDifferences:
  - group: "admissionregistration.k8s.io"
    kind: "ValidatingWebhookConfiguration"
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true
  source:
    repoURL: 'https://nexus.tremolo.io/repository/helm-betas'
    targetRevision: 2.3.15
    helm:
      values: |-
        {
          "cert_template": {
            "c": "xxxxxxxx",
            "l": "xxxxxxxx",
            "o": "dev",
            "ou": "xxxxxxxx",
            "st": "xxxxxxxx"
          },
          "enable_impersonation": true,
          "image": "xxxxxxxx/openunison-k8s:xxxxxxxx",
          "impersonation": {
            "ca_secret_name": "xxxxxxxx",
            "explicit_certificate_trust": true,
            "jetstack_oidc_proxy_image": "xxxxxxxx/kube-oidc-proxy:xxxxxxxx",
            "oidc_tls_secret_name": "tls-certificate",
            "use_jetstack": true
          },
          "k8s_cluster_name": "xxxxxxxx",
          "myvd_configmap": "",
          "network": {
            "api_server_host": "dev-ou-api.com",
            "createIngressCertificate": false,
            "dashboard_host": "dev-dashboard.com",
            "ingress_annotations": {
              "certmanager.k8s.io/cluster-issuer": "letsencrypt",
              "kubernetes.io/ingress.class": "openunison"
            },
            "ingress_certificate": "",
            "ingress_type": "none",
            "k8s_url": "",
            "openunison_host": "dev-login.com",
            "session_inactivity_timeout_seconds": xxxxxxxx
          },
          "oidc": {
            "auth_url": "https://xxxxxxxx",
            "client_id": "xxxxxxxx",
            "token_url": "https://xxxxxxxx",
            "user_in_idtoken": xxxxxxxx,
            "userinfo_url": "https://xxxxxxxx"
          },
          "openunison": {
            "replicas": 2
          },
          "services": {
            "pullSecret": "jfrog-auth",
            "resources": {
              "limits": {
                "cpu": "500m",
                "memory": "2048Mi"
              },
              "requests": {
                "cpu": "200m",
                "memory": "1024Mi"
              }
            },
            "token_request_expiration_seconds": xxxxxxxx
          },
          "trusted_certs": [
            {
              "name": "xxxxxxxx",
              "pem_b64": "xxxxxxxx"
            }
          ],
          "operator": {
            "image":"xxxxxxxx/openunison-k8s-operator:xxxxxxxx"
          }
        }
    chart: orchestra-login-portal-argocd
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: openunison
```

We've got a few customers using it, but if you give it a try we'd appreciate any feedback.
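Before committing an Application like the one above to a GitOps repo, it is worth checking that the inline `helm.values` block is valid JSON and that every masked field has been replaced with a value of the right type: a bare placeholder left where a number or boolean belongs invalidates the whole block, and the chart then renders nothing useful. The following pre-commit check is an added example, not OpenUnison's or ArgoCD's own code; the expected key types are assumptions read off the manifest above rather than the chart's schema, and both sample values blocks are constructed.

```python
import json
import re
from typing import List

# Constructed sample: the inline helm values with placeholders left unfilled,
# as in the template above. Not real configuration.
SAMPLE_VALUES = '''{
  "enable_impersonation": true,
  "network": {
    "openunison_host": "dev-login.com",
    "createIngressCertificate": false,
    "session_inactivity_timeout_seconds": xxxxxxxx
  },
  "oidc": {
    "client_id": "xxxxxxxx",
    "user_in_idtoken": xxxxxxxx
  },
  "openunison": {"replicas": 2}
}'''

# Constructed sample: filled in, but with a boolean quoted as a string and one
# placeholder still present.
FILLED_VALUES = json.dumps({
    "enable_impersonation": "true",
    "network": {"openunison_host": "dev-login.com",
                "session_inactivity_timeout_seconds": 900},
    "oidc": {"client_id": "xxxxxxxx", "user_in_idtoken": False},
    "openunison": {"replicas": 2},
})

# Dotted key paths and the JSON type each is expected to carry. These are
# assumptions taken from the Application shown in the thread, not a full schema.
EXPECTED_TYPES = {
    "enable_impersonation": bool,
    "impersonation.explicit_certificate_trust": bool,
    "impersonation.use_jetstack": bool,
    "network.createIngressCertificate": bool,
    "network.session_inactivity_timeout_seconds": int,
    "oidc.user_in_idtoken": bool,
    "openunison.replicas": int,
    "services.token_request_expiration_seconds": int,
}

# Masked values in the template look like "xxxxxxxx" (possibly inside a longer string).
PLACEHOLDER = re.compile(r"x{4,}")


def _lookup(obj, dotted):
    """Walk a dotted path; return (value, found)."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None, False
        obj = obj[part]
    return obj, True


def _placeholders(obj, path=""):
    """Yield dotted paths whose string value still contains a mask placeholder."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _placeholders(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, str) and PLACEHOLDER.search(obj):
        yield path


def validate_values(values_text: str) -> List[str]:
    """Return a list of problems; an empty list means the block is ready to commit."""
    try:
        values = json.loads(values_text)
    except json.JSONDecodeError as err:
        # An unquoted placeholder where a number or boolean belongs breaks the
        # whole block; report the position so it can be found in the manifest.
        return [f"values block is not valid JSON: line {err.lineno} col {err.colno}: {err.msg}"]
    problems = []
    for dotted, typ in EXPECTED_TYPES.items():
        val, present = _lookup(values, dotted)
        if not present:
            continue
        # bool is a subclass of int in Python, so reject it explicitly for int keys.
        if (typ is int and isinstance(val, bool)) or not isinstance(val, typ):
            problems.append(f"{dotted}: expected {typ.__name__}, got {type(val).__name__}")
    for path in _placeholders(values):
        problems.append(f"{path}: placeholder value not replaced")
    return problems


if __name__ == "__main__":
    for label, text in (("template", SAMPLE_VALUES), ("filled", FILLED_VALUES)):
        print(label, validate_values(text) or "ok")
```

In a repo pipeline the `values_text` argument would be the string under `spec.source.helm.values` of the Application manifest; the JSON parse failure on the first sample is the same symptom mlbiam points at when the rendered YAML does not match expectations.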

benzht commented 1 year ago

Thanks. I'll give it a spin

benzht commented 1 year ago

So far, not working. All containers are green, but argocd sync fails and openunison-openunison logs:

```
[2023-01-24 10:30:15,911][XNIO-1 task-4] INFO AccessLog - [AzSuccess] - CheckAlive - https://127.0.0.1:8443/check_alive - uid=Anonymous,o=Tremolo - [127.0.0.1] - [fa6a3c9e0e4cc3a5feeb4c1a4fcb75b455a59e707]
[2023-01-24 10:30:15,925][XNIO-1 task-5] INFO AccessLog - [Error] - UNKNOWN - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - cn=none - NONE [127.0.0.1] - [f5855fa93039b315ad11b01c9a33d5966566e95e5]
[2023-01-24 10:30:15,925][XNIO-1 task-5] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Unknown URI : /auth/idp/k8sIdp/.well-known/openid-configuration
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:116) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.32.jar:?]
```

Argocd reports

```
one or more objects failed to apply, reason:
Internal error occurred: failed calling webhook "authmechs-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authmechs?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "authchains-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authchains?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "workflows-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/workflows?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "applications-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/applications?timeout=5s": service "openunison-orchestra" not found
```

mlbiam commented 1 year ago

```
[2023-01-24 10:30:15,911][XNIO-1 task-4] INFO AccessLog - [AzSuccess] - CheckAlive - https://127.0.0.1:8443/check_alive - uid=Anonymous,o=Tremolo - [127.0.0.1] - [fa6a3c9e0e4cc3a5feeb4c1a4fcb75b455a59e707]
[2023-01-24 10:30:15,925][XNIO-1 task-5] INFO AccessLog - [Error] - UNKNOWN - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - cn=none - NONE [127.0.0.1] - [f5855fa93039b315ad11b01c9a33d5966566e95e5]
[2023-01-24 10:30:15,925][XNIO-1 task-5] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Unknown URI : /auth/idp/k8sIdp/.well-known/openid-configuration
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:116) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.32.jar:?]
```

this means the tremolo/orchestra-login-portal chart didn't deploy.

```
one or more objects failed to apply, reason:
Internal error occurred: failed calling webhook "authmechs-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authmechs?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "authchains-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authchains?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "workflows-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/workflows?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "applications-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/applications?timeout=5s": service "openunison-orchestra" not found
```

Can you post your Application? It looks like your yaml isn't rendering as expected.
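The ArgoCD error in this thread is the classic dangling-webhook failure mode: the operator's ValidatingWebhookConfiguration is registered, but the `openunison-orchestra` Service it points at never came up, so with the default `failurePolicy: Fail` the API server rejects every create of the custom resources the login-portal chart ships, and the sync stalls. The checker below is an added example, not part of OpenUnison or ArgoCD, that finds such webhooks by comparing each webhook's Service reference against the Services that actually exist. The two inputs are constructed to mirror the error text above; in a real cluster they would be the output of `kubectl get validatingwebhookconfigurations -o json` and `kubectl get svc -A -o json`.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `kubectl get validatingwebhookconfigurations -o json`.
# The openunison-orchestra webhooks point at a Service that is missing below;
# the "example-other" entry (a made-up name) is healthy for contrast.
WEBHOOK_CONFIGS = json.loads('''{"items": [
  {"metadata": {"name": "openunison-orchestra"},
   "webhooks": [
     {"name": "authmechs-openunison.tremolo.io", "failurePolicy": "Fail",
      "clientConfig": {"service": {"namespace": "openunison", "name": "openunison-orchestra",
                                   "path": "/k8s/webhooks/v1/authmechs"}}},
     {"name": "workflows-openunison.tremolo.io", "failurePolicy": "Fail",
      "clientConfig": {"service": {"namespace": "openunison", "name": "openunison-orchestra",
                                   "path": "/k8s/webhooks/v1/workflows"}}}
   ]},
  {"metadata": {"name": "example-other"},
   "webhooks": [
     {"name": "example.other.invalid",
      "clientConfig": {"service": {"namespace": "tools", "name": "example-svc"}}},
     {"name": "external.other.invalid",
      "clientConfig": {"url": "https://hook.example.invalid/validate"}}
   ]}
]}''')

# Constructed sample in the shape of `kubectl get svc -A -o json`. Note that
# openunison/openunison-orchestra is absent, as in the thread.
SERVICES = json.loads('''{"items": [
  {"metadata": {"namespace": "tools", "name": "example-svc"}},
  {"metadata": {"namespace": "openunison", "name": "openunison-operator"}}
]}''')


def dangling_webhooks(webhook_configs: Dict, services: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (configuration, webhook, namespace/service, failurePolicy) for every
    webhook whose Service backend does not exist.

    Admission webhooks default to failurePolicy Fail, so a dangling entry blocks
    every request that matches its rules, which is exactly what surfaced in the
    ArgoCD sync as 'service "openunison-orchestra" not found'.
    """
    existing = {(s["metadata"]["namespace"], s["metadata"]["name"]) for s in services["items"]}
    missing = []
    for cfg in webhook_configs["items"]:
        for hook in cfg.get("webhooks", []):
            svc = hook.get("clientConfig", {}).get("service")
            if svc is None:
                # URL-based webhook: nothing to resolve inside the cluster.
                continue
            ref = (svc["namespace"], svc["name"])
            if ref not in existing:
                missing.append((cfg["metadata"]["name"], hook["name"],
                                "/".join(ref), hook.get("failurePolicy", "Fail")))
    return missing


if __name__ == "__main__":
    for cfg_name, hook_name, ref, policy in dangling_webhooks(WEBHOOK_CONFIGS, SERVICES):
        print(f"{cfg_name}: webhook {hook_name} -> Service {ref} missing (failurePolicy={policy})")
```

Running this before retrying a sync tells you whether the problem is the operator chart (webhooks registered, Service absent, as here) rather than the login-portal chart's own manifests; the same check on MutatingWebhookConfigurations uses the identical document shape.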