Open rrobe53 opened 2 years ago
@rrobe53 can you try asking on the mailing list too and report back here if you find the answer?
Added it to the mailing list.
I also duplicated this test on my Mac using Minikube and hyperkit with the same results, to take K3S out of the equation.
Could you share your LDAP configuration? And also specify the version of the operator and AWX that you are using? I got the LDAP setup working via extra settings with AWX 19.4.0 and the operator built from my PR.
You can check out my branch in this PR for reference. It did work on my Azure AKS with the LDAP CA cert synced from Azure Key Vault.
Using 19.4.0 and 0.14.0 in the initial test, just tried again with the k3s environment and 19.5.0 and 0.15.0 with the same result.
I'm using the same LDAP setup that's working on a much older version (8.0.0). I'm not applying it with extra settings, just the bare deploy above. I'm able to get the LDAP failure message by configuring essentially nothing but the LDAP server name in the LDAP settings. However, I've copied everything else. I use the same ca.crt in curl against https://ldapserver:636 and it works (past the SSL handshake at least).
I had a very similar issue with CA certs. I had to provide the entire CA chain as the input to the secrets. If I provided just the CA cert, I had the same error as you. When I provided the CA and the root CA certificate, things magically started to work.
@rrobe53 you've provided a lot of information, however I cannot see the results from the container. Are the certs properly propagated?
I've reproduced that on k3s: the certificate is not getting properly updated in the container, which leads to the 'unable to verify the first certificate' issue and, when trying to use ldaps:
SERVER_DOWN({'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [],
Do you have a solution @rrobe53? I know the issue is old, but it is not marked as done.
EDIT: I found a solution. Maybe it is simple, but it wasn't easy to find. To make LDAPS work, besides setting the right path (ldaps://url:port), you need to insert, starting from the top: ldap-ca.crt: root, intermediate, LDAP certs; the same for the bundle, bundle-ca.crt: root, intermediate, server cert.
I have a .crt file for an internal CA that I can call against an internal resource, using
curl --cacert ca.crt ldaps://xyz:636
, and that works in terms of verifying the certificate. However, adding it as a secret and referencing it in the manifest continues to show errors. Running this in k3s.
Creating the secret
kubectl -n awx create secret generic awx-custom-certs --from-file=ldap-ca.crt=./ca.crt --from-file=bundle-ca.crt=./ca.crt
Basic deploy
After deploy I see this in the manager logs, no errors:
kubectl -n awx logs deployments/awx-operator-controller-manager -c manager
awx-custom-certs is in the same namespace, again as expected since I didn't get any errors from the operator.
kubectl -n awx get awx,all,ingress,secrets,persistentvolume
Yet LDAPS still doesn't function:
kubectl -n awx logs awx-559fcd895-tfxl9 -c awx-web