armory / spinnaker-operator

Open Source Spinnaker Kubernetes Operator source code
Apache License 2.0

enabling authz causes Reconciler error #248

Closed reschenburgIDBS closed 2 years ago

reschenburgIDBS commented 2 years ago

Hi

We're trying to set up fiat/authz atm, with authn working fine (i.e. we can sign into spinnaker using github accounts)

The problem starts as soon as we have an authz section in the config:

{"level":"error","ts":1635948418.3120487,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"spinnakerservice-controller","request":"spinnaker/spinnaker","error":"got halyard response status 500, response: ","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/opt/spinnaker-operator/build/vendor/github.com/go-logr/zapr/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/opt/spinnaker-operator/build/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:218\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/opt/spinnaker-operator/build/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:192\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/opt/spinnaker-operator/build/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:171\nk8s.io/apimachinery/pkg/util/wait.JitterUntil.func1\n\t/opt/spinnaker-operator/build/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:152\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/opt/spinnaker-operator/build/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:153\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/opt/spinnaker-operator/build/vendor/k8s.io/apimachinery/pkg/util/wait/wait.go:88"}

with the important bit being: "error":"got halyard response status 500, response: ", - no actual response message.

We have tried spinnakerConfig.config.version: 1.26.6 as well as 1.23.7

There is no fiat pod spinning up as a result and other configuration changes are not applied until the authz section is removed from config.

This is our authn and authz section:

      security:
        authn:
          oauth2:
            enabled: true
            client:
              clientId: <removed>
              clientSecret: <removed>
              accessTokenUri: https://github.com/login/oauth/access_token
              userAuthorizationUri: https://github.com/login/oauth/authorize
              scope: user:email
            resource:
              userInfoUri: https://api.github.com/user
            userInfoRequirements:
              company: '<removed>'
            userInfoMapping:
              email: email
              firstName: ''
              lastName: name
              username: login
            provider: GITHUB
        authz:
          enabled: true
          groupMembership:
            service: GITHUB
            google:
              roleProviderType: GOOGLE
            github:
              roleProviderType: GITHUB
              baseUrl: https://api.github.com
              accessToken: <removed>
              organization: <removed>
            file:
              roleProviderType: FILE
            ldap:
              roleProviderType: LDAP

It would also be great to know what key/value pairs are available for userInfoRequirements.

Other possibly relevant info:

Any suggestions as to what might be going wrong here?

Thanks!

reschenburgIDBS commented 2 years ago

Resolved. We had an indentation error in the authz section, which was not immediately obvious as we are using yq to inject secrets as part of a pipeline.
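Since the root cause turned out to be indentation introduced by the secret-injection step, here is an added example (not code from the spinnaker-operator project) of a lint that can run in the pipeline right after yq: it parses the `security` block and reports an `authz` section that has slid under `authn`, or a `groupMembership.service` with no matching provider block. It assumes the block uses only nested mappings with scalar values, as the config above does; the sample YAML is a constructed, trimmed copy of that config.

```python
# Added example (not spinnaker-operator code): lint the security block after yq secret injection.
import textwrap
def parse_simple_yaml(text: str) -> dict:
    """Parse the YAML subset this config uses: nested maps with scalar leaves, no lists."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the currently open ancestors
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # close mappings at equal or deeper indent
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip().strip("'\"")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root
def lint_security(config: dict) -> list:
    """Findings about the authn/authz layout; an empty list means it looks sane."""
    sec = config.get("security", {})
    authn, authz = sec.get("authn", {}), sec.get("authz")
    if authz is None:  # the failure from the issue: authz swallowed by authn
        return ["authz is nested under authn (indentation error)"
                if "authz" in authn else "security.authz is missing"]
    findings = []
    if str(authz.get("enabled")).lower() != "true":
        findings.append("authz.enabled is not true")
    gm = authz.get("groupMembership", {})
    svc = str(gm.get("service", ""))
    provider = gm.get(svc.lower())
    if not isinstance(provider, dict) or provider.get("roleProviderType") != svc:
        findings.append(f"no provider block matching groupMembership.service={svc!r}")
    return findings
# Constructed sample: trimmed copy of the issue's config, then the same text with the
# authz block shifted two spaces right, as a broken yq step would leave it.
GOOD = """security:
  authn:
    oauth2:
      enabled: true
  authz:
    enabled: true
    groupMembership:
      service: GITHUB
      github:
        roleProviderType: GITHUB
"""
_head, _tail = GOOD.split("  authz:", 1)
BAD = _head + textwrap.indent("  authz:" + _tail, "  ")
```

Running `lint_security(parse_simple_yaml(BAD))` returns the indentation finding, while the correctly indented text returns an empty list, so a non-empty result can fail the pipeline before the manifest ever reaches the operator.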