armory / spinnaker-operator

Open Source Spinnaker Kubernetes Operator source code
Apache License 2.0

Azure OAuth not working as expected #295

Closed swaroop1012 closed 1 year ago

swaroop1012 commented 1 year ago

I have set OAuth with Azure AD but when I open Spinnaker and log in to my Microsoft account, I get the below error in the browser:

```json
{"timestamp":1693327786258,"status":401,"error":"Unauthorized","message":"Unauthorized"}
```

The gate pod log corresponding to that time says:

```
2023-08-29 16:25:35.156 WARN 1 --- [0.0-8084-exec-9] c.n.s.gate.filters.FiatSessionFilter : Authenticated user was not present in authenticated request. Check authentication settings.
```

Config:

```yaml
apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:
    service-settings: 
      gate:
        env:
          azureTenantId: xxxx
    config:
      security:
        authn:
          oauth2:
            enabled: true
            client:
              clientId: xxxx
              clientSecret: xxxx
              accessTokenUri: https://login.microsoftonline.com/xxxx/oauth2/token
              userAuthorizationUri: https://login.microsoftonline.com/xxxx/oauth2/authorize?resource=https://graph.windows.net
              clientAuthenticationScheme: query
              scope: profile
              preEstablishedRedirectUri: https://gate.com/login
              useCurrentUri: false
            userInfoRequirements: {}
            resource:
              userInfoUri: https://graph.windows.net/me?api-version=1.6
            userInfoMapping:
              email: userPrincipalName
              firstName: givenName
              lastName: surname
              username: userPrincipalName
            provider: OTHER
          saml:
            enabled: false
            userAttributeMapping: {}
          ldap:
            enabled: false
          x509:
            enabled: false
          iap:
            enabled: false
        authz:
          enabled: true
          groupMembership:
            service: EXTERNAL
            google:
              roleProviderType: GOOGLE
            github:
              roleProviderType: GITHUB
            file:
              roleProviderType: FILE
            ldap:
              roleProviderType: LDAP
```

Also tried the above config with `provider: AZURE` as well but got the same error. Does anyone know what's wrong with the config?

swaroop1012 commented 1 year ago

This is fixed. It turns out the client secret wasn't decoded properly (the trailing newline character had to be excluded) in the Kubernetes secret. It should be either

```sh
echo -n '<client_secret>' | base64
```

and then copy the output to a secret, or

```sh
kubectl -n spinnaker create secret generic spin-secrets --from-literal=oauth-client-secret-azure=<client_secret>
```

and not

```sh
echo '<client_secret>' | base64
```
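The root cause above (a stray `\n` inside the base64-encoded secret) is easy to reproduce and easy to check for before the manifest is applied. The following POSIX shell script is an added example, not code from the issue or from the spinnaker-operator project; `SAMPLE_SECRET` is a constructed value, not a real credential, and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not from the issue or the spinnaker-operator project.
# Shows how `echo` (vs `echo -n`) leaves a trailing newline inside a
# base64-encoded Kubernetes secret value, and how to check a value for it
# before the secret is applied.

# Constructed sample value; not a real client secret.
SAMPLE_SECRET='s3cret-value'

# A literal newline kept in a variable. Command substitution strips trailing
# newlines, so a sentinel character is appended and then removed.
NL=$(printf '\nx'); NL=${NL%x}

# The broken encoding from the issue: plain echo appends "\n" before base64.
encode_with_newline() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# The correct encoding: no newline is added to the secret bytes.
encode_without_newline() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Number of bytes the base64 payload decodes to (an off-by-one hints at "\n").
decoded_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Returns 0 (true) if the decoded secret ends with a newline, 1 otherwise.
has_trailing_newline() {
    decoded=$(printf '%s' "$1" | base64 -d; printf 'x')
    decoded=${decoded%x}
    case "$decoded" in
        *"$NL") return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo: inspect both encodings the way you would inspect a secret's data field.
for enc in "$(encode_with_newline "$SAMPLE_SECRET")" "$(encode_without_newline "$SAMPLE_SECRET")"; do
    if has_trailing_newline "$enc"; then
        echo "$enc -> $(decoded_length "$enc") bytes, trailing newline present"
    else
        echo "$enc -> $(decoded_length "$enc") bytes, clean"
    fi
done
```

Running `has_trailing_newline` against the `data` field of an existing secret (for example the output of `kubectl get secret ... -o jsonpath='{.data.oauth-client-secret-azure}'`) tells you whether the stored value carries the extra byte; `kubectl create secret generic --from-literal=...` never adds one, which is why that path works out of the box.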