canonical / oathkeeper-operator

Charmed Ory Oathkeeper
https://charmhub.io/oathkeeper
Apache License 2.0

Unable to connect after deploying and relating with jenkins-k8s #64

Open mthaddon opened 4 months ago

mthaddon commented 4 months ago

Bug Description

I've followed the instructions (as best I can tell) to deploy the identity bundle, configure it with the GitHub identity provider and relate it to jenkins-k8s, but when I go to the Jenkins URL I get a spinning widget under the Canonical logo, and some 500s in the browser console.

To Reproduce

Here are the steps I've followed:

# Bootstrap juju and microk8s
juju add-model iam
juju deploy identity-platform --trust --channel latest/edge
# Wait til that settles
# We're going to configure it with the github identity provider
juju run traefik-public/0 show-proxied-endpoints --format yaml 2>/dev/null | yq '."traefik-public/0".results."proxied-endpoints"' | yq '.kratos'
# something like `{"url": "https://10.64.140.43/iam-kratos"}` so our redirect
# URL is https://10.64.140.43/iam-kratos/self-service/methods/oidc/callback/github
# Create a client-id and client secret per https://docs.google.com/document/d/162tyixNWC25POqfh6VYMOCzfGB_JgApip2Nrud5bfDc/edit
juju config kratos-external-idp-integrator \
  provider=github \
  client_id=<client-id> \
  client_secret=<client-secret> \
  provider_id=github \
  scope=user:email
# Confirm you have a 'Provider is ready' message
juju config kratos dev=True

# Build the charm and rock from https://github.com/canonical/jenkins-k8s-operator/tree/support-for-oathkeeper-integration
juju deploy ./jenkins-k8s_ubuntu-22.04-amd64.charm --resource jenkins-image=localhost:32000/jenkins:test
# Wait til that settles to active/idle
juju deploy oathkeeper --channel edge --trust
juju integrate oathkeeper:certificates self-signed-certificates

juju config traefik-public enable_experimental_forward_auth=True
juju integrate oathkeeper traefik-public:experimental-forward-auth

juju integrate oathkeeper kratos

juju integrate jenkins-k8s:ingress traefik-public
juju integrate oathkeeper jenkins-k8s:auth-proxy

In my case, the URL I visited was https://10.64.140.43/iam-jenkins-k8s

Environment

Juju 3.1, running on Microk8s v1.28.7.

Here's the output of juju status to confirm charm revisions:

$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
iam    microk8s-localhost  microk8s/localhost  3.1.7    unsupported  13:47:06+01:00

App                                  Version  Status  Scale  Charm                                Channel        Rev  Address         Exposed  Message
hydra                                v2.2.0   active      1  hydra                                latest/edge    269  10.152.183.174  no       
identity-platform-login-ui-operator  0.11.3   active      1  identity-platform-login-ui-operator  latest/edge     79  10.152.183.214  no       
jenkins-k8s                          2.426.3  active      1  jenkins-k8s                                           0  10.152.183.77   no       
kratos                               v1.1.0   active      1  kratos                               latest/edge    393  10.152.183.172  no       
kratos-external-idp-integrator                active      1  kratos-external-idp-integrator       latest/edge    186  10.152.183.30   no       Provider is ready
oathkeeper                                    active      1  oathkeeper                           edge            35  10.152.183.149  no       
postgresql-k8s                       14.10    active      1  postgresql-k8s                       14/stable      193  10.152.183.72   no       Primary
self-signed-certificates                      active      1  self-signed-certificates             latest/edge     52  10.152.183.93   no       
traefik-admin                        2.10.5   active      1  traefik-k8s                          latest/stable  169  10.64.140.44    no       
traefik-public                       2.10.5   active      1  traefik-k8s                          latest/stable  169  10.64.140.43    no       

Unit                                    Workload  Agent  Address       Ports  Message
hydra/0*                                active    idle   10.1.129.145         
identity-platform-login-ui-operator/0*  active    idle   10.1.129.146         
jenkins-k8s/0*                          active    idle   10.1.129.161         
kratos-external-idp-integrator/0*       active    idle   10.1.129.148         Provider is ready
kratos/0*                               active    idle   10.1.129.156         
oathkeeper/0*                           active    idle   10.1.129.164         
postgresql-k8s/0*                       active    idle   10.1.129.151         Primary
self-signed-certificates/0*             active    idle   10.1.129.150         
traefik-admin/0*                        active    idle   10.1.129.154         
traefik-public/0*                       active    idle   10.1.129.155         

Relevant log output

I'll attach these to the bug since there's quite a lot.

Additional context

No response

syncronize-issues-to-jira[bot] commented 4 months ago

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-727.

This message was autogenerated

mthaddon commented 4 months ago

iam-logs.tar.gz

mthaddon commented 4 months ago

Per some follow-up discussions it looks like the charms are going to active status before things are really ready. If I wait a few minutes and then navigate to https://10.64.140.43/iam-jenkins-k8s again it works fine.
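
The last comment notes that active/idle in juju status does not mean the ingress and forward-auth chain are serving yet. As an added example (not from the issue thread or the charms' own code), this script polls the proxied URL and only reports ready after several consecutive non-error answers. The `CACERT` variable, the readiness rule and the default retry counts are assumptions.

```shell
#!/bin/sh
# Added example, not from the issue: gate on what the proxied URL actually
# returns instead of on Juju's active/idle status.

# Print the HTTP status code for $1 ("000" when curl gets no HTTP response).
# CACERT (assumed variable) is the path to the CA that signed the ingress cert.
http_status() {
  curl --silent --output /dev/null --max-time 5 \
    ${CACERT:+--cacert "$CACERT"} --write-out '%{http_code}' "$1" 2>/dev/null || true
}

# Assumed readiness rule: 2xx/3xx, or a 401/403 from the auth layer, means the
# route and forward-auth chain answer. 404 (no route yet), 5xx and 000 do not.
is_ready_code() {
  case "$1" in
    2??|3??|401|403) return 0 ;;
    *) return 1 ;;
  esac
}

# wait_ready URL [NEED] [MAX] [DELAY]
# Succeeds after NEED consecutive ready responses; fails after MAX attempts.
wait_ready() {
  wr_url=$1 wr_need=${2:-3} wr_max=${3:-60} wr_delay=${4:-5}
  wr_streak=0 wr_try=0
  while [ "$wr_try" -lt "$wr_max" ]; do
    wr_try=$((wr_try + 1))
    wr_code=$(http_status "$wr_url")
    if is_ready_code "$wr_code"; then
      wr_streak=$((wr_streak + 1))
    else
      wr_streak=0   # one bad answer resets the streak
    fi
    echo "attempt $wr_try: HTTP ${wr_code:-none}, streak $wr_streak/$wr_need" >&2
    if [ "$wr_streak" -ge "$wr_need" ]; then return 0; fi
    if [ "$wr_try" -lt "$wr_max" ]; then sleep "$wr_delay"; fi
  done
  return 1
}

# Run only when a URL is given, e.g.:
#   CACERT=./ca.pem ./wait-ready.sh https://10.64.140.43/iam-jenkins-k8s
if [ "$#" -gt 0 ]; then
  wait_ready "$@" || exit 1
fi
```

Requiring a streak rather than a single good response avoids declaring success on one lucky request while the backends are still settling.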