Open fredsted opened 4 years ago
@fredsted Were you able to find a solution? Could you please share your RBAC file you created, that would be awesome!
Thanks!
Hi @natcohen
I added these to my adaptation of the openvpn chart here:
`templates/letsencrypt.role.yaml`

```yaml
{{ if .Values.ui.ssl.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: {{ template "fullname_letsencrypt" . }}-role
  labels:
    app: "{{ .Chart.Name }}"
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  - apiGroups: ['']
    resources: ['secrets']
    verbs: ["get", "watch", "list", "create", "update", "patch"]
{{- end }}
```
`templates/letsencrypt.rolebinding.yaml`

```yaml
{{ if .Values.ui.ssl.enabled }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ template "fullname_letsencrypt" . }}-rolebinding
  labels:
    app: "{{ .Chart.Name }}"
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "fullname_letsencrypt" . }}-role
subjects:
  - kind: ServiceAccount
    name: {{ template "fullname_letsencrypt" . }}-sa
{{- end -}}
```
I wasn't able to find a solution. We initially considered this to allow developers access to a central K8s cluster, but we are now using Teleport for this purpose, which also has an Oauth access flow.
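As an added example (not part of this thread or of the chart), a small check over the Role above, rendered with constructed values, that flags Secret permissions not pinned with `resourceNames`, beside a tightened variant for comparison. The secret name `vpn-letsencrypt-tls` and release prefix `vpn` are assumed; the manifests use `rbac.authorization.k8s.io/v1`, since the `v1beta1` API in the thread was removed in Kubernetes 1.22.

```python
# Added example: lint a Kubernetes Role for unscoped Secret access.
# ROLE_FROM_THREAD is the Role posted above, rendered with constructed values;
# ROLE_SCOPED is a tightened variant with assumed names.

ROLE_FROM_THREAD = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "vpn-letsencrypt-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "watch", "list", "create", "update", "patch"]},
    ],
}

# Named-object verbs are pinned to the one TLS secret the job manages.
# "create" cannot be restricted by resourceNames, so it stays in its own rule.
ROLE_SCOPED = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "vpn-letsencrypt-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["vpn-letsencrypt-tls"],  # constructed secret name
         "verbs": ["get", "update", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
    ],
}

# Verbs that act on one named Secret and so can be pinned with resourceNames.
NAMEABLE = {"get", "update", "patch", "delete"}
# Verbs that expose or touch every Secret in the namespace.
NAMESPACE_WIDE = {"list", "watch", "deletecollection"}


def secret_findings(role):
    """Return (rule_index, message) pairs for over-broad Secret access."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        resources = rule.get("resources", [])
        if "secrets" not in resources and "*" not in resources:
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = NAMEABLE | NAMESPACE_WIDE | {"create"}
        if verbs & NAMESPACE_WIDE:
            findings.append((i, "namespace-wide verbs on secrets: "
                             + ", ".join(sorted(verbs & NAMESPACE_WIDE))))
        if verbs & NAMEABLE and not rule.get("resourceNames"):
            findings.append((i, "unscoped verbs on secrets: "
                             + ", ".join(sorted(verbs & NAMEABLE))))
    return findings
```

Running `secret_findings(ROLE_FROM_THREAD)` reports both the namespace-wide `list`/`watch` and the unpinned `get`/`update`/`patch`, while the scoped variant reports nothing.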
Thank you so much, that is extremely helpful!
@fredsted Sorry to bother but how did you integrate those files into the current project? Do I have to add them into the letsencrypt jobs-pre-install file? If yes, how? Thanks again
@natcohen I basically copied all the files from the chart on this repo and made my own helm chart with the changes :)
@fredsted I did the same but the problem is I don't know where to add these two files into the deployment process... Adding them to the chart doesn't seem to work.
Did you set the value `.Values.ui.ssl.enabled`?
yes I did...
I created the two files and added them into the same folder and rebuilt the package. But it seems that it's not deploying the RBAC files on pre-install.
Hi,
I've managed to install the chart and make it work with the latest letsencrypt (had to create RBAC stuff and set the letsencrypt_ca to
https://acme-v02.api.letsencrypt.org/directory
to avoid an "ACME V1" error), but I can't seem to log in in my VPN client. The certificate is created as `simon` even though my GitHub username is `fredsted`, not sure if that has anything to do with it. Here's some output from the openvpn pod:
I'm using Google Authenticator for GitHub, so I've tried several combinations of simon/fredsted and with/without my Google Authenticator code.
I can also see that the link to "GitHub PAM" does not work, so I can't investigate that part further. https://github.com/cloudposse/github-pam
Is it possible to just delete the password authentication from the VPN? I can make do with the oauth sign-in-to-download-vpn-config part.
@alebabai @osterman