kubecost / features-bugs

A public repository for filing of Kubecost feature requests and bugs. Please read the issue guidelines before filing an issue here.

[Bug] Leader Follower doesn't work with SAML enabled #30

Closed passionInfinite closed 1 month ago

passionInfinite commented 11 months ago

Kubecost Helm Chart Version

v1.107.1

Kubernetes Version

v1.27

Kubernetes Platform

AKS

Description

We had SAML working previously without leader follower. We tried enabling leader follower with the StatefulSet option, but that still doesn't work. The login keeps redirecting in an infinite loop.

Steps to reproduce

  1. Enable leader-follower with replica count of 2.
  2. Have SAML with correct settings and with RBAC enabled.
  3. Visit the Kubecost URL to access the dashboard.
  4. It redirects to login with SAML; once logged in, it keeps redirecting.

Expected behavior

Dashboard must be visible correctly in addition to SAML working.

Impact

Kubecost dashboard not visible.

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting

chipzoller commented 11 months ago

Can you show the values overrides you used?

passionInfinite commented 11 months ago

Sure @chipzoller

    kubecostDeployment:
      statefulSet:
        enabled: true
      replicas: 2
      leaderFollower:
        enabled: true
    saml:
      enabled: true
      secretName: "kubecost-sso"
      idpMetadataURL: "FEDERATION_METADATA_URL?appid=APP_ID"
      appRootURL: "https://kubecost.test.com"
      authTimeout: 1440
      nameIDFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
      audienceURI: "https://kubecost.test.com"
      rbac:
        enabled: true
        groups:
          - name: admin
            enabled: true # if admin is disabled, all SAML users will be able to make configuration changes to the kubecost frontend
            assertionName: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" # a SAML Assertion, one of whose elements has a value that matches one of the values in assertionValues
            assertionValues:
              - "admin"

          - name: readonly
            enabled: false # if readonly is disabled, all users authorized on SAML will default to readonly
            assertionName: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
      customGroups:
        - assertionName: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

mmurph3 commented 11 months ago

@passionInfinite Tracking this in JIRA for more visibility (not publicly accessible). I'll send you an email with the link.

chipzoller commented 11 months ago

@mmurph3 is this a Helm issue?

mmurph3 commented 11 months ago

@chipzoller I'm not sure yet. I'm assuming it may be an issue when enabling the Leader + follower (HA). https://docs.kubecost.com/install-and-configure/advanced-configuration/high-availability#leader-+-follower

chipzoller commented 11 months ago

I've transferred to features-bugs for now until it can be determined where the issue is here.

dwbrown2 commented 11 months ago

@mmurph3 @chipzoller need help triaging or have we determined this to be a bug?

chipzoller commented 1 month ago

Hello, in an effort to consolidate our bug and feature request tracking, we are deprecating using GitHub to track tickets. If this issue is still outstanding and you have not done so already, please raise a request at https://support.kubecost.com/.