litmuschaos / litmus

Litmus helps SREs and developers practice chaos engineering in a Cloud-native way. Chaos experiments are published at the ChaosHub (https://hub.litmuschaos.io). Community notes is at https://hackmd.io/a4Zu_sH4TZGeih-xCimi3Q
https://litmuschaos.io
Apache License 2.0

Dex and Azure AD Connector Configuration #4080

Open bolanlesd opened 1 year ago

bolanlesd commented 1 year ago

Hello folks, I need your help with integrating Dex with Litmus Chaos. I am using an Azure AD connector and also an ingress instead of NodePort. My ingress is using an existing ALB, hence I used the group name and name of the existing ALB.

I am getting the error when I visit https://chaos.my-domain.com/auth/dex/login.

Bad Request User session error.

Any help will be appreciated, thanks in advance.

Below is my yaml "dex-deployment.yaml":

---
# ConfigMap for DexServer
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-server-admin-config
  namespace: litmus
data:
  config.yaml: |
    issuer: http://chaos.my-domain.com
    storage:
      type: kubernetes
      config:
        inCluster: true

    web:
      http: 0.0.0.0:5556

    staticClients:
      - id: LitmusPortalAuthBackend
        redirectURIs:
          - '/auth/dex/callback'
          - 'http://localhost:8080/auth/dex/callback' # Included for local testing purposes
          - 'https://chaos.my-domain.com/auth/dex/callback'
        name: 'LitmusPortalAuthBackend'
        secret: my-client-secret-value

    oauth2:
      skipApprovalScreen: true

    connectors:
      - type: oidc
        id: azure
        name: Azure
        config:
          issuer: https://login.microsoftonline.com/xxxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx/v2.0
          clientID: xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
          clientSecret: xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
          redirectURI: https://chaos.my-domain.com/callback
          scopes:
          - openid
          - profile
          - email
          - "https://graph.microsoft.com/Group.Read.All"

---
# ClusterRole for DexServer
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: litmus-dex-server
rules:
- apiGroups: [dex.coreos.com]
  resources: [authcodes, authrequests, connectors, devicerequests, devicetokens, oauth2clients, offlinesessionses, passwords, refreshtokens, signingkeies]
  verbs: [delete, deletecollection, get, list, patch, create, update, watch]
---
# ClusterRoleBinding for DexServer
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: litmus-dex-server-crb
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: litmus-dex-server
subjects:
- kind: ServiceAccount
  name: litmus-server-account
  namespace: litmus
---
# Deployment for DexServer
apiVersion: apps/v1
kind: Deployment
metadata:
  name: litmusportal-dex-server
  namespace: litmus
  labels:
    component: litmusportal-dex-server
spec:
  replicas: 1
  selector:
    matchLabels:
      component: litmusportal-dex-server
  template:
    metadata:
      labels:
        component: litmusportal-dex-server
    spec:
      serviceAccountName: litmus-server-account
      containers:
      - name: litmus-dex
        imagePullPolicy: IfNotPresent
        image: litmuschaos/litmusportal-dex-server:ci
        command: [/usr/local/bin/dex, serve, /etc/dex/cfg/config.yaml]
        ports:
        - containerPort: 5556
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
      volumes:
      - name: config
        configMap:
          name: dex-server-admin-config
          items:
          - key: config.yaml
            path: config.yaml
---
# Exposed service for DexServer
apiVersion: v1
kind: Service
metadata:
  name: litmusportal-dex-service
  namespace: litmus
spec:
  type: ClusterIP
  ports:
  - name: dex-server
    port: 5556
    protocol: TCP
    targetPort: 5556
  selector:
    component: litmusportal-dex-server

---
# Ingress for DexServer
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dex-ingress
  namespace: litmus
  annotations:
    alb.ingress.kubernetes.io/group.name: my-alb
    alb.ingress.kubernetes.io/load-balancer-name: eks-ingress-alb
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/healthcheck-path: /.well-known/openid-configuration
spec:
  ingressClassName: alb
  rules:
  - host: chaos.my-domain.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: litmusportal-dex-service
            port:
              number: 5556

Also I configured my chaos-litmus-auth-server with:

kubectl set env deployment/chaos-litmus-auth-server -n litmus --containers="auth-server" DEX_ENABLED=true OIDC_ISSUER=https://chaos.my-domain.com DEX_OAUTH_CALLBACK_URL=https://chaos.my-domain.com/auth/dex/callback DEX_OAUTH_CLIENT_ID=LitmusPortalAuthBackend DEX_OAUTH_CLIENT_SECRET=my-client-secret-value
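
The posted Dex config and the auth-server environment have to agree on a handful of values (issuer, client id and secret, callback URLs), and a mismatch in any of them surfaces as an opaque login error. The script below is an added example, not code from the issue or from the Litmus or Dex projects: it mirrors the posted `config.yaml` and `kubectl set env` values as constructed Python dicts (the tenant id is a placeholder) and cross-checks them the way the OIDC flow will. The function names (`check_dex_config`, `fixed_config`) and the `INGRESS_LISTENS_HTTPS` flag are hypothetical helpers written for this page.

```python
"""Consistency checks for a Dex + Litmus auth-server OIDC setup.

Added example for this issue; not part of Litmus or Dex. The dicts below are
constructed to mirror the ConfigMap and the kubectl set env command above.
"""
import copy
from urllib.parse import urlparse

# Constructed: mirrors the posted dex-server-admin-config config.yaml.
DEX_CONFIG = {
    "issuer": "http://chaos.my-domain.com",
    "staticClients": [{
        "id": "LitmusPortalAuthBackend",
        "redirectURIs": [
            "/auth/dex/callback",
            "http://localhost:8080/auth/dex/callback",
            "https://chaos.my-domain.com/auth/dex/callback",
        ],
        "secret": "my-client-secret-value",
    }],
    "connectors": [{
        "type": "oidc",
        "id": "azure",
        "config": {
            "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
            "redirectURI": "https://chaos.my-domain.com/callback",
        },
    }],
}

# Constructed: the values passed to the auth-server via kubectl set env.
AUTH_SERVER_ENV = {
    "DEX_ENABLED": "true",
    "OIDC_ISSUER": "https://chaos.my-domain.com",
    "DEX_OAUTH_CALLBACK_URL": "https://chaos.my-domain.com/auth/dex/callback",
    "DEX_OAUTH_CLIENT_ID": "LitmusPortalAuthBackend",
    "DEX_OAUTH_CLIENT_SECRET": "my-client-secret-value",
}

# Constructed: the ALB listen-ports annotation above includes HTTPS 443.
INGRESS_LISTENS_HTTPS = True


def check_dex_config(dex, env, ingress_https):
    """Return a list of (severity, message) findings; an empty list means consistent."""
    findings = []
    issuer = dex["issuer"].rstrip("/")

    # 1. OIDC discovery compares the issuer advertised at
    #    /.well-known/openid-configuration with the configured OIDC_ISSUER;
    #    any difference (scheme, host, path) fails before a login can start.
    if issuer != env["OIDC_ISSUER"].rstrip("/"):
        findings.append(("error", f"Dex issuer {issuer!r} != OIDC_ISSUER {env['OIDC_ISSUER']!r}"))

    # 2. Behind a TLS-terminating ingress the public issuer must be the https origin,
    #    otherwise tokens and session cookies are bound to a plaintext origin.
    if ingress_https and urlparse(issuer).scheme != "https":
        findings.append(("error", f"issuer uses {urlparse(issuer).scheme} but ingress serves https"))

    # 3. Dex matches redirect_uri exactly against the static client's list.
    client = next((c for c in dex["staticClients"] if c["id"] == env["DEX_OAUTH_CLIENT_ID"]), None)
    if client is None:
        findings.append(("error", f"no staticClient with id {env['DEX_OAUTH_CLIENT_ID']!r}"))
    else:
        if env["DEX_OAUTH_CALLBACK_URL"] not in client["redirectURIs"]:
            findings.append(("error", "DEX_OAUTH_CALLBACK_URL is not registered on the static client"))
        if client["secret"] != env["DEX_OAUTH_CLIENT_SECRET"]:
            findings.append(("error", "client secret differs between Dex and auth-server"))
        for uri in client["redirectURIs"]:
            parsed = urlparse(uri)
            if not parsed.scheme:
                findings.append(("warn", f"relative redirectURI {uri!r} is not an absolute URL"))
            elif parsed.hostname not in ("localhost", "127.0.0.1") and parsed.scheme != "https":
                findings.append(("warn", f"non-https redirectURI {uri!r}"))

    # 4. Dex receives the upstream IdP's redirect at <issuer>/callback, so the
    #    connector redirectURI must equal issuer + "/callback" and be registered in Azure.
    for conn in dex["connectors"]:
        expected = issuer + "/callback"
        got = conn["config"]["redirectURI"]
        if got != expected:
            findings.append(("error", f"connector {conn['id']!r} redirectURI {got!r} != {expected!r}"))
    return findings


def fixed_config():
    """Copy of DEX_CONFIG with the values aligned to the https public origin."""
    fixed = copy.deepcopy(DEX_CONFIG)
    fixed["issuer"] = "https://chaos.my-domain.com"
    fixed["staticClients"][0]["redirectURIs"] = ["https://chaos.my-domain.com/auth/dex/callback"]
    fixed["connectors"][0]["config"]["redirectURI"] = "https://chaos.my-domain.com/callback"
    return fixed


if __name__ == "__main__":
    for severity, msg in check_dex_config(DEX_CONFIG, AUTH_SERVER_ENV, INGRESS_LISTENS_HTTPS):
        print(f"[{severity}] {msg}")
    print("fixed config findings:", check_dex_config(fixed_config(), AUTH_SERVER_ENV, INGRESS_LISTENS_HTTPS))
```

Run as-is it reports the issuer scheme mismatch against both `OIDC_ISSUER` and the HTTPS ingress, the connector `redirectURI` that does not equal `<issuer>/callback`, and the relative `/auth/dex/callback` entry; the aligned copy from `fixed_config()` produces no findings. Separately, both the static client secret and the Azure `clientSecret` sit in a ConfigMap here; a Kubernetes Secret (or Dex's `$ENV_VAR` expansion from a Secret-backed env var) keeps them out of readable config.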

Calvinaud commented 8 months ago

Hello,

Do you have the logs of the auth-server/dex-server when you have this issue? Also you will probably need this option at one point: insecureSkipEmailVerified: true.