Open utterances-bot opened 2 years ago
Can you please tell me why there may be an error when executing scenario 2? The oauth-proxy container is not starting :(
  oauth-proxy:
    Container ID:  cri-o://d2bbf6e5e3d07fd50017964902c705fd8f5be578efec2998df9e6bc3e67587e8
    Image:         quay.io/openshift/origin-oauth-proxy:4.1
    Image ID:      quay.io/openshift/origin-oauth-proxy@sha256:261f3493527614a764322ede2036065f3efc11a9bc6a29e06d37748929ff6f54
    Port:          8888/TCP
    Host Port:     0/TCP
    Args:
      --provider=openshift
      --https-address=:8888
      --http-address=
      --email-domain=*
      --upstream=http://localhost:8080
      --tls-cert=/etc/tls/private/tls.crt
      --tls-key=/etc/tls/private/tls.key
      --client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
      --cookie-secret-file=/etc/proxy/secrets/session_secret
      --openshift-service-account=reversewords
      --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
      --skip-auth-regex=^/metrics
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Wed, 31 Aug 2022 15:06:44 +0300
      Finished:     Wed, 31 Aug 2022 15:06:45 +0300
    Ready:          False
    Restart Count:  3
    Limits:
      cpu:     1
      memory:  750Mi
    Requests:
      cpu:     10m
      memory:  64Mi
    Environment:  <none>
    Mounts:
      /etc/proxy/secrets from secret-reversewords-proxy (rw)
      /etc/tls/private from secret-reversewords-tls (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-q9dlf (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  secret-reversewords-tls:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  reversewords-tls
    Optional:    false
  secret-reversewords-proxy:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  reversewords-proxy
    Optional:    false
  kube-api-access-q9dlf:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
    ConfigMapName:           openshift-service-ca.crt
    ConfigMapOptional:       <nil>
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason          Age                From               Message
  ----     ------          ---                ----               -------
  Normal   Scheduled       72s                default-scheduler  Successfully assigned maximvasil79-dev/reverse-words-74b5f7c9f9-lcbg7 to ip-10-0-202-251.ec2.internal
  Warning  FailedMount     69s (x4 over 73s)  kubelet            MountVolume.SetUp failed for volume "secret-reversewords-tls" : secret "reversewords-tls" not found
  Normal   AddedInterface  64s                multus             Add eth0 [10.129.3.40/23] from openshift-sdn
  Normal   Pulling         64s                kubelet            Pulling image "quay.io/mavazque/reversewords:latest"
  Normal   Pulled          63s                kubelet            Successfully pulled image "quay.io/mavazque/reversewords:latest" in 130.141107ms
  Normal   Created         63s                kubelet            Created container reverse-words
  Normal   Started         63s                kubelet            Started container reverse-words
  Normal   Pulled          21s (x4 over 63s)  kubelet            Container image "quay.io/openshift/origin-oauth-proxy:4.1" already present on machine
  Normal   Created         21s (x4 over 63s)  kubelet            Created container oauth-proxy
  Normal   Started         21s (x4 over 63s)  kubelet            Started container oauth-proxy
  Warning  BackOff         20s (x5 over 61s)  kubelet            Back-off restarting failed container
Hey @MaximusVasilenko it seems like you're missing the reversewords-tls secret. Make sure that you have the correct annotation in the service definition: service.alpha.openshift.io/serving-cert-secret-name: reversewords-tls
The annotation has been specified. Here are my current setups:
Service
kind: Service
apiVersion: v1
metadata:
  name: reverse-words
  namespace: maximvasil79-dev
  uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
  resourceVersion: '1649005017'
  creationTimestamp: '2022-08-31T12:28:21Z'
  labels:
    name: reverse-words
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.alpha.openshift.io/serving-cert-secret-name":"reversewords-tls"},"labels":{"name":"reverse-words"},"name":"reverse-words","namespace":"maximvasil79-dev"},"spec":{"ports":[{"name":"proxy","port":8888,"protocol":"TCP","targetPort":"oauth-proxy"},{"name":"app","port":8080,"protocol":"TCP","targetPort":"reverse-words"}],"selector":{"name":"reverse-words"},"sessionAffinity":"None","type":"ClusterIP"}}
    service.alpha.openshift.io/serving-cert-secret-name: reversewords-tls
    service.alpha.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1603422344
    service.beta.openshift.io/serving-cert-signed-by: openshift-service-serving-signer@1603422344
  managedFields:
    - manager: Go-http-client
      operation: Update
      apiVersion: v1
      time: '2022-08-31T12:28:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:service.alpha.openshift.io/serving-cert-signed-by': {}
            'f:service.beta.openshift.io/serving-cert-signed-by': {}
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: v1
      time: '2022-08-31T12:28:21Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
            'f:service.alpha.openshift.io/serving-cert-secret-name': {}
          'f:labels':
            .: {}
            'f:name': {}
        'f:spec':
          'f:internalTrafficPolicy': {}
          'f:ports':
            .: {}
            'k:{"port":8080,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
            'k:{"port":8888,"protocol":"TCP"}':
              .: {}
              'f:name': {}
              'f:port': {}
              'f:protocol': {}
              'f:targetPort': {}
          'f:selector': {}
          'f:sessionAffinity': {}
          'f:type': {}
spec:
  clusterIP: 172.30.188.114
  ipFamilies:
    - IPv4
  ports:
    - name: proxy
      protocol: TCP
      port: 8888
      targetPort: oauth-proxy
    - name: app
      protocol: TCP
      port: 8080
      targetPort: reverse-words
  internalTrafficPolicy: Cluster
  clusterIPs:
    - 172.30.188.114
  type: ClusterIP
  ipFamilyPolicy: SingleStack
  sessionAffinity: None
  selector:
    name: reverse-words
status:
  loadBalancer: {}
Deployment
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
    deployment.kubernetes.io/revision: '1'
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"name":"reverse-words"},"name":"reverse-words","namespace":"maximvasil79-dev"},"spec":{"replicas":1,"selector":{"matchLabels":{"name":"reverse-words"}},"template":{"metadata":{"labels":{"name":"reverse-words"}},"spec":{"containers":[{"image":"quay.io/mavazque/reversewords:latest","imagePullPolicy":"Always","name":"reverse-words","ports":[{"containerPort":8080,"name":"reverse-words","protocol":"TCP"}]},{"args":["--provider=openshift","--https-address=:8888","--http-address=","--email-domain=*","--upstream=http://localhost:8080","--tls-cert=/etc/tls/private/tls.crt","--tls-key=/etc/tls/private/tls.key","--client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token","--cookie-secret-file=/etc/proxy/secrets/session_secret","--openshift-service-account=reversewords","--openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt","--skip-auth-regex=^/metrics"],"image":"quay.io/openshift/origin-oauth-proxy:4.9.0","imagePullPolicy":"IfNotPresent","name":"oauth-proxy","ports":[{"containerPort":8888,"name":"oauth-proxy","protocol":"TCP"}],"volumeMounts":[{"mountPath":"/etc/tls/private","name":"secret-reversewords-tls"},{"mountPath":"/etc/proxy/secrets","name":"secret-reversewords-proxy"}]}],"serviceAccountName":"reversewords","volumes":[{"name":"secret-reversewords-tls","secret":{"defaultMode":420,"secretName":"reversewords-tls"}},{"name":"secret-reversewords-proxy","secret":{"defaultMode":420,"secretName":"reversewords-proxy"}}]}}}}
  resourceVersion: '1649406669'
  name: reverse-words
  uid: d661a18d-52cf-499e-9629-fcf22eafbba7
  creationTimestamp: '2022-08-31T12:28:05Z'
  generation: 1
  managedFields:
    - manager: kubectl-client-side-apply
      operation: Update
      apiVersion: apps/v1
      time: '2022-08-31T12:28:05Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            .: {}
            'f:kubectl.kubernetes.io/last-applied-configuration': {}
          'f:labels':
            .: {}
            'f:name': {}
        'f:spec':
          'f:progressDeadlineSeconds': {}
          'f:replicas': {}
          'f:revisionHistoryLimit': {}
          'f:selector': {}
          'f:strategy':
            'f:rollingUpdate':
              .: {}
              'f:maxSurge': {}
              'f:maxUnavailable': {}
            'f:type': {}
          'f:template':
            'f:metadata':
              'f:labels':
                .: {}
                'f:name': {}
            'f:spec':
              'f:volumes':
                .: {}
                'k:{"name":"secret-reversewords-proxy"}':
                  .: {}
                  'f:name': {}
                  'f:secret':
                    .: {}
                    'f:defaultMode': {}
                    'f:secretName': {}
                'k:{"name":"secret-reversewords-tls"}':
                  .: {}
                  'f:name': {}
                  'f:secret':
                    .: {}
                    'f:defaultMode': {}
                    'f:secretName': {}
              'f:containers':
                'k:{"name":"oauth-proxy"}':
                  'f:image': {}
                  'f:volumeMounts':
                    .: {}
                    'k:{"mountPath":"/etc/proxy/secrets"}':
                      .: {}
                      'f:mountPath': {}
                      'f:name': {}
                    'k:{"mountPath":"/etc/tls/private"}':
                      .: {}
                      'f:mountPath': {}
                      'f:name': {}
                  'f:terminationMessagePolicy': {}
                  .: {}
                  'f:resources': {}
                  'f:args': {}
                  'f:terminationMessagePath': {}
                  'f:imagePullPolicy': {}
                  'f:ports':
                    .: {}
                    'k:{"containerPort":8888,"protocol":"TCP"}':
                      .: {}
                      'f:containerPort': {}
                      'f:name': {}
                      'f:protocol': {}
                  'f:name': {}
                'k:{"name":"reverse-words"}':
                  .: {}
                  'f:image': {}
                  'f:imagePullPolicy': {}
                  'f:name': {}
                  'f:ports':
                    .: {}
                    'k:{"containerPort":8080,"protocol":"TCP"}':
                      .: {}
                      'f:containerPort': {}
                      'f:name': {}
                      'f:protocol': {}
                  'f:resources': {}
                  'f:terminationMessagePath': {}
                  'f:terminationMessagePolicy': {}
              'f:dnsPolicy': {}
              'f:serviceAccount': {}
              'f:restartPolicy': {}
              'f:schedulerName': {}
              'f:terminationGracePeriodSeconds': {}
              'f:serviceAccountName': {}
              'f:securityContext': {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: apps/v1
      time: '2022-08-31T15:28:31Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:deployment.kubernetes.io/revision': {}
        'f:status':
          'f:conditions':
            .: {}
            'k:{"type":"Available"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:lastUpdateTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
            'k:{"type":"Progressing"}':
              .: {}
              'f:lastTransitionTime': {}
              'f:lastUpdateTime': {}
              'f:message': {}
              'f:reason': {}
              'f:status': {}
              'f:type': {}
          'f:observedGeneration': {}
          'f:replicas': {}
          'f:unavailableReplicas': {}
          'f:updatedReplicas': {}
      subresource: status
  namespace: maximvasil79-dev
  labels:
    name: reverse-words
spec:
  replicas: 1
  selector:
    matchLabels:
      name: reverse-words
  template:
    metadata:
      creationTimestamp: null
      labels:
        name: reverse-words
    spec:
      restartPolicy: Always
      serviceAccountName: reversewords
      schedulerName: default-scheduler
      terminationGracePeriodSeconds: 30
      securityContext: {}
      containers:
        - name: reverse-words
          image: 'quay.io/mavazque/reversewords:latest'
          ports:
            - name: reverse-words
              containerPort: 8080
              protocol: TCP
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: Always
        - resources: {}
          terminationMessagePath: /dev/termination-log
          name: oauth-proxy
          ports:
            - name: oauth-proxy
              containerPort: 8888
              protocol: TCP
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: secret-reversewords-tls
              mountPath: /etc/tls/private
            - name: secret-reversewords-proxy
              mountPath: /etc/proxy/secrets
          terminationMessagePolicy: File
          image: 'quay.io/openshift/origin-oauth-proxy:4.9.0'
          args:
            - '--provider=openshift'
            - '--https-address=:8888'
            - '--http-address='
            - '--email-domain=*'
            - '--upstream=http://localhost:8080'
            - '--tls-cert=/etc/tls/private/tls.crt'
            - '--tls-key=/etc/tls/private/tls.key'
            - >-
              --client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
            - '--cookie-secret-file=/etc/proxy/secrets/session_secret'
            - '--openshift-service-account=reversewords'
            - >-
              --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - '--skip-auth-regex=^/metrics'
      serviceAccount: reversewords
      volumes:
        - name: secret-reversewords-tls
          secret:
            secretName: reversewords-tls
            defaultMode: 420
        - name: secret-reversewords-proxy
          secret:
            secretName: reversewords-proxy
            defaultMode: 420
      dnsPolicy: ClusterFirst
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
status:
  observedGeneration: 1
  replicas: 1
  updatedReplicas: 1
  unavailableReplicas: 1
  conditions:
    - type: Progressing
      status: 'True'
      lastUpdateTime: '2022-08-31T12:49:40Z'
      lastTransitionTime: '2022-08-31T12:49:40Z'
      reason: NewReplicaSetAvailable
      message: ReplicaSet "reverse-words-8d68f47f7" has successfully progressed.
    - type: Available
      status: 'False'
      lastUpdateTime: '2022-08-31T15:28:31Z'
      lastTransitionTime: '2022-08-31T15:28:31Z'
      reason: MinimumReplicasUnavailable
      message: Deployment does not have minimum availability.
reversewords-proxy
kind: Secret
apiVersion: v1
metadata:
  name: reversewords-proxy
  namespace: maximvasil79-dev
  uid: 1c0d47cb-bda4-4610-9c0d-dbe784c7f3f7
  resourceVersion: '1648550189'
  creationTimestamp: '2022-08-31T09:02:51Z'
  managedFields:
    - manager: kubectl-create
      operation: Update
      apiVersion: v1
      time: '2022-08-31T09:02:51Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          .: {}
          'f:session_secret': {}
        'f:type': {}
data:
  session_secret: ''
type: Opaque
reversewords-tls
kind: Secret
apiVersion: v1
metadata:
  name: reversewords-tls
  namespace: maximvasil79-dev
  uid: 421a2060-6352-40d7-a9d1-c8b2bae5bf28
  resourceVersion: '1649451757'
  creationTimestamp: '2022-08-31T15:49:19Z'
  annotations:
    service.alpha.openshift.io/expiry: '2024-08-30T15:49:19Z'
    service.alpha.openshift.io/originating-service-name: reverse-words
    service.alpha.openshift.io/originating-service-uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
    service.beta.openshift.io/expiry: '2024-08-30T15:49:19Z'
  ownerReferences:
    - apiVersion: v1
      kind: Service
      name: reverse-words
      uid: 12605192-1edc-4a7a-b57a-cb578cbde11d
  managedFields:
    - manager: Go-http-client
      operation: Update
      apiVersion: v1
      time: '2022-08-31T15:49:19Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:data':
          .: {}
          'f:tls.crt': {}
          'f:tls.key': {}
        'f:metadata':
          'f:annotations':
            .: {}
            'f:service.alpha.openshift.io/expiry': {}
            'f:service.alpha.openshift.io/originating-service-name': {}
            'f:service.alpha.openshift.io/originating-service-uid': {}
            'f:service.beta.openshift.io/expiry': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"12605192-1edc-4a7a-b57a-cb578cbde11d"}': {}
        'f:type': {}
data:
  tls.crt: >-
    [base64 certificate data omitted]
  tls.key: >-
    [base64 key data omitted]
type: kubernetes.io/tls
@MaximusVasilenko which OCP version are you using? Could you share output for:
oc -n reverse-words get secret
I used OCP 4.10.28. I am using a different namespace since this is a tutorial project on the Red Hat Sandbox; I don't have permission to create a different namespace.
oc -n maximvasil79-dev get secret
NAME                           TYPE                                  DATA   AGE
builder-dockercfg-lwz2d        kubernetes.io/dockercfg               1      2d5h
builder-token-f6sxd            kubernetes.io/service-account-token   4      2d5h
builder-token-ws7pv            kubernetes.io/service-account-token   4      2d5h
default-dockercfg-v8v29        kubernetes.io/dockercfg               1      2d5h
default-token-th9lc            kubernetes.io/service-account-token   4      2d5h
default-token-v5mlv            kubernetes.io/service-account-token   4      2d5h
deployer-dockercfg-7ldpw       kubernetes.io/dockercfg               1      2d5h
deployer-token-9z2vw           kubernetes.io/service-account-token   4      2d5h
deployer-token-l2ggt           kubernetes.io/service-account-token   4      2d5h
reversewords-dockercfg-j95xg   kubernetes.io/dockercfg               1      7h57m
reversewords-proxy             Opaque                                1      8h
reversewords-tls               kubernetes.io/tls                     2      79m
reversewords-token-66b9s       kubernetes.io/service-account-token   4      7h57m
reversewords-token-msp6f       kubernetes.io/service-account-token   4      7h57m
The secret is there, it seems the container is crashing. What do the logs say?
oc -n maximvasil79-dev logs deployment/reverse-words --all-containers
2022/08/31 12:28:39 Starting Reverse Api v0.0.25 Release: NotSet
2022/08/31 12:28:39 Listening on port 8080
2022/08/31 17:41:20 provider.go:128: Defaulting client-id to system:serviceaccount:maximvasil79-dev:reversewords
2022/08/31 17:41:20 provider.go:133: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token
2022/08/31 17:41:20 main.go:140: Invalid configuration:
missing setting: cookie-secret
Thank you very much! I figured it out. The problem was creating:
oc -n reverse-words create secret generic reversewords-proxy --from-literal=session_secret=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c43)
Error:
tr: Illegal byte sequence
This helped:
oc -n maximvasil79-dev create secret generic reversewords-proxy --from-literal=session_secret=$(export LC_ALL=C; head /dev/urandom | tr -dc A-Za-z0-9 | head -c43)
Could you be so kind as to explain how to access a service guarded by OAuth Proxy from the command line of another pod?
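The two comments above show what went wrong with the cookie secret: the tr pipeline died with "Illegal byte sequence" in a UTF-8 locale, the command substitution expanded to nothing, and the Secret ended up with session_secret: '' (visible in the reversewords-proxy dump earlier), which oauth-proxy reports as "missing setting: cookie-secret". As an added example (not from the blog post or from anyone in this thread), here is a locale-independent way to produce the same 43-character alphanumeric value and to refuse an empty or weak one before the Secret is created. The function names, the Secret name reversewords-proxy as default and the 128-bit floor are my choices; the alphabet and length come from the oc one-liner in the thread.

```python
import base64
import json
import math
import secrets
import string

# Same alphabet and length as the thread's one-liner (tr -dc A-Za-z0-9 | head -c43).
ALPHABET = string.ascii_letters + string.digits
SECRET_LENGTH = 43


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly drawn string: length * log2(len(alphabet)).
    43 characters over 62 symbols gives just over 256 bits, which is why the
    blog post picked 43."""
    return length * math.log2(len(alphabet))


def generate_session_secret(length=SECRET_LENGTH):
    """Draw the cookie secret from the OS CSPRNG via the secrets module.
    Unlike `tr` on raw /dev/urandom bytes, this does not depend on LC_ALL."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def check_session_secret(value, min_bits=128.0):
    """Return the problems with a candidate value; an empty list means OK."""
    if value == "":
        # This is what the failed shell pipeline produced in the thread.
        return ["session_secret is empty (oauth-proxy reports: missing setting: cookie-secret)"]
    problems = []
    if any(ch not in ALPHABET for ch in value):
        problems.append("session_secret contains characters outside A-Za-z0-9")
    if entropy_bits(len(value)) < min_bits:
        problems.append(f"session_secret has only {entropy_bits(len(value)):.0f} bits of entropy")
    return problems


def secret_manifest(namespace, value, name="reversewords-proxy"):
    """Build the Secret that `oc create secret generic` would create, so it can be
    reviewed and applied with `oc apply -f`. Refuses a value that fails the checks."""
    problems = check_session_secret(value)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        # Secret.data values are base64 (stringData would take the plain value).
        "data": {"session_secret": base64.b64encode(value.encode()).decode()},
    }


if __name__ == "__main__":
    print(json.dumps(secret_manifest("maximvasil79-dev", generate_session_secret()), indent=2))
```

Piping the printed manifest into `oc apply -f -` replaces the `--from-literal` step; the point of the check is that an empty substitution can no longer reach the cluster unnoticed, which is the failure mode the thread spent several comments tracking down.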
Hey @ostero I just added a fourth scenario covering that.
Hope that helps!
Yes, thank you! "Authorization: Bearer $(oc get serviceaccounts get-token ...)" is what I was looking for.
This guide is a real saviour! Thanks!
My OAuth proxy is throwing the error "2023/06/20 11:13:51 server.go:2753: http: TLS handshake error from 172.17.34.39:42002: remote error: tls: internal error" when implementing step 2.
I find it very challenging to debug because it gives so little info about what is going wrong.
I do notice that the TLS certificate points to this DNS name: DNS:doc-service.documentation.svc.cluster.local, and the URL itself is: documentation-authenticated-documentation.dsp01-b28f24b6e72e7e5cc659c2395b8d4252-0000.eu-de.containers.appdomain.cloud
Any idea what could be the issue?
@aufbakanleitung make sure you're annotating the serviceaccount properly. Also check your upstream config: is it an HTTP or an HTTPS endpoint?
I think so, annotations are always a bit magical to me, but I did what your guide suggests.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: documentation
  namespace: documentation
  uid: 2953919e-4271-4c5e-ba46-c1f6ca78acb8
  resourceVersion: '37172018'
  creationTimestamp: '2023-06-19T09:32:52Z'
  annotations:
    serviceaccounts.openshift.io/oauth-redirectreference.documentation: >-
      {"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"documentation-authenticated"}}
secrets:
  - name: documentation-dockercfg-kts4s
imagePullSecrets:
  - name: cr-pull-secret
  - name: documentation-dockercfg-kts4s
As to my upstream config, it's HTTP and I just took over the localhost from your guide. Is that correct?
The Deployment YAML args look like this (9090 is the containerPort of my Nginx webpage):
- image: openshift/oauth-proxy
  name: oauth-proxy
  args:
    - -provider=openshift
    - -https-address=:8888
    - -http-address=
    - -email-domain=*
    - -upstream=http://localhost:9090
    - -tls-cert=/etc/tls/private/tls.crt
    - -tls-key=/etc/tls/private/tls.key
Does anything jump out to you?
@aufbakanleitung I'd say you're missing some arguments for the oauth-proxy container. I don't see these defined:
- -cookie-secret-file=/etc/proxy/secrets/session_secret
- -openshift-service-account=documentation
- -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- -skip-auth-regex=^/metrics
I have all those args actually. Not sure why I didn't copy them in that post... I guess I didn't want to overwhelm with too much info, like posting the entire Deployment YAML:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth-documentation
  namespace: documentation
  labels:
    name: oauth-documentation
spec:
  replicas: 1
  selector:
    matchLabels:
      name: documentation
  template:
    metadata:
      labels:
        name: documentation
    spec:
      containers:
        - image: de.icr.io/moddsp/documentation_page
          name: documentation-page
          ports:
            - containerPort: 9090
          # This config is necessary to comply with OpenShift security constraints
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
          # Explicitly adding all the volumeMounts is necessary because the pod
          # doesn't run as root, so it can't create these volumes itself
          volumeMounts:
            - mountPath: /var/cache/nginx
              name: nginx-cache
            - mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
              name: nginx-config
            - mountPath: /var/run
              name: nginx-pid
        - image: openshift/oauth-proxy
          name: oauth-proxy
          args:
            - -provider=openshift
            - -https-address=:8888
            - -http-address=
            - -email-domain=*
            - -upstream=http://localhost:9090
            - -tls-cert=/etc/tls/private/tls.crt
            - -tls-key=/etc/tls/private/tls.key
            - -cookie-secret-file=/etc/proxy/secrets/session_secret
            - -openshift-service-account=documentation
            - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
            - -skip-auth-regex=^/metrics
            - -openshift-service-account=documentation
            - -openshift-sar={"resource":"namespaces","resourceName":"documentation","namespace":"documentation","verb":"get"}
          # image: quay.io/openshift/origin-oauth-proxy:4.13
          ports:
            - name: oauth-proxy
              containerPort: 8888
              protocol: TCP
          # Mounts also have to be added manually
          volumeMounts:
            - mountPath: /etc/tls/private
              name: secret-documentation-tls
            - mountPath: /etc/proxy/secrets
              name: secret-documentation-proxy
          # This config is necessary to comply with OpenShift security constraints
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
            runAsNonRoot: true
          env:
            - name: OAUTH_PROXY_LOG_LEVEL
              value: debug
            - name: OAUTH_PROXY_LOG_HTTP_BODY
              value: "true"
      serviceAccountName: documentation
      # These volumes match the volumeMounts above
      volumes:
        - name: secret-documentation-tls
          secret:
            defaultMode: 420
            secretName: documentation-tls
        - name: secret-documentation-proxy
          secret:
            defaultMode: 420
            secretName: documentation-proxy
        - name: nginx-cache
        - name: nginx-config
          configMap:
            name: nginx-config
        - name: nginx-pid
          emptyDir: { }
@aufbakanleitung Are you getting redirected when accessing the documentation app route? If so, are you presented with the login screen?
Do you get the error below when logging in with user and password?
2023/06/20 11:13:51 server.go:2753: http: TLS handshake error from 172.17.34.39:42002: remote error: tls: internal error
Using OpenShift OAuth Proxy to secure your Applications on OpenShift | Linuxera
What is OAuth Proxy: a reverse proxy and static file server that provides authentication and authorization to an OpenShift OAuth server or Kubernetes master supporting the 1.6+ remote authorization endpoints to validate access to content. It is intended for use within OpenShift clusters to make it easy to run both end-user and infrastructure services that do not provide their own authentication. [Source] Securing an Application with OAuth Proxy: in this blog post we are going to deploy OAuth Proxy in front of a simple application.
https://linuxera.org/oauth-proxy-secure-applications-openshift/