owncloud / ocis-charts

:chart_with_upwards_trend: Helm Charts for ownCloud's OCIS
https://owncloud.dev/ocis/deployment/kubernetes/
Apache License 2.0

Can't login as local admin - stuck in "access denied" loop #139

Closed 01000101 closed 1 year ago

01000101 commented 1 year ago

Problem

The deployment seems to go OK and I can reach the web UI using a LE-signed certificate. I get the login prompt and enter the credentials ("admin" and the password from secret). It logs me in but then immediately redirects to a brief "access denied" message before looping endlessly.

Technical Information

Kubernetes: v1.25.4 (microk8s, latest) Helm: v3.10.3 OCIS: v0.1.0 (git tag)

Install

$ helm install ocis ./charts/ocis --values ../values.yaml
NAME: ocis
LAST DEPLOYED: Thu Jan  5 20:16:44 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You're now running

You can get the initial "admin" administrator user password by running:

kubectl -n <namespace> get secrets/admin-user --template='{{.data.password | base64decode}}'

values.yaml

externalDomain: owncloud.apps.k8s.example.com
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
    cert-manager.io/cluster-issuer: ingress-issuer
  tls:
  - hosts:
    - owncloud.apps.k8s.example.com
    secretName: owncloud-tls-secret

Web browser console output

2vendor-63563129.js:18 [UserManager] getUser: user not found in storage
vendor-63563129.js:18 [UserManager] signinRedirectCallback: success, signed in subject vn047YDEoJdbFHQ7@x0o8AjgeB8vaEK8M5rD1nIR359aUVKRXsY8LSSOCzV_8rJwROifQQAn9PxBxgomJlmPNEQ
vendor-63563129.js:18 [UserManager] getUser: user loaded
vendor-63563129.js:69          GET https://owncloud.apps.k8s.example.com/ocs/v1.php/cloud/user 401

(anonymous) @ oidc-callback?code=8SZsDYCDhI9Tr4sLHTFYE3Yzl5F-ZLkm&scope=email%20openid%20profile&session_state=3e9554d246b5d51a8b74198a6a0718353f6f8f1861d7c9fef14fe7557418dc00.uLU43RPb_o1qLypgjg2OyzvjkzL4qx-7qOg4mWBEVBg&state=65868ecd3490470bbe26eb37ac4f7d88:87

vendor-63563129.js:18 Uncaught (in promise) Error: Redirected when going from "/oidc-callback?code=8SZsDYCDhI9Tr4sLHTFYE3Yzl5F-ZLkm&scope=email%20openid%20profile&session_state=3e9554d246b5d51a8b74198a6a0718353f6f8f1861d7c9fef14fe7557418dc00.uLU43RPb_o1qLypgjg2OyzvjkzL4qx-7qOg4mWBEVBg&state=65868ecd3490470bbe26eb37ac4f7d88" to "/files/spaces/personal" via a navigation guard.

01000101 commented 1 year ago

I also tried disabling TLS validation as per the docs (and re-deploying fresh) but no change -

insecure:
  oidcIdpInsecure: true
  ocisHttpApiInsecure: true

01000101 commented 1 year ago

Today I re-generated all secrets from scratch and updated the config to this -

externalDomain: owncloud.apps.k8s.example.com
namespaceOverride: owncloud
ingress:
  enabled: true
  ingressClassName: nginx
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
    cert-manager.io/cluster-issuer: ingress-issuer
  tls:
  - hosts:
    - owncloud.apps.k8s.example.com
    secretName: owncloud-tls-secret
insecure:
  oidcIdpInsecure: true
  ocisHttpApiInsecure: true
features:
  basicAuthentication: true
  demoUsers: true
  externalUserManagement:
    enabled: false
logging:
  level: 'info'

In addition, I tried a fresh Kubernetes cluster hosted by Vultr (VKE) running Kubernetes v1.25.4. Exactly the same result - I log in, it's successful, but then I'm sent into an "Access Denied" loop.

01000101 commented 1 year ago

I figured it out. The issue was that the public FQDN was not resolvable by 1.1.1.1 (Cloudflare, the default DNS resolver I guess) and was causing OAuth/OIDC to fail. I'll look into how to change the resolver later, but for now I'm up and running.
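The root cause above (the chart's externalDomain not being resolvable from inside the cluster, so the OIDC flow breaks after a successful sign-in) is the kind of thing a pre-flight check catches before anyone sees the loop. The script below is an added example, not code from ocis-charts or the reporter: it resolves the externalDomain with whatever resolver the pod would use, fetches the standard OIDC discovery document at `/.well-known/openid-configuration` over a verifying TLS connection (rather than setting `oidcIdpInsecure`), and checks that the advertised issuer and endpoints live on that same domain. The `resolve_domain`, `check_issuer`, `fetch_discovery` and `preflight` function names and the sample discovery document (with its endpoint paths) are constructed for this example; the assumption that oCIS serves its discovery document on the external domain with an issuer of `https://<externalDomain>` is labelled in the code.

```python
"""Pre-flight check for an oCIS OIDC login loop (added example, not ocis-charts code).

Verifies that the chart's externalDomain resolves from the resolver this process
uses and that the OIDC discovery document advertises an issuer on that domain.
Assumption: oCIS serves /.well-known/openid-configuration on the external domain
and its issuer is https://<externalDomain>.
"""
import json
import socket
import ssl
import sys
import urllib.request
from urllib.parse import urlparse


def resolve_domain(domain, resolver=socket.gethostbyname):
    """Return the address `resolver` maps `domain` to, or None on failure.

    `resolver` is injectable so the check can be run offline in a test or
    pointed at the nameserver a pod actually uses.
    """
    try:
        return resolver(domain)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def check_issuer(discovery_doc, external_domain):
    """Compare the discovery document with externalDomain; return a list of problems."""
    problems = []
    issuer = discovery_doc.get("issuer")
    if not issuer:
        return ["discovery document has no 'issuer'"]
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        problems.append(f"issuer {issuer!r} is not https")
    if parsed.hostname != external_domain:
        problems.append(
            f"issuer host {parsed.hostname!r} != externalDomain {external_domain!r}"
        )
    # These endpoints are what the browser is redirected to after login; if they
    # point at a host the cluster cannot reach, the token exchange fails.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = discovery_doc.get(key)
        if not endpoint:
            problems.append(f"missing {key}")
        elif urlparse(endpoint).hostname != external_domain:
            problems.append(f"{key} host {urlparse(endpoint).hostname!r} != externalDomain")
    return problems


def fetch_discovery(external_domain, timeout=5):
    """Fetch the discovery document with full TLS verification (no insecure flags)."""
    url = f"https://{external_domain}/.well-known/openid-configuration"
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


def preflight(external_domain, resolver=socket.gethostbyname, fetch=fetch_discovery):
    """Run both checks; an empty list means the OIDC setup looks consistent."""
    findings = []
    if resolve_domain(external_domain, resolver) is None:
        # This is the failure mode from the issue: nothing downstream can work.
        findings.append(f"{external_domain} does not resolve with the configured resolver")
        return findings
    try:
        doc = fetch(external_domain)
    except Exception as exc:  # network, TLS or JSON errors are all findings here
        findings.append(f"discovery fetch failed: {exc}")
        return findings
    findings.extend(check_issuer(doc, external_domain))
    return findings


# Constructed sample discovery document; endpoint paths are placeholders, not oCIS's.
SAMPLE_DOMAIN = "owncloud.apps.k8s.example.com"
SAMPLE_DISCOVERY = {
    "issuer": f"https://{SAMPLE_DOMAIN}",
    "authorization_endpoint": f"https://{SAMPLE_DOMAIN}/example/authorize",
    "token_endpoint": f"https://{SAMPLE_DOMAIN}/example/token",
    "jwks_uri": f"https://{SAMPLE_DOMAIN}/example/jwks.json",
}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DOMAIN
    problems = preflight(domain)
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it from a pod in the target namespace (for example via `kubectl run` with a Python image) rather than from a workstation, since the point is to use the resolver that the oCIS pods see; a laptop that resolves the name via a public DNS server would pass while the cluster still fails.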