weaveworks / weave-gitops

Weave GitOps provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.
https://docs.gitops.weave.works/
Apache License 2.0

OIDC integration with Azure fails "NO DATA" once impersonated #4202

Open rlaflamme opened 4 months ago

rlaflamme commented 4 months ago

OIDC integration with Azure fails due to missing 'groups' scope

Environment

Weave-Gitops Version: 0.38.0
Flux Version: 2.2.3
Kubernetes version: v1.27.10-eks-508b6b3

To Reproduce
Steps to reproduce the behavior:

1. Create a new App Registration in Azure Active Directory
2. Configure oidc in helm chart
3. Deploy
4. Attempt to login via OIDC


No data ...

Still having the issue with the no data message when using OIDC and AzureAD

I read and applied the recommendations from this thread (https://github.com/weaveworks/weave-gitops/issues/2507)

Group is set in optional claims and I can see them in the token. I can see the logged username and its groups in the JWT token.

Found principal    {"user": "***", "groups": ["***"], "tokenLength": 0, "method": "*auth.JWTCookiePrincipalGetter"} 

Another observation: I had to impersonate both the user AND its group. Otherwise I get the message

"error": "user namespace access: groups \"a5cce412-2d6f-4cce-******************\" is forbidden: User \"system:serviceaccount:sbx-00:weave-gitops\"   cannot impersonate resource \"groups\" in API group \"\" at the cluster scope"}

Content of oidc-auth secret:

        Client ID:      {{ .client_id }}
        Client Secret:  {{ .client_secret }}
        Custom Scopes:  openid,profile,offline_access,email
        Issuer URL:     https://login.microsoftonline.com/bfce736f-*****/v2.0
        Redirect URL:   https://weave-gitops.sbx-00.001.wcld.************/oauth2/callback

I can see the data using the "admin" user (basic authentication, no OIDC)

Anyone have any ideas how to solve this issue once and for all?

Thank you !

Regards

Robert

olegenii commented 2 weeks ago

@rlaflamme did you create corresponding ClusterRoleBinding also?
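The two RBAC pieces the error text and this question point at, as an added example that is not from the issue or the Weave GitOps project: the service account name and namespace come from the error message above; the Flux API groups, the role names and the Azure AD group object ID are assumptions or placeholders.

```yaml
# Added example (not the project's own manifests).
# Part 1: the dashboard service account gets NO data access of its own;
# it only needs to impersonate the OIDC user and that user's groups.
# Granting "users" alone produces exactly the
# 'cannot impersonate resource "groups"' error quoted in the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: weave-gitops-impersonate        # assumed name
rules:
  - apiGroups: [""]
    resources: ["users", "groups"]
    verbs: ["impersonate"]
    # least privilege: add resourceNames with the known group IDs
    # once the Azure AD groups that should reach the dashboard are fixed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: weave-gitops-impersonate        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: weave-gitops-impersonate
subjects:
  - kind: ServiceAccount
    name: weave-gitops                  # from the error message
    namespace: sbx-00                   # from the error message
---
# Part 2: a valid token still shows "No data" when the impersonated
# identity has no RBAC of its own. Bind the Azure AD group (the object ID
# carried in the token's groups claim) to a read-only role on Flux objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gitops-reader                   # assumed name
rules:
  - apiGroups:
      - source.toolkit.fluxcd.io
      - kustomize.toolkit.fluxcd.io
      - helm.toolkit.fluxcd.io
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces", "events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitops-reader-azure-group       # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gitops-reader
subjects:
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # placeholder Azure AD group object ID
```

To check the result without logging in, `kubectl auth can-i impersonate groups --as=system:serviceaccount:sbx-00:weave-gitops` verifies part 1, and `kubectl auth can-i list kustomizations.kustomize.toolkit.fluxcd.io --as=<oidc-user> --as-group=<group-object-id>` verifies part 2 from the impersonated identity's point of view.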

allenyinx commented 1 week ago

same here. Any progress from your side? @rlaflamme

rlaflamme commented 1 week ago

I finally managed it outside the app by securing the endpoint using an API gateway (Kong) with their OIDC plugin.

I did the same with an open source solution using the APISIX gateway and their OIDC plugin.

Robert Laflamme
