weaveworks / weave-gitops

Weave GitOps provides insights into your application deployments, and makes continuous delivery with GitOps easier to adopt and scale across your teams.
https://docs.gitops.weave.works/
Apache License 2.0

Unable to see the replicasets and pods using admin user #4206

Open absnmohammedsedex opened 2 months ago

absnmohammedsedex commented 2 months ago

There are 2 different questions here,

  1. I can log in using basic username and password authentication, but I cannot see the replicasets and pods. Is it something not yet added to the dashboard or am I missing something here?
  2. I am using external ingress with OIDC authentication. It works fine and it takes me to the login page, where it asks for a username and password (admin user and password), then it allows me to log in. I am not using the weave gitops OIDC config here. I can log in via both authentications but cannot see the replicasets and pods.

If I try to bypass the adminUser, the pod fails with CrashLoopRecovery.

Can I bypass the adminUser as I can login via AD OIDC? How can I see the replicasets, pods and pod logs?

I have checked the RBAC clusterRole and have allowed full access and added admin user to impersonationResourceNames list.

Environment

To Reproduce

Steps to reproduce the behavior:

$ PASSWORD="averyverystrongpassword"
$ gitops create dashboard ww-gitops \
  --password=$PASSWORD \
  --export > ./clusters/ovh-fluxcd/weave/weave-gitops-dashboard.yaml

Expected behavior

Actual Behavior

I'm not seeing any of these, except the deployments, helm releases.

Additional Context (screenshots, logs, etc)

absnmohammedsedex commented 2 months ago

I see the following errors in logs,

2024-09-12T11:26:00.093Z    INFO    gitops.auth-server  auth/server.go:462  failed to get ID Token from request
2024-09-12T11:26:00.093Z    INFO    gitops  middleware/middleware.go:61 request error   {"uri": "/oauth2/userinfo", "status": 400}
2024-09-12T11:26:00.119Z    INFO    gitops.auth-server  auth/server.go:462  failed to get ID Token from request
2024-09-12T11:26:00.119Z    INFO    gitops  middleware/middleware.go:61 request error   {"uri": "/oauth2/userinfo", "status": 400}
[controller-runtime] log.SetLogger(...) was never called, logs will not be displayed:
goroutine 195 [running]:
runtime/debug.Stack()
    /usr/local/go/src/runtime/debug/stack.go:24 +0x7a
sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/log/log.go:59 +0xae
sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).WithName(0xc0003a1040, {0x32940c3, 0x14})
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/log/deleg.go:147 +0x4f
github.com/go-logr/logr.Logger.WithName({{0x35a1580, 0xc0003a1040}, 0x0}, {0x32940c3, 0x14})
    /go/pkg/mod/github.com/go-logr/logr@v1.2.4/logr.go:336 +0x66
sigs.k8s.io/controller-runtime/pkg/client.newClient(0xc0022d0000, {0x0, 0xc0000b8070, {0x35a2e70, 0xc0021b3340}, 0x0, {0x0, 0x0}, 0x0})
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/client/client.go:120 +0x14b
sigs.k8s.io/controller-runtime/pkg/client.New(0xc0002eb440, {0x0, 0xc0000b8070, {0x35a2e70, 0xc0021b3340}, 0x0, {0x0, 0x0}, 0x0})
    /go/pkg/mod/sigs.k8s.io/controller-runtime@v0.15.1/pkg/client/client.go:101 +0xd8
github.com/weaveworks/weave-gitops/core/clustersmngr/cluster.getClientFromConfig(0xc0002eb440, 0xc0000b8070)
    /app/core/clustersmngr/cluster/single.go:68 +0x493
github.com/weaveworks/weave-gitops/core/clustersmngr/cluster.(*singleCluster).GetUserClient(0xc0006172c0, 0xc00185da10)
    /app/core/clustersmngr/cluster/single.go:93 +0x18d
github.com/weaveworks/weave-gitops/core/clustersmngr.(*clustersManager).getOrCreateClient(0xc0004f4140, 0xc00185da10, {0x35a2420, 0xc0006172c0})
    /app/core/clustersmngr/factory.go:627 +0x4b6
github.com/weaveworks/weave-gitops/core/clustersmngr.(*clustersManager).getUserClientWithNamespaces.func1({0x35a2420, 0xc0006172c0}, {0x358f980, 0xc0003126e0}, 0xc0007bbd40)
    /app/core/clustersmngr/factory.go:430 +0x105
created by github.com/weaveworks/weave-gitops/core/clustersmngr.(*clustersManager).getUserClientWithNamespaces
    /app/core/clustersmngr/factory.go:427 +0x416

gecube commented 2 months ago

Hi! I am not an administrator, a developer, or a consultant from Weave, so the below is only my POV:

  1. Weave gitops shows only basic objects without any relation to downstream objects. It is not how ArgoCD or luntry work - they show the full chain of related objects. And for us it wasn't an issue.
  2. I have no idea. So you want to set up OIDC and not set up the admin user, right?

absnmohammedsedex commented 2 months ago

@gecube, thank you for the comments. I can get it working using an external ingress with AWS Cognito integration, but I need to authenticate using the admin creds that log me in without access to the pods.

If weave gitops doesn't show the pods, then it's useless for us. By reading the documentation, they mentioned it shows the pods, replicasets, etc. I do see deployments and other k8s objects except pods and replicaset. I am assuming it might be due to the permission issue.

absnmohammedsedex commented 2 months ago

I can log in as admin but am unable to see pods for weave gitops as shown in the screenshot. I have checked the cluster permissions assigned to the admin user; it has permission to list and show pods.

[Screenshot 2024-09-17 at 14 13 24]

gecube commented 2 months ago

Hm, strange... maybe I am wrong. I checked the docs for weave gitops... Please take a look.

Here: https://github.com/weaveworks/weave-gitops/blob/main/doc/img/02-workload-detail.png

we don't see any rs and pods

but here:

https://github.com/weaveworks/weave-gitops/blob/main/doc/img/03-graph.png

we see.

It is very interesting which permissions weave gitops itself has, as it utilises the RBAC of k8s. Let's say your OIDC user doesn't have permission in the RBAC of k8s to see deployments; then weave gitops won't allow you to see them.
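
The RBAC check described in the comment above, as an added example that is not part of the original thread or the Weave GitOps code: it asks the API server whether the dashboard's service account may impersonate the login user, and which of deployments, replicasets and pods that user may list. The service-account namespace and name and the user name are arguments you supply (assumptions, not values from this issue), and `kubectl auth can-i --as=...` must be run by an identity that is itself allowed to impersonate.

```shell
#!/bin/sh
# Added example (not from the issue or the Weave GitOps project).
# Asks the API server what the impersonated identity may do.
# KUBECTL is overridable so the logic can be exercised without a cluster.
KUBECTL="${KUBECTL:-kubectl}"

# can_impersonate SA_NAMESPACE SA_NAME USER
# Succeeds if the dashboard's service account may impersonate USER.
can_impersonate() {
  "$KUBECTL" auth can-i impersonate "users/$3" \
    --as="system:serviceaccount:$1:$2" >/dev/null 2>&1
}

# denied_resources USER RESOURCE...
# Prints every RESOURCE that USER may not list across all namespaces.
denied_resources() {
  dr_user="$1"; shift
  for dr_res in "$@"; do
    "$KUBECTL" auth can-i list "$dr_res" --as="$dr_user" --all-namespaces \
      >/dev/null 2>&1 || printf '%s\n' "$dr_res"
  done
}

# report SA_NAMESPACE SA_NAME USER
# Returns 0 only if impersonation and every list check are allowed.
report() {
  if ! can_impersonate "$1" "$2" "$3"; then
    echo "service account $1/$2 may not impersonate user $3"
    return 1
  fi
  rp_denied=$(denied_resources "$3" deployments.apps replicasets.apps pods)
  if [ -n "$rp_denied" ]; then
    # unquoted on purpose: joins the denied resources onto one line
    echo "user $3 cannot list:" $rp_denied
    return 1
  fi
  echo "user $3 can list deployments, replicasets and pods"
}

# Usage: sh check.sh <sa-namespace> <sa-name> <user>
if [ "$#" -eq 3 ]; then report "$@"; fi
```

A denial reported for the user points at that user's role bindings; a denial reported for the service account points at the impersonation rule.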

gecube commented 2 months ago

I think the issue is that it was compiled against old fluxcd library versions: https://github.com/weaveworks/weave-gitops/commit/591cc3d862f8c80d95a7db951aefb73a3a501061 and now we are using newer fluxcd 2.3.0 with NEW API for Helmreleases and kustomization

absnmohammedsedex commented 2 months ago

I understand as I have already upgraded the Flux version to 2.30, and I can see the helmrelease API version is v2 and the kustomize API version is v1, all latest.

kingdonb commented 2 months ago

Weave GitOps is in need of maintainers!

Thank you for the feedback, it is good to understand as an outsider (who does not use ArgoCD) what it is that people mean when they say "an Argo-style UI" - it's never been as clear to me as it is right now.

Is that the main feature you're looking for in a UI? The ability to see drill-down dependencies or parent-child relationships between objects, and to see (for example) the fact that a pod is stuck in crashloopbackoff?

absnmohammedsedex commented 2 months ago

It would be beneficial for developers to have a UI portal to manage helm releases, live deployments, and replicasets in addition to the Flux CLI.

kingdonb commented 2 months ago

I'm working with some Headlamp devs to get the Flux plugin into the catalog, it's making some excellent progress

It's currently a bit of a lift to get it installed, but if you're interested in trying it out, all of the information is here

It is heavily inspired by Weave GitOps (the flux parts, anyway)