OpenUnison / openunison-k8s-login-oidc

Kubernetes login portal for both kubectl and the dashboard using OpenID Connect. Use groups from your assertion in RBAC policies to control access to your cluster. Supports impersonation and OpenID Connect integration with your API server.

Home Page:https://www.tremolosecurity.com/kubernetes/


Not able to access Openunison UI

prashanthkumar122 opened this issue · comments

Hi Tremolo team,
Not able to access the OpenUnison portal connected with Keycloak. After entering https://IP:port, it redirects to Keycloak
and does not redirect back to the OpenUnison portal.
Below is my values.yaml file:
network:
  openunison_host: "Master-node-IP"
  dashboard_host: "https://Master-node-IP:30050"
  api_server_host: "https://Master-node-IP:6443"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://Master-node-IP:6443
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations:
    kubernetes.io/ingress.class: nginx

cert_template:
  ou: "Master-node-IP"
  o: "MyOrg"
  l: "Kubernetes"
  st: "State of Cluster"
  c: "MyCountry"

image: "docker.io/tremolosecurity/openunison-k8s-login-oidc:latest"
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: kubernetes
enable_impersonation: false

hosts:
  - annotations:
      - name: kubernetes.io/ingress.class
        value: nginx
    ingress_name: openunison
    ingress_type: nginx

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

oidc:
  client_id: test-kubernetes
  auth_url: https://Ingress-IP.nip.io/auth/
  token_url: https://Ingress-IP.nip.io/auth/realms/master/protocol/openid-connect/token
  user_in_idtoken: false
  userinfo_url: https://Ingress-IP.nip.io/auth/realms/master/protocol/openid-connect/userinfo
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
    namespace: openunison
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []
  pullSecret: ""

openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
  secrets: []

openunison_host: "Master-node-IP"
dashboard_host: "https://Master-node-IP:30050"

The first issue is that your openunison_host and dashboard_host need to be the URLs you want to connect to from your browser. See this graphic: (image: openunison_k8s_network)

auth_url: https://Ingress-IP.nip.io/auth/

Is your Keycloak running in Kubernetes? Your URLs for this section should come from your discovery document. For Keycloak you can get that from https://host/<root>/auth/realms/{realm-name}/.well-known/openid-configuration

As openunison-orchestra is not picking up the ingress LB IP address as openunison_host, I provided the master node IP for openunison_host. I have also tried to deploy on AWS EKS.
One more issue is that the Kubernetes dashboard goes off if I start the orchestra template.
Below is the values.yml which I tried to deploy on AWS EKS, with GitLab:

network:
  openunison_host: "3.21.205.145"
  dashboard_host: "https://a4feb48c357b24d9ca5475bad1bfc926-1184502140.us-east-2.elb.amazonaws.com"
  api_server_host: "D508007F6E6D1FA97E81F4F2F86911D5.gr7.us-east-2.eks.amazonaws.com"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://D508007F6E6D1FA97E81F4F2F86911D5.gr7.us-east-2.eks.amazonaws.com
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations:
    kubernetes.io/ingress.class: nginx

cert_template:
  ou: "Kubernetes"
  o: "MyOrg"
  l: "My Cluster"
  st: "State of Cluster"
  c: "MyCountry"

image: "docker.io/tremolosecurity/openunison-k8s-login-oidc:latest"
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: kubernetes
enable_impersonation: false

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard

certs:
  use_k8s_cm: false

trusted_certs: []
# - name: idp
#   pem_b64: SDFGSDFGHDFHSDFGSDGSDFGDS

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

oidc:
  client_id: 71ff2a89ced5bfdd09a61ea54004a19b6242b16e092e6c609ae86a612898e207
  auth_url: http://3.142.244.2:8080/oauth/authorize
  token_url: http://3.142.244.2:8080/oauth/token
  user_in_idtoken: false
  userinfo_url: https://www.myoidc.com/oauth/userinfo
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []
  pullSecret: ""

openunison:
  replicas: 1
  non_secret_data: {}
  secrets: []

The openunison_host and dashboard_host settings are what you want your browser to point to. They are the host names that will point to your load balancer that is sitting in front of your cluster's ingress controller.

Hi Tremolo team,
Still facing the redirection issue. After entering the OpenUnison portal URL it redirects to Keycloak, and even after authenticating to Keycloak it does not redirect back to the OpenUnison portal. I have provided DNS names for both k8s-db and OpenUnison.
Below is the values.yml; the Ingress resource is also being created. Please help to fix the issue.

network:
  openunison_host: "openunison.Load-balancer-ip.nip.io"
  dashboard_host: "k8sdb.Load-balancer-ip.nip.io"
  api_server_host: "master-node:6443"
  session_inactivity_timeout_seconds: 900
  k8s_url: https://master-node:6443
  createIngressCertificate: true
  ingress_type: nginx
  ingress_annotations:
    kubernetes.io/ingress.class: nginx

cert_template:
  ou: "openunison.Load-balancer-ip.nip.io"
  o: "MyOrg"
  l: "Kubernetes"
  st: "State of Cluster"
  c: "MyCountry"

image: "docker.io/tremolosecurity/openunison-k8s-login-oidc:latest"
myvd_config_path: "WEB-INF/myvd.conf"
k8s_cluster_name: kubernetes
enable_impersonation: false

hosts:
  - annotations:
      - name: kubernetes.io/ingress.class
        value: nginx
    ingress_name: openunison
    ingress_type: nginx

dashboard:
  namespace: "kubernetes-dashboard"
  cert_name: "kubernetes-dashboard-certs"
  label: "k8s-app=kubernetes-dashboard"
  service_name: kubernetes-dashboard

certs:
  use_k8s_cm: false

trusted_certs: []

monitoring:
  prometheus_service_account: system:serviceaccount:monitoring:prometheus-k8s

oidc:
  client_id: openunison
  auth_url: https://Load-balancer-ip.nip.io/auth/
  token_url: https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/token
  user_in_idtoken: false
  userinfo_url: https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/userinfo
  domain: ""
  scopes: openid email profile groups
  claims:
    sub: sub
    email: email
    given_name: given_name
    family_name: family_name
    display_name: name
    groups: groups

network_policies:
  enabled: false
  ingress:
    enabled: true
    labels:
      app.kubernetes.io/name: ingress-nginx
    namespace: openunison
  monitoring:
    enabled: true
    labels:
      app.kubernetes.io/name: monitoring
  apiserver:
    enabled: false
    labels:
      app.kubernetes.io/name: kube-system

services:
  enable_tokenrequest: false
  token_request_audience: api
  token_request_expiration_seconds: 600
  node_selectors: []
  pullSecret: ""

openunison:
  replicas: 1
  non_secret_data:
    K8S_DB_SSO: oidc
  secrets: []

Hi Tremolo team,
Any solution for the above-mentioned issue?

Your auth_url doesn't look right. What does your https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/.well-known/openid-configuration look like?

After changing auth_url to https://LB-IP.nip.io/auth/realms/master/protocol/openid-connect/auth,
below is the result, and this is the redirect URL specified in Keycloak: 'https://openunison.LB-IP.nip.io/auth/oidc'
(image: screenshot of the result)

It looks like you haven't configured keycloak with your correct redirect_uri. What did you use for your configuration in keycloak? It should be https://openunison.Load-balancer-ip.nip.io/auth/oidc

Yes, that is what I mentioned in the redirect URL of Keycloak: 'https://openunison.Load-balancer-ip.nip.io/auth/oidc'

In your browser enable developer tools and turn on Network so you can see the individual URLs being requested. You'll see one that looks like https://LB-IP.nip.io/auth/realms/master/protocol/openid-connect/auth?... One of the parameters will be redirect_uri; what is it?

Below are the details from Keycloak: https://Load-balancer-ip.nip.io/auth/realms/master/.well-known/openid-configuration

{
  "issuer": "https://Load-balancer-ip.nip.io/auth/realms/master",
  "authorization_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/token",
  "introspection_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/logout",
  "jwks_uri": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/certs",
  "check_session_iframe": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "id_token_encryption_alg_values_supported": ["RSA-OAEP", "RSA-OAEP-256", "RSA1_5"],
  "id_token_encryption_enc_values_supported": ["A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"],
  "userinfo_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "request_object_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "token_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": true,
  "scopes_supported": ["openid", "address", "email", "microprofile-jwt", "offline_access", "phone", "profile", "roles", "web-origins"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": ["plain", "S256"],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt"],
  "revocation_endpoint_auth_signing_alg_values_supported": ["PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512"],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true
}

Now if I enter the URL https://openunison.Load-balancer-ip.nip.io, it directly displays an error page:

(image: error page)

Can you please provide the logs from your openunison-orchestra pod?

Hi Tremolo team,
It is working for GitLab and Okta. If I configure it for Keycloak, I get the error below:

[2021-03-30 11:11:52,033][XNIO-1 task-1] ERROR OpenIDConnectAuthMech - Could not retrieve token : 400 / Bad Request
[2021-03-30 11:11:52,033][XNIO-1 task-1] INFO AccessLog - [AuFail] - scale - https://openunison.LoadBalancer-IP.nip.io/auth/oidc - cn=none - enterprise_idp [10.0.14.203] - [f6e0b22e853fd4370d2640c7031a836c38e258ea0]
[2021-03-30 11:11:52,097][XNIO-1 task-1] INFO AccessLog - [Error] - scale - https://openunison.LoadBalancer-IP.nip.io/auth/oidc - uid=Anonymous,o=Tremolo - NONE [10.0.14.203] - [f6e0b22e853fd4370d2640c7031a836c38e258ea0]
[2021-03-30 11:11:52,097][XNIO-1 task-1] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Could not load user data
at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:248) ~[unison-auth-openidconnect-1.0.21.jar:?]
at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:191) ~[unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.21.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:111) ~[unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.proxy.auth.AuthSys.doAuth(AuthSys.java:118) ~[unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:105) ~[unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.proxy.ConfigSys.doConfig(ConfigSys.java:296) [unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:93) [unison-server-core-1.0.21.jar:?]
at com.tremolosecurity.filter.UnisonServletFilter.doFilter(UnisonServletFilter.java:290) [unison-server-core-1.0.21.jar:?]
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:269) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:78) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:133) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:130) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:249) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:78) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:99) [undertow-servlet-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:387) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:841) [undertow-core-2.2.5.Final.jar:2.2.5.Final]
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) [jboss-threads-2.3.3.Final.jar:2.3.3.Final]
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) [jboss-threads-2.3.3.Final.jar:2.3.3.Final]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) [jboss-threads-2.3.3.Final.jar:2.3.3.Final]
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) [jboss-threads-2.3.3.Final.jar:2.3.3.Final]
at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1280) [xnio-api-3.8.4.Final.jar:3.8.4.Final]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: java.lang.Exception: Could not retrieve token : 401 / Unauthorized
at com.tremolosecurity.unison.proxy.auth.openidconnect.loadUser.LoadAttributesFromWS.loadUserAttributesFromIdP(LoadAttributesFromWS.java:55) ~[unison-auth-openidconnect-1.0.21.jar:?]
at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:246) ~[unison-auth-openidconnect-1.0.21.jar:?]
... 44 more

Take a look at the keycloak logs, does it complain about invalid scopes?

Yes, it has error logs about invalid scopes.

06:43:31,686 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
06:43:33,880 INFO [org.keycloak.keys.DefaultKeyManager] (default task-2) No keys found for realm=master and algorithm=RS256 for use=SIG. Generating keys.
06:43:34,192 INFO [org.keycloak.keys.DefaultKeyManager] (default task-1) No keys found for realm=master and algorithm=RS256 for use=SIG. Generating keys.
06:43:34,305 INFO [org.keycloak.keys.DefaultKeyManager] (default task-3) No keys found for realm=master and algorithm=RS256 for use=SIG. Generating keys.
04:50:22,720 WARN [org.jboss.as.domain.management.security] (default I/O-2) WFLYDM0113: Generated self signed certificate at /opt/jboss/keycloak/standalone/configuration/application.keystore. Please note that self signed certificates are not secure, and should only be used for testing purposes. Do not use this self signed certificate in production.
SHA-1 fingerprint of the generated key is 73:a5:f4:5a:8f:c6:90:f6:16:e2:27:1a:18:1e:62:e4:33:64:a4:bc
SHA-256 fingerprint of the generated key is 77:14:54:24:c2:87:f8:fe:0b:7a:80:ba:6e:ed:4d:f5:6b:e5:11:b0:d2:15:5f:d4:bf:70:5d:bd:c3:df:56:59
04:51:20,743 INFO [org.keycloak.keys.DefaultKeyManager] (default task-10) No keys found for realm=master and algorithm=HS256 for use=SIG. Generating keys.
09:40:23,236 ERROR [org.keycloak.services] (default task-30) KC-SERVICES0093: Invalid parameter value for: scope
09:40:23,237 WARN [org.keycloak.events] (default task-30) type=LOGIN_ERROR, realmId=master, clientId=open-kube, userId=null, ipAddress=10.81.232.30, error=invalid_request, response_type=code, redirect_uri=https://openunison.10.0.14.251.nip.io/auth/oidc, response_mode=query
09:40:29,241 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-30) Invalid format of the code
09:40:29,254 WARN [org.keycloak.events] (default task-30) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=open-kube, userId=null, ipAddress=192.168.33.22, error=invalid_code, grant_type=authorization_code, client_auth_method=client-secret
09:40:29,316 WARN [org.keycloak.events] (default task-30) type=USER_INFO_REQUEST_ERROR, realmId=master, clientId=null, userId=null, ipAddress=192.168.33.22, error=invalid_token, auth_method=validate_access_token


After this I removed groups from the scope; login works, but it shows unauthorized while executing get pods:
kubectl get pods
error: You must be logged in to the server (Unauthorized)

It looks like Keycloak doesn't support the groups scope. To support Keycloak:

  1. In values.yaml change oidc.scopes from openid email profile groups to openid email profile
  2. Update your helm deployment - helm upgrade orchestra tremolo/openunison-k8s-login-oidc --namespace openunison -f ~/path/to/values-k8s-login-oidc-kc.yaml
  3. In Keycloak, if you want to add groups to your id_token, click on Mappers for your client and click on the Create button. Fill in per the screenshot: (image: keycloakmapper)

Out of the box, Keycloak presents group names as the name of the group after a "/". So in your RBAC bindings you'll use that instead of just the name of the group. For instance, if you have a group called group1 your RBAC binding would look like:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: activedirectory-cluster-admins
subjects:
- kind: Group
  name: /group1
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
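
Pulling the maintainer's points together (endpoint URLs taken from the discovery document, a redirect_uri registered exactly as https://<openunison_host>/auth/oidc, and only scopes the IdP advertises), here is an added example, not part of the chart or of this thread, that checks an oidc: section before running helm upgrade. The discovery document is a constructed excerpt of the Keycloak one posted above with its placeholder host kept, the OIDCValues struct is made up for the example rather than the chart's schema, and BrokenValues reproduces the failing values.yaml from the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery keeps only the fields of <issuer>/.well-known/openid-configuration
// that the checks below use; the rest of the document is ignored on decode.
type Discovery struct {
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	UserinfoEndpoint      string   `json:"userinfo_endpoint"`
	ScopesSupported       []string `json:"scopes_supported"`
}

// OIDCValues mirrors the oidc: section of values.yaml as posted in the thread
// (a struct made up for this example, not the chart's schema).
type OIDCValues struct {
	AuthURL, TokenURL, UserinfoURL string
	Scopes                         string // space separated, as in values.yaml
}

// DiscoveryJSON is a constructed excerpt of the Keycloak document posted above.
const DiscoveryJSON = `{
  "authorization_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/token",
  "userinfo_endpoint": "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/userinfo",
  "scopes_supported": ["openid","address","email","microprofile-jwt","offline_access","phone","profile","roles","web-origins"]
}`

// BrokenValues is the oidc: section from the thread: auth_url is Keycloak's root
// path and "groups" is requested although Keycloak does not advertise that scope.
var BrokenValues = OIDCValues{
	AuthURL:     "https://Load-balancer-ip.nip.io/auth/",
	TokenURL:    "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/token",
	UserinfoURL: "https://Load-balancer-ip.nip.io/auth/realms/master/protocol/openid-connect/userinfo",
	Scopes:      "openid email profile groups",
}

func ParseDiscovery(raw string) (Discovery, error) {
	var d Discovery
	err := json.Unmarshal([]byte(raw), &d)
	return d, err
}

// ExpectedRedirectURI is OpenUnison's callback, https://<openunison_host>/auth/oidc,
// which has to be registered verbatim on the IdP client.
func ExpectedRedirectURI(openunisonHost string) string {
	return "https://" + openunisonHost + "/auth/oidc"
}

// sameEndpoint compares scheme, host and path, ignoring host case and a trailing slash.
func sameEndpoint(a, b string) bool {
	ua, errA := url.Parse(strings.TrimSpace(a))
	ub, errB := url.Parse(strings.TrimSpace(b))
	return errA == nil && errB == nil && strings.EqualFold(ua.Scheme, ub.Scheme) &&
		strings.EqualFold(ua.Host, ub.Host) && strings.TrimRight(ua.Path, "/") == strings.TrimRight(ub.Path, "/")
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// CheckOIDCConfig returns one finding per inconsistency between the oidc: values,
// the discovery document and the redirect URIs registered on the IdP client.
func CheckOIDCConfig(d Discovery, v OIDCValues, registeredRedirects []string, openunisonHost string) []string {
	var findings []string
	for _, e := range []struct{ name, got, want string }{
		{"auth_url", v.AuthURL, d.AuthorizationEndpoint},
		{"token_url", v.TokenURL, d.TokenEndpoint},
		{"userinfo_url", v.UserinfoURL, d.UserinfoEndpoint},
	} {
		if !sameEndpoint(e.got, e.want) {
			findings = append(findings, fmt.Sprintf("%s is %q but the discovery document says %q", e.name, e.got, e.want))
		}
	}
	for _, s := range strings.Fields(v.Scopes) {
		// Keycloak logs KC-SERVICES0093 and answers invalid_request when a scope is unknown.
		if len(d.ScopesSupported) > 0 && !contains(d.ScopesSupported, s) {
			findings = append(findings, fmt.Sprintf("scope %q is not in scopes_supported", s))
		}
	}
	if want := ExpectedRedirectURI(openunisonHost); !contains(registeredRedirects, want) {
		findings = append(findings, "redirect URI "+want+" is not registered on the IdP client")
	}
	return findings
}

func main() {
	d, err := ParseDiscovery(DiscoveryJSON)
	if err != nil {
		panic(err)
	}
	host := "openunison.Load-balancer-ip.nip.io"
	fmt.Println(CheckOIDCConfig(d, BrokenValues, []string{ExpectedRedirectURI(host)}, host))
}
```

Fed the real document (curl https://<host>/auth/realms/<realm>/.well-known/openid-configuration), the same check applies to any IdP. For the broken section it reports exactly two findings, the auth_url mismatch and the unsupported groups scope, which are the two corrections made in this thread; the redirect URI list is compared by exact string, which is also how Keycloak matches a registered redirect without a wildcard.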

Hi,
I followed the instructions and copied the token from the OpenUnison UI, but I get the error below if I execute 'kubectl get pods':
kubectl get pods
error: You must be logged in to the server (Unauthorized)

This generally means you either didn't complete the integration between the API server and OpenUnison or it's misconfigured. Take a look at the API server logs for what the issue is.

hi, already added this in kube-api-serv

and also the ou-ca.pem, which I got from the OpenUnison GUI

What do the API server logs say?

I0413 18:01:34.275908 1 client.go:360] parsed scheme: "passthrough"
I0413 18:01:34.275952 1 passthrough.go:48] ccResolverWrapper: sending update to cc: {[{https://127.0.0.1:2379 0 }] }
I0413 18:01:34.275964 1 clientconn.go:948] ClientConn switching balancer to "pick_first"
E0413 18:01:37.367907 1 oidc.go:224] oidc authenticator: initializing plugin: Get "https://openunison.Load-Balancer-IP.nip.io/auth/idp/k8sIdp/.well-known/openid-configuration": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "openunison.Load-Balancer-IP.nip.io")

Does your load balancer have its own certificate?

No, it does not.

When you login to the openunison UI and you look at the certificate in your browser, what does it say?

(image: browser certificate details)

And below are the openunison-orchestra logs:

[2021-04-20 11:12:41,362][XNIO-1 task-10] INFO AccessLog - [AzSuccess] - k8sIdp - https://openunison.10.0.14.251.nip.io/auth/idp/k8sIdp/token - uid=x-56-xx-51-xdex-52-xx-56-xfd-x-49-xcx-50-xx-48-x-x-52-xx-51-xx-49-xa-x-57-xx-51-xx-57-xx-57-x-x-57-xx-55-xx-50-xx-53-xcx-53-xcdx-52-xx-48-xcx-48-x,ou=shadow,o=Tremolo - NONE [10.0.14.203] - [fa812ecf9b7db09230d7bf0e16b10e56dc4e2bd18]

and kube-apiserver logs

E0420 11:42:17.367198 1 oidc.go:224] oidc authenticator: initializing plugin: Get "https://openunison.10.0.14.251.nip.io/auth/idp/k8sIdp/.well-known/openid-configuration": x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "openunison.LoadBalancer-IP.nip.io")

But it was working fine when I connected with GitLab over HTTP.

Hi, any update on the above issue?

Is the certificate hash for the certificate you're displaying the same as what your API server is trusting? If there have been multiple redeployments, the wrong cert may be trusted now.
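
The stale-certificate diagnosis above, and the earlier question about a load balancer presenting its own certificate, can be reproduced with the library kube-apiserver itself uses for --oidc-ca-file, Go's crypto/x509. The following is an added example written for this page, not code from OpenUnison or Kubernetes: it generates two self-signed certificates for the thread's placeholder host (standing in for the certificate from an earlier deployment and the one the ingress serves now), prints both SHA-256 fingerprints, and verifies the served certificate against each. Trusting the stale copy yields the same "parent certificate cannot sign this kind of certificate" hint as the API server log, because the only candidate with a matching subject is not a CA and its key never signed the served certificate; trusting the served certificate itself succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SelfSignedServerCert builds the kind of certificate createIngressCertificate
// puts on the ingress: self-signed, CN and SAN set to the OpenUnison host, and
// not a CA. Helper written for this example, not the operator's code.
func SelfSignedServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host, Organization: []string{"MyOrg"}},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // encodes cA=FALSE explicitly
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServed does what kube-apiserver's OIDC plugin does with --oidc-ca-file:
// trust only what that file contains and verify the certificate served at the
// issuer URL against it. A self-signed certificate verifies only when the
// trusted copy is byte-for-byte the same certificate.
func VerifyServed(served, trusted *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	_, err := served.Verify(x509.VerifyOptions{Roots: pool, DNSName: served.Subject.CommonName})
	return err
}

// Fingerprint is the colon-separated SHA-256 fingerprint browsers display, for
// comparing the served certificate with the one in ou-ca.pem.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// ToPEM renders a certificate the way it appears in ou-ca.pem.
func ToPEM(cert *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
}

func main() {
	host := "openunison.Load-balancer-ip.nip.io" // placeholder host from the thread
	stale, err := SelfSignedServerCert(host)    // certificate from an earlier deployment
	if err != nil {
		panic(err)
	}
	served, err := SelfSignedServerCert(host) // certificate the ingress serves now
	if err != nil {
		panic(err)
	}
	fmt.Println("served :", Fingerprint(served))
	fmt.Println("trusted:", Fingerprint(stale))
	fmt.Println("verify against stale ou-ca.pem:", VerifyServed(served, stale))
	fmt.Println("verify against served cert    :", VerifyServed(served, served))
}
```

In practice, compare the fingerprint your browser shows for https://<openunison_host> with the output of openssl x509 -in ou-ca.pem -noout -fingerprint -sha256; if they differ, the API server trusts the wrong certificate. A load balancer that terminates TLS with its own certificate produces the same mismatch, since the API server then sees a certificate that ou-ca.pem never contained.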

I have redeployed by deleting the 'openunison' namespace. I have updated the ou-ca.pem also.
Still the same error:
error: You must be logged in to the server (Unauthorized)

Hi,
I have upgraded the cluster to 21.0.0 and redeployed, but still the same output:
error: You must be logged in to the server (Unauthorized)

But the kube-apiserver error logs changed:
E0427 10:54:43.584868 1 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has been invalidated]"
E0427 10:54:45.511535 1 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has