helm / chartmuseum

helm chart repository server

Home Page: https://chartmuseum.com

401 when configuring s3

aanogueira opened this issue

Hi,

When deploying the chartmuseum Helm chart with the following configuration:

Helm chart values (using 3.9.3):

podAnnotations:
  eks.amazonaws.com/sts-regional-endpoints: "true"

extraArgs:
  - --cache-interval=1m

env:
  open:
    AWS_SDK_LOAD_CONFIG: true
    STORAGE: amazon
    STORAGE_AMAZON_BUCKET: <BUCKET>
    STORAGE_AMAZON_PREFIX:
    STORAGE_AMAZON_REGION: <REGION>
    CHART_POST_FORM_FIELD_NAME: chart
    PROV_POST_FORM_FIELD_NAME: prov
    DEPTH: 2
    DEBUG: true
    LOG_JSON: true
    DISABLE_STATEFILES: true
    ENABLE_METRICS: true
    DISABLE_API: false
    ALLOW_OVERWRITE: false
  existingSecret: chartmuseum-creds
  existingSecretMappings:
    BASIC_AUTH_USER: username
    BASIC_AUTH_PASS: password

service:
  type: NodePort

serviceMonitor:
  enabled: true

serviceAccount:
  create: false
  name: chartmuseum

ingress:
  enabled: true
  pathType: Prefix
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: <ARN>
  hosts:
    - name: chartmuseum.<DOMAIN>
      path: /

ServiceAccount:

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: <ROLE>
  name: chartmuseum
  namespace: default

Terraform resources:

resource "aws_s3_bucket" "chartmuseum" {
  bucket = <BUCKET>
}

// <CUSTOM_K8S_IAM_ROLE_MODULE>

data "aws_iam_policy_document" "chartmuseum_policy" {
  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>"
    ]
  }
  statement {
    actions = [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>/*"
    ]
  }
}

When the pod is running, I'm getting a loop of 401s, such as:

{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[723] Incoming request: /","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}
{"L":"ERROR","T":"2023-03-13T18:05:10.228Z","M":"[723] Request served","path":"/","comment":"","clientIP":"10.4.51.192","method":"GET","statusCode":401,"latency":"21.228µs","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}

Any suggestion on what the problem could be?

Thank you,
André Nogueira

@aanogueira It looks like that 401 is coming from a request sent to the root path "path":"/".

Since you have basic auth configured, the client sending that request needs to authenticate using the username/password you configured ChartMuseum with.

Hi.
In my case, in a similar setup, the problem was in the ingress annotation - I had to add

    - name: chartmuseum.<DOMAIN>
      path: /
    - name: chartmuseum.<DOMAIN>
      path: /*

to solve the problem.
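One way to triage the 401 loop discussed in this thread, as an added example that is not part of the original posts or of ChartMuseum's code: it groups 401 `Request served` log entries by client IP, method and path, and flags sources that repeat at a near-constant interval, which is the pattern of an automated client that sends no basic-auth credentials. The sample log lines are constructed from the format shown in the issue; the function names, the second client IP and the 15-second cadence are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Constructed sample modelled on the issue's log lines, trimmed to the fields used here.
SAMPLE_LOG = """\
{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[723] Incoming request: /","reqID":"r1"}
{"L":"ERROR","T":"2023-03-13T18:05:10.228Z","M":"[723] Request served","path":"/","clientIP":"10.4.51.192","method":"GET","statusCode":401}
{"L":"ERROR","T":"2023-03-13T18:05:12.100Z","M":"[724] Request served","path":"/index.yaml","clientIP":"10.4.60.7","method":"GET","statusCode":401}
{"L":"INFO","T":"2023-03-13T18:05:13.500Z","M":"[725] Request served","path":"/index.yaml","clientIP":"10.4.60.7","method":"GET","statusCode":200}
{"L":"ERROR","T":"2023-03-13T18:05:25.231Z","M":"[726] Request served","path":"/","clientIP":"10.4.51.192","method":"GET","statusCode":401}
{"L":"ERROR","T":"2023-03-13T18:05:40.226Z","M":"[727] Request served","path":"/","clientIP":"10.4.51.192","method":"GET","statusCode":401}
{"L":"ERROR","T":"2023-03-13T18:05:55.229Z","M":"[728] Request served","path":"/","clientIP":"10.4.51.192","method":"GET","statusCode":401}
"""

def unauthorized_sources(log_text):
    """Map (clientIP, method, path) -> sorted timestamps of 401 'Request served' entries."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict) or entry.get("statusCode") != 401:
            continue
        if "Request served" not in entry.get("M", ""):
            continue
        stamp = datetime.strptime(entry["T"], TS_FORMAT)
        hits[(entry.get("clientIP"), entry.get("method"), entry.get("path"))].append(stamp)
    return {key: sorted(stamps) for key, stamps in hits.items()}

def periodic_probes(hits, min_count=3, jitter_s=1.0):
    """Return {source: mean interval in seconds} for 401s that recur on a steady cadence."""
    probes = {}
    for key, stamps in hits.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_count, 2):
            continue  # too few events to call it a loop
        if max(gaps) - min(gaps) <= jitter_s:
            probes[key] = round(sum(gaps) / len(gaps), 1)
    return probes

if __name__ == "__main__":
    for source, interval in periodic_probes(unauthorized_sources(SAMPLE_LOG)).items():
        print(source, "repeats every", interval, "s without credentials")
```

A single 401 followed by a 200 from the same client, as in the constructed `/index.yaml` lines, is not flagged; only the steady repeat against `/` is.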