401 when configuring s3
aanogueira opened this issue · comments
Hi,
When deploying the chartmuseum helm chart with the following configuration:
Helm chart values (using 3.9.3):
podAnnotations:
  eks.amazonaws.com/sts-regional-endpoints: "true"
extraArgs:
  - --cache-interval=1m
env:
  open:
    AWS_SDK_LOAD_CONFIG: true
    STORAGE: amazon
    STORAGE_AMAZON_BUCKET: <BUCKET>
    STORAGE_AMAZON_PREFIX:
    STORAGE_AMAZON_REGION: <REGION>
    CHART_POST_FORM_FIELD_NAME: chart
    PROV_POST_FORM_FIELD_NAME: prov
    DEPTH: 2
    DEBUG: true
    LOG_JSON: true
    DISABLE_STATEFILES: true
    ENABLE_METRICS: true
    DISABLE_API: false
    ALLOW_OVERWRITE: false
  existingSecret: chartmuseum-creds
  existingSecretMappings:
    BASIC_AUTH_USER: username
    BASIC_AUTH_PASS: password
service:
  type: NodePort
serviceMonitor:
  enabled: true
serviceAccount:
  create: false
  name: chartmuseum
ingress:
  enabled: true
  pathType: Prefix
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: <ARN>
  hosts:
    - name: chartmuseum.<DOMAIN>
      path: /
ServiceAccount:
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: <ROLE>
  name: chartmuseum
  namespace: default
Terraform resources:
resource "aws_s3_bucket" "chartmuseum" {
  bucket = <BUCKET>
}
// <CUSTOM_K8S_IAM_ROLE_MODULE>
data "aws_iam_policy_document" "chartmuseum_policy" {
  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>"
    ]
  }
  statement {
    actions = [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>/*"
    ]
  }
}
When the pod is running I'm getting a loop of 401, such as:
{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[723] Incoming request: /","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}
{"L":"ERROR","T":"2023-03-13T18:05:10.228Z","M":"[723] Request served","path":"/","comment":"","clientIP":"10.4.51.192","method":"GET","statusCode":401,"latency":"21.228µs","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}
Any suggestion on what the problem could be?
Thank you,
André Nogueira
@aanogueira It looks like that 401 is coming from a request sent to the root path "path":"/".
Since you have basic auth configured, the client sending that request needs to authenticate using the username/password you configured ChartMuseum with.
Hi.
In my case, in a similar setup, the problem was in the ingress annotation - I had to add
  - name: chartmuseum.<DOMAIN>
    path: /
  - name: chartmuseum.<DOMAIN>
    path: /*
to solve the problem.
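An added example, not part of the original thread or of ChartMuseum itself: a triage of the JSON request log in the format shown in the issue, grouping 401 responses by client, method and path to find which caller is sending requests without the basic-auth credentials. The sample lines are constructed, and treating evenly spaced requests as an automated probe is a heuristic assumed for this example.

```python
import json
from collections import defaultdict
from datetime import datetime

def _served(ts, ip, path, status):
    """Build one constructed 'Request served' line in the issue's log format."""
    return json.dumps({"L": "ERROR" if status >= 400 else "INFO", "T": ts,
                       "M": "[1] Request served", "path": path, "clientIP": ip,
                       "method": "GET", "statusCode": status})

# Constructed sample input (IPs, paths and times are illustrative).
SAMPLE = [
    '{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[1] Incoming request: /"}',
    _served("2023-03-13T18:05:10.228Z", "10.4.51.192", "/", 401),
    _served("2023-03-13T18:05:12.000Z", "10.4.60.7", "/api/charts", 401),
    _served("2023-03-13T18:05:13.500Z", "10.4.60.7", "/api/charts", 401),
    _served("2023-03-13T18:05:20.000Z", "10.4.60.9", "/index.yaml", 200),
    _served("2023-03-13T18:05:25.231Z", "10.4.51.192", "/", 401),
    _served("2023-03-13T18:05:40.226Z", "10.4.51.192", "/", 401),
    _served("2023-03-13T18:06:02.000Z", "10.4.60.7", "/api/charts", 401),
    "plain-text line that is not JSON",
]

def unauthenticated_clients(lines, tolerance_s=1.0):
    """Group 401 responses by (clientIP, method, path) and flag periodic callers."""
    seen = defaultdict(list)
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip non-JSON output mixed into the log stream
        if not isinstance(rec, dict) or rec.get("statusCode") != 401 or "T" not in rec:
            continue  # "Incoming request" lines carry no statusCode
        ts = datetime.strptime(rec["T"], "%Y-%m-%dT%H:%M:%S.%fZ")
        seen[(rec.get("clientIP"), rec.get("method"), rec.get("path"))].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Heuristic (assumption): near-constant spacing suggests an automated
        # probe rather than a person or a misconfigured helm client.
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s
        report[key] = {"count": len(stamps), "gaps_s": gaps, "periodic": periodic}
    return report

if __name__ == "__main__":
    for key, info in unauthenticated_clients(SAMPLE).items():
        print(key, info)
```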