Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthenticated response in GetPackageRepositorySummaries #7276

Open
tomaszstachRA opened this issue Jan 4, 2024 · 2 comments
Open

Unauthenticated response in GetPackageRepositorySummaries #7276

tomaszstachRA opened this issue Jan 4, 2024 · 2 comments
Labels
awaiting-more-evidence Need more info to actually get it done. component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy kind/question An issue that reports a question about the project stale Automatic label to stale issues due inactivity to be closed if no further action
Milestone
Technical debt

Comments

@tomaszstachRA
Copy link

Describe the bug
I am using Dex (LDAP, redis) with PinnipedProxy. I can successfully login to kubeapps, do any actions with not involve using the Catalog. When I click on catalog it redirects me to the login page. The below logs are from kubeappapi container.

I1214 13:23:57.149140 1 server.go:466] "+helm GetInstalledPackageSummaries" cluster="default" namespace=""
I1214 13:23:57.728953 1 server.go:62] OK 580.060076ms /kubeappsapis.core.packages.v1alpha1.PackagesService/GetInstalledPackageSummaries
I1214 13:24:05.564226 1 repositories.go:116] "+core GetPackageRepositorySummaries" cluster="" namespace=""
I1214 13:24:05.564274 1 server.go:1134] +helm GetPackageRepositorySummaries [context:{}]
I1214 13:24:05.564684 1 repositories_resources.go:30] +helm getPkgRepositoryResource [&{0xc00011bd50 {kubeapps.com v1alpha1 apprepositories}}]
I1214 13:24:05.667652 1 server.go:62] Unauthenticated 103.415029ms /kubeappsapis.core.packages.v1alpha1.RepositoriesService/GetPackageRepositorySummaries

To Reproduce
Steps to reproduce the behavior:

  1. Login to kubeapps using Dex and pinniped-proxy
  2. Click on Catalog
  3. See not expected behaviour

Expected behavior
Catalog loading successfully

Desktop (please complete the following information):

  • Kubeapps Chart Version - 14.1.0
  • Kubernetes version - 1.26.6
  • helm

Additional context
Add any other context about the problem here.
@tomaszstachRA tomaszstachRA added the kind/bug An issue that reports a defect in an existing feature label Jan 4, 2024
@github-project-automation github-project-automation bot moved this to 🗂 Backlog in Kubeapps Jan 8, 2024
@antgamdia antgamdia added the component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy label Jan 8, 2024
@antgamdia antgamdia added this to the Technical debt milestone Jan 8, 2024
@antgamdia
Copy link
Contributor

Hi @tomaszstachRA, thanks for creating the issue. Just FTR, there is additional information on this public Slack thread.

I have just tested a brand new local environment with these values:

ingress:
  enabled: true
  hostname: localhost # set the hostname according to your needs
  tls: true
  selfSigned: true # as it is just for my local dev environment, I don't want to deal with certificates

authProxy:
  extraFlags:
    - --oidc-issuer-url=<my issuer>
  # If you are using a different ingress config, you might need to tweak these flags. More info in the "oauth2-proxy" official docs
  clientID: <my client id>
  clientSecret: <my client secret>
  cookieSecret: bm90LWdvb2Qtc2VjcmV0Cg==
  enabled: true
  provider: oidc

pinnipedProxy:
  enabled: true # if using Pinniped, you'll need to enable this option here

clusters:
  - name: default
    pinnipedConfig:
      enabled: true # if using Pinniped, you'll need to enable this option here

Plus a JWT authenticator:

apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: jwt-authenticator
spec:
  audience: <my client id>
  claims:
    groups: groups
    username: email
  issuer: <my issuer>

Plus the proper RBAC, in this case, granting enough perms using the kubeapps-operator ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubeapps-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <my email>

All the requests are being served seamlessly, so I'm currently unable to reproduce the issue. I'm not using Dex, but another OIDC provider (Auth0)... but all our CI pipelines are using Dex.

I assume there is something wrong with the RBAC configuration then. This guide might be helpful to debug OIDC issues: https://kubeapps.dev/docs/latest/reference/developer/pinniped-proxy/#troubleshooting

@antgamdia antgamdia added kind/question An issue that reports a question about the project awaiting-more-evidence Need more info to actually get it done. and removed kind/bug An issue that reports a defect in an existing feature labels Jan 9, 2024
@stale Stale
Copy link

stale bot commented Mar 17, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Automatic label to stale issues due inactivity to be closed if no further action label Mar 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
awaiting-more-evidence Need more info to actually get it done. component/pinniped-proxy Issue related to kubeapps integration with pinniped-proxy kind/question An issue that reports a question about the project stale Automatic label to stale issues due inactivity to be closed if no further action
Projects
Kubeapps
Status: 🗂 Backlog
Milestone
Technical debt
Development

No branches or pull requests
2 participants
@antgamdia @tomaszstachRA