ouctl (working) vs Manual Deployment (failing) #9

Open
benzht opened this issue Jan 23, 2023 · 6 comments
@benzht

benzht commented Jan 23, 2023

Hi,
where/how can I find out what ouctl is actually doing?
Deployment with ouctl is working, but I am failing to reproduce this following either Manual Deployment or the short-hand here.
With the former, a pod fails to transition to 'ready', and with the latter I have all pods 'green' but instead of redirection to Keycloak I just see 403.

My test deployment is on a managed k8s (digitalocean) with Keycloak.

Thanks in advance
Hartmut

@mlbiam
Contributor

mlbiam commented Jan 23, 2023

where/how can I find out what ouctl is actually doing?

It generates the orchestra-secrets-source Secret and installs the three helm charts.

With the former, a pod fails to transition to 'ready', and with the latter I have all pods 'green' but instead of redirection to Keycloak I just see 403.

Can you provide the logs for the failed pod?

@benzht
Author

benzht commented Jan 23, 2023

Thanks for the fast reaction! I've dropped the namespace and ran the commands from the second source again (switching creation of the namespace and applying the secret to it :-)
... and lo and behold, now it works!
Sorry to bother - must have had some mistake with the previous runs.

Background: the reason why I am looking for the actual working steps is that I would like to integrate openunison in my gitops with argocd so that I can re-create my cluster from scratch from a git repo and using sealed secrets.
The fewer external tools needed for this the better. The while loops seem to be the remaining issue because I could not yet convince argocd to wait ;-)

@mlbiam
Contributor

mlbiam commented Jan 23, 2023

Background: the reason why I am looking for the actual working steps is that I would like to integrate openunison in my gitops with argocd so that I can re-create my cluster from scratch from a git repo and using sealed secrets.

Ah, we haven't documented it yet but we do have a special chart which combines the 3 charts (we already have waves set up):

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: openunison
  namespace: argocd
spec:
  project: default
  ignoreDifferences:
  - group: "admissionregistration.k8s.io"
    kind: "ValidatingWebhookConfiguration"
    jsonPointers:
    - /webhooks/0/clientConfig/caBundle
    - /webhooks/1/clientConfig/caBundle
    - /webhooks/2/clientConfig/caBundle
    - /webhooks/3/clientConfig/caBundle
    - /webhooks/4/clientConfig/caBundle
  syncPolicy:
    syncOptions:
    - RespectIgnoreDifferences=true
  source:
    repoURL: 'https://nexus.tremolo.io/repository/helm-betas'
    targetRevision: 2.3.15
    helm:
      values: |-
        {
          "cert_template": {
            "c": "xxxxxxxx",
            "l": "xxxxxxxx",
            "o": "dev",
            "ou": "xxxxxxxx",
            "st": "xxxxxxxx"
          },
          "enable_impersonation": true,
          "image": "xxxxxxxx/openunison-k8s:xxxxxxxx",
          "impersonation": {
            "ca_secret_name": "xxxxxxxx",
            "explicit_certificate_trust": true,
            "jetstack_oidc_proxy_image": "xxxxxxxx/kube-oidc-proxy:xxxxxxxx",
            "oidc_tls_secret_name": "tls-certificate",
            "use_jetstack": true
          },
          "k8s_cluster_name": "xxxxxxxx",
          "myvd_configmap": "",
          "network": {
            "api_server_host": "dev-ou-api.com",
            "createIngressCertificate": false,
            "dashboard_host": "dev-dashboard.com",
            "ingress_annotations": {
              "certmanager.k8s.io/cluster-issuer": "letsencrypt",
              "kubernetes.io/ingress.class": "openunison"
            },
            "ingress_certificate": "",
            "ingress_type": "none",
            "k8s_url": "",
            "openunison_host": "dev-login.com",
            "session_inactivity_timeout_seconds": xxxxxxxx
          },
          "oidc": {
            "auth_url": "https://xxxxxxxx",
            "client_id": "xxxxxxxx",
            "token_url": "https://xxxxxxxx",
            "user_in_idtoken": xxxxxxxx,
            "userinfo_url": "https://xxxxxxxx"
          },
          "openunison": {
            "replicas": 2
          },
          "services": {
            "pullSecret": "jfrog-auth",
            "resources": {
              "limits": {
                "cpu": "500m",
                "memory": "2048Mi"
              },
              "requests": {
                "cpu": "200m",
                "memory": "1024Mi"
              }
            },
            "token_request_expiration_seconds": xxxxxxxx
          },
          "trusted_certs": [
            {
              "name": "xxxxxxxx",
              "pem_b64": "xxxxxxxx"
            }
          ],
          "operator": {
            "image":"xxxxxxxx/openunison-k8s-operator:xxxxxxxx"
          }
        }
    chart: orchestra-login-portal-argocd
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: openunison

We've got a few customers using it, but if you give it a try we'd appreciate any feedback.

@benzht
Author

benzht commented Jan 23, 2023

Thanks. I'll give it a spin

@benzht benzht closed this as completed Jan 23, 2023
@benzht
Author

benzht commented Jan 24, 2023

So far, not working.
All containers are green, but argocd sync fails and openunison-openunison
[2023-01-24 10:30:15,911][XNIO-1 task-4] INFO AccessLog - [AzSuccess] - CheckAlive - https://127.0.0.1:8443/check_alive - uid=Anonymous,o=Tremolo - [127.0.0.1] - [fa6a3c9e0e4cc3a5feeb4c1a4fcb75b455a59e707]
[2023-01-24 10:30:15,925][XNIO-1 task-5] INFO AccessLog - [Error] - UNKNOWN - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - cn=none - NONE [127.0.0.1] - [f5855fa93039b315ad11b01c9a33d5966566e95e5]
[2023-01-24 10:30:15,925][XNIO-1 task-5] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Unknown URI : /auth/idp/k8sIdp/.well-known/openid-configuration
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:116) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.32.jar:?]
Argocd reports

one or more objects failed to apply, reason:
Internal error occurred: failed calling webhook "authmechs-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authmechs?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "authchains-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authchains?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "workflows-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/workflows?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "applications-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/applications?timeout=5s": service "openunison-orchestra" not found

@mlbiam
Contributor

mlbiam commented Jan 24, 2023

[2023-01-24 10:30:15,911][XNIO-1 task-4] INFO AccessLog - [AzSuccess] - CheckAlive - https://127.0.0.1:8443/check_alive - uid=Anonymous,o=Tremolo - [127.0.0.1] - [fa6a3c9e0e4cc3a5feeb4c1a4fcb75b455a59e707]
[2023-01-24 10:30:15,925][XNIO-1 task-5] INFO AccessLog - [Error] - UNKNOWN - https://127.0.0.1:8443/auth/idp/k8sIdp/.well-known/openid-configuration - cn=none - NONE [127.0.0.1] - [f5855fa93039b315ad11b01c9a33d5966566e95e5]
[2023-01-24 10:30:15,925][XNIO-1 task-5] ERROR ConfigSys - Could not process request
javax.servlet.ServletException: Unknown URI : /auth/idp/k8sIdp/.well-known/openid-configuration
	at com.tremolosecurity.proxy.auth.AuthMgrSys.doAuthMgr(AuthMgrSys.java:116) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.embedd.NextEmbSys.nextSys(NextEmbSys.java:126) ~[unison-server-core-1.0.32.jar:?]
	at com.tremolosecurity.proxy.auth.AzSys.doAz(AzSys.java:89) ~[unison-sdk-1.0.32.jar:?]

this means the tremolo/orchestra-login-portal chart didn't deploy.

one or more objects failed to apply, reason:
Internal error occurred: failed calling webhook "authmechs-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authmechs?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "authchains-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/authchains?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "workflows-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/workflows?timeout=5s": service "openunison-orchestra" not found,
Internal error occurred: failed calling webhook "applications-openunison.tremolo.io": failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443/k8s/webhooks/v1/applications?timeout=5s": service "openunison-orchestra" not found

Can you post your Application? It looks like your yaml isn't rendering as expected.

@mlbiam mlbiam reopened this Jan 24, 2023
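The two symptoms in this thread (the API server rejecting the tremolo.io CRs because the admission webhook's backend Service is missing, and OpenUnison logging "Unknown URI" for the IdP's .well-known endpoint) both come down to one chart in the chain not having been applied. The following is an added example, not code from the issue or from the OpenUnison project: a small Python triage script that parses an Argo CD "failed calling webhook" sync error into one record per webhook, checks each webhook's backend Service against a snapshot of the Services in the namespace, and pulls "Unknown URI" entries out of the OpenUnison log. The sync error and log text are constructed here from the messages quoted above; the Service snapshot (a namespace containing only a Service named openunison-operator) is hypothetical.

```python
"""Triage helper for the two symptoms quoted in this issue.

Added example, not code from the OpenUnison project: it parses an Argo CD
"failed calling webhook" sync error into one record per admission webhook,
checks each webhook's backend Service against a snapshot of Services, and
pulls "Unknown URI" entries out of an OpenUnison access log.  The sync error
and log text are constructed from the messages in the issue; the Service
snapshot is hypothetical.
"""
import re
from urllib.parse import urlparse

# One admission-webhook failure as the API server reports it back through Argo CD.
WEBHOOK_FAILURE = re.compile(
    r'failed calling webhook "(?P<name>[^"]+)": '
    r'failed to call webhook: Post "(?P<url>[^"]+)": '
    r'(?P<reason>.+?)(?=,Internal error occurred|$)',
    re.DOTALL,
)
# OpenUnison logs a ServletException with this text when no application owns a URI.
UNKNOWN_URI = re.compile(r"Unknown URI : (?P<uri>\S+)")


def parse_webhook_failures(sync_error):
    """Return a record per failed webhook: name, backend Service, namespace, path, reason."""
    failures = []
    for m in WEBHOOK_FAILURE.finditer(sync_error):
        url = urlparse(m.group("url"))
        # Webhook clientConfig.service URLs look like https://<svc>.<ns>.svc[:port]/<path>
        host = (url.hostname or "").split(".")
        failures.append({
            "webhook": m.group("name"),
            "service": host[0],
            "namespace": host[1] if len(host) > 1 else None,
            "path": url.path,
            "reason": m.group("reason").strip(),
        })
    return failures


def missing_backends(failures, services_by_namespace):
    """Webhooks whose backend Service does not exist in the snapshot {ns: {svc, ...}}."""
    return [
        f for f in failures
        if f["service"] not in services_by_namespace.get(f["namespace"], set())
    ]


def unknown_uris(log_text):
    """URIs OpenUnison rejected as unknown; a .well-known path here means the IdP app is not loaded."""
    return UNKNOWN_URI.findall(log_text)


# --- constructed sample input, built from the messages quoted in the issue ---
WEBHOOKS = ("authmechs", "authchains", "workflows", "applications")
SYNC_ERROR = "one or more objects failed to apply, reason: " + ",".join(
    f'Internal error occurred: failed calling webhook "{w}-openunison.tremolo.io": '
    f'failed to call webhook: Post "https://openunison-orchestra.openunison.svc:443'
    f'/k8s/webhooks/v1/{w}?timeout=5s": service "openunison-orchestra" not found'
    for w in WEBHOOKS
)
OPENUNISON_LOG = (
    "[2023-01-24 10:30:15,925][XNIO-1 task-5] ERROR ConfigSys - Could not process request\n"
    "javax.servlet.ServletException: Unknown URI : "
    "/auth/idp/k8sIdp/.well-known/openid-configuration\n"
)
# Hypothetical snapshot of `kubectl get svc -n openunison`: the orchestra Service is absent.
SERVICES = {"openunison": {"openunison-operator"}}


def triage(sync_error=SYNC_ERROR, log_text=OPENUNISON_LOG, services=SERVICES):
    """Return human-readable findings; an empty list means neither symptom is present."""
    findings = []
    failures = parse_webhook_failures(sync_error)
    for f in missing_backends(failures, services):
        findings.append(
            f'webhook {f["webhook"]} points at Service {f["namespace"]}/{f["service"]} '
            f'({f["path"]}) which does not exist: the chart that ships that Service has not '
            f'been applied yet, so the API server rejects the CR ({f["reason"]})'
        )
    for uri in unknown_uris(log_text):
        findings.append(f"OpenUnison has no application mounted at {uri}: "
                        "the chart that defines it has not deployed")
    return findings


if __name__ == "__main__":
    for line in triage():
        print("-", line)
```

Two caveats worth keeping in mind when reading the output. First, a ValidatingWebhookConfiguration whose backend is absent rejects the object only if its failurePolicy is Fail; that fail-closed behaviour is what you want for admission control over authentication and authorization objects, so the fix for this error is ordering (deploy the chart that ships the Service first, or make the later wave wait for it) rather than switching the policy to Ignore. Second, the ignoreDifferences block on caBundle in the Application above tells Argo CD to stop diffing a field that is set out of band; it does not affect whether the webhook can be reached.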