Comments (7)
Hi, dex-secrets is created by https://github.com/khuedoan/homelab/blob/master/platform/dex/templates/secret.yaml, could you please post the output of:
kubectl describe -n dex externalsecret dex-secrets
from homelab.
+ kubectl describe -n dex externalsecret dex-secrets
Name:         dex-secrets
Namespace:    dex
Labels:       argocd.argoproj.io/instance=dex
Annotations:  <none>
API Version:  external-secrets.io/v1beta1
Kind:         ExternalSecret
Metadata:
  Creation Timestamp:  2024-04-18T09:48:36Z
  Generation:          1
  Resource Version:    51172
  UID:                 94eb9cd1-310b-4a3d-8574-7ed4b326de5c
Spec:
  Data:
    Remote Ref:
      Conversion Strategy:  Default
      Decoding Strategy:    None
      Key:                  kanidm.dex
      Metadata Policy:      None
      Property:             client_id
    Secret Key:             KANIDM_CLIENT_ID
    Remote Ref:
      Conversion Strategy:  Default
      Decoding Strategy:    None
      Key:                  kanidm.dex
      Metadata Policy:      None
      Property:             client_secret
    Secret Key:             KANIDM_CLIENT_SECRET
    Remote Ref:
      Conversion Strategy:  Default
      Decoding Strategy:    None
      Key:                  dex.grafana
      Metadata Policy:      None
      Property:             client_secret
    Secret Key:             GRAFANA_SSO_CLIENT_SECRET
    Remote Ref:
      Conversion Strategy:  Default
      Decoding Strategy:    None
      Key:                  dex.gitea
      Metadata Policy:      None
      Property:             client_secret
    Secret Key:             GITEA_CLIENT_SECRET
  Refresh Interval:  1h
  Secret Store Ref:
    Kind:  ClusterSecretStore
    Name:  global-secrets
  Target:
    Creation Policy:  Owner
    Deletion Policy:  Retain
    Name:             dex-secrets
Status:
  Conditions:
    Last Transition Time:  2024-04-18T09:48:36Z
    Message:               could not get secret data from provider
    Reason:                SecretSyncedError
    Status:                False
    Type:                  Ready
Events:
  Type     Reason        Age                    From              Message
  ----     ------        ---                    ----              -------
  Warning  UpdateFailed  4m40s (x24 over 109m)  external-secrets  error retrieving secret at .data[0], key: kanidm.dex, err: secrets "kanidm.dex" not found
This is also affecting other deployments, and for some reason none of the generated secrets work when trying to log in to the deployments:
woodpecker pre-install-agent-secret-check-jsqrs 0/1 Completed 0 75m
woodpecker woodpecker-agent-5b6945cc7b-8c49l 0/1 CrashLoopBackOff 19 (2m41s ago) 75m
woodpecker woodpecker-agent-5b6945cc7b-nrmmf 0/1 CrashLoopBackOff 19 (2m52s ago) 75m
from homelab.
Same problem for me. I think the kanidm.dex key is never created in the global-secrets ClusterSecretStore.
from homelab.
kanidm.dex should be created by default in the post-install script, could you try running make post-install manually?
from homelab.
Well, the post-install script fails when calling the reset of users with the Python k8s client. It doesn't return the expected JSON payload on stdout as expected, which causes an error on JSON deserialization.
When executing with a remote ssh into the container, I see the JSON payload.
bash-5.2# make postinstall
make: *** No rule to make target 'postinstall'. Stop.
bash-5.2# make post-install
Traceback (most recent call last):
File "/home/cklat/homelab/./scripts/hacks", line 256, in <module>
main()
File "/home/cklat/homelab/./scripts/hacks", line 247, in main
kanidm_login(["admin", "idm_admin"])
File "/home/cklat/homelab/./scripts/hacks", line 158, in kanidm_login
password = reset_kanidm_account_password(account)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/cklat/homelab/./scripts/hacks", line 152, in reset_kanidm_account_password
return json.loads(resp)['password']
^^^^^^^^^^^^^^^^
File "/nix/store/qp5zys77biz7imbk6yy85q5pdv7qk84j-python3-3.11.6/lib/python3.11/json/__init__.py", line 346, in loads
return _default_decoder.decode(s)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/nix/store/qp5zys77biz7imbk6yy85q5pdv7qk84j-python3-3.11.6/lib/python3.11/json/decoder.py", line 340, in decode
raise JSONDecodeError("Extra data", s, end)
json.decoder.JSONDecodeError: Extra data: line 1 column 2 (char 1)
Manual bash inside the container:
kanidmd recover-account --output json admin
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: This is running as uid == 0 (root) which may be a security risk.
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: permissions on /data/server.toml may not be secure. Should be readonly to running uid. This could be a security risk ...
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: WARNING: /data/server.toml has 'everyone' permission bits in the mode. This could be a security risk ...
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: WARNING: /data/server.toml owned by the current uid, which may allow file permission changes. This could be a security risk ...
00000000-0000-0000-0000-000000000000 WARN 🚧 [warn]: WARNING: DB folder /data has 'everyone' permission bits in the mode. This could be a security risk ...
00000000-0000-0000-0000-000000000000 INFO i [info]: Running account recovery ...
{"password":"VU29tSLcAqjccXWez12dQKhKNuPNWcJDcQ34NXK1gGGFSGwN"}
from homelab.
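Why json.loads chokes on that exec stream, and how to parse it defensively, as an added example that is not part of the homelab scripts: the sample output below is constructed from the kanidmd lines quoted above (with a dummy password), and the function names are my own. The key observation is that the stream starts with the zero-filled trace id of the WARN lines, so json.loads parses the first "0" as the number 0 and reports everything after it as "Extra data" at char 1, which is exactly the "line 1 column 2 (char 1)" in the traceback.

```python
import json

# Constructed sample of the combined output of
# `kanidmd recover-account --output json admin` as seen through an exec
# stream: tracing warnings first, the JSON document last. Dummy password.
SAMPLE_OUTPUT = """\
00000000-0000-0000-0000-000000000000 WARN [warn]: This is running as uid == 0 (root) which may be a security risk.
00000000-0000-0000-0000-000000000000 WARN [warn]: permissions on /data/server.toml may not be secure. Should be readonly to running uid. This could be a security risk ...
00000000-0000-0000-0000-000000000000 INFO [info]: Running account recovery ...
{"password":"DUMMY-not-a-real-secret"}
"""


def naive_parse(output: str) -> dict:
    """What the failing script effectively does: json.loads on the whole stream.
    The leading '0' of the trace id parses as the JSON number 0, and the
    decoder then raises JSONDecodeError('Extra data', ..., pos=1)."""
    return json.loads(output)


def naive_parse_fails_with_extra_data(output: str) -> bool:
    """Reproduce the exact failure mode from the traceback (msg and offset)."""
    try:
        naive_parse(output)
    except json.JSONDecodeError as e:
        return e.msg == "Extra data" and e.pos == 1
    return False


def extract_json_object(output: str) -> dict:
    """Return the last line of `output` that parses as a JSON object.

    Tracing lines never form a JSON object, so scanning from the end skips
    them no matter whether they came from stdout or stderr, or were
    interleaved by the exec transport. Only lines that start with '{' are
    tried, so a log line that happens to contain braces mid-line is ignored.
    """
    for line in reversed(output.splitlines()):
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            return obj
    raise ValueError("no JSON object found in command output")


def recover_password(output: str) -> str:
    """Parse recover-account output and return the password, failing loudly
    (rather than with a confusing decode error) if the field is absent."""
    obj = extract_json_object(output)
    password = obj.get("password")
    if not isinstance(password, str) or not password:
        raise ValueError("recover-account output has no 'password' field")
    return password


if __name__ == "__main__":
    print("naive parse reproduces 'Extra data':",
          naive_parse_fails_with_extra_data(SAMPLE_OUTPUT))
    print("recovered password:", recover_password(SAMPLE_OUTPUT))
```

The kubernetes Python client's `stream()` helper returns stdout and stderr concatenated into one string when called with `stderr=True`, and the page does not show whether kanidmd writes its tracing output to stdout or stderr, so passing `stderr=False` may or may not remove the warnings; picking the JSON line out of the stream works either way. Note also that `recover-account` prints the new password in clear text, so anything that logs the raw exec output (a CI job, a debug print) will leak it.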