# gooddata-cn
h
👋 Hello, team! I am getting this error:
"Ignoring ingress because of error while validating ingress class" ingress="gooddata-cn/managed-alpha-org" error="ingress does not contain a valid IngressClass"
$ kubectl -n ingress-nginx get svc ingress-nginx-controller
NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP               PORT(S)                      AGE
ingress-nginx-controller   LoadBalancer   172.20.141.216   ***-2.elb.amazonaws.com   80:32663/TCP,443:30230/TCP   13m
Follow https://www.gooddata.com/developers/cloud-native/doc/1.1/installation/k8s/helm-chart-installation/
-----
# file name: customized-values-gooddata-cn.yaml
deployRedisHA: true
deployPostgresHA: true
dex:
  ingress:
    authHost: 'auth.mydomain.com'
    tls:
      authSecretName: gooddata-cn-auth-tls
license:
  key: "key/***"
-----------
# helm-charts/helmfile-values/values-ingress.yaml
controller:
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      # SSL is terminated on ELB, so HTTP will be used downstream to our services
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: 'http'
      # only 'https' port will use SSL protocol
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: 'https'
      # keep connections open up to 1 hour
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
      #AMC AWS SSL
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: 'arn:aws:acm:us-****'
      # Disable TLS1.1 and lower protocols on TLS handshake
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: 'ELBSecurityPolicy-TLS-1-2-2017-01'
  publishService:
    enabled: true
------------------
#your-org-definition.yaml
apiVersion: controllers.gooddata.com/v1
kind: Organization
metadata:
  name: alpha-org
spec:
  id: alpha
  name: "Alpha, Corp."
  hostname: gooddata.mydomain.com
  adminGroup: adminGroup
  adminUser: admin
  adminUserToken: "$5$O*****"
  tls:
    secretName: alpha-tls
r
Hello Hamid, could you please share more info regarding this issue?
• version of your Kubernetes
• version of ingress-nginx helm chart (esp. did you deploy from helm chart version 4.0.0 or higher?)
• how many ingress controllers do you use? One or more?
• does your deployment contain resources of ingressclass type? (check kubectl get ingressclasses.networking.k8s.io -A)
I will try to simulate your problem and propose a solution
As a quick fix, you may try to add the following annotation to your customized-values-gooddata-cn.yaml:
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
(assuming your ingressclass is called nginx)
h
Thanks, Robert, the annotations solved the issue "ingress does not contain a valid IngressClass"
kubectl get ingressclasses.networking.k8s.io -A
NAME    CONTROLLER             PARAMETERS   AGE
nginx   k8s.io/ingress-nginx   <none>       16h
I did some changes: Removed
    tls:
      authSecretName: gooddata-cn-auth-tls
Still having an issue with
dex:
  ingress:
    authHost: 'auth.mydomain.com'
    tls:
      authSecretName: gooddata-cn-auth-tls
What should be my authHost:
And do I need tls: since I am using TLS terminated on a Load Balancer?
What should 'auth.mydomain.com' point to?
r
definitely not - if you're terminating TLS on your LB, you may remove tls section both in dex.ingress as well as in your organization custom resource (alpha-org).
auth.mydomain.com is a hostname where the authentication endpoint lives - it's common for all organizations.
it should point to your LB as well
h
So two A record entry one for : gooddata.mydomin.com point to LB And auth.mydomain.com point to LB
https://auth.##.dev/dex/auth?response_type=code&client_id=###-a1b6-9f39653ce0b7&scope=openid%20profile&state=fF_###%3D&redirect_uri=http://gooddata.##.dev/login/oauth2/code/gooddata.##.dev&nonce=yKGPskLNavobnrh-fHWqQomuA5hOs1XZSLZQiSgdG8c
404 Not Found nginx
GET /oauth2/authorization/gooddata.##.dev
r
1. you should add the kubernetes.io/ingress.class: nginx annotation also to dex.ingress.annotations
2. make sure the .mydomin.com is the same as .##.dev in your example
3. I can see redirect_uri=http://... - it should use the https scheme. It seems that you're accessing http endpoint and http->https redirect is not in place. Try adding nginx.ingress.kubernetes.io/force-ssl-redirect: "true" to ingress.annotations in customized-values-gooddata-cn.yaml
h
deployRedisHA: true deployPostgresHA: true ingress: annotations: kubernetes.io/ingress.class: nginx kubernetes.io/force-ssl-redirect: true dex: ingress: authHost: 'auth.##.dev' annotations: kubernetes.io/ingress.class: nginx kubernetes.io/force-ssl-redirect: true
Still going to http
https://auth.##.dev/dex/auth?response_type=code&client_id=##&scope=openid%20profile&state=##&redirect_uri=http://gooddata.##.dev/login/oauth2/code/gooddata.##.dev&nonce=0VD74I0fOwx8WHAJ
helm3 upgrade --version 1.1.1 gooddata-cn gooddata/gooddata-cn -f customized-values-gooddata-cn.yaml -n gooddata-cn && kubectl rollout restart deploy -n ingress-nginx
Not help
Is this correct on LB:
controller:
  service:
    targetPorts:
      http: http
      https: http
ERR_TOO_MANY_REDIRECTS When set nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
# file name: customized-values-gooddata-cn.yaml
deployRedisHA: true
deployPostgresHA: true
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
dex:
  ingress:
    authHost: 'auth.##.dev'
    annotations:
    kubernetes.io/ingress.class: nginx
license:
  key: "key/egggg
r
Hi Hamid, it seems that your ingress controller doesn't respect X-Forwarded-* headers coming from your load balancer. Please add the following to helm chart values of ingress-nginx:
controller:
  config:
    # use X-Forwarded-* received from ELB
    use-forwarded-headers: 'true'
    # This should improve performance
    client-body-buffer-size: '1m'
    # This should resolve possible issue with big headers
    proxy-buffer-size: '16k'
Then, redeploy ingress-nginx, perform rollout restart. You should then remove the Organization resource (kubectl -n yournamespace delete org -f your-org-definition.yaml) to clean old data from Gooddata.CN internal databases. One note - I can see you're still running old release 1.1.1 - I suggest upgrading to 1.3.0. If you don't have any data yet, perform a fresh install. Otherwise follow upgrade procedures described in documentation. It seems that the nginx config snippet above is missing in our documentation. I will update it.
helm3 upgrade --version 1.3.0 gooddata-cn gooddata/gooddata-cn -f customized-values-gooddata-cn.yaml -n gooddata-cn
r
great, the issue with http schema in redirect_url is resolved. now please check the Ingress for the Dex (gooddata-cn-dex) if it is OK (it has proper hostname, tls, assigned address pointing to proper load balancer, it has kubernetes.io/ingress.class: nginx annotation)
h
# file name: customized-values-gooddata-cn.yaml
deployRedisHA: true
deployPostgresHA: true
ingress:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
dex:
  ingress:
    authHost: 'auth.atheer.dev'
    annotations:
    kubernetes.io/ingress.class: nginx
license:
  key: "key/eyJ
404 Not Found nginx
still same issue
r
you have wrong indentation in yaml:
dex:
  ingress:
    authHost: 'auth.atheer.dev'
    annotations:
    kubernetes.io/ingress.class: nginx
should be:
dex:
  ingress:
    authHost: 'auth.atheer.dev'
    annotations:
      kubernetes.io/ingress.class: nginx
h
Thanks @Robert Moucha It works. Now ask for email and password
What should be the Email/Password, I don't set any on installation
r
I'm glad to hear you managed to finish installation. As you already have created the first Organization, it's time to configure authentication. Follow the steps in our documentation
h
Unable to resolve Configuration with the provided Issuer of \"https://oauth2.googleapis.com/token\"
Hi @Robert Moucha Can you please look at this issue
{
  "title": "Not Found",
  "status": 404,
  "detail": "404 NOT_FOUND \"User is not registered\"",
  "traceId": "d2c69f02831f516f"
}
r
Hi, the provided Issuer "https://oauth2.googleapis.com/token" is not valid. It should be set to "https://accounts.google.com"
h
I correct that
Now I see it going to Sign in with Google page
When I choose my id it says
{
  "title": "Not Found",
  "status": 404,
  "detail": "404 NOT_FOUND \"User is not registered\"",
  "traceId": "361874644453adf6"
}
I do create users with curl command and Map a User in the Identity Provider to the Organization
curl --request POST \
 --header "Authorization: Bearer $GDC_API_TOKEN" \
 --header 'Content-Type: application/vnd.gooddata.api+json' \
 --data '{
   "data": {
    "id": "Atheer",
    "type": "user",
    "attributes": {
     "authenticationId": "hnarimani@atheerair.com"
    },
    "relationships": {
     "userGroups": {
      "data": [ {
       "id": "adminGroup",
       "type": "userGroup"
      } ]
     }
    }
   }
}' https://gooddata.atheer.dev/api/entities/users
{"detail":"Entity of ID 'StockId(apiId=Atheer, scope=OrganizationScope(organization=alpha))' is already stored in database.","status":400,"title":"Bad Request","traceId":"449837b6e90b5e3c"}%
https://gooddata.atheer.dev/appLogin?redirectTo=%2F
{
  "title": "Not Found",
  "status": 404,
  "detail": "404 NOT_FOUND \"User is not registered\"",
  "traceId": "9d02460143404c3a"
}
r
authenticationId needs to be set to the value of "sub" claim of your authentication provider. In case of google, you may use People API to get google's unique user Id
If you want to get your own id, use people.get method and set resourceName to people/me
h
Thank You, Finally works
r
Great, glad to help.