Run authentik using ArgoCD raise validation - geoip #205

Open
lukasz18dg opened this issue Oct 24, 2023 · 0 comments

Comments


lukasz18dg commented Oct 24, 2023

Scenario:

  1. There is a private repository from which Argo reads information about the applications. Argo is installed on an Oracle VPS (Kubernetes).
    In my case I had one application, which reads the other applications in a specific folder: apps.
    Definition:
project: default
source:
  repoURL: '[email protected]:<censored>'
  path: apps
  targetRevision: HEAD
  directory:
    recurse: true
    jsonnet: {}
destination:
  server: 'https://kubernetes.default.svc'
  namespace: argocd
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true
    - Validate=true
    - PruneLast=true
    - RespectIgnoreDifferences=false
    - ApplyOutOfSyncOnly=false
    - ServerSideApply=true
    - Replace=false
  retry:
    limit: 3
    backoff:
      duration: 60s
      factor: 2
      maxDuration: 3m0s

  2. In apps I had a folder: authentik
    That folder has several files, like:
    Chart.yaml
apiVersion: v2
name: goauthentik
description: An Umbrella Helm chart
type: application
version: 0.1.0
appVersion: "1.0"

dependencies:
- name: authentik
  version: 2023.*
  repository: https://charts.goauthentik.io/

aplication.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: authentik
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: authentik
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    name: ''
    namespace: authentik
    server: 'https://kubernetes.default.svc'
  source:
    path: apps/authentik
    repoURL: '[email protected]:<censored>'
    targetRevision: HEAD
    helm:
      valueFiles:
      - values.yaml
  sources: []
  project: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground

values.yaml

replicas: 1
priorityClassName:
securityContext: {}

worker:
  replicas: 1
  priorityClassName:
  securityContext: {}

image:
  repository: ghcr.io/goauthentik/server
  digest: ""
  pullPolicy: IfNotPresent
  pullSecrets: []

initContainers: {}

additionalContainers: {}

ingress:
  enabled: false
  ingressClassName: "traefik-ingress"
  annotations: {
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  }
  labels: {}
  hosts:
    - host: <censored my domain>
      paths:
        - path: "/"
          pathType: Prefix
  tls: []

annotations: {}

podAnnotations: {}

authentik:
  log_level: error
  secret_key: "<censored some value>"
  geoip: /geoip/GeoLite2-City.mmdb
  email:
    host: ""
    port: 587
    username: ""
    password: ""
    use_tls: false
    use_ssl: false
    timeout: 30
    from: ""
  outposts:
    container_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
  error_reporting:
    enabled: false
    environment: "k8s"
    send_pii: false
  redis:
    host: "{{ .Release.Name }}-redis-master"
    password: ""

blueprints: []

# secret, to avoid adding DB connection information here
envFrom:
  - secretRef:
       name: authentik-secret

envValueFrom: {}

service:
  enabled: true
  type: ClusterIP
  port: 80
  name: http
  protocol: TCP
  labels: {}
  annotations: {}

volumes: []

volumeMounts: []

affinity: {}

tolerations: []

nodeSelector: {}

resources:
  server: {}
  worker: {}

autoscaling:
  server:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 50
  worker:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPUUtilizationPercentage: 80

livenessProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  initialDelaySeconds: 5
  periodSeconds: 10

startupProbe:
  enabled: true
  httpGet:
    path: /-/health/live/
    port: http
  failureThreshold: 60
  periodSeconds: 5

readinessProbe:
  enabled: true
  httpGet:
    path: /-/health/ready/
    port: http
  periodSeconds: 10

serviceAccount:
  create: true
  annotations: {}
  serviceAccountSecret:
    enabled: false

geoip:
  enabled: false

prometheus:
  serviceMonitor:
    create: false
    interval: 30s
    scrapeTimeout: 3s
    labels: {}
  rules:
    create: false
    labels: {}

postgresql:
  enabled: false

redis:
  enabled: true

Be aware that I added geoip in the main object, similar to what is described in these places:
https://artifacthub.io/packages/helm/goauthentik/authentik
https://github.com/goauthentik/helm/blob/main/charts/authentik/values.yaml

  3. Commit the changes and check whether Argo correctly runs authentik.

Reality: No, it finished with an error:

ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): `helm template . --name-template authentik --namespace authentik --kube-version 1.27 --values <path to cached source>/apps/authentik/values.yaml --api-versions admissionregistration.k8s.io/v1 --api-versions admissionregistration.k8s.io/v1/MutatingWebhookConfiguration --api-versions admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration --api-versions apiextensions.k8s.io/v1 --api-versions apiextensions.k8s.io/v1/CustomResourceDefinition --api-versions apiregistration.k8s.io/v1 --api-versions apiregistration.k8s.io/v1/APIService --api-versions apps/v1 --api-versions apps/v1/ControllerRevision --api-versions apps/v1/DaemonSet --api-versions apps/v1/Deployment --api-versions apps/v1/ReplicaSet --api-versions apps/v1/StatefulSet --api-versions argoproj.io/v1alpha1 --api-versions argoproj.io/v1alpha1/AppProject --api-versions argoproj.io/v1alpha1/Application --api-versions argoproj.io/v1alpha1/ApplicationSet --api-versions autoscaling/v1 --api-versions autoscaling/v1/HorizontalPodAutoscaler --api-versions autoscaling/v2 --api-versions autoscaling/v2/HorizontalPodAutoscaler --api-versions batch/v1 --api-versions batch/v1/CronJob --api-versions batch/v1/Job --api-versions bitnami.com/v1alpha1 --api-versions bitnami.com/v1alpha1/SealedSecret --api-versions certificates.k8s.io/v1 --api-versions certificates.k8s.io/v1/CertificateSigningRequest --api-versions coordination.k8s.io/v1 --api-versions coordination.k8s.io/v1/Lease --api-versions discovery.k8s.io/v1 --api-versions discovery.k8s.io/v1/EndpointSlice --api-versions events.k8s.io/v1 --api-versions events.k8s.io/v1/Event --api-versions flowcontrol.apiserver.k8s.io/v1beta2 --api-versions flowcontrol.apiserver.k8s.io/v1beta2/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta2/PriorityLevelConfiguration --api-versions 
flowcontrol.apiserver.k8s.io/v1beta3 --api-versions flowcontrol.apiserver.k8s.io/v1beta3/FlowSchema --api-versions flowcontrol.apiserver.k8s.io/v1beta3/PriorityLevelConfiguration --api-versions helm.cattle.io/v1 --api-versions helm.cattle.io/v1/HelmChart --api-versions helm.cattle.io/v1/HelmChartConfig --api-versions k3s.cattle.io/v1 --api-versions k3s.cattle.io/v1/Addon --api-versions longhorn.io/v1beta1 --api-versions longhorn.io/v1beta1/BackingImage --api-versions longhorn.io/v1beta1/BackingImageDataSource --api-versions longhorn.io/v1beta1/BackingImageManager --api-versions longhorn.io/v1beta1/Backup --api-versions longhorn.io/v1beta1/BackupTarget --api-versions longhorn.io/v1beta1/BackupVolume --api-versions longhorn.io/v1beta1/Engine --api-versions longhorn.io/v1beta1/EngineImage --api-versions longhorn.io/v1beta1/InstanceManager --api-versions longhorn.io/v1beta1/Node --api-versions longhorn.io/v1beta1/RecurringJob --api-versions longhorn.io/v1beta1/Replica --api-versions longhorn.io/v1beta1/Setting --api-versions longhorn.io/v1beta1/ShareManager --api-versions longhorn.io/v1beta1/Volume --api-versions longhorn.io/v1beta2 --api-versions longhorn.io/v1beta2/BackingImage --api-versions longhorn.io/v1beta2/BackingImageDataSource --api-versions longhorn.io/v1beta2/BackingImageManager --api-versions longhorn.io/v1beta2/Backup --api-versions longhorn.io/v1beta2/BackupTarget --api-versions longhorn.io/v1beta2/BackupVolume --api-versions longhorn.io/v1beta2/Engine --api-versions longhorn.io/v1beta2/EngineImage --api-versions longhorn.io/v1beta2/InstanceManager --api-versions longhorn.io/v1beta2/Node --api-versions longhorn.io/v1beta2/Orphan --api-versions longhorn.io/v1beta2/RecurringJob --api-versions longhorn.io/v1beta2/Replica --api-versions longhorn.io/v1beta2/Setting --api-versions longhorn.io/v1beta2/ShareManager --api-versions longhorn.io/v1beta2/Snapshot --api-versions longhorn.io/v1beta2/SupportBundle --api-versions longhorn.io/v1beta2/SystemBackup 
--api-versions longhorn.io/v1beta2/SystemRestore --api-versions longhorn.io/v1beta2/Volume --api-versions longhorn.io/v1beta2/VolumeAttachment --api-versions metallb.io/v1alpha1 --api-versions metallb.io/v1alpha1/AddressPool --api-versions metallb.io/v1beta1 --api-versions metallb.io/v1beta1/AddressPool --api-versions metallb.io/v1beta1/BFDProfile --api-versions metallb.io/v1beta1/BGPAdvertisement --api-versions metallb.io/v1beta1/BGPPeer --api-versions metallb.io/v1beta1/Community --api-versions metallb.io/v1beta1/IPAddressPool --api-versions metallb.io/v1beta1/L2Advertisement --api-versions metallb.io/v1beta2 --api-versions metallb.io/v1beta2/BGPPeer --api-versions networking.k8s.io/v1 --api-versions networking.k8s.io/v1/Ingress --api-versions networking.k8s.io/v1/IngressClass --api-versions networking.k8s.io/v1/NetworkPolicy --api-versions node.k8s.io/v1 --api-versions node.k8s.io/v1/RuntimeClass --api-versions policy/v1 --api-versions policy/v1/PodDisruptionBudget --api-versions postgresql.cnpg.io/v1 --api-versions postgresql.cnpg.io/v1/Backup --api-versions postgresql.cnpg.io/v1/Cluster --api-versions postgresql.cnpg.io/v1/Pooler --api-versions postgresql.cnpg.io/v1/ScheduledBackup --api-versions rbac.authorization.k8s.io/v1 --api-versions rbac.authorization.k8s.io/v1/ClusterRole --api-versions rbac.authorization.k8s.io/v1/ClusterRoleBinding --api-versions rbac.authorization.k8s.io/v1/Role --api-versions rbac.authorization.k8s.io/v1/RoleBinding --api-versions scheduling.k8s.io/v1 --api-versions scheduling.k8s.io/v1/PriorityClass --api-versions storage.k8s.io/v1 --api-versions storage.k8s.io/v1/CSIDriver --api-versions storage.k8s.io/v1/CSINode --api-versions storage.k8s.io/v1/CSIStorageCapacity --api-versions storage.k8s.io/v1/StorageClass --api-versions storage.k8s.io/v1/VolumeAttachment --api-versions traefik.containo.us/v1alpha1 --api-versions traefik.containo.us/v1alpha1/IngressRoute --api-versions traefik.containo.us/v1alpha1/IngressRouteTCP 
--api-versions traefik.containo.us/v1alpha1/IngressRouteUDP --api-versions traefik.containo.us/v1alpha1/Middleware --api-versions traefik.containo.us/v1alpha1/MiddlewareTCP --api-versions traefik.containo.us/v1alpha1/ServersTransport --api-versions traefik.containo.us/v1alpha1/TLSOption --api-versions traefik.containo.us/v1alpha1/TLSStore --api-versions traefik.containo.us/v1alpha1/TraefikService --api-versions traefik.io/v1alpha1 --api-versions traefik.io/v1alpha1/IngressRoute --api-versions traefik.io/v1alpha1/IngressRouteTCP --api-versions traefik.io/v1alpha1/IngressRouteUDP --api-versions traefik.io/v1alpha1/Middleware --api-versions traefik.io/v1alpha1/MiddlewareTCP --api-versions traefik.io/v1alpha1/ServersTransport --api-versions traefik.io/v1alpha1/ServersTransportTCP --api-versions traefik.io/v1alpha1/TLSOption --api-versions traefik.io/v1alpha1/TLSStore --api-versions traefik.io/v1alpha1/TraefikService --api-versions v1 --api-versions v1/ConfigMap --api-versions v1/Endpoints --api-versions v1/Event --api-versions v1/LimitRange --api-versions v1/Namespace --api-versions v1/Node --api-versions v1/PersistentVolume --api-versions v1/PersistentVolumeClaim --api-versions v1/Pod --api-versions v1/PodTemplate --api-versions v1/ReplicationController --api-versions v1/ResourceQuota --api-versions v1/Secret --api-versions v1/Service --api-versions v1/ServiceAccount --include-crds` failed exit status 1: Error: template: goauthentik/charts/authentik/templates/worker-deployment.yaml:28:43: executing "goauthentik/charts/authentik/templates/worker-deployment.yaml" at <include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: goauthentik/charts/authentik/templates/secret.yaml:13:10: executing "goauthentik/charts/authentik/templates/secret.yaml" at <$.Values.geoip.enabled>: can't evaluate field enabled in type interface {} Use --debug flag to render out invalid YAML

It seems the most important information is:

<include (print $.Template.BasePath "/secret.yaml") .>: error calling include: template: goauthentik/charts/authentik/templates/secret.yaml:13:10: executing "goauthentik/charts/authentik/templates/secret.yaml" at <$.Values.geoip.enabled>: can't evaluate field enabled in type interface {} Use --debug flag to render out invalid YAML

And as far as I understood, in this place:
https://github.com/goauthentik/helm/blob/9faeb471a4be825b617443ffb3b2c1f9f8f14f51/charts/authentik/templates/secret.yaml#L12C1-L12C1
we add information from Values.authentik and include it in secret.yaml.
In line 13 we try to read information from values; however, geoip is outside the authentik "object", and that is the reason why the error is raised?

@lukasz18dg lukasz18dg changed the title Run authentik using ArgoCD raise validation Run authentik using ArgoCD raise validation - geoip Oct 24, 2023
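As an added example (not part of the issue and not code from the authentik project), here is a small Python preflight that applies Helm's value-scoping rule for chart dependencies: a dependency chart receives only the umbrella values that sit under the key named after it (plus `global`). Applied to the umbrella layout posted above, the authentik subchart's `.Values` becomes the umbrella's `authentik:` block, so the subchart's `.Values.geoip` is the string `/geoip/GeoLite2-City.mmdb` rather than a map with `enabled`, which is what `$.Values.geoip.enabled` in secret.yaml trips over. The two values dicts are constructed, abbreviated forms of the posted values.yaml (as a YAML parser would load them); `DEP_NAME`, `subchart_values`, `lookup` and `check_geoip` are this example's own names.

```python
"""Preflight check for Helm umbrella-chart value scoping.

Helm hands a dependency chart only the umbrella's values that sit under the
dependency's name (plus ``global``). A values.yaml that copies the authentik
chart's own top-level keys into the umbrella chart is therefore re-scoped:
the subchart's ``.Values.geoip`` becomes the umbrella's ``authentik.geoip``,
here the string "/geoip/GeoLite2-City.mmdb", and ``$.Values.geoip.enabled``
cannot be evaluated.
"""
from typing import Any, Dict, Optional

DEP_NAME = "authentik"  # name of the dependency in the umbrella Chart.yaml

# Constructed, abbreviated form of the values.yaml posted in the issue, as a
# YAML parser would load it (only the keys relevant to the error are kept).
UMBRELLA_VALUES_AS_POSTED: Dict[str, Any] = {
    "replicas": 1,
    "authentik": {
        "log_level": "error",
        "secret_key": "<censored>",
        "geoip": "/geoip/GeoLite2-City.mmdb",
        "redis": {"host": "{{ .Release.Name }}-redis-master", "password": ""},
    },
    "geoip": {"enabled": False},
    "postgresql": {"enabled": False},
    "redis": {"enabled": True},
}

# The same settings nested under the dependency name, so the subchart sees
# the chart's own layout: geoip.enabled at its root, app config under authentik.
UMBRELLA_VALUES_FIXED: Dict[str, Any] = {
    "authentik": {
        "replicas": 1,
        "authentik": {
            "log_level": "error",
            "secret_key": "<censored>",
            "geoip": "/geoip/GeoLite2-City.mmdb",
            "redis": {"host": "{{ .Release.Name }}-redis-master", "password": ""},
        },
        "geoip": {"enabled": False},
        "postgresql": {"enabled": False},
        "redis": {"enabled": True},
    },
}


def subchart_values(umbrella: Dict[str, Any], dep_name: str) -> Dict[str, Any]:
    """Return the .Values a dependency chart receives from the umbrella chart.

    Mirrors Helm's scoping rule: the key named after the dependency becomes
    the subchart's root, and ``global`` is passed through unchanged.
    """
    scoped = umbrella.get(dep_name)
    if scoped is None:
        scoped = {}
    if not isinstance(scoped, dict):
        raise TypeError(
            f"values for dependency {dep_name!r} must be a map, got {type(scoped).__name__}"
        )
    out = dict(scoped)
    if "global" in umbrella:
        out["global"] = umbrella["global"]
    return out


def lookup(values: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted Go-template field path such as ``geoip.enabled``.

    Raises TypeError, worded like Helm's template error, when a path segment
    lands on a scalar instead of a map.
    """
    node: Any = values
    for field in path.split("."):
        if not isinstance(node, dict):
            raise TypeError(f"can't evaluate field {field} in type {type(node).__name__}")
        node = node.get(field)
    return node


def check_geoip(umbrella: Dict[str, Any], dep_name: str = DEP_NAME) -> Optional[str]:
    """Evaluate secret.yaml's ``$.Values.geoip.enabled`` as the subchart would.

    Returns None when the lookup works and yields a bool, else the error text.
    """
    try:
        enabled = lookup(subchart_values(umbrella, dep_name), "geoip.enabled")
    except TypeError as exc:
        return str(exc)
    if not isinstance(enabled, bool):
        return f"geoip.enabled should be a bool, got {enabled!r}"
    return None


if __name__ == "__main__":
    for label, vals in (("as posted", UMBRELLA_VALUES_AS_POSTED), ("fixed", UMBRELLA_VALUES_FIXED)):
        print(f"{label}: {check_geoip(vals) or 'ok'}")
```

Run against the posted layout the check reports the same `can't evaluate field enabled` failure as the Argo manifest-generation error; against the nested layout it passes. The same scoping applies to every other key in the file (`postgresql.enabled`, `redis.enabled`, `envFrom`, the probes), so moving only `geoip` is not enough. One caveat a practitioner would add while restructuring: the umbrella values.yaml is committed to the repository Argo reads, and it currently carries `authentik.secret_key` inline; the `envFrom` secretRef already used for the DB can carry it instead (authentik reads it from `AUTHENTIK_SECRET_KEY`), keeping the key out of git history.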