Default user is unauthorized

[divad1196]

Bug description 🐞

I want to try terrakube. (The only explanation provide is using gitpod which I don't want to use).
I am unable to do any action using the default created user admin@exemple.com

Steps to reproduce

1. I installed a K8S cluster using k3d
2. I used the official helm chart as it is, without modifying it
3. I accessed the default host http://terrakube-ui.minikube.net and logged in using admin@exemple.com + admin combination
4. I opened the "create an organisation" menu, put a name and clicked "Create organisation"
5. Got silently refused with 401

Expected behavior

1. Use helm chart
2. Log using default user
3. Be able to do some operations from the UI.

Example repository

No response

Anything else?

As mentionned, I would prefer a documentation that is not related to any particular tool.
The "Getting started" should only rely on embedded UI and raw query example (e.g. using curl).

[alfespa17]

There are several ways you could test it.

For example you could use minikube, you can check the documentation here.

https://docs.terrakube.io/getting-started/deployment/minikube

The best way to test it is using https so you can use the terraform remote state locally like this:

https://docs.terrakube.io/getting-started/deployment/minikube-+-https

https://github.com/orgs/AzBuilder/discussions/548

I never used k3d but if you are receiving 401 maybe the error is related to your ingress, probably it is not forwarding the authorization header to the API.

For example when using minikube we add some configuration in the ingress to forward the authorization header like this:

https://github.com/AzBuilder/terrakube-helm-chart/blob/main/charts/terrakube/values.yaml#L226

## Ingress properties
ingress:
  useTls: false
  includeTlsHosts: true
  ui:
    enabled: true
    domain: "terrakube-ui.minikube.net"
    path: "/"
    pathType: "Prefix"
    tlsSecretName: tls-secret-ui-terrakube
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
  api:
    enabled: true
    domain: "terrakube-api.minikube.net"
    path: "/"
    pathType: "Prefix"
    tlsSecretName: tls-secret-api-terrakube
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
  registry:
    enabled: true
    domain: "terrakube-reg.minikube.net"
    path: "/"
    pathType: "Prefix"
    tlsSecretName: tls-secret-reg-terrakube
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"
  dex:
    enabled: true
    path: "/dex/"
    pathType: "Prefix"
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header Authorization $http_authorization;"

I hope this can help you

[alfespa17]

By the way I found that k3s is using traefik ingress, so in that case you will have to change the ingress annotations because by default it is using nginx ingress annotations.

[divad1196]

@alfespa17 Hi, thank you for the fast response.
You are probably right about k3d, so I switched for the minikube documentation which is the kind of documentation I wanted.

But there is an issue:

It seems to be related to this issue:
kubernetes/kubernetes#126811

Have you tried the minikube deployment recently?

[alfespa17]

Hello @divad1196

I am using the following and it is working without any issue:

user@pop-os:~$ minikube version
minikube version: v1.31.2
commit: fd7ecd9c4599bef9f04c0986c4a0187f98a4396e
user@pop-os:~$ minikube start
😄  minikube v1.31.2 on Debian bookworm/sid
✨  Using the virtualbox driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🔄  Restarting existing virtualbox VM for "minikube" ...
❗  Image was not built for the current minikube version. To resolve this you can delete and recreate your minikube cluster using the latest images. Expected minikube version: v1.30.1 -> Actual minikube version: v1.31.2
❗  This VM is having trouble accessing https://registry.k8s.io
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳  Preparing Kubernetes v1.27.4 on Docker 20.10.23 ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image registry.k8s.io/ingress-nginx/controller:v1.8.1
    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
    ▪ Using image registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20230407
🔎  Verifying ingress addon...
🌟  Enabled addons: storage-provisioner, default-storageclass, ingress
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default
user@pop-os:~$ kubect get pods -n terrakube
kubect: command not found
user@pop-os:~$ kubectl get pods -n terrakube
NAME                                  READY   STATUS    RESTARTS      AGE
redis-external-master-0               1/1     Running   5 (76s ago)   23d
terrakube-api-8687c9cd4-nb5kr         0/1     Running   1 (76s ago)   23h
terrakube-dex-6f7875489f-lfqd5        1/1     Running   1 (76s ago)   23h
terrakube-executor-747f5c68d6-db5k8   0/1     Running   1 (76s ago)   23h
terrakube-minio-55d589b78b-z7gjv      1/1     Running   1 (76s ago)   23h
terrakube-openldap-765cb969f5-j7b9x   1/1     Running   1 (76s ago)   23h
terrakube-postgresql-0                1/1     Running   1 (76s ago)   23h
terrakube-redis-master-0              1/1     Running   1 (76s ago)   23h
terrakube-registry-6c5c6447cb-x5p7k   0/1     Running   1 (76s ago)   23h
terrakube-ui-7784849978-xjf7s         1/1     Running   1 (76s ago)   23h

[divad1196]

@alfespa17 I don't see the helm command in your response. This is when I use the helm chart that the error arise.

Also, I will check the minikube version but it may be newer than yours since I installed minikube yesterday

[alfespa17]

I used the same steps from the documentation:

The final command to install terrakube is the following:

helm install terrakube terrakube-repo/terrakube -n terrakube

[alfespa17]

I did some test with minikube v1.32.0, I found the same issue "Snippet directives are disabled by the Ingress administrator"

Edit ingres-nginx-controller configMap in namespace ingress-nginx and add the following "allow-snippet-annotations: 'true'"

I was able to fix the deployment after adding that option, it will look like this:

user@pop-os:~$ kubectl get configmap ingress-nginx-controller -n ingress-nginx -o yaml
apiVersion: v1
data:
  allow-snippet-annotations: "true"
  hsts: "false"
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"hsts":"false"},"kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx-controller","namespace":"ingress-nginx"}}
  creationTimestamp: "2023-12-04T15:43:53Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    k8slens-edit-resource-version: v1
  name: ingress-nginx-controller
  namespace: ingress-nginx
  resourceVersion: "2324"
  uid: 49f64d51-0245-4fd3-a122-35cc19c9770c

[divad1196]

@alfespa17 Hi. Thank you again.
Ultimately, I found how I could allow this on minikube, but the reason why it is disable is that snippet config are not safe.

It is okay for testing purpose, but the helm chart won't be usable in a production environment.
A more stable solution would be better.

[alfespa17]

Your are right I will try to find a better way to forward the auth token when deploying in minikube, I created a new issue for that.

I guess that will be only an issue when using nginx ingress because the default configuration can be override so you can use any other kubernetes ingress.

I think you were able to fix your initial issue using "allow-snippet-annotations" so I will close this issue, feel free to open a new one if you find any other problem.