This repository has been archived by the owner on Jan 31, 2023. It is now read-only.

Integration with traefik ingressroute #44

Closed
ddellarocca opened this issue May 28, 2021 · 6 comments

Comments

@ddellarocca

Hi,
I'm trying to deploy openunison in an eks cluster with traefik ingressroute and a certificate signed with cert-manager.
The ingressroute config is the following:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: openunison
  namespace: openunison
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`ou.example.com`)
    services:
    - name: openunison-orchestra
      port: 443
  - kind: Rule
    match: Host(`ds.example.com`)
    services:
    - name: openunison-orchestra
      port: 443
  - kind: Rule
    match: Host(`api.example.com`)
    services:
    - name: openunison-orchestra
      port: 443
  tls:
    secretName: openunison-tls-certificate

With this configuration, if I reach https://ou.example.com/ I get Internal Server Error; if I change the port in each rule from 443 to 80 I can reach the openunison dashboard correctly, but I can't use kubectl because of this error: 2021/05/28 15:39:27 http: panic serving 127.0.0.1:54726: oidc: issuer did not match the issuer returned by provider, expected "https://ou.example.com/auth/idp/k8s-login-cli" got "http://ou.example.com/auth/idp/k8s-login-cli".

I'm guessing that the problem is related to traefik refusing to expose an endpoint if the service certificate is invalid (self signed in this case) when using https to connect to the service.

I've also tested in a local cluster with kind, and if I set insecureskipverify in traefik it works correctly, but I can't set that flag on the production cluster.
Is there a way to work around this issue?

PS: the secret openunison-tls-certificate is the certificate created by cert-manager, and it is valid.

@mlbiam
Contributor

mlbiam commented May 28, 2021

With this configuration, if I reach https://ou.example.com/ I get Internal Server Error

Is that coming from OpenUnison or traefik? If it's from OpenUnison, is there a stack trace in the pod's logs?

oidc: issuer did not match the issuer returned by provider, expected "https://ou.example.com/auth/idp/k8s-login-cli" got "http://ou.example.com/auth/idp/k8s-login-cli"

This is a known issue that has been fixed in 1.0.23 (should be released by Tuesday): TremoloSecurity/OpenUnison#549

@ddellarocca
Author

ddellarocca commented May 28, 2021

Is that coming from OpenUnison or traefik? If it's from OpenUnison, is there a stack trace in the pod's logs?

It's coming from traefik; the pod never gets the request. If I set up traefik with the insecureskipverify flag it correctly forwards to the openunison pod and all works. As I mentioned before, I think the problem is related to traefik refusing openunison's self-signed cert.

This is a known issue that has been fixed in 1.0.23 (should be released by Tuesday): TremoloSecurity/OpenUnison#549

Great news, I'll test as soon as it gets released then.

@mlbiam
Contributor

mlbiam commented May 28, 2021

It's coming from traefik; the pod never gets the request. If I set up traefik with the insecureskipverify flag it correctly forwards to the openunison pod and all works. As I mentioned before, I think the problem is related to traefik refusing openunison's self-signed cert.

Can you tell traefik to trust the unison-tls Secret in the openunison namespace?

@ddellarocca
Author

Can you tell traefik to trust the unison-tls Secret in the openunison namespace?

Unfortunately I didn't find any options to do that.
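As an added example (not from this thread, nor from the OpenUnison or Traefik projects), the place where Traefik v2.4+ configures trust in a backend's certificate is the ServersTransport CRD; the weak setting is shown beside the one that keeps verification on and pins a CA, attached to the ou.example.com route from the question. Assumed: Traefik 2.4 or later, a secret openunison-backend-ca (constructed name) in the openunison namespace holding the backend CA under a tls.ca or ca.crt key (the unison-tls secret mentioned above is a kubernetes.io/tls secret with tls.crt/tls.key, so its certificate would have to be copied into such a key), and that the backend certificate carries a name matching serverName.

```yaml
# Weak setting: backend certificate verification is disabled entirely
# (what the thread reports works on the kind cluster, but not acceptable
# for production).
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: openunison-insecure
  namespace: openunison
spec:
  insecureSkipVerify: true
---
# Hardened setting: verification stays on, and only the backend's own CA
# is trusted. Assumed: the secret openunison-backend-ca (constructed name)
# holds the CA certificate under the key tls.ca (Traefik also reads ca.crt).
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: openunison-backend
  namespace: openunison
spec:
  # Assumed to match a SAN/CN in the backend certificate; adjust to what
  # the certificate actually carries.
  serverName: openunison-orchestra.openunison.svc
  rootCAsSecrets:
    - openunison-backend-ca
---
# The IngressRoute from the question with the hardened transport attached
# to the service (one route shown; the ds/api routes are configured alike).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: openunison
  namespace: openunison
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`ou.example.com`)
    services:
    - name: openunison-orchestra
      port: 443
      scheme: https
      serversTransport: openunison-backend
  tls:
    secretName: openunison-tls-certificate
```

Before relying on serverName, check which names the backend certificate actually presents (for example `openssl x509 -noout -text` on the tls.crt from the unison-tls secret); a mismatch fails verification even with the CA trusted.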

@mlbiam
Contributor

mlbiam commented Jun 1, 2021

Assuming traefik adds the X-Forwarded-Proto header, you can now add networking.force_redirect_to_tls: false to your values.yaml and, after updating your local helm repo, upgrade your openunison and orchestra deployments.

@ddellarocca
Author

In the end we switched to kube-oidc-proxy because we would enable that anyway in openunison.
