moon
getting 401 when trying to configure moon2 users
Hi,
I have deployed moon2 using the helm chart, and I have created users and quotas by following the documentation (which, by the way, is absurdly difficult to understand, mixing moon 1 and 2 references).
I have tried to set basic authentication for ingress and now when I go to moon I am getting 401.
Also I do not see X-Moon-Quota header being added to the request but only Authorisation: Basic
This is my ingress config:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    field.cattle.io/publicEndpoints: '...'
    meta.helm.sh/release-name: moon2
    meta.helm.sh/release-namespace: moon
    nginx.ingress.kubernetes.io/auth-realm: Authentication Required - Moon realm
    nginx.ingress.kubernetes.io/auth-secret: moon2-basic-auth
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/configuration-snippet: proxy_set_header X-Moon-Quota
      $remote_user;
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 128m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "1900"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1900"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1900"
  creationTimestamp: "2022-03-15T16:09:52Z"
  generation: 3
  labels:
    app.kubernetes.io/managed-by: Helm
  managedFields:
  - apiVersion: networking.k8s.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:loadBalancer:
          f:ingress: {}
    manager: nginx-ingress-controller
    operation: Update
    time: "2022-03-15T16:10:38Z"
  - apiVersion: extensions/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:field.cattle.io/publicEndpoints: {}
    manager: rancher
    operation: Update
    time: "2022-03-15T16:10:38Z"
  - apiVersion: networking.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:meta.helm.sh/release-name: {}
          f:meta.helm.sh/release-namespace: {}
          f:nginx.ingress.kubernetes.io/auth-realm: {}
          f:nginx.ingress.kubernetes.io/auth-secret: {}
          f:nginx.ingress.kubernetes.io/proxy-body-size: {}
          f:nginx.ingress.kubernetes.io/proxy-connect-timeout: {}
          f:nginx.ingress.kubernetes.io/proxy-read-timeout: {}
          f:nginx.ingress.kubernetes.io/proxy-send-timeout: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/managed-by: {}
      f:spec:
        f:ingressClassName: {}
        f:rules: {}
    manager: Go-http-client
    operation: Update
    time: "2022-03-29T08:49:52Z"
  - apiVersion: networking.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:nginx.ingress.kubernetes.io/auth-type: {}
          f:nginx.ingress.kubernetes.io/configuration-snippet: {}
          f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
      f:spec:
        f:tls: {}
    manager: agent
    operation: Update
    time: "2022-03-29T09:26:13Z"
  name: moon2
  namespace: moon
  resourceVersion: "104443355"
  uid: 3a092290-e4fc-4754-9804-78990ed27392
spec:
  ingressClassName: nginx
  rules:
  - host: moon.dnsname.int
    http:
      paths:
      - backend:
          service:
            name: moon2
            port:
              number: 8080
        path: /
        pathType: Prefix
      - backend:
          service:
            name: moon2
            port:
              number: 4444
        path: /wd/hub/session
        pathType: Exact
      - backend:
          service:
            name: moon2
            port:
              number: 4444
        path: /cypress
        pathType: Prefix
      - backend:
          service:
            name: moon2
            port:
              number: 4444
        path: /playwright
        pathType: Prefix
      - backend:
          service:
            name: moon2
            port:
              number: 4444
        path: /devtools
        pathType: Prefix
      - backend:
          service:
            name: moon2
            port:
              number: 4444
        path: /metrics
        pathType: Prefix
  tls:
  - hosts:
    - moon.dnsname.int
status:
  loadBalancer:
    ingress:
```
@johnqa in our example we are using `moon-basic-auth` secret name with `htpasswd` contents, you have `moon2-basic-auth`. Do you really have a Kubernetes secret like this?
Moon header will be added only after successful authentication. 401 means you are using wrong credentials.
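A diagnostic for the 401 discussed above, as an added example (not code from the Moon project or from anyone in this thread): it checks that the Secret named in the `auth-secret` annotation exists, carries the `auth` key that ingress-nginx reads for its default `auth-file` secret type, and holds a hash matching the credentials being tried. The Ingress and Secret below are constructed in the shape of `kubectl get ... -o json` output, the user names and passwords are made up, and only `{SHA}` htpasswd entries are verified because they can be checked with the standard library.

```python
import base64
import hashlib
import hmac

AUTH_TYPE = "nginx.ingress.kubernetes.io/auth-type"
AUTH_SECRET = "nginx.ingress.kubernetes.io/auth-secret"

def sha_hash(password):
    # htpasswd "{SHA}" scheme: base64 of the raw, unsalted SHA-1 digest.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def htpasswd_users(secret):
    # Decode the htpasswd file stored under the Secret's "auth" key into {user: hash}.
    raw = base64.b64decode(secret["data"]["auth"]).decode()
    return dict(line.split(":", 1) for line in raw.splitlines() if ":" in line)

def diagnose(ingress, secrets, user, password):
    """Return findings that explain a 401; an empty list means the login should pass."""
    meta = ingress["metadata"]
    ann = meta.get("annotations", {})
    if ann.get(AUTH_TYPE) != "basic":
        return ["auth-type annotation is not 'basic'"]
    key = (meta["namespace"], ann.get(AUTH_SECRET, ""))
    secret = secrets.get(key)
    if secret is None:
        return ["secret %s/%s does not exist" % key]
    if "auth" not in secret.get("data", {}):
        return ["secret %s/%s has no 'auth' key" % key]
    users = htpasswd_users(secret)
    if user not in users:
        return ["user %r is not in the secret; it holds: %s" % (user, sorted(users))]
    stored = users[user]
    if not stored.startswith("{SHA}"):
        return ["hash scheme of %r is not handled by this example" % user]
    if not hmac.compare_digest(stored.encode(), sha_hash(password).encode()):
        return ["password does not match the hash stored for %r" % user]
    return []

# Constructed sample data: the Secret holds chart-generated passwords (made-up values),
# while the caller tries a password of their own choosing.
INGRESS = {"metadata": {"name": "moon2", "namespace": "moon", "annotations": {
    AUTH_TYPE: "basic", AUTH_SECRET: "moon2-basic-auth"}}}
GENERATED = "alice:%s\nbob:%s\n" % (sha_hash("generated-1"), sha_hash("generated-2"))
SECRETS = {("moon", "moon2-basic-auth"): {
    "data": {"auth": base64.b64encode(GENERATED.encode()).decode()}}}

if __name__ == "__main__":
    print(diagnose(INGRESS, SECRETS, "alice", "my-own-password"))
    print(diagnose(INGRESS, SECRETS, "alice", "generated-1"))
```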
I have corrected the secret, and now I am getting: 503 Service Temporarily Unavailable
Well, I kind of solved the issue, but I cannot stress enough: update/rewrite your documentation.
In your documentation it is written that if you have multiple users you need multiple quotas. So I created an htpasswd file for users and added the quotas to my values.yaml files. But it seems that when deploying, due to these defined quotas, a password file is created for each of them and a secret with all of them (moon2-basic-auth), so I was trying to log in with my passwords instead of using the generated password.
I still don't understand what is the normal flow for the application, as I would like to have multiple users with multiple quotas on the same namespace, using the passwords I provide.
What is the proper way to change the generated passwords with the one I want?
@johnqa it's documented here: https://aerokube.com/moon/latest/#multiple-namespaces
Yes, and I saw that in the end, but I don't want multiple namespaces, I want multiple quotas on the same namespace, using quotas for monitoring purposes.
And again, why was that at the end of the documentation and not in the same place where quotas are discussed?
This makes configuration of moon a very frustrating experience.
@johnqa using one namespace for all users can be configured by using just the same `namespace` field value in `values.yaml` for every user. So this is a special case of multiple namespaces configuration. Anyway thank you for your feedback. We'll update our documentation accordingly.