
Hera-SDK failing on custom service account

Open smetal1 opened this issue 1 year ago • 2 comments

Facing an issue while using custom roles in k8s. All access-related privileges seem okay, as I am able to create, update and delete workflows using the Argo Workflows UI, but using hera-sdk we are facing an auth issue.

```
UnauthorizedException: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'Trailer': 'Grpc-Trailer-Content-Type', 'Date': 'Wed, 20 Jul 2022 08:00:59 GMT', 'Transfer-Encoding': 'chunked'})
HTTP response body: {"code":16,"message":"Unauthorized"}
```

The same token, when used on the Argo Workflows UI, works perfectly. Not sure what access level is actually required by hera-sdk.

smetal1 avatar Jul 20 '22 09:07 smetal1

Hi @smetal1! Thank you for submitting the bug. I will take a look at it this week. In the meantime, do you mind telling me more about the setup? Specifically:

  • is the Unauthorized associated with your request from local to the Argo server? Does the infrastructure you are using have some auth interceptor that prevents your request from going through?
  • does it work with the default/argo service account?
  • are you generating the token similar to how it is generated in this example?

flaviuvadan avatar Jul 21 '22 02:07 flaviuvadan

Hi @flaviuvadan, I have used a Kubernetes manifest to create the roles and fetched the access token using kubectl.

  1. I have created a k8s cluster on DigitalOcean and there is no interceptor. As I see in the logs, all the API calls are getting authenticated except workflow.Workflows. There seems to be some issue during workflow creation.
  2. It's not working with the default/argo account.
  3. The following is the k8s manifest that I have used:

```yaml
# give our webhook app (as default:default) permissions to create workflows
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-invocation
  namespace: argo
rules:
  - apiGroups:
      - "argoproj.io"
    resources:
      - "workflows"
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-default-invocation
  namespace: argo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-invocation
subjects:
  - kind: ServiceAccount
    name: default
    namespace: argo
---
# give workflows (as argo:default) permissions to run things
# see https://github.com/argoproj/argo/blob/master/docs/workflow-rbac.md
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-workflow
  namespace: argo
rules:
  # pod get/watch is used to identify the container IDs of the current pod
  # pod patch is used to annotate the step's outputs back to controller (e.g. artifact location)
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - patch
  # logs get/watch are used to get the pods logs for script outputs, and for log archival
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-default-workflow
  namespace: argo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-workflow
subjects:
  - kind: ServiceAccount
    name: default
    namespace: argo
```

smetal1 avatar Jul 21 '22 05:07 smetal1

Circling back to this after a very long time. Any chance you found a solution @smetal1? Was it, perhaps, a missing role binding? Or some permission on a role?

flaviuvadan avatar Oct 13 '22 04:10 flaviuvadan
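The question above (missing role binding, or a missing verb on a role?) is one that can be answered offline against the manifests posted earlier in the thread, before touching the cluster. The following is an added example, not Hera project code and not code from either participant: the manifests are constructed here as Python dicts that mirror the posted YAML, and the evaluator answers, for a ServiceAccount identity, the same question as `kubectl auth can-i VERB RESOURCE -n NS --as=system:serviceaccount:NS:NAME`. The list of verbs it treats as required for submitting a workflow is an assumption for the check, not a documented Hera requirement. Scope is namespaced Role/RoleBinding (and a RoleBinding that references a ClusterRole); ClusterRoleBindings are deliberately left out.

```python
"""Offline RBAC check over the Role/RoleBinding pair posted in this issue.

Added example, not code from Hera or from the thread. Manifests below are
constructed to mirror the posted YAML. ClusterRoleBindings are out of scope.
"""

ROLE_INVOCATION = {
    "kind": "Role",
    "metadata": {"name": "argo-invocation", "namespace": "argo"},
    "rules": [{"apiGroups": ["argoproj.io"], "resources": ["workflows"],
               "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}],
}
BINDING_INVOCATION = {
    "kind": "RoleBinding",
    "metadata": {"name": "default-default-invocation", "namespace": "argo"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "argo-invocation"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "argo"}],
}
ROLE_WORKFLOW = {
    "kind": "Role",
    "metadata": {"name": "argo-workflow", "namespace": "argo"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "patch"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "watch"]},
    ],
}
BINDING_WORKFLOW = {
    "kind": "RoleBinding",
    "metadata": {"name": "argo-default-workflow", "namespace": "argo"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "argo-workflow"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "argo"}],
}
DOCS = [ROLE_INVOCATION, BINDING_INVOCATION, ROLE_WORKFLOW, BINDING_WORKFLOW]

# Assumed minimum for submitting a workflow and reading it back through the
# Argo Server API. Not a documented Hera requirement; confirm for your version.
REQUIRED_FOR_SUBMIT = [
    ("create", "argoproj.io", "workflows"),
    ("get", "argoproj.io", "workflows"),
    ("list", "argoproj.io", "workflows"),
    ("watch", "argoproj.io", "workflows"),
]


def _matches(allowed, wanted):
    """RBAC lists are exact-match; "*" is the only wildcard."""
    return "*" in allowed or wanted in allowed


def _rule_allows(rule, verb, group, resource):
    # The core API group is spelled "" in apiGroups. Subresources such as
    # "pods/log" must be listed explicitly; "pods" does not cover them.
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def _subject_matches(subject, sa_namespace, sa_name):
    kind = subject.get("kind")
    if kind == "ServiceAccount":
        # The namespace is part of the identity: argo:default and
        # default:default are different principals despite the shared name.
        return subject.get("name") == sa_name and subject.get("namespace") == sa_namespace
    if kind == "Group":
        return subject.get("name") in ("system:serviceaccounts",
                                       f"system:serviceaccounts:{sa_namespace}",
                                       "system:authenticated")
    return False


def can_i(docs, sa_namespace, sa_name, verb, group, resource, namespace):
    """True if system:serviceaccount:<sa_namespace>:<sa_name> may perform verb
    on group/resource in `namespace`, judging only by the given manifests."""
    roles = {(d["metadata"]["namespace"], d["metadata"]["name"]): d
             for d in docs if d["kind"] == "Role"}
    cluster_roles = {d["metadata"]["name"]: d for d in docs if d["kind"] == "ClusterRole"}
    for binding in docs:
        if binding["kind"] != "RoleBinding" or binding["metadata"]["namespace"] != namespace:
            continue
        if not any(_subject_matches(s, sa_namespace, sa_name) for s in binding.get("subjects", [])):
            continue
        ref = binding["roleRef"]
        role = (roles.get((namespace, ref["name"])) if ref["kind"] == "Role"
                else cluster_roles.get(ref["name"]))
        if role is None:
            continue  # dangling roleRef: the binding grants nothing
        if any(_rule_allows(r, verb, group, resource) for r in role.get("rules", [])):
            return True
    return False


def missing_permissions(docs, sa_namespace, sa_name, namespace, required=REQUIRED_FOR_SUBMIT):
    """The subset of `required` (verb, group, resource) triples the SA lacks."""
    return [(verb, group, resource) for verb, group, resource in required
            if not can_i(docs, sa_namespace, sa_name, verb, group, resource, namespace)]


if __name__ == "__main__":
    for ns, name in (("argo", "default"), ("default", "default")):
        print(f"{ns}:{name} missing in namespace argo:", missing_permissions(DOCS, ns, name, "argo"))
```

Run against the posted manifests, `argo:default` is missing nothing on workflows in the `argo` namespace, while `default:default` (the identity the manifest's own comment refers to) is missing everything, because the RoleBinding's subject is the ServiceAccount `default` in namespace `argo`, not in `default`. Whichever ServiceAccount the token was minted for is the identity that is evaluated, so that is the first thing to confirm. One further caveat: an HTTP 401 means the credential was not accepted at all, whereas an RBAC denial normally surfaces as 403, so a 401 is worth checking against how the token is generated and sent (a `Bearer ` prefix, the right secret) before changing the Role or RoleBinding.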

Going to close this one, feel free to reopen if this is still an issue!

flaviuvadan avatar Oct 24 '22 14:10 flaviuvadan