Marc Boorshtein

Results 78 comments of Marc Boorshtein

> 2020/04/16 16:06:56 Successfully created certificates

Did you make changes to the dashboard `Deployment`? it doesn't look like it sees the certificate secret. This line should say `Certificate already exists....

can you share your `Deployment` for the dashboard?

that all looks right. so why isn't the container pulling in the cert? going to see if we can get some help from the dashboard team...

can't reproduce this issue. Can you try updating the `arguments` to look like:

```
- --namespace=kubernetes-dashboard-system
- --tls-cert-file=/dashboard.crt
- --tls-key-file=/dashboard.key
```

?

this is different

> at com.tremolosecurity.unison.proxy.auth.openidconnect.OpenIDConnectAuthMech.doGet(OpenIDConnectAuthMech.java:206) ~[unison-auth-openidconnect-1.0.17.jar:?]

This is openunison not being able to verify the certificate for `openunison.k8s.intra`. Since they're on different domains and could be different servers OpenUnison...

Yes. take a look at https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#how-do-i-change-openunisons-certificates. Once the root ca certificate is added to `trusted_certs` you should get past this issue.

in the error on the dashboard, does it just say "unauthorized" or does it say something like "user https://yourhost#youruser doesn't have access to ..."?

if the error just says "Unauthorized", no additional information then the issue is that the API server isn't integrated into OpenUnison (https://github.com/OpenUnison/openunison-k8s-activedirectory#complete-sso-integration-with-kubernetes). If you're in a multi-api server environment you...

in your CR (`kubectl edit openunison orchestra -n openunison`) look for `AD_PORT` in `spec.non_secret_data`. It's likely blank. You need to set the port for AD (usually 636)

@rothgar from our Convo on discord, here's how OpenUnison does multi-cluster SSO https://openunison.github.io/multi_cluster_sso/