AWX k8s LDAP Active directory integration issues


Vish M

Sep 18, 2023, 5:13:53 PM
to AWX Project
Hello all,

I am trying to integrate my AWX 21.11.0 with Active Directory under Settings > LDAP, but it is not working. I have installed AWX using awx-operator in a 2-node k8s cluster.

pods:  kubectl get pods -n awx
NAME                                               READY   STATUS    RESTARTS      AGE
awx-69c4767956-bnjw7                               4/4     Running   0             212d
awx-69c4767956-d89s9                               4/4     Running   0             212d
awx-operator-controller-manager-77c67cb7c6-qjq8s   2/2     Running   3 (60d ago)   102d
awx-postgres-13-0                                  1/1     Running   0             212d

I am using service_type: nodeport
http://10.26.48.153:30082 >>> is my AWX instance

I have enabled debugging: Settings > Logging Settings > Logging Aggregator Level Threshold > DEBUG

logs:
2023-09-18 20:45:17,502 DEBUG    [384d09659a15497da935e586b03c065b] awx.analytics.performance request: <WSGIRequest: GET '/api/login/'>, response_time: 0.053s
10.244.0.0 - - [18/Sep/2023:20:45:17 +0000] "GET /api/login/ HTTP/1.1" 200 5714 "http://10.26.48.153:30082/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
2023-09-18 20:45:17,686 WARNING  [3d3485b5cd5b4498a47ed19edc410297] awx.api.generics Login failed for user user1 from 10.244.0.0
2023-09-18 20:45:17,690 DEBUG    [3d3485b5cd5b4498a47ed19edc410297] awx.analytics.performance request: <WSGIRequest: POST '/api/login/'>, response_time: 0.158s
2023-09-18 20:45:17,690 WARNING  [3d3485b5cd5b4498a47ed19edc410297] django.request Unauthorized: /api/login/
2023-09-18 20:45:17,690 WARNING  [3d3485b5cd5b4498a47ed19edc410297] django.request Unauthorized: /api/login/


As per the logs, I understood: Login failed for user user1 from 10.244.0.0.
10.244.0.0 is not routable in my network. Is this network internal to k8s? What is this network?

I have tried the same settings in k3s (minikube) and LDAP worked, so the password is not the problem. I believe something specific to k8s is the issue. Please let me know if I have missed anything.

How can AD integration work? I am new to k8s.

cat awx.yaml
---
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
  namespace: awx
spec:

  # Set the replicas count to scale AWX pods
  replicas: 2

  admin_user: admin
  admin_password_secret: awx-admin-password
  service_type: nodeport
  nodeport_port: 30082
  postgres_configuration_secret: awx-postgres-configuration
  postgres_storage_class: awx-postgres-volume
  postgres_storage_requirements:
    requests:
      storage: 15Gi
  projects_persistence: true
  projects_existing_claim: awx-projects-claim

Thanks
Vish
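The log excerpt above carries two pieces of information worth extracting automatically: which user failed to log in, and whether the recorded source address is a real client or a cluster-internal one. The following is an added example, not code from the original post or from AWX: it parses `awx.api.generics` "Login failed" lines, counts failures per user and source, and labels a source as cluster-internal when it falls inside the pod network. The pod CIDR 10.244.0.0/16 is an assumption (the kubeadm/flannel default); with a NodePort service and the default `externalTrafficPolicy: Cluster`, kube-proxy SNATs the connection, so an address in that range is the node's pod-network address rather than the client's. The sample lines are constructed, modelled on the excerpt above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the AWX log excerpt in the post above;
# request ids, the second user and the timestamps are made up for this example.
SAMPLE_LOG = """\
2023-09-18 20:45:17,686 WARNING  [3d3485b5cd5b4498a47ed19edc410297] awx.api.generics Login failed for user user1 from 10.244.0.0
2023-09-18 20:45:17,690 WARNING  [3d3485b5cd5b4498a47ed19edc410297] django.request Unauthorized: /api/login/
2023-09-18 20:46:02,101 WARNING  [0a1b2c3d4e5f60718293a4b5c6d7e8f9] awx.api.generics Login failed for user user1 from 10.244.0.0
2023-09-18 20:47:44,337 WARNING  [ffeeddccbbaa99887766554433221100] awx.api.generics Login failed for user svc-backup from 10.26.48.20
2023-09-18 20:48:10,004 DEBUG    [11112222333344445555666677778888] awx.analytics.performance request: <WSGIRequest: POST '/api/login/'>, response_time: 0.158s
"""

# Assumption for this example: the cluster's pod network is 10.244.0.0/16
# (the kubeadm/flannel default). Set this to the CIDR of the cluster in question.
POD_CIDR = ipaddress.ip_network("10.244.0.0/16")

LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING\s+\[(?P<reqid>[0-9a-f]+)\] "
    r"awx\.api\.generics Login failed for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_login_failures(text):
    """Return one dict per 'Login failed' line: timestamp, request id, user, source."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_source(src, pod_cidr=POD_CIDR):
    """'cluster-internal' when the address lies in the pod network (the real client
    address was lost to SNAT on the way through the NodePort), otherwise 'external'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "invalid"
    return "cluster-internal" if addr in pod_cidr else "external"


def summarize(text, pod_cidr=POD_CIDR):
    """Count failures per (user, source) pair and label each source."""
    counts = Counter((e["user"], e["src"]) for e in parse_login_failures(text))
    return [
        {"user": user, "src": src, "failures": n,
         "source_kind": classify_source(src, pod_cidr)}
        for (user, src), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A "cluster-internal" label on every failure is the signal that the source column in AWX's login log cannot be used for lockout or alerting decisions on that deployment; the client address would have to be recovered from a proxy header or by setting `externalTrafficPolicy: Local` on the service.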



Vish M

Sep 19, 2023, 1:49:26 PM
to AWX Project
Hello all,
Can anyone help me on this?

alex

Sep 20, 2023, 1:04:27 AM
to AWX Project
Try to pass your root certs through as a kube secret in the awx namespace. It took me a while to get LDAP working on K8s. Below is from my values file.
    ldap_cacert_secret: awx-ssl-ca-ldap
    bundle_cacert_secret: awx-ssl-ca-custom
    ldap_password_secret: awx-ldap-password

kubectl create secret generic awx-ssl-ca-custom --from-file=bundle-ca.crt=/etc/ssl/certs/ca-bundle.crt --namespace="awx"
kubectl create secret generic awx-ssl-ca-ldap --from-file=ldap-ca.crt=/etc/ssl/certs/ca-bundle.crt --namespace="awx"

Vish M

Sep 20, 2023, 12:50:30 PM
to AWX Project
Hi Alex,

Are these settings (ldap_password_secret, ldap_cacert_secret, bundle_cacert_secret) needed in K8s even though TLS is OFF/DISABLED under AWX UI > Settings > LDAP1?

In minikube (k3s) I didn't do any certs; I went to AWX UI > Settings > LDAP1, just entered the LDAP URI, bind password and groups, and also disabled TLS. That's it, and I am able to authenticate using my Active Directory credentials. So my guess is that with TLS off the same configs should work in K8s too, right? Or are certs mandatory for Active Directory integration with AWX on k8s?

alex

Sep 26, 2023, 12:03:13 PM
to AWX Project
If you have LDAPS or LDAP (389) with StartTLS, you need it. I don't have a deep understanding of the differences between minikube, k3s and k8s. But in my case with K8s, it wasn't passing the certs from the OS in /etc/ssl/certs, so I had to add them with a kube secret.
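The two `kubectl create secret` commands in the earlier reply, and the explanation just above of why the pod needs the CA handed to it explicitly, both come down to one thing: a Secret with exactly the key name the operator expects, holding a PEM bundle that actually contains a certificate. The following is an added example, not code from either reply or from awx-operator: it builds the same Secret manifests `kubectl create secret generic ... --from-file=KEY=FILE` would produce (file bytes base64-encoded under the key), refuses a file with no PEM certificate block, checks an existing manifest for the right key and a decodable certificate, and emits the matching `spec` fields for the AWX custom resource. The secret and key names are the ones shown in the earlier reply; the CA bundle bytes are a constructed stand-in, not a real certificate, and the `ldap_password_secret` name is taken from the reply as well.

```python
import base64
import json
import re

# Constructed stand-in for /etc/ssl/certs/ca-bundle.crt. The body is not a real
# certificate; only the PEM framing matters to the checks in this example.
SAMPLE_CA_BUNDLE = b"""-----BEGIN CERTIFICATE-----
MIIBsampleCAcertificateBodyForThisExampleOnly=
-----END CERTIFICATE-----
"""

PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# AWX spec field -> (secret name, key inside the secret), as in the reply's
# values file and kubectl commands. A mismatched key name is the silent failure
# to look for: the secret exists but the operator never mounts the certificate.
CA_SECRETS = {
    "bundle_cacert_secret": ("awx-ssl-ca-custom", "bundle-ca.crt"),
    "ldap_cacert_secret": ("awx-ssl-ca-ldap", "ldap-ca.crt"),
}


def count_certificates(pem_bytes):
    """Number of PEM certificate blocks in the bundle."""
    return len(PEM_CERT_RE.findall(pem_bytes))


def build_ca_secret(name, key, pem_bytes, namespace="awx"):
    """Manifest equivalent of
    `kubectl create secret generic NAME --from-file=KEY=FILE --namespace=NAMESPACE`.
    Refuses input with no certificate block so an empty or wrong file does not
    become a secret the pod silently fails to trust."""
    if count_certificates(pem_bytes) == 0:
        raise ValueError(f"{key}: no PEM certificate block found")
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(pem_bytes).decode("ascii")},
    }


def check_ca_secret(manifest, expected_key):
    """Validate an existing Secret manifest (e.g. `kubectl get secret NAME -o json`):
    the expected key must be present and must decode to a PEM certificate.
    Returns a list of problems; an empty list means the secret is usable."""
    problems = []
    data = manifest.get("data", {})
    if expected_key not in data:
        problems.append(f"missing key {expected_key!r}; keys present: {sorted(data)}")
        return problems
    try:
        pem = base64.b64decode(data[expected_key], validate=True)
    except ValueError:
        problems.append(f"key {expected_key!r} is not valid base64")
        return problems
    if count_certificates(pem) == 0:
        problems.append(f"key {expected_key!r} holds no PEM certificate")
    return problems


def awx_spec_fragment(ldap_password_secret="awx-ldap-password"):
    """The spec fields on the AWX custom resource that reference the secrets."""
    frag = {field: name for field, (name, _key) in CA_SECRETS.items()}
    frag["ldap_password_secret"] = ldap_password_secret
    return frag


def render_all(pem_bytes, namespace="awx"):
    """JSON manifests for both CA secrets (kubectl apply accepts JSON as well as YAML)."""
    return [json.dumps(build_ca_secret(name, key, pem_bytes, namespace), indent=2)
            for name, key in CA_SECRETS.values()]


if __name__ == "__main__":
    for doc in render_all(SAMPLE_CA_BUNDLE):
        print(doc)
    print(json.dumps(awx_spec_fragment(), indent=2))
```

Run `check_ca_secret` against the JSON of a secret already in the cluster before touching the AWX resource: a wrong key name or a bundle that was copied from a host without the private CA in it is far more common than an operator bug, and both fail with the same unhelpful "Login failed" in the AWX log.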

Vishwanath

Sep 26, 2023, 4:23:06 PM
to awx-p...@googlegroups.com
Thank you Alex. AD integration is working now.
Regards
Vish
