How to edit a configuration file in helm with Azure AKS cluster

I am trying to use Azure AD for authentication with the GitLab app. I have set up GitLab in an Azure AKS cluster.
I have registered the GitLab app with Azure. I need to know how to edit the configuration file using the Helm chart.
This is the code that needs to be added to the configuration file:
gitlab_rails['omniauth_providers'] = [
  {
    "name" => "azure_oauth2",
    "args" => {
      "client_id" => "CLIENT ID",
      "client_secret" => "CLIENT SECRET",
      "tenant_id" => "TENANT ID",
    }
  }
]

Hi @ntt03
You need to create a Secret that contains the configuration of the provider.
Then you need to specify the name of the Secret in the omniauth section of the values file that you use for your deployment.

The value in the Secret for Azure AD should look like this in YAML format

name: azure_activedirectory_v2
label: 'Azure AD'
args:
  client_id: "CLIENT ID"
  client_secret: "CLIENT SECRET"
  tenant_id: "TENANT ID"

and the values file snippet

omniauth:
  ...other-options...
  providers:
    - secret: name-of-my-azure-ad-config-secret

Hi @balonik
First, thank you for the instructions. I have created a secret file called azuresecret.yaml and a snippet file called omniauthsnippet.yaml. How do you load them into the Azure AKS cluster?

Thanks

You can use kubectl apply -n your-gitlab-namespace -f azuresecret.yaml.
I suppose you have used Helm to deploy GitLab to the AKS cluster. So after you have changed the values file, run helm upgrade gitlab gitlab/gitlab -f your_values.yaml to update the config.

@balonik
Yes, I used Helm to deploy GitLab to the AKS cluster. I am a newbie to this stuff. I am sorry I have to ask again about this. You also told me to run 'helm upgrade' with the file your_values.yaml. What file are you referring to?

no problem :slight_smile:
I assume your Helm release name is gitlab; if not, change the commands accordingly.
Execute helm get values gitlab > gitlab.yaml, which should fetch your current GitLab configuration.
Edit the gitlab.yaml you just created, find the omniauth: section and edit it to include the snippet from my previous post. If it's not there, add it to the end of the file.

omniauth:
  enabled: true
  providers:
    - secret: name-of-my-azure-ad-config-secret

After that, execute helm upgrade gitlab gitlab/gitlab -f gitlab.yaml, which will push the new config.

Hi @balonik
I applied all the settings as you told me. I can't log in with an AAD username. Is there any configuration/setting I need to enable?

thanks,

The usual username/password login form is used only for LDAP and internal accounts.
If your SSO config is applied, you will get a button 'Azure AD' under the usual username/password login form, which you need to click.
You can use the other available omniauth properties to control auto login and so on.

PS: don't forget to include allowSingleSignOn: ['azure_activedirectory_v2'] under your omniauth section.

Here is my configuration file

helm get values gitlab
USER-SUPPLIED VALUES:
certmanager-issuer:
  email: test@microsoft.com
global:
  hosts:
    domain: mydomain
omniauth:
  allowSingleSignOn: azure_activedirectory_v2
  autolinkldapuser: true
  blockautocreatedusers: true
  providers:
    - secret: /home/tn/azuresecret.yaml

Secrets file
name: azure_activedirectory_v2
label: 'Azure AD'
args:
  client_id: "xxxxxxxxxxxxxxx"
  client_secret: "xxxxxxxxxxxxx"
  tenant_id: "xxxxxxxxxxxx"

The Kubernetes Secret resource defined in your /home/tn/azuresecret.yaml should look like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-azure-ad-v2-provider
type: Opaque
stringData:
  provider:
    name: azure_activedirectory_v2
    label: 'Azure AD'
    args:
      client_id: "xxxxxxxxxxxxxxx"
      client_secret: "xxxxxxxxxxxxx"
      tenant_id: "xxxxxxxxxxxx"

The secret cannot be a path on your filesystem. You need to create it in Kubernetes as I pointed out before: kubectl apply -n your-gitlab-namespace -f /home/tn/azuresecret.yaml

and the providers block should look like:

omniauth:
  providers:
    - secret: my-azure-ad-v2-provider

I got the following error when I try to apply the secret:
$ kubectl apply -n default -f /home/tn/azuresecret.yaml
error: error validating "/home/tn/azuresecret.yaml": error validating data: ValidationError(Secret.stringData.provider): invalid type for io.k8s.api.core.v1.Secret.stringData: got "map", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

$ kubectl apply -n default -f /home/tn/azuresecret.yaml --validate=false
Error from server (BadRequest): error when creating "/home/tn/azuresecret.yaml": Secret in version "v1" cannot be handled as a Secret: v1.Secret.StringData: ReadString: expects " or n, but found {, error found in #10 byte of ...|rovider":{"args":{"c|..., bigger context ...|,"namespace":"default"},"stringData":{"provider":{"args":{"client_id":""337adf8f-9b93-4ac9-8aff-81|...

You are right, I have it wrong.

/home/tn/azuresecret.yaml should be just

name: azure_activedirectory_v2
label: 'Azure AD'
args:
  client_id: "xxxxxxxxxxxxxxx"
  client_secret: "xxxxxxxxxxxxx"
  tenant_id: "xxxxxxxxxxxx"

and then run kubectl create secret generic -n my-gitlab-namespace my-azure-ad-v2-provider --from-file=provider=/home/tn/azuresecret.yaml to create your secret.
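The two mistakes in this thread (a map nested under stringData.provider, and a filesystem path where the values file expects a Secret name) are both easy to catch before running kubectl or helm. The script below is an added example, not part of the original thread or of the GitLab chart; it renders the provider document as the single string the Secret must carry, builds the Secret manifest as JSON (which kubectl accepts, since JSON is valid YAML), and checks a values-file providers block against the Secret names present in the namespace. The provider values and Secret names are constructed placeholders.

```python
import json

# Constructed sample provider config with placeholder credentials (not real values).
PROVIDER = {
    "name": "azure_activedirectory_v2",
    "label": "Azure AD",
    "args": {
        "client_id": "CLIENT ID",
        "client_secret": "CLIENT SECRET",
        "tenant_id": "TENANT ID",
    },
}

REQUIRED_ARGS = ("client_id", "client_secret", "tenant_id")


def provider_yaml(provider: dict) -> str:
    """Render the provider config as the small YAML document the chart reads.

    Only the flat shape used in this thread (name/label/args with scalar values)
    is handled, so no YAML library is needed; json.dumps quotes the scalars safely.
    """
    args = provider.get("args", {})
    for key in REQUIRED_ARGS:
        if key not in args:
            raise ValueError(f"provider args missing {key!r}")
    lines = [
        f"name: {provider['name']}",
        f"label: {json.dumps(provider['label'])}",
        "args:",
    ]
    for key, value in args.items():
        lines.append(f"  {key}: {json.dumps(str(value))}")
    return "\n".join(lines) + "\n"


def secret_manifest(secret_name: str, namespace: str, provider: dict) -> dict:
    """Build the Kubernetes Secret holding the provider document.

    The document is stored as ONE string under stringData['provider'], which is
    what --from-file=provider=... produces; nesting a map there is exactly what
    triggered the 'got "map", expected "string"' ValidationError above.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": secret_name, "namespace": namespace},
        "type": "Opaque",
        "stringData": {"provider": provider_yaml(provider)},
    }


def validate_secret(manifest: dict) -> list:
    """Return problems kubectl would reject (or the chart would silently ignore)."""
    problems = []
    for field in ("stringData", "data"):
        for key, value in manifest.get(field, {}).items():
            if not isinstance(value, str):
                problems.append(f"{field}.{key} must be a string, got {type(value).__name__}")
    has_provider = "provider" in manifest.get("stringData", {}) or "provider" in manifest.get("data", {})
    if not has_provider:
        problems.append("secret has no 'provider' key")
    return problems


def validate_providers_block(providers: list, secret_names: set) -> list:
    """Check the values-file omniauth.providers entries.

    Each 'secret' must be the name of a Secret that exists in the release
    namespace, never a path on the machine running helm.
    """
    problems = []
    for entry in providers:
        ref = entry.get("secret", "")
        if "/" in ref or ref.endswith((".yaml", ".yml")):
            problems.append(f"{ref!r} looks like a file path; use the Secret name")
        elif ref not in secret_names:
            problems.append(f"Secret {ref!r} does not exist in the namespace")
    return problems


if __name__ == "__main__":
    manifest = secret_manifest("my-azure-ad-v2-provider", "my-gitlab-namespace", PROVIDER)
    # Pipe this JSON into `kubectl apply -f -` (assumed usage; kubectl reads JSON manifests).
    print(json.dumps(manifest, indent=2))
    print(validate_providers_block([{"secret": "/home/tn/azuresecret.yaml"}], {"my-azure-ad-v2-provider"}))
```

Running the script prints a Secret manifest whose provider field is a quoted string containing the YAML document, and flags the path-style reference from the thread. The same checks apply to any omniauth provider, not only Azure AD, since the chart reads every provider Secret through the same `provider` key.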

I ran the kubectl create secret generic -n namespace my-azure-ad-v2-provider --from-file=providers=azuresecret.ymal and
helm upgrade gitlab gitlab/gitlab -f gitlab.yaml

I still couldn't log in with an Azure AD username. Are there any log files I can check to see whether it's working or not?