401 when configuring s3 #673

Closed
aanogueira opened this issue Mar 13, 2023 · 2 comments
@aanogueira

Hi,

When deploying the chartmuseum Helm chart with the following configuration:

Helm chart values (using 3.9.3):

podAnnotations:
  eks.amazonaws.com/sts-regional-endpoints: "true"

extraArgs:
  - --cache-interval=1m

env:
  open:
    AWS_SDK_LOAD_CONFIG: true
    STORAGE: amazon
    STORAGE_AMAZON_BUCKET: <BUCKET>
    STORAGE_AMAZON_PREFIX:
    STORAGE_AMAZON_REGION: <REGION>
    CHART_POST_FORM_FIELD_NAME: chart
    PROV_POST_FORM_FIELD_NAME: prov
    DEPTH: 2
    DEBUG: true
    LOG_JSON: true
    DISABLE_STATEFILES: true
    ENABLE_METRICS: true
    DISABLE_API: false
    ALLOW_OVERWRITE: false
  existingSecret: chartmuseum-creds
  existingSecretMappings:
    BASIC_AUTH_USER: username
    BASIC_AUTH_PASS: password

service:
  type: NodePort

serviceMonitor:
  enabled: true

serviceAccount:
  create: false
  name: chartmuseum

ingress:
  enabled: true
  pathType: Prefix
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/certificate-arn: <ARN>
  hosts:
    - name: chartmuseum.<DOMAIN>
      path: /

ServiceAccount:

apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: <ROLE>
  name: chartmuseum
  namespace: default

Terraform resources:

resource "aws_s3_bucket" "chartmuseum" {
  bucket = <BUCKET>
}

// <CUSTOM_K8S_IAM_ROLE_MODULE>

data "aws_iam_policy_document" "chartmuseum_policy" {
  statement {
    actions = [
      "s3:ListBucket"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>"
    ]
  }
  statement {
    actions = [
      "s3:DeleteObject",
      "s3:GetObject",
      "s3:PutObject"
    ]
    resources = [
      "arn:aws:s3:::<BUCKET>/*"
    ]
  }
}

When the pod is running I'm getting a loop of 401, such as:

{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[723] Incoming request: /","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}
{"L":"ERROR","T":"2023-03-13T18:05:10.228Z","M":"[723] Request served","path":"/","comment":"","clientIP":"10.4.51.192","method":"GET","statusCode":401,"latency":"21.228µs","reqID":"6e8395d4-98b5-4254-9646-454a15ff1b50"}

Any suggestion on what the problem could be?

Thank you,
André Nogueira

@cbuto
Contributor

cbuto commented Mar 24, 2023

@aanogueira It looks like that 401 is coming from a request sent to the root path "path":"/".

Since you have basic auth configured, the client sending that request needs to authenticate using the username/password you configured ChartMuseum with.
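An added example, not part of the original thread or ChartMuseum's own code: it groups the 401 "Request served" entries in the JSON log format shown in the issue by client IP, method and path, to identify which client is sending the unauthenticated requests described in the comment above. The sample log lines are constructed and the function names are hypothetical.

```python
import json
from collections import Counter

# Constructed sample lines modelled on the LOG_JSON output quoted in the issue.
# IPs, paths, levels and request IDs are made up for illustration.
SAMPLE_LOG = """\
{"L":"DEBUG","T":"2023-03-13T18:05:10.227Z","M":"[1] Incoming request: /","reqID":"a1"}
{"L":"ERROR","T":"2023-03-13T18:05:10.228Z","M":"[1] Request served","path":"/","comment":"","clientIP":"10.0.0.10","method":"GET","statusCode":401,"latency":"21µs","reqID":"a1"}
{"L":"ERROR","T":"2023-03-13T18:05:25.230Z","M":"[2] Request served","path":"/","comment":"","clientIP":"10.0.0.10","method":"GET","statusCode":401,"latency":"19µs","reqID":"a2"}
{"L":"ERROR","T":"2023-03-13T18:05:40.231Z","M":"[3] Request served","path":"/","comment":"","clientIP":"10.0.0.10","method":"GET","statusCode":401,"latency":"20µs","reqID":"a3"}
{"L":"ERROR","T":"2023-03-13T18:05:41.100Z","M":"[4] Request served","path":"/index.yaml","comment":"","clientIP":"10.0.0.22","method":"GET","statusCode":401,"latency":"25µs","reqID":"a4"}
{"L":"INFO","T":"2023-03-13T18:05:42.900Z","M":"[5] Request served","path":"/index.yaml","comment":"","clientIP":"10.0.0.22","method":"GET","statusCode":200,"latency":"3ms","reqID":"a5"}
not-json line from another container
"""


def served_requests(text):
    """Yield completed-request records, skipping non-JSON lines and other messages."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank lines or output from other processes
        if isinstance(rec, dict) and "statusCode" in rec and "path" in rec:
            yield rec


def unauthenticated_sources(text, min_count=2):
    """Count 401s per (clientIP, method, path); keep those seen at least min_count times."""
    hits = Counter(
        (r.get("clientIP", "?"), r.get("method", "?"), r["path"])
        for r in served_requests(text)
        if r["statusCode"] == 401
    )
    return {key: n for key, n in hits.items() if n >= min_count}


if __name__ == "__main__":
    for (ip, method, path), n in sorted(unauthenticated_sources(SAMPLE_LOG).items()):
        print(f"{n:3d} x 401  {method} {path}  from {ip}")
```

With `min_count=1` the output also includes one-off failures, such as a client that sent a request without credentials and then retried successfully.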

@bober2000

> ingress:
>   enabled: true
>   pathType: Prefix
>   annotations:
>     kubernetes.io/ingress.class: alb
>     alb.ingress.kubernetes.io/scheme: internet-facing
>     alb.ingress.kubernetes.io/certificate-arn:
>   hosts:
>     - name: chartmuseum.
>       path: /
>
> Any suggestion on what the problem could be?
>
> Thank you, André Nogueira

Hi.
In my case, in a similar setup, the problem was in the ingress annotation - I had to add

    - name: chartmuseum.<DOMAIN>
      path: /
    - name: chartmuseum.<DOMAIN>
      path: /*

to solve the problem
