Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Operator Helper fails to work with limited licenses #749

Open
tankbusta opened this issue Oct 19, 2023 · 2 comments
Open

Operator Helper fails to work with limited licenses #749

tankbusta opened this issue Oct 19, 2023 · 2 comments

Comments

@tankbusta
Copy link

In some instances, a LogScale license cannot create additional accounts. The code below attempts to locate the default user in a single org environment by looking for the username admin. However, by default (docs) the username is user and thus the helper code will attempt to create a user when the license prevents it.

humio-operator/images/helper/main.go

Lines 166 to 170 in c67d431

if user.Username == adminAccountUserName {
fmt.Printf("Found user ID using single-organization query.\n")
return user.Id, nil
}
}

This will lead to the helper spamming with the following error

Got err trying to obtain user ID of admin user: License does not allow adding users. Please contact Humio support.
Could not validate existing admin secret: Unable to validate if kubernetes secret logscale-admin-token holds a valid humio API token
Continuing to create/update token.
Got err trying to obtain user ID of admin user: License does not allow adding users. Please contact Humio support.
Could not validate existing admin secret: Unable to validate if kubernetes secret logscale-admin-token holds a valid humio API token
Continuing to create/update token.

You can work around this today by setting SINGLE_USER_USERNAME to admin but it might make sense to update this check to look for both admin & user.
@SaaldjorMike
Copy link
Member

FWIW this only affects clusters using single user auth mode. The goal is that #717 ends up completely removing the humio-auth sidecar we currently have.

@SaaldjorMike
Copy link
Member

With #717 merged, we no longer use the humio-auth sidecar, but we do still create a user with the username "admin" for now. Initially I thought we'd also remove that user as part of that work (hence linking to that PR from this issue), but we did not, so there's still some work left to do.

What we need to do here is to essentially replace all uses of that "admin" user for a HumioCluster resource with some permission token(s). Today, the way we create the "admin" user is using a bootstrap token, and we can probably just replace this with creating some permission token(s).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tankbusta @SaaldjorMike