# general

worried-electrician-89379

03/21/2023, 1:47 PM
Hello, here I have a question that may sound basic, but for which I can't find the answer: where does Rancher persist information about the calls made to the Rancher API when Rancher server is installed on a pre-existing Kubernetes cluster (e.g. thanks to the official Helm chart documented at https://ranchermanager.docs.rancher.com/v2.5/reference-guides/installation-references/helm-chart-options)? There are things which are backed by a Kubernetes custom resource, so for those the answer is obvious... but what about Rancher API resources that are not backed by a k8s CRD?

big-hydrogen-97240

03/21/2023, 1:49 PM
Can you give an example of a Rancher API CRUD operation that doesn't result in a Kubernetes custom resource being created/retrieved/modified?

worried-electrician-89379

03/21/2023, 1:50 PM
I'm looking specifically at this API call: `/v3/keyCloakOIDCConfigs/keycloakoidc`
Note that I'm not sure that there is no CRD behind that, I just didn't find any obvious candidate.

big-hydrogen-97240

03/21/2023, 1:55 PM
The fact that `/v3` is prepended there means, to me, there is a `keycloakoidcconfig.management.cattle.io` CRD being CRUD-ed there. Here is the type in Rancher's code: https://github.com/rancher/rancher/blob/release/v2.7/pkg/apis/management.cattle.io/v3/authn_types.go#L438
I guess the bottom line is that Rancher uses Kubernetes to store its state. I think that is universally true.

worried-electrician-89379

03/21/2023, 1:57 PM
@big-hydrogen-97240 hmm, I can't find any such CRD registered (`kubectl get crds | grep ...`). What component would define that CRD?

big-hydrogen-97240

03/21/2023, 1:58 PM
Rancher would. I'm not sure what configuration would need to be enabled to start that controller.

worried-electrician-89379

03/21/2023, 2:00 PM
hmm, ok, thanks for the information on what I should expect! I'll keep digging to find out what CRD is behind that ...

big-hydrogen-97240

03/21/2023, 2:03 PM
I'm pretty sure I have the correct CRD kind above. Do you get any GVK information from navigating to `https://<RANCHER_SERVER_URL>/v3/keyCloakOIDCConfigs` in your browser?
Maybe it should be plural: `keycloakoidcconfigs.management.cattle.io`

worried-electrician-89379

03/21/2023, 2:09 PM
at this URL, what I get is this:
```json
{
  "baseType": "error",
  "code": "MethodNotAllow",
  "message": "Method GET not supported",
  "status": 405,
  "type": "error"
}
```

big-hydrogen-97240

03/21/2023, 2:10 PM
So your current cluster is not able to CRUD to that URL at all. This means that there is some configuration not set. Like Keycloak is not turned on. Once this is turned on, then you should see something at that URL and see the CRD.
I should say that this is my understanding of how the Rancher API works.

worried-electrician-89379

03/21/2023, 2:28 PM
Well, this URL works with a call that does a PUT on `$RANCHER_URL/v3/keyCloakOIDCConfigs/keycloakoidc?action=testAndApply`, but indeed, it's possible that I need to toggle something to get this to be possible.
At `/dashboard/c/c-m-4d6zn929/auth/config/keycloakoidc` I see "The Keycloak authentication provider is currently disabled."