hello here I have a question that may sound basic but for wh rancher-users #general

Title

# general

worried-electrician-89379

03/21/2023, 1:47 PM

hello here I have a question that may sound basic, but for which I can't find the answer: where does Rancher persist information about the calls made to Rancher API when Rancher server is installed on a pre-existing kubernetes cluster (e.g. thanks to the official Helm chart documented https://ranchermanager.docs.rancher.com/v2.5/reference-guides/installation-references/helm-chart-options) ? there are things which are backed by a kubernetes custom resource, so for those the answer is obvious ...but what about Rancher API resources that are not backed by a k8s CRD ?

big-hydrogen-97240

03/21/2023, 1:49 PM

Can you give an example of a Rancher API CRUD operation that doesn't result in a Kubernetes custom resource being created/retrieved/modified?

worried-electrician-89379

03/21/2023, 1:50 PM

I'm looking specifically at this API call:

/v3/keyCloakOIDCConfigs/keycloakoidc

note that I'm not sure that there is no CRD behind that, I just didn't find any obvious candidate

big-hydrogen-97240

03/21/2023, 1:55 PM

The fact that

/v3

is prepended there means, to me, there is a keycloakoidcconfig.management.cattle.io` CRD being CRUD-ed there. Here is the type in Rancher's code: https://github.com/rancher/rancher/blob/release/v2.7/pkg/apis/management.cattle.io/v3/authn_types.go#L438

I guess the bottom line is that Rancher uses Kubernetes to store its state. I think that is universally true.

worried-electrician-89379

03/21/2023, 1:57 PM

@big-hydrogen-97240 hmm, I can't find no such CRD registered (

kubectl get crds | grep ...

) what component would define that CRD ?

big-hydrogen-97240

03/21/2023, 1:58 PM

Rancher would. I'm not sure what configuration would need to be enabled to start that controller.

worried-electrician-89379

03/21/2023, 2:00 PM

hmm, ok, thanks for the information on what I should expect! I'll keep digging to find out what CRD is behind that ...

big-hydrogen-97240

03/21/2023, 2:03 PM

I'm pretty sure I have the correct CRD kind above. Do you get any GVK information from navigating to

https://<RANCHER_SERVER_URL>/v3/keyCloakOIDCConfigs

in your browser?

Maybe it should be plural:

<http://keycloakoidcconfigs.management.cattle.io|keycloakoidcconfigs.management.cattle.io>

worried-electrician-89379

03/21/2023, 2:09 PM

at this URL, what I get is this:

Copy code

{
  "baseType": "error",
  "code": "MethodNotAllow",
  "message": "Method GET not supported",
  "status": 405,
  "type": "error"
}

big-hydrogen-97240

03/21/2023, 2:10 PM

So your current cluster is not able to CRUD to that URL at all. This means that there is some configuration not set. Like Keycloak is not turned on. Once this is turned on, then you should see something at that URL and see the CRD.

I should say that this is my understanding of how the Rancher API works.

worried-electrician-89379

03/21/2023, 2:28 PM

well, this URL works with a call that does a PUT on

$RANCHER_URL/v3/keyCloakOIDCConfigs/keycloakoidc?action=testAndApply

but indeed, it's possible that I need to toggle something to get this to be possible

/dashboard/c/c-m-4d6zn929/auth/config/keycloakoidc

I see "The Keycloak authentication provider is currently disabled."

14 Views