Google Cloud SCIM Bridge Upgrade

xeomonk · May 2023

Hi,
I'm following these instructions to upgrade our SCIM bridge in GCP https://support.1password.com/scim-update/#google-cloud-platform but I am running into an issue when I set the image.

ty@cloudshell:~ (it-gag)$ kubectl set image deploy/op-scim-bridge-3-op-scim-bridge op-scim-bridge-3-op-scim-bridge=1password/scim:v2.8.1 -n 1password
error: unable to find container named "op-scim-bridge-3-op-scim-bridge"
ty@cloudshell:~ (tt-gag)$

The container exists, but I'm not sure why I am getting this error.

ty@cloudshell:~ (it-gag)$ kubectl get deployments -n 1password
NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
op-scim-bridge-3-op-scim-bridge   1/1     1            1           59d
op-scim-bridge-3-op-scim-redis    1/1     1            1           59d
ty@cloudshell:~ (it-gag)$

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

hemal.g_1p · May 2023

Hi @xeomonk ,

Thank you for reaching out.
You would need to modify your command slightly.
To get your container name, use this command: "kubectl describe deployment {deployment-name}"
Then run command "kubectl set image deploy/op-scim-bridge-1-op-scim-bridge {container_Name}=1password/scim:v2.8.1 -n 1password"

Give this a try and let us know how it goes.

xeomonk · May 2023

The commands you suggested did not work. When I enter in "kubectl describe deployment op-scim-bridge-3-op-scim-bridge", this is the output below.

ty@cloudshell:~ (it-gag)$ kubectl describe deployment op-scim-bridge-3-op-scim-bridge
Error from server (NotFound): deployments.apps "op-scim-bridge-3-op-scim-bridge" not found
ty@cloudshell:~ (it-gag)$

In order to get that command to work I would need to call the 1password namespace. which would be "kubectl describe deployment op-scim-bridge-3-op-scim-bridge -n 1password"

ty@cloudshell:~ (it-gag)$ kubectl describe deployment op-scim-bridge-3-op-scim-bridge -n 1password
Name:               op-scim-bridge-3-op-scim-bridge
Namespace:          1password
CreationTimestamp:  Tue, 02 Nov 2021 21:56:00 +0000
Labels:             app=op-scim-bridge-3-op-scim-bridge
                    app.kubernetes.io/component=op-scim-bridge
                    app.kubernetes.io/name=op-scim-bridge-3
Annotations:        deployment.kubernetes.io/revision: 1
Selector:           app=op-scim-bridge-3-op-scim-bridge,app.kubernetes.io/component=op-scim-bridge,app.kubernetes.io/name=op-scim-bridge-3
Replicas:           1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:       Recreate
MinReadySeconds:    0
Pod Template:
  Labels:  app=op-scim-bridge-3-op-scim-bridge
           app.kubernetes.io/component=op-scim-bridge
           app.kubernetes.io/name=op-scim-bridge-3
  Init Containers:
   scimuser-permissions:
    Image:      alpine:3.13
    Port:       <none>
    Host Port:  <none>
    Command:
      /bin/sh
      -c
    Args:
      mkdir -p /home/scimuser && chown -R 999 /home/scimuser
    Environment:  <none>
    Mounts:
      /home from op-scim-bridge-3-scimsession (rw)
  Containers:
   op-scim-bridge:
    Image:       gcr.io/cloud-marketplace/agilebits-public/op-scim-bridge:2.2.1
    Ports:       8080/TCP, 8443/TCP
    Host Ports:  0/TCP, 0/TCP
    Command:
      /op-scim/op-scim
    Environment:
      OP_PORT:       8080
      OP_SESSION:    /home/xxxx/scimsession
      OP_REDIS_URL:  redis://op-scim-bridge-3-op-scim-redis-svc:6379
      OP_ONE_CLICK:  true
      OP_DOMAIN:     xxxxxx.1password.com
    Mounts:
      /home from op-scim-bridge-3-scimsession (rw)
  Volumes:
   op-scim-bridge-3-scimsession:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  op-scim-bridge-3-op-scim-bridge-pvc
    ReadOnly:   false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   op-scim-bridge-3-op-scim-bridge-76fb9597b6 (1/1 replicas created)
Events:          <none>
ty@cloudshell:~ (it-gag)$

With the container name identified as "op-scim-bridge". I modified your command and added the container name. "kubectl set image deploy/op-scim-bridge-1-op-scim-bridge op-scim-bridge=1password/scim:v2.8.1 -n 1password" and it still failed to run

ty@cloudshell:~ (it-gag)$ kubectl set image deploy/op-scim-bridge-1-op-scim-bridge op-scim-bridge=1password/scim:v2.8.1 -n 1password
Error from server (NotFound): deployments.apps "op-scim-bridge-1-op-scim-bridge" not found
ty@cloudshell:~ (it-gag)$

I have an open case with support. That case is 137107

hemal.g_1p · May 2023

Hi there,
Sorry to know the commands didn't work.
Could you please try "kubectl set image deployment/op-scim-bridge-3-op-scim-bridge op-scim-bridge=1password/scim:v2.8.1 -n 1password"

xeomonk · May 2023

That worked. Now the second part of the upgrade. I can't get the command to work either.

kubectl patch applications.app.k8s.io op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' -n 1password --type='json'

ty@cloudshell:~ (it-gag)$ kubectl patch applications.app.k8s.io op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' -n 1password --type='json'
Error from server (NotFound): applications.app.k8s.io "op-scim-bridge" not found
ty@cloudshell:~ (it-gag)$

hemal.g_1p · May 2023

For that you'd need to modify command with full name of deployment.
Try "kubectl patch applications.app.k8s.io op-scim-bridge-3-op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' -n 1password --type='json' "

xeomonk · May 2023

I tried that as well and it didn't work. Below is the output.

ty@cloudshell:~ (it-gag)$ kubectl patch applications.app.k8s.io op-scim-bridge-3-op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' --type='json'
Error from server (NotFound): applications.app.k8s.io "op-scim-bridge-3-op-scim-bridge" not found
ty@cloudshell:~ (it-gag)$

hemal.g_1p · May 2023

Ok. Error is related to Kubernetes and not Scim.
Let us first confirm SCIM bridge is successfully updated.
Could you run "kubectl describe deployment --namespace 1password" ? Under deployment you may look for "Image: 1password/scim:v2.8.1" . Then confirm you're connected with cluster where your SCIM bridge lives and rerun "kubectl patch applications.app.k8s.io {your-deploymnet-name} -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' --type='json' --namespace 1password"

xeomonk · May 2023

Below is the output of "kubectl describe deployment --namespace 1password" and I am connected to the correct cluster. The Image does show "Image: 1password/scim:v2.8.1" so that's correct.

ty@cloudshell:~ (it-gag)$  kubectl describe deployment --namespace 1password
Name:               op-scim-bridge-3-op-scim-bridge
Namespace:          1password
CreationTimestamp:  Tue, 02 Nov 2021 15:56:00 -0600
Labels:             app=op-scim-bridge-3-op-scim-bridge
                    app.kubernetes.io/component=op-scim-bridge
                    app.kubernetes.io/name=op-scim-bridge-3
Annotations:        deployment.kubernetes.io/revision: 3
Selector:           app=op-scim-bridge-3-op-scim-bridge,app.kubernetes.io/component=op-scim-bridge,app.kubernetes.io/name=op-scim-bridge-3
Replicas:           1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:       Recreate
MinReadySeconds:    0
Pod Template:
  Labels:  app=op-scim-bridge-3-op-scim-bridge
           app.kubernetes.io/component=op-scim-bridge
           app.kubernetes.io/name=op-scim-bridge-3
  Init Containers:
   scimuser-permissions:
    Image:      alpine:3.13
    Port:       <none>
    Host Port:  <none>
    Command:
      /bin/sh
      -c
    Args:
      mkdir -p /home/scimuser && chown -R 999 /home/scimuser
    Environment:  <none>
    Mounts:
      /home from op-scim-bridge-3-scimsession (rw)
  Containers:
   op-scim-bridge:
    Image:       1password/scim:v2.8.1
    Ports:       8080/TCP, 8443/TCP
    Host Ports:  0/TCP, 0/TCP
    Command:
      /op-scim/op-scim
    Environment:
      OP_PORT:       8080
      OP_SESSION:    /home/scim/scimsession
      OP_REDIS_URL:  redis://op-scim-bridge-3-op-scim-redis-svc:6379
      OP_ONE_CLICK:  true
      OP_DOMAIN:     xxxxxx.1password.com
    Mounts:
      /home from op-scim-bridge-3-scimsession (rw)
  Volumes:
   op-scim-bridge-3-scimsession:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  op-scim-bridge-3-op-scim-bridge-pvc
    ReadOnly:   false
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Available      True    MinimumReplicasAvailable
  Progressing    True    NewReplicaSetAvailable
OldReplicaSets:  op-scim-bridge-3-op-scim-bridge-76fb9597b6 (0/0 replicas created), op-scim-bridge-3-op-scim-bridge-694cc8cd65 (0/0 replicas created)
NewReplicaSet:   op-scim-bridge-3-op-scim-bridge-bb4f65b7 (1/1 replicas created)
Events:          <none>


Name:                   op-scim-bridge-3-op-scim-redis
Namespace:              1password
CreationTimestamp:      Tue, 02 Nov 2021 15:56:00 -0600
Labels:                 app.kubernetes.io/component=op-scim-redis
                        app.kubernetes.io/name=op-scim-bridge-3
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app.kubernetes.io/component=op-scim-redis,app.kubernetes.io/name=op-scim-bridge-3
Replicas:               1 desired | 1 updated | 1 total | 1 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app.kubernetes.io/component=op-scim-redis
           app.kubernetes.io/name=op-scim-bridge-3
  Containers:
   op-scim-redis:
    Image:        gcr.io/cloud-marketplace/agilebits-public/op-scim-bridge/redis:2.2.1
    Port:         6379/TCP
    Host Port:    0/TCP
    Environment:  <none>
    Mounts:       <none>
  Volumes:        <none>
Conditions:
  Type           Status  Reason
  ----           ------  ------
  Progressing    True    NewReplicaSetAvailable
  Available      True    MinimumReplicasAvailable
OldReplicaSets:  <none>
NewReplicaSet:   op-scim-bridge-3-op-scim-redis-69c76787fd (1/1 replicas created)
Events:          <none>
ty@cloudshell:~ (it-gag)$

I would assume that the deployment name is op-scim-bridge-3-op-scim-bridge and taking the command "kubectl patch applications.app.k8s.io op-scim-bridge-3-op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' --type='json' --namespace 1password" Outputs the same error.

ty@cloudshell:~ (it-gag)$ kubectl patch applications.app.k8s.io op-scim-bridge-3-op-scim-bridge -p='[{"op":"replace", "path":"/spec/descriptor/version", "value":"2.8.1"}]' --type='json' --namespace 1password
Error from server (NotFound): applications.app.k8s.io "op-scim-bridge-3-op-scim-bridge" not found
ty@cloudshell:~ (it-gag)$

xeomonk · May 2023

@hemal.g_1p

Any ideas on what the next steps are to resolving this issue?

hemal.g_1p · May 2023

Hey,
Sorry to hear it didn't work. Let's confirm the application name in GCP by "kubectl get all --namespace 1password".
In result to above command it will show up as a resource of type "applications.app.k8s.io". This can also be confirmed through GCP GUI.
You can then run the previous command with the app name found.
Let us know if that helps.

xeomonk · May 2023

That worked!

Thanks for all the help @hemal.g_1p

Google Cloud SCIM Bridge Upgrade

Comments