SCIM - Kubernetes Setup

wahyuen
Community Member

Hi,

I'm currently attempting to follow the examples given to set up the SCIM bridge to Azure AD by using Kubernetes. I've followed the instructions given, generated the scimsession file, deployed the op-scim and redis services, and set up the DNS to point to the external IP of the load balancer that was created. I currently have this cluster set up using Azure Kubernetes Service.

Upon attempting to verify by going to the https:///scim/Users endpoint, I'm unable to reach this either via the DNS or the direct IP itself. Pods seem to be in a running status and services are set up. I've also tried deploying the latest op-scim image (0.6.3) but this doesn't seem to have made any difference. Is there something I'm missing here? Are there possible debug/diagnostics that I could run to help find what the issue is?

cheers
Wah

Comments

  • cohix
    1Password Alumni

    @wahyuen It looks to me like the load balancer is forwarding ports 443 and 80 to 32361 and 30092. Are you using the Kubernetes manifest files provided in https://github.com/1password/scim-examples? That should configure the service to forward 443:443 and 80:80 on the load balancer. I'm afraid I have no AKS experience, but on GKE the ports would map that way.

    Also, I want to confirm that the --letsencrypt-domain flag is set properly on the container spec in the op-scim deployment. That flag is required to ensure that the container is listening on 443 and 80 as required. That doesn't seem to be the issue here, but it's a good thing to double check.

  • wahyuen
    Community Member

    @cohix it appears that 32361 and 30092 are the NodePorts that are assigned to the LoadBalancer. When I run kubectl describe service op-scim, it does show the target ports are set to 8443 and 8080. I've pretty much run the exact manifest files defined in the GitHub example page that you linked, only changing op-scim-deployment.yaml to put in the correct domain name for the letsencrypt section.

    Of interest, I ran a quick test using GKE to see if I could rule out oddities in AKS vs GKE. I seem to be having the exact same issues.

    Attached is my service in GKE along with the port configuration.

    I then also ran it from the command line, and even in the GKE version, it will show the ports as being mapped to the NodePort.

    Interestingly, when I run a curl command to the external IP, I only receive the following 302 response.

    Any other ideas in terms of what might be missing? Is the SCIM bridge tied to a specific version of Kubernetes?

  • cohix
    1Password Alumni

    Well ok that looks correct. If you cURL to https://[domain]/scim/Users, you should get a 401 error.
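The two checks discussed in this thread, the Service port mapping (LoadBalancer port vs. targetPort vs. NodePort) and the expected response from `/scim/Users`, can be scripted. The following is an added example, not code from the thread or from the 1Password scim-examples repository. It reads the JSON that `kubectl get svc op-scim -o json` prints (the embedded sample is constructed to mirror the ports described above: 443 to 8443 and 80 to 8080, with NodePorts 32361 and 30092) and reports mismatches; the 443/80 to 8443/8080 pairing and the interpretation of the status codes are taken from the posts, the `interpret_probe` helper and its wording are assumptions.

```python
"""Sanity-check the op-scim Service port mapping and a manual HTTP probe.

Added example (not from the thread or the scim-examples repo).
Usage: kubectl get svc op-scim -o json | python3 check_scim_svc.py
"""
import json
import sys

# LoadBalancer port -> container port, as described in the thread.
EXPECTED_PORTS = {443: 8443, 80: 8080}

# Constructed sample shaped like `kubectl get svc -o json` output.
SAMPLE_SERVICE_JSON = json.dumps({
    "kind": "Service",
    "metadata": {"name": "op-scim"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [
            {"name": "https", "port": 443, "targetPort": 8443,
             "nodePort": 32361, "protocol": "TCP"},
            {"name": "http", "port": 80, "targetPort": 8080,
             "nodePort": 30092, "protocol": "TCP"},
        ],
    },
    "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}},
})


def check_service(service_json, expected=EXPECTED_PORTS):
    """Return a list of findings; an empty list means the mapping looks right."""
    svc = json.loads(service_json)
    spec = svc.get("spec", {})
    findings = []
    if spec.get("type") != "LoadBalancer":
        findings.append(
            f"service type is {spec.get('type')!r}, expected LoadBalancer")
    # `port` is what the load balancer exposes, `targetPort` is the container
    # port, and `nodePort` (30000-32767) is only the per-node hop in between.
    # Seeing 3xxxx values in a `describe` is normal and not a misconfiguration.
    seen = {p["port"]: p.get("targetPort") for p in spec.get("ports", [])}
    for lb_port, target in expected.items():
        if lb_port not in seen:
            findings.append(
                f"no service port {lb_port}; clients cannot reach the bridge there")
        elif seen[lb_port] != target:
            findings.append(
                f"port {lb_port} targets {seen[lb_port]!r}, expected {target}")
    ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    if not ingress:
        findings.append("load balancer has no external IP or hostname yet")
    return findings


def interpret_probe(scheme, path, status):
    """Explain a status code seen when probing the bridge by hand (assumed wording)."""
    if scheme == "http" and status in (301, 302, 307, 308):
        return "redirect: plain HTTP is being sent to HTTPS (matches the 302 in the thread)"
    if scheme == "https" and path == "/scim/Users" and status == 401:
        return "expected: the bridge is up and is demanding a bearer token"
    if status in (502, 503, 504):
        return "load balancer reached but pods did not answer; check pod logs and readiness"
    return f"unexpected status {status}; inspect the op-scim pod logs"


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_JSON
    problems = check_service(raw)
    print("\n".join(problems) if problems else "service port mapping looks correct")
    print(interpret_probe("https", "/scim/Users", 401))
```

Pipe the real `kubectl get svc op-scim -o json` into the script; with no stdin it evaluates the constructed sample. A clean run on the mapping, a 302 from plain HTTP and a 401 from `https://[domain]/scim/Users` together match what the replies above describe as a working bridge.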
