Fiat service fails readiness probe in Kubernetes installation


#1

I am able to deploy Spinnaker on Kubernetes and enable LDAP authentication. However, when I enable authz using a custom fiat.yml file, the fiat service starts but fails the readiness probe. Note: the same configs work when deployed on an Ubuntu VM.

The deployment is successful until I enable authorization. When authz is enabled, the spin-fiat pod is deployed but is not passing the readiness probe. Below are the errors I see in the logs for the spin-fiat pod; it looks like it fails to query Redis. To test the connection, I installed redis in the fiat container and was able to access the Redis service using the spin-redis.spinnaker:6379 address. It looks like the unrestricted_user key cannot be found in Redis.

Logs:

ERROR 1 --- [ main] c.n.s.f.p.RedisPermissionsRepository : Storage exception reading unrestricted_user entry.

Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at redis.clients.jedis.Connection.connect(Connection.java:184)…

redis.clients.jedis.exceptions.JedisConnectionException: Could not get a resource from the pool
    at redis.clients.util.Pool.getResource(Pool.java:53)
    at redis.clients.jedis.JedisPool.getResource(JedisPool.java:226)
    at redis.clients.jedis.JedisPool.getResource(JedisPool.java:16)…

ERROR 1 --- [ main] c.n.s.f.p.RedisPermissionsRepository : Storage exception reading unrestricted_user entry.

Caused by: java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at redis.clients.jedis.Connection.connect(Connection.java:184)…

Custom fiat.yml file that works when deployed on Ubuntu

auth:
  groupMembership:
    service: ldap
    ldap:
      enabled: true
      url: ldap:///DC=<>,DC=<>
      managerDn: CN=<>,OU=<>,DC=<>,DC=<>
      managerPassword:
      userSearchBase:
      userSearchFilter: (sAMAccountName={0})
      groupSearchBase: OU=BaseGroups
      groupSearchFilter: (member={0})
      groupRoleAttribute: cn