Kubeflow 1.2 not working with AWS Cognito, complains about user pool client, but worked with Kubeflow 1.0

4/28/2021

I have an EKS cluster Kubernetes 1.17 with ALB ingress controller V2.0.0 and Kubeflow 1.0 & kfctl 1.0. I was able to get that working, and the ALB gets spun up.

I upgraded to EKS cluster Kubernetes 1.18 with ALB ingress controller V2.1.3 and Kubeflow 1.2 & kfctl 1.2. ALB ingress works for a hello world app or the 2048 sample app, and I can see a new ALB. But when I do a kfctl apply -f kfctl-aws-cognito.yml, it throws an error saying it is not able to find the user pool client in the user pool. But the app clients exist.

oupARN\"},\"targetType\":\"instance\",\"serviceRef\":{\"name\":\"istio-ingressgateway\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":{\"securityGroup\":{\"groupID\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}},\"ports\":{\"protocol\":\"TCP\"}}]}}}}}}}}"}
{"level":"info","ts":1619614892.9054444,"logger":"controllers.ingress","msg":"creating listener rule","stackID":"test-apps","resourceID":"443:1"}
{"level":"error","ts":1619614893.0066664,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"test-apps","namespace":"","error":"failed to create listener rule: InvalidLoadBalancerAction: The user pool client '35bad0v2ctvu9do5rktvfjud8g' does not exist in the provided user pool\n\tstatus code: 400, request id: 3536aee0-27e4-4262-8b1e-0fefe77c7db6"}

Full ALB ingress controller logs

{"level":"info","ts":1619612888.4898257,"logger":"controllers.ingress","msg":"creating listener rule","stackID":"test-apps","resourceID":"443:1"} {"level":"error","ts":1619612888.5878866,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"test-apps","namespace":"","error":"failed to create listener rule: InvalidLoadBalancerAction: The user pool client '35bad0v2ctvu9do5rktvfjud8g' does not exist in the provided user pool\n\tstatus code: 400, request id: 29cbd1c1-a255-4886-9904-bf5b9d5d1558"} {"level":"info","ts":1619613888.849858,"logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"test-apps\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-testapps-00e85f9aab\",\"description\":\"k8s Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":{\"cidrIP\":\"0.0.0.0/0\"}}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}},\"certificates\":{\"certificateARN\":\"arn:aws:acm:us-east-1:Accountnum:certificate/b3a7856e-fbc8-44a5-a01e-a7a25dd273fd\"},\"sslPolicy\":\"ELBSecurityPolicy-2016-08\"}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"authenticate-cognito\",\"authenticateCognitoConfig\":{\"onUnauthenticatedRequest\":\"authenticate\",\"scope\":\"openid\",\"sessionCookieName\":\"AWSELBAuthSessionCookie\",\"sessionTimeout\":604800,\"userPoolARN\":\"arn:aws:cognito-idp:us-east-1:Accountnum:userpool/us-east-1_UHDE4Hvi\",\"userPoolClientID\":\
"35bad0v2ctvu9do5rktvfjud8g\",\"userPoolDomain\":\"verisk-vdas-kf.auth.us-east-1.amazoncognito.com\"}},{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/istio-system/istio-ingress-istio-ingressgateway:80/status/targetGroupARN\"}}}}],\"conditions\":[{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":\"/*\"}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-testapps-65ef24686e\",\"type\":\"application\",\"scheme\":\"internal\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":{\"subnetID\":\"subnet-088b51fcbedda663a\"},{\"subnetID\":\"subnet-0bae2da7f02a573d2\"},\"securityGroups\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"istio-system/istio-ingress-istio-ingressgateway:80\":{\"spec\":{\"name\":\"k8s-istiosys-istioing-20863fac8a\",\"targetType\":\"instance\",\"port\":31380,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"istio-system/istio-ingress-istio-ingressgateway:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-istiosys-istioing-20863fac8a\",\"namespace\":\"istio-system\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/istio-system/istio-ingress-istio-ingressgateway:80/status/targetGroupARN\"},\"targetType\":\"instance\",\"serviceRef\":{\"name\":\"istio-ingressgateway\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":{\"securityGroup\":{\"groupID\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}},\"ports\":{\"protocol\"
:\"TCP\"}}]}}}}}}}}"} {"level":"info","ts":1619613890.8417456,"logger":"controllers.ingress","msg":"creating listener rule","stackID":"test-apps","resourceID":"443:1"} {"level":"error","ts":1619613890.934571,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"test-apps","namespace":"","error":"failed to create listener rule: InvalidLoadBalancerAction: The user pool client '35bad0v2ctvu9do5rktvfjud8g' does not exist in the provided user pool\n\tstatus code: 400, request id: 0f1286ac-90f3-41fa-9099-244301eaa0d2"} {"level":"info","ts":1619614891.2960463,"logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"test-apps\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-testapps-00e85f9aab\",\"description\":\"k8s Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":{\"cidrIP\":\"0.0.0.0/0\"}}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}},\"certificates\":{\"certificateARN\":\"arn:aws:acm:us-east-1:AccountNum:certificate/b3a7856e-fbc8-44a5-a01e-a7a25dd273fd\"},\"sslPolicy\":\"ELBSecurityPolicy-2016-08\"}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"authenticate-cognito\",\"authenticateCognitoConfig\":{\"onUnauthenticatedRequest\":\"authenticate\",\"scope\":\"openid\",\"sessionCookieName\":\"AWSELBAuthSessionCookie\",\"sessionTimeout\":604800,\"userPoolARN\":\"arn:aws:cognito-idp:us-east-1:184842432656:userpool/us-east-1_UHDE4Hvi\
",\"userPoolClientID\":\"35bad0v2ctvu9do5rktvfjud8g\",\"userPoolDomain\":\"verisk-vdas-kf.auth.us-east-1.amazoncognito.com\"}},{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/istio-system/istio-ingress-istio-ingressgateway:80/status/targetGroupARN\"}}}}],\"conditions\":[{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":\"/*\"}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-testapps-65ef24686e\",\"type\":\"application\",\"scheme\":\"internal\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":{\"subnetID\":\"subnet-088b51fcbedda663a\"},{\"subnetID\":\"subnet-0bae2da7f02a573d2\"},\"securityGroups\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"istio-system/istio-ingress-istio-ingressgateway:80\":{\"spec\":{\"name\":\"k8s-istiosys-istioing-20863fac8a\",\"targetType\":\"instance\",\"port\":31380,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"istio-system/istio-ingress-istio-ingressgateway:80\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-istiosys-istioing-20863fac8a\",\"namespace\":\"istio-system\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/istio-system/istio-ingress-istio-ingressgateway:80/status/targetGroupARN\"},\"targetType\":\"instance\",\"serviceRef\":{\"name\":\"istio-ingressgateway\",\"port\":80},\"networking\":{\"ingress\":[{\"from\":{\"securityGroup\":{\"groupID\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}}
,\"ports\":{\"protocol\":\"TCP\"}}]}}}}}}}}"} {"level":"info","ts":1619614892.9054444,"logger":"controllers.ingress","msg":"creating listener rule","stackID":"test-apps","resourceID":"443:1"} {"level":"error","ts":1619614893.0066664,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"test-apps","namespace":"","error":"failed to create listener rule: InvalidLoadBalancerAction: The user pool client '35bad0v2ctvu9do5rktvfjud8g' does not exist in the provided user pool\n\tstatus code: 400, request id: 3536aee0-27e4-4262-8b1e-0fefe77c7db6"}

-- dheeraj
amazon-cognito
kubeflow
kubernetes
kubernetes-ingress

1 Answer

4/28/2021

Never mind, the user pool ARN has a typo.

-- dheeraj
Source: StackOverflow
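
A pre-flight check for the situation in this thread, as an added example that is not part of the original post: the ALB error names the app client, while the cause reported in the answer was the user pool ARN. The sketch pulls each authenticate-cognito action out of the controller's "successfully built model" record and compares its userPoolARN with a known-good value; the sample log line, account number, pool IDs and function names are constructed for illustration.

```python
import json
import re

# arn:<partition>:cognito-idp:<region>:<12-digit account>:userpool/<region>_<alphanumerics>
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):cognito-idp:([a-z0-9-]+):(\d{12})"
                    r":userpool/([a-z0-9-]+)_([0-9A-Za-z]+)$")

def cognito_actions(log_line):
    """Yield (rule id, authenticateCognitoConfig) from a 'successfully built model' record."""
    record = json.loads(log_line)
    if record.get("msg") != "successfully built model":
        return
    model = json.loads(record["model"])  # the model is JSON nested inside a JSON string
    rules = model.get("resources", {}).get("AWS::ElasticLoadBalancingV2::ListenerRule", {})
    for rule_id, rule in rules.items():
        for action in rule.get("spec", {}).get("actions", []):
            if action.get("type") == "authenticate-cognito":
                yield rule_id, action["authenticateCognitoConfig"]

def check_config(cfg, expected_arn):
    """Return findings for one Cognito action; an empty list means it matches."""
    findings = []
    arn = cfg.get("userPoolARN", "")
    m = ARN_RE.match(arn)
    if not m:
        findings.append("userPoolARN is not a well-formed user pool ARN")
    elif m.group(2) != m.group(4):
        findings.append("ARN region and pool ID region differ")
    # expected_arn is the operator's known-good value, e.g. the Arn field
    # returned by `aws cognito-idp describe-user-pool`.
    if arn != expected_arn:
        findings.append(f"userPoolARN differs from expected: {arn!r} != {expected_arn!r}")
    return findings

def audit(log_lines, expected_arn):
    """Map each listener rule ID to the findings for its Cognito action."""
    return {rule_id: check_config(cfg, expected_arn)
            for line in log_lines for rule_id, cfg in cognito_actions(line)}

def sample_log_line(arn):
    """Constructed controller record carrying the given ARN (not taken from the page)."""
    cfg = {"userPoolARN": arn, "userPoolClientID": "exampleclientid",
           "userPoolDomain": "example.auth.us-east-1.amazoncognito.com"}
    actions = [{"type": "authenticate-cognito", "authenticateCognitoConfig": cfg},
               {"type": "forward"}]
    model = {"id": "test-apps", "resources": {
        "AWS::ElasticLoadBalancingV2::ListenerRule": {"443:1": {"spec": {"actions": actions}}}}}
    return json.dumps({"level": "info", "msg": "successfully built model",
                       "model": json.dumps(model)})

EXPECTED = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE01"
TYPO = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE1"

if __name__ == "__main__":
    print(audit([sample_log_line(TYPO)], EXPECTED))
```

A typo that still yields a well-formed ARN passes the format check, so the comparison against the known-good value is the part that catches it.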