
OIDC does not work with custom CA #66

Closed
djgilcrease opened this issue Nov 4, 2019 · 6 comments

Comments

@djgilcrease

Describe the bug
OIDC authentication does not work if idp-issuer-url uses custom CA. #59

Screenshots: (attached image not reproduced in this text)

Environment (please complete the following information):

  • Lens Version: v2.4.1
  • OS: linux
  • AppImage

Logs:

error: Failed to connect to cluster test-cluster: {"name":"AggregateError"}
RequestError: unable to verify the first certificate at ClientRequest.<anonymous> (/tmp/.mount_Lens-2kYjkXc/resources/app.asar/node_modules/got/index.js:182:22)

Kubeconfig:

apiVersion: v1
kind: Config
preferences: {}
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://testcluster-api.company.local:443
  name: test-cluster
contexts:
- context:
    cluster: test-cluster
    user: gilcrease
  name: test-cluster
users:
- name: gilcrease
  user:
    auth-provider:
      config:
        client-id: loginapp
        client-secret: ...
        id-token: ...
        idp-issuer-url: https://dex.company.local/dex
        refresh-token: ...
      name: oidc
@jakolehm
Contributor

jakolehm commented Nov 5, 2019

@djgilcrease custom OIDC CA requires idp-certificate-authority (or idp-certificate-authority-data) set.

@djgilcrease
Author

Even when I set idp-certificate-authority: /etc/ssl/certs/ca-certificates.crt and verify that kubectl still works, Lens does not.

@djgilcrease
Author

djgilcrease commented Nov 7, 2019

... apparently Lens does not reread the kube config when it starts only when it adds the cluster.

Also of note: you cannot use the same user for both kubectl and Lens, otherwise you get "Refresh token is invalid or has already been claimed by another client." (at least with dex), so I had to set up a context for Lens and a context for kubectl.

@jnummelin
Contributor

apparently Lens does not reread the kube config when it starts only when it adds the cluster.

Yes, once you import clusters access config it becomes "disconnected" from the original. There should be better documentation on the "Add Cluster" page now in the latest releases.

Even when I set idp-certificate-authority: /etc/ssl/certs/ca-certificates.crt and verify that kubectl still works, Lens does not.

Hmm, we've been testing this with dex too, with a self-signed CA & certs. Although in my tests I used idp-certificate-authority-data: <base64 encoded pem CA cert> to set the dex custom CA. Maybe give that option a try to see if it works any better.
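The two settings discussed above (idp-certificate-authority as a file path, or idp-certificate-authority-data as the base64 of the CA PEM) are easy to get subtly wrong, so here is an added example, not code from Lens or from anyone in this thread, of checking a kubeconfig for OIDC users that lack either setting and embedding the CA as idp-certificate-authority-data. It works on the kubeconfig as a plain dict (what yaml.safe_load would return) and uses a constructed sample kubeconfig and a constructed placeholder PEM; the function names are hypothetical.

```python
import base64
import copy
import ssl

# Constructed sample: a kubeconfig as it looks after yaml.safe_load(), modelled
# on the one in the issue. Only the OIDC auth-provider parts matter here.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "users": [
        {
            "name": "gilcrease",
            "user": {
                "auth-provider": {
                    "name": "oidc",
                    "config": {
                        "client-id": "loginapp",
                        "idp-issuer-url": "https://dex.company.local/dex",
                    },
                }
            },
        }
    ],
}

# Constructed placeholder standing in for the IdP's CA certificate in PEM form.
# The body is not a real certificate, just base64 text between PEM markers.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder-ca-not-a-real-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def oidc_users_missing_idp_ca(config):
    """Names of users whose oidc auth-provider sets neither
    idp-certificate-authority nor idp-certificate-authority-data."""
    missing = []
    for entry in config.get("users", []):
        provider = entry.get("user", {}).get("auth-provider", {})
        if provider.get("name") != "oidc":
            continue
        cfg = provider.get("config", {})
        if not (cfg.get("idp-certificate-authority")
                or cfg.get("idp-certificate-authority-data")):
            missing.append(entry["name"])
    return missing


def embed_idp_ca(config, user_name, ca_pem):
    """Copy of config with idp-certificate-authority-data set for user_name.

    Like certificate-authority-data, the *-data value is the base64 of the
    PEM text itself, not of the DER bytes."""
    # ssl.PEM_cert_to_DER_cert raises ValueError when the PEM markers are
    # missing, which catches pasting a key file or an empty file by mistake.
    ssl.PEM_cert_to_DER_cert(ca_pem)
    new_config = copy.deepcopy(config)
    for entry in new_config.get("users", []):
        if entry["name"] != user_name:
            continue
        provider = entry["user"].get("auth-provider", {})
        if provider.get("name") != "oidc":
            raise ValueError(f"user {user_name} does not use the oidc auth-provider")
        cfg = provider.setdefault("config", {})
        cfg["idp-certificate-authority-data"] = base64.b64encode(ca_pem.encode()).decode()
        # Drop any path-based setting so the two keys cannot disagree.
        cfg.pop("idp-certificate-authority", None)
        return new_config
    raise KeyError(f"user {user_name} not found in kubeconfig")


def decoded_idp_ca(config, user_name):
    """Decode idp-certificate-authority-data back to PEM text for inspection."""
    for entry in config.get("users", []):
        if entry["name"] == user_name:
            data = entry["user"]["auth-provider"]["config"]["idp-certificate-authority-data"]
            return base64.b64decode(data).decode()
    raise KeyError(user_name)


if __name__ == "__main__":
    print("missing idp CA:", oidc_users_missing_idp_ca(SAMPLE_KUBECONFIG))
    fixed = embed_idp_ca(SAMPLE_KUBECONFIG, "gilcrease", SAMPLE_CA_PEM)
    print("after embedding:", oidc_users_missing_idp_ca(fixed))
```

The decode helper is there because the base64 value is opaque once it is in the file: decoding it back and checking that it still begins with the PEM header is the quickest way to confirm that the right bytes were embedded before re-importing the cluster into Lens.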

@djgilcrease
Author

I did get it to work after re-importing it, though I did need to use a separate user.

@jnummelin
Contributor

OK, let's close this one then, as everything seems to work as expected now, and there are some helpful docs on the topic now on the "Add cluster" page in the app.
