goharbor / harbor-operator

Kubernetes operator for Harbor service components
Apache License 2.0
343 stars 106 forks

Unable to config OIDC login using day-2 HarborConfiguration CR #1070

Closed Simonkz closed 10 months ago

Simonkz commented 10 months ago

harbor operator: v1.3.0 harbor: 2.5.1

Hi team, I'm trying to config OIDC login with the day-2 config CR HarborConfiguration. After I applied my HarborConfiguration CR, I got a 401 Unauthorized error in the exchange token step.

However, if I set the same settings in Harbor's Configuration UI page, I can login using OIDC without any issue.

My config example:

apiVersion: v1
kind: Secret
metadata:
  name: secret-oidc
  namespace: cluster-sample-ns
type: Opaque
data:
  oidc_client_secret: my-client-secret     # tried to use base64(my-client-secret), not working
---
apiVersion: goharbor.io/v1beta1
kind: HarborConfiguration
metadata:
  name: oidc-config
  namespace: cluster-sample-ns
spec:
  configuration:
    authMode: oidc_auth
    oidcClientId: my-oidc-client-id
    oidcClientSecret: secret-oidc
    oidcEndpoint: https://my-idp.com/oidc
    oidcName: harbor-test
    oidcScope: openid
    oidcVerifyCert: false
  harborClusterRef: harborcluster-sample

>  kc -n cluster-sample-ns get harborconfiguration
NAME          HARBORCLUSTER          STATUS    AGE
oidc-config   harborcluster-sample   Success   42s

Error log in the harbor-core pod:

2023-08-28T09:42:21Z [ERROR] [/core/controllers/oidc.go:93]: Failed to exchange token, error: oauth2: cannot fetch token: 401 Unauthorized
Response: {"error":"invalid_client"}

Error in the UI:

GET https://<<ip>>.nip.io/c/oidc/callback?code=xxxxxxxxx&state=xxxxxxxxx
400  {"errors":[{"code":"BAD_REQUEST","message":"oauth2: cannot fetch token: 401 Unauthorized\nResponse: {\"error\":\"invalid_client\"}"}]}

One more thing I found: if I apply my HarborConfiguration first and then copy/paste/save my-client-secret in the UI, the OIDC login works without any issue.

thcdrt commented 10 months ago

Hello,

Are you sure about the key oidc_client_secret in the secret?

Thomas

Simonkz commented 10 months ago

Hi Thomas,

I'm sure I can login if I copy the value of the key oidc_client_secret and save it in Harbor's Configuration UI.

But I'm not sure how it is configured with HarborConfiguration. I didn't find much documentation about it. I was using the key name oidc_client_secret.

So my question is: what could be wrong in my config, or could it be a bug in Harbor?

Thanks.

thcdrt commented 10 months ago

Indeed the secret key is oidc_client_secret as we can see here.

Looks more like an operator bug, wdyt @chlins ?

chlins commented 10 months ago

Yep, I think it should be a bug, will try to reproduce it.

chlins commented 10 months ago

@Simonkz Hi, how did you encode your oidc_client_secret with base64? Sometimes an extra '\n' at the end will cause the problem. I cannot reproduce the issue in my environment.

Simonkz commented 10 months ago

You are right. My local terminal command echo *my-client-secret* | base64 -i - produced a different encoding result than kubectl create secret generic secret-oidc --from-literal=oidc_client_secret=*my-client-secret* in the k8s cluster. The correct way to set the secret is using the kubectl cmd. After that, I can login successfully.
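The difference Simonkz describes, as an added shell example that is not part of this issue thread or of the harbor-operator project: `echo` appends a newline before `base64` sees the value, so the encoded secret carries a trailing `\n` that the IdP then rejects as an invalid client secret, while `kubectl create secret --from-literal` (or `printf '%s'`) encodes only the bytes of the value. The `has_trailing_newline` helper and the sample secret value are assumptions of this example; the helper can be run on the output of `kubectl -n NS get secret NAME -o jsonpath='{.data.oidc_client_secret}'` to audit an existing Secret before a HarborConfiguration CR references it.

```shell
#!/bin/sh
# Added example (not from the harbor-operator project): shows why
# `echo ... | base64` yields a different value from kubectl's --from-literal,
# and a helper to check an existing base64 value for a trailing newline.

# Sample value used for illustration only (constructed, not a real credential).
SECRET_VALUE="my-client-secret"

# Encodes with the trailing newline that `echo` appends (the mistake in this thread).
encode_with_echo() {
    echo "$1" | base64
}

# Encodes only the bytes of the value, which is what
# `kubectl create secret generic ... --from-literal=key=value` stores.
# printf '%s' emits no trailing newline.
encode_exact() {
    printf '%s' "$1" | base64
}

# Returns 0 when the decoded value ends with a newline byte (0x0a), 1 otherwise.
# Feed it the raw base64 string from a Secret's data field, e.g. the output of:
#   kubectl -n cluster-sample-ns get secret secret-oidc -o jsonpath='{.data.oidc_client_secret}'
has_trailing_newline() {
    # Decode, dump as hex so the final byte stays visible even though $(...)
    # strips trailing newlines from command output, then keep the last byte.
    last_byte=$(printf '%s' "$1" | base64 -d | od -An -tx1 | tr -d ' \n' | tail -c 2)
    [ "$last_byte" = "0a" ]
}

# Stand-alone demonstration of the two encodings side by side.
echo "echo   : $(encode_with_echo "$SECRET_VALUE")"
echo "exact  : $(encode_exact "$SECRET_VALUE")"
if has_trailing_newline "$(encode_with_echo "$SECRET_VALUE")"; then
    echo "echo-encoded value carries a trailing newline: Harbor will send it to the IdP verbatim"
fi
```

When the Secret is written with `kubectl create secret ... --from-literal`, kubectl does the base64 encoding itself, so no manual encoding step (and no chance of a stray newline) is involved; if a manifest with a `data:` field is preferred, `printf '%s' value | base64` produces the same bytes. Decoding the stored value with `base64 -d | od -c` is the quickest way to see whether an existing Secret has the problem.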