headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0
2.43k stars 170 forks

How to authenticate Headlamp with Azure AKS? Also tried using DEX as middleware. #2480

Open Pree-byte opened 1 month ago

Pree-byte commented 1 month ago

I am able to log in via Dex in Headlamp, but the kubeconfig file is not getting generated, hence the cluster is not being loaded.

Can anyone please help me?

Sharing my config here:

dex-values.yaml

```yaml
image:
  tag: ""

config:
  issuer: 'https://dex.poc.xxxxx.net'
  storage:
    type: kubernetes
    config:
      inCluster: true
  web:
    http: 0.0.0.0:5556
    allowedOrigins: ['*']
  connectors:
```

headlamp-values.yaml

```yaml
config:
  oidc:
    clientID: headlamp
    clientSecret: XXXXXXXXXXXXXXX
    issuerURL: 'https://dex.poc.xxxxx.net'
    scopes: "openid email profile groups"
```

[screenshot: Dex login dialog]

[screenshot: 401 Unauthorized, nothing loads]

[screenshot: headlamp pod logs]

Please help me figure this out.

joaquimrocha commented 1 month ago

Maybe @yolossn knows.

Pree-byte commented 1 month ago

@yolossn, please help me here.

yolossn commented 1 month ago

@Pree-byte Can you check these two things and share what you see?

  1. Open Network tab in Headlamp and copy the Bearer Token that is used in the failed requests. Use any JWT debugger like jwt.io to check if the scopes are properly added to the token that is used.
  2. Do you see any authentication logs in the kubernetes api server? If you see error logs with "user:anonymous" it is because the kubernetes api server is not able to identify the user with the bearer token, if you see other errors related to authorization then you will need to provide access to the user.
Pree-byte commented 1 month ago

```json
  "sub": "CiRlOTRiZWQ5NC02NDcwLTQ2ZDMtOTEzMy04NjNjY2ZiYTBmYmESCW1pY3Jvc29mdA",
  "aud": "headlamp",
  "exp": 1730282947,
  "iat": 1730196547,
  "at_hash": "7vOMym9U8e_0Qt7Ac5EPig",
  "c_hash": "8plRy2X_07nasXIcJh9DTg",
  "email": "preet.b@exxat.com",
  "email_verified": true,
  "name": "Preet Haresh Buhecha"
}
```

@yolossn, this is what I get in the JWT debugger. Also, we are using AKS, so we can't see the authentication logs.

yolossn commented 1 month ago

Which Authentication and Authorization method does your cluster use?

Pree-byte commented 1 month ago

[screenshot: AKS cluster authentication and authorization settings]

Hello @yolossn, please check this: we have mapped one group to the cluster role binding, and we normally add people to that group in Entra ID and they get access to the cluster.

yolossn commented 1 month ago

The Group ID displayed in the pic is not part of the token, so the k8s cluster will not be able to authenticate the user.
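A way to do the token check described in the earlier comment (copy the bearer token from the failed request and inspect its claims) and to see concretely why a token without the group fails, as an added example that is not part of the Headlamp project or of this thread. It decodes the JWT payload offline, without signature verification, and reports whether `iss`, `aud`, `exp` and a required `groups` entry are what an OIDC-configured API server would expect. The sample token, its issuer URL, the e-mail and the group object ID are constructed placeholders; in practice the expected issuer and audience are whatever the cluster's API server was configured with, which on AKS is not under your control.

```python
"""Offline check of the ID token Headlamp sends as a bearer token.

Added example, not part of Headlamp or Dex. It decodes the JWT payload
WITHOUT verifying the signature (diagnosis only, never for trust
decisions) and lists the claim problems that would make a Kubernetes
API server configured for OIDC reject the token or fail to map the
user to a group.
"""
import base64
import json
import time
from typing import List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token: str, expected_issuer: str, expected_audience: str,
                       required_group: Optional[str] = None,
                       now: Optional[float] = None) -> List[str]:
    """Return the problems found (an empty list means the claims look usable).

    expected_issuer / expected_audience must be what the API server trusts;
    a token from any other issuer is rejected before groups are even looked at.
    """
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    problems: List[str] = []

    if claims.get("iss") != expected_issuer:
        problems.append(f"iss is {claims.get('iss')!r}, the cluster trusts {expected_issuer!r}")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"aud {aud!r} does not include {expected_audience!r}")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token has no exp or is expired")

    if required_group is not None:
        groups = claims.get("groups") or []
        if required_group not in groups:
            problems.append(f"groups claim {groups!r} does not contain {required_group!r}")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build an alg=none token for local testing only (there is no real signer)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample mirroring the shape of the token posted in this thread:
# email and name present, no "groups" claim. All values are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://dex.poc.xxxxx.net",
    "sub": "CiRl...example",
    "aud": "headlamp",
    "exp": 1730282947,
    "iat": 1730196547,
    "email": "user@example.com",
    "email_verified": True,
    "name": "Example User",
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)
# Hypothetical Entra group object ID bound by the ClusterRoleBinding.
REQUIRED_GROUP_ID = "11111111-2222-3333-4444-555555555555"


if __name__ == "__main__":
    for problem in check_token_claims(SAMPLE_TOKEN, "https://dex.poc.xxxxx.net",
                                      "headlamp", REQUIRED_GROUP_ID, now=1730200000):
        print("PROBLEM:", problem)
```

Run against a real token pasted into `SAMPLE_TOKEN`, the result is the same list jwt.io lets you eyeball: for the token above it reports only that the `groups` claim is missing, and if the cluster's trusted issuer differs from the token's `iss` it reports that first, which is the case that no amount of group mapping fixes.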

Pree-byte commented 1 month ago

@yolossn So how can I overcome this? I want to authenticate my user if he is added in this group

yolossn commented 1 month ago

The last time I checked I was not able to find the Entra ID URL for OIDC to configure in Headlamp. @illume, I remember that you also gave this a try. Were you able to integrate Headlamp in-cluster with AKS + Entra ID?

Pree-byte commented 1 month ago

@illume, please help me.

Also @yolossn, is there any way I can achieve this in AKS?