mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License

dex-k8s-authenticator won't start up due to dex using a self-signed certificate #139

Closed jomojowo closed 3 years ago

jomojowo commented 3 years ago

Error: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate)

```
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
2020/09/26 23:43:26 Using config file: /app/config.yaml
2020/09/26 23:43:26 Creating new provider https://dex.k8s.example.com
2020/09/26 23:43:26 Failed to query provider "https://dex.k8s.example.com": Get https://dex.k8s.example.com/.well-known/openid-configuration: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "dex")
```

current version of authenticator: latest
current version of dex: 2.11.0

```yaml
image:
  repository: mintel/dex-k8s-authenticator
  tag: latest
  pullPolicy: Always
```

When the Helm chart is deployed the container never comes up; it ends in CrashLoopBackOff.

primeroz commented 3 years ago

Hi @Josbrafe

At the moment we don't support setting "skip TLS verify", for security reasons. https://github.com/mintel/dex-k8s-authenticator/blob/master/main.go#L82

You should just add the CA used to sign your dex.k8s.example.com certificate to the trusted roots of dex-k8s-authenticator, using the trusted_root_ca flags as described at https://github.com/mintel/dex-k8s-authenticator/blob/master/docs/config.md

jomojowo commented 3 years ago

Below is a sample of the config.yaml file:

```yaml
config.yaml: |-
  listen: http://0.0.0.0:5555
  web_path_prefix: /
  debug: true
  clusters:
```

jomojowo commented 3 years ago

But the error still persists.

Currently, I am using the latest image.

bjethwan commented 3 years ago

I am facing the same issue

primeroz commented 3 years ago

@Josbrafe sorry I did not see your message from 2 weeks ago.

Can you check, or better post, the configmap / config file in its entirety, or check the indentation? The one you posted does not look right, especially the trusted_root_ca, which should be `:-` rather than `-|`.

Also please post the logs as well when using that configuration.

@bjethwan same for you, can you please post your configuration and your logs?

For example, this is my live working configuration, using the Let's Encrypt staging server:

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    name: dex-auth
  name: dex-auth
  namespace: auth
data:
  config.yaml: |
    clusters:
      - name: "cluster"
        description: "A Kubernetes Cluster on Google Cloud Platform"
        redirect_uri: https://auth.example.com/callback/cluster
        k8s_master_uri: https://kubernetes
        client_id: "cluster"
        short_description: "Cluster"
        client_secret: cluster
        issuer: https://dex.example.com

    listen: https://0.0.0.0:8443
    tls_cert: /etc/dex-auth/ssl/tls.crt
    tls_key: /etc/dex-auth/ssl/tls.key
    trusted_root_ca: |-
      -----BEGIN CERTIFICATE-----
      MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw
      GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2
      MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq
      hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ
      diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP
      xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG
      TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj
      EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd
      O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa
      aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0
      A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr
      IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe
      Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb
      Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50
      qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB
      Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA
      A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln
      uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H
      sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm
      dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd
      oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV
      /53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ
      zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc
      VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1
      Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4
      8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c
      idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng==
      -----END CERTIFICATE-----
```

bjethwan commented 3 years ago

```console
k -n dex logs dex-k8s-authenticator-66c4f5c6d5-kl6z7
2020/11/04 14:42:11 Using config file:%!(EXTRA string=/app/config.yaml)
2020/11/04 14:42:11 Creating new provider https://dex.xxxxxxxxxxxxxxx
2020/11/04 14:42:11 Failed to query provider "https://dex.xxxxxxxxxxxx.": Get https://dex.xxxxxxxxxxxxx/.well-known/openid-configuration: x509: certificate signed by unknown authority
```

primeroz commented 3 years ago

@bjethwan thanks, and /home/ubuntu/dex-k8s-authenticator/ssl/ca.pem is definitely correct for the certificate/keypair used on dex?

Do you mind attaching the ca.pem? It is just the public certificate for a self-signed CA, so it should not be a big issue.

Otherwise we will need to add some debug around this, because this is all very simple:

https://github.com/mintel/dex-k8s-authenticator/blob/master/main.go#L128

We just append any certificate passed, either inline or as a file, to the store ... and it works on my local example :)

Do you mind escaping your configuration in a ``` code block though, so that I can see the indentation?

Remember that trusted_root_ca_file is at the same level as clusters ... but in your paste it is impossible to understand what is where (the beauty of YAML).
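The following is an added example, not code from dex-k8s-authenticator or from anyone in this thread. It reproduces the situation under discussion offline: a private "dex" CA and a serving certificate for dex.k8s.example.com are generated in-process (a constructed, hypothetical PKI), a TLS test server stands in for Dex, and a client built from the system roots alone gets the x509 "certificate signed by unknown authority" error, while a client whose pool has the CA appended (the trusted_root_ca approach, with no InsecureSkipVerify path) succeeds. It also shows the two checks worth running before blaming the authenticator: that the PEM actually parses (indentation damage makes AppendCertsFromPEM return false), and that the ca.pem being shipped really signed the Dex serving certificate. The function names (`template`, `mustIssue`, `startFakeDex`, `clientFor`, `probe`, `caIssued`) are this example's own, not the project's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// template builds a CA or server-leaf certificate template for cn (constructed, hypothetical PKI).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{cn},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}} // httptest serves on the loopback IP
	if ca { // a CA carries basic constraints and certSign, not a server identity
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		t.ExtKeyUsage, t.DNSNames, t.IPAddresses = nil, nil, nil
	}
	return t
}

// mustIssue generates a P-256 key and signs tmpl with parent/parentKey (parent == nil means
// self-signed). Returns PEM, DER and the key; panics on failure since this is fixture material.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, []byte, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), der, key
}

// startFakeDex stands up a TLS server for dex.k8s.example.com whose serving cert is signed
// by a private "dex" CA, mirroring the reporter's setup. Returns CA PEM, leaf PEM, server.
func startFakeDex() ([]byte, []byte, *httptest.Server) {
	caTmpl := template("dex", 1, true)
	caPEM, _, caKey := mustIssue(caTmpl, nil, nil)
	leafPEM, leafDER, leafKey := mustIssue(template("dex.k8s.example.com", 2, false), caTmpl, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"issuer":"https://dex.k8s.example.com"}`) // minimal discovery document
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return caPEM, leafPEM, srv
}

// clientFor follows the trusted_root_ca approach: system roots plus the operator's PEM. PEM that
// fails to parse (e.g. mangled by YAML indentation) is an error, not a silent no-op; no skip-verify knob.
func clientFor(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("trusted_root_ca: no PEM certificate could be parsed")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

// probe does the discovery request the authenticator makes at startup and names the untrusted issuer.
func probe(c *http.Client, issuer string) error {
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		var ua x509.UnknownAuthorityError
		if errors.As(err, &ua) {
			return fmt.Errorf("CA %q is not in the trust store: %w", ua.Cert.Issuer.CommonName, err)
		}
		return err
	}
	return resp.Body.Close()
}

// caIssued verifies leafPEM against caPEM alone: did this ca.pem really sign Dex's serving
// certificate? (The same check as openssl verify -CAfile ca.pem dex.crt.)
func caIssued(caPEM, leafPEM []byte) bool {
	roots := x509.NewCertPool()
	blk, _ := pem.Decode(leafPEM)
	if blk == nil || !roots.AppendCertsFromPEM(caPEM) {
		return false
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return false
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```

Calling `probe` with the client from `clientFor(nil)` returns the same x509 unknown-authority error the reporter's logs show, naming "dex" as the missing CA; the client from `clientFor(caPEM)` succeeds. `caIssued` returns false for any CA other than the one that signed the leaf, which is the question to settle before changing anything else in the config.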

bjethwan commented 3 years ago

@primeroz Thanks for being on top of it. I used your snippet but I couldn't get it to work; for the trusted root CA, I gave spaces. I used this self-signed CA to generate the key+cert for both dex and dex-k8s-authenticator.

```yaml
dexK8sAuthenticator:
  port: 5555
  debug: false
  web_path_prefix: /
  tlsCert: /home/ubuntu/dex-k8s-authenticator/ssl/cert.pem
  tlsKey: /home/ubuntu/dex-k8s-authenticator/ssl/key.pem
  trusted_root_ca: |-
    -----BEGIN CERTIFICATE-----
    MIIDBTCCAe2gAwIBAgIUZUPftcf5VIiNKhhUBiCL4VC7kegwDQYJKoZIhvcNAQEL
    BQAwEjEQMA4GA1UEAwwHa3ViZS1jYTAeFw0yMDExMDMxODE5MjZaFw0zMDExMDEx
    ODE5MjZaMBIxEDAOBgNVBAMMB2t1YmUtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
    DwAwggEKAoIBAQDutz/Pjdyr8cGO/6qAYukfO9UNEYPSMFuj8PdtVbrqPOGvt5gv
    +RM1pbG1k6lkBMLzGgAQ2RUM6tzRfW6eDW65Vq+yx9dHn5mKiBSE1AWw/t++Ofyv
    sfjnDBOSdO5vf/c8OOTiW8zdqBHiiHDyBHvUCiVDfmu66L7+ikT+evdSX/lbCJFh
    1BRhkmq/NJeg2cY4w7z1TOvNSQIKwS5307uEwIK09BqDEuRIj3m/Pb3ex+hRrKSx
    +4/oD+Qn19ZfmYmTqZ/csq15E1h8nD2yt6ZZO9BANKaIUn/er96xT1eoZ3U9GWXG
    UOKZnhXGGn1X/6LJ2ViQ4X4uXXdre/jEJbFfAgMBAAGjUzBRMB0GA1UdDgQWBBQv
    9g5Yvq4lZPH9rw+g5JAAhl21YTAfBgNVHSMEGDAWgBQv9g5Yvq4lZPH9rw+g5JAA
    hl21YTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAx0crU9KYw
    nKkV/xWAmeJXrlpA4HfYDZQvp4kPO1XaGdxEl2BXSXXxrZtRwl8ygexmOBDVjG3v
    dYczpu7AsGh4lWkK29oXvDRGTvxrj72gWFOEJnkDyijcZreJJQZltI9GTLVvj/5A
    MUpfgJ63bnLNul3PIsyCYrkvuwSVEMyMaVnn4HUH2iG2mbUTXkOIjNJEddVgXzje
    urGfiMeFs1WR9gyI+1Lohk/8yOSmnOEJ//AgX0rLOk0N7ViBvG8FMk9h8wUvexP9
    O/qnuFHoxLLyXst2moWWI+6S3tSuBjLwJ1M952ZSAHYulB8CuF83L1mt6m/+jAij
    34MOfWVwhtss
    -----END CERTIFICATE-----

  clusters:
  - name: my-cluster
    short_description: "k8s1"
    description: "k8s1"
    client_secret: ZXhhbXBsZS1hcHAtc2VjcmV0
    issuer: https://dex.xxxxxxxxxxxxxxxxxxx
    k8s_master_uri: https://api.k8s1.xxxxxxxxxxxxxxxxx
    client_id: example-app
    redirect_uri: https://auth1.xxxxxxxxxxxxxxxxx/callback/my-cluster
    scopes:
    - email
    - profile
    - openid
```

primeroz commented 3 years ago

@bjethwan I just started dex-k8s-authenticator using your config and it worked ... (make sure to destroy all of it once you are done and recreate from scratch, especially now that you published your client_secret here)

```console
$ cat Downloads/config.yml
listen: http://0.0.0.0:5555
debug: false
web_path_prefix: /
trusted_root_ca: |-
  -----BEGIN CERTIFICATE-----
  MIIDBTCCAe2gAwIBAgIUZUPftcf5VIiNKhhUBiCL4VC7kegwDQYJKoZIhvcNAQEL
  BQAwEjEQMA4GA1UEAwwHa3ViZS1jYTAeFw0yMDExMDMxODE5MjZaFw0zMDExMDEx
  ODE5MjZaMBIxEDAOBgNVBAMMB2t1YmUtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
  DwAwggEKAoIBAQDutz/Pjdyr8cGO/6qAYukfO9UNEYPSMFuj8PdtVbrqPOGvt5gv
  +RM1pbG1k6lkBMLzGgAQ2RUM6tzRfW6eDW65Vq+yx9dHn5mKiBSE1AWw/t++Ofyv
  sfjnDBOSdO5vf/c8OOTiW8zdqBHiiHDyBHvUCiVDfmu66L7+ikT+evdSX/lbCJFh
  1BRhkmq/NJeg2cY4w7z1TOvNSQIKwS5307uEwIK09BqDEuRIj3m/Pb3ex+hRrKSx
  +4/oD+Qn19ZfmYmTqZ/csq15E1h8nD2yt6ZZO9BANKaIUn/er96xT1eoZ3U9GWXG
  UOKZnhXGGn1X/6LJ2ViQ4X4uXXdre/jEJbFfAgMBAAGjUzBRMB0GA1UdDgQWBBQv
  9g5Yvq4lZPH9rw+g5JAAhl21YTAfBgNVHSMEGDAWgBQv9g5Yvq4lZPH9rw+g5JAA
  hl21YTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAx0crU9KYw
  nKkV/xWAmeJXrlpA4HfYDZQvp4kPO1XaGdxEl2BXSXXxrZtRwl8ygexmOBDVjG3v
  dYczpu7AsGh4lWkK29oXvDRGTvxrj72gWFOEJnkDyijcZreJJQZltI9GTLVvj/5A
  MUpfgJ63bnLNul3PIsyCYrkvuwSVEMyMaVnn4HUH2iG2mbUTXkOIjNJEddVgXzje
  urGfiMeFs1WR9gyI+1Lohk/8yOSmnOEJ//AgX0rLOk0N7ViBvG8FMk9h8wUvexP9
  O/qnuFHoxLLyXst2moWWI+6S3tSuBjLwJ1M952ZSAHYulB8CuF83L1mt6m/+jAij
  34MOfWVwhtss
  -----END CERTIFICATE-----

clusters:
- name: my-cluster
  short_description: "k8s1"
  description: "k8s1"
  client_secret: ZXhhbXBsZS1hcHAtc2VjcmV0
  issuer: https://dex.bjethwan.xyz
  k8s_master_uri: https://api.k8s1.bjethwan.xyz/
  client_id: example-app
  redirect_uri: https://auth1.bjethwan.xyz//callback/my-cluster
  scopes:
  - email
  - profile
  - openid
```

```console
docker run --entrypoint sh -v ~/:/tmp/config -v /tmp/test3:/tmp/ca.pem -t -i --rm mintel/dex-k8s-authenticator:1.2.0

/app/bin/dex-k8s-authenticator --config /tmp/config/Downloads/config.yml
2020/11/04 15:50:09 Using config file:%!(EXTRA string=/tmp/config/Downloads/config.yml)
2020/11/04 15:50:09 Creating new provider https://dex.bjethwan.xyz
2020/11/04 15:50:10 Verifying client example-app
2020/11/04 15:50:10 Registered callback handler at: //callback/my-cluster
2020/11/04 15:50:10 Registered login handler at: /login/my-cluster
2020/11/04 15:50:10 Registered static assets handler at: /static/
2020/11/04 15:50:10 Listening on http://0.0.0.0:5555
```

primeroz commented 3 years ago

@bjethwan do you have any update after my last comment ?

@Josbrafe are you able to provide the info i asked ?

I just don't want to keep this open forever :) thanks

DANic-git commented 3 years ago

I have the same trouble.

I can't see where the Helm template uses the value trusted_root_ca.

In configmap.yaml it is not there.

primeroz commented 3 years ago

@germetist The Chart indeed does not support that option; we don't use Helm, so we tend not to keep it as up to date as it should be. PRs are welcome of course.

I am trying to understand if there are issues when the configmap does contain the trusted_root_ca key.

bjethwan commented 3 years ago

@primeroz I think we were missing the caCerts element; it worked only when I added the trailing part in the values.yml, as shown below.

```yaml
global:
  deployEnv: dev

replicaCount: 1

image:
  repository: mintel/dex-k8s-authenticator
  tag: 1.2.0
  pullPolicy: Always

dexK8sAuthenticator:
  port: 5555
  debug: true
  web_path_prefix: /
  trusted_root_ca_file: kube-ca.crt
  clusters:
  - name: my-cluster
    short_description: "k8s1"
    description: "k8s1"
    client_id: <<FILL_YOURS>>
    client_secret: <<FILL_YOURS>>
    issuer: <<FILL_YOURS>>
    k8s_master_uri: <<FILL_YOURS>>
    redirect_uri: <<FILL_YOURS>>
    scopes:
    - email
    - profile
    - openid
service:
  annotations: {}
  type: LoadBalancer
  port: 80
  targetPort: http

caCerts:
  enabled: true
  secrets:
  - name: kube-ca
    filename: kube-ca.crt
    value: LS0tLS1....
  # Array of Self Signed Certificates
  # cat CA.crt | base64 -w 0
```

primeroz commented 3 years ago

@bjethwan glad to know it worked for you :)

Closing this.