mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License

helm installation of Dex does not deploy functional Dex server #46

Closed praveendhac closed 6 years ago

praveendhac commented 6 years ago

Deployed Dex using

$ helm upgrade --install --namespace dex-server-ns --values dex-server.yaml dex-server-helm charts/dex
Release "dex-server-helm" does not exist. Installing it now.
NAME:   dex-server-helm
LAST DEPLOYED: Wed Jul 11 17:18:32 2018
NAMESPACE: dex-server-ns
STATUS: DEPLOYED

RESOURCES:
==> v1/Secret
NAME             TYPE    DATA  AGE
dex-server-helm  Opaque  7     0s

==> v1beta1/Ingress
NAME             HOSTS                                        ADDRESS  PORTS  AGE
dex-server-helm  dex.ingress.dex-server.example.com  80, 443  0s

==> v1/Pod(related)
NAME                              READY  STATUS             RESTARTS  AGE
dex-server-helm-75f46d4cf9-9jbdp  0/1    ContainerCreating  0         0s

==> v1/ConfigMap
NAME             DATA  AGE
dex-server-helm  1     0s

==> v1/ServiceAccount
NAME              SECRETS  AGE
dex-sa-server-pd  1        0s

==> v1beta1/ClusterRole
NAME             AGE
dex-server-helm  0s

==> v1beta1/ClusterRoleBinding
NAME             AGE
dex-server-helm  0s

==> v1beta1/Role
NAME             AGE
dex-server-helm  0s

==> v1beta1/RoleBinding
NAME             AGE
dex-server-helm  0s

==> v1/Service
NAME             TYPE       CLUSTER-IP    EXTERNAL-IP  PORT(S)   AGE
dex-server-helm  ClusterIP  10.8.0.58  <none>       5556/TCP  0s

==> v1/Deployment
NAME             DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
dex-server-helm  1        1        1           0          0s

NOTES:
1. Get the application URL by running these commands:
  https://dex.ingress.dex-server.example.com/

Accessing https://dex.ingress.dex-server.example.com/ in the browser throws a 404 error.
Accessing https://dex.ingress.dex-server.example.com/callback in the browser throws the error "Bad Request. User session error."
Accessing https://dex.ingress.dex-server.example.com/healthz in the browser works fine: "Health check passed in 24.320217ms"

Processes running on Pod and running config.yaml

$ kubectl exec dex-server-helm-75f46d4cf9-9jbdp -n dex-server-ns -- ps aux
PID   USER     TIME   COMMAND
    1 root       0:01 /usr/local/bin/dex serve /etc/dex/config.yaml

$ kubectl exec dex-server-helm-75f46d4cf9-9jbdp -n dex-server-ns -- cat /etc/dex/config.yaml
issuer: https://dex.ingress.dex-server.example.com

storage:
  type: kubernetes
  config:
    inCluster: true

web:
  http: 0.0.0.0:5556

frontend:
  theme: "coreos"
  issuer: "PD Company"
  issuerUrl: "https://dex.ingress.dex-server.example.com"
  #logoUrl: https://dex-server.example.com/images/logo-250x25.png

expiry:
  signingKeys: "6h"
  idTokens: "24h"

logger:
  level: debug
  format: json

oauth2:
  responseTypes: ["code", "token", "id_token"]
  skipApprovalScreen: true

# Remember you can have multiple connectors of the same 'type' (with different 'id's)
# If you need e.g. logins with groups for two different Microsoft 'tenants'
connectors:
# Microsoft App Dev account, 'Add an app'
# 'Application Secrets' -> 'Generate new password'
# 'Platforms' -> 'Add Platform' -> 'Web', add the callback URL
# https://apps.dev.microsoft.com/
- type: microsoft
  id: microsoft
  name: Microsoft
  config:
    clientID: AzureAD-ServerWebAppReg-id
    clientSecret: AzureAD-ServerWebAppReg-secret
    redirectURI: https://dex.ingress.dex-server.example.com/callback

enablePasswordDB: True
staticPasswords:
- email: "admin@dex-server.example.com"
  # bcrypt hash of the string "password"
  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
  username: "admin"
  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

API Server Config

- --oidc-issuer-url=https://dex.ingress.dex-server.example.com
- --oidc-client-id=AzureAD-ServerWebAppReg-id

Deployment status

$ kubectl get ns
NAME            STATUS    AGE
default         Active    2h
dex-server-ns   Active    1h
kube-public     Active    2h
kube-system     Active    2h

$ kubectl get all -n dex-server-ns
NAME                                   READY     STATUS    RESTARTS   AGE
pod/dex-server-helm-75f46d4cf9-9jbdp   1/1       Running   1          1h

NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/dex-server-helm   ClusterIP   10.8.0.58   <none>        5556/TCP   1h

NAME                              DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/dex-server-helm   1         1         1            1           1h

NAME                                         DESIRED   CURRENT   READY     AGE
replicaset.apps/dex-server-helm-75f46d4cf9   1         1         1         1h

Configured dex using https://github.com/coreos/dex/blob/master/Documentation/connectors/microsoft.md. Executing kubectl prompts for https://microsoft.com/devicelogin instead of https://dex.ingress.dex-server.example.com

nabadger commented 6 years ago

I can take a closer look tomorrow, but my initial thoughts are that this is expected behaviour.

Dex provides a set of URL handlers, but nothing listening at '/' - think of it like an api-gateway.

Can you confirm the below URL returns a 200:

https://dex.ingress.dex-server.example.com/.well-known/openid-configuration

In order to authenticate via dex, you initiate the request against the ingress configured for dex-k8s-authenticator (so just browse to the ingress configured for that chart).

nabadger commented 6 years ago

Also, I think you need to configure staticClients in the dex config (which links back to the dex-k8s-authenticator app) using the shared secret.

You can refer to these examples:

example dex-k8s-authenticator config
example dex config
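As an added example (not code from this thread or from the dex-k8s-authenticator project), a small Python consistency check over the three pieces the comments above tie together: the Dex issuer and its discovery document, the API server's --oidc-issuer-url and --oidc-client-id flags, and a staticClients entry for the authenticator. The Dex config, flags and discovery document are constructed from the values quoted in the issue; the client id dex-k8s-authenticator and the callback https://login.example.com/callback are assumptions.

```python
import json
# Constructed sample of the Dex config quoted in the issue, as a Python dict
# (a real check would load /etc/dex/config.yaml with a YAML parser).
DEX_CONFIG = {
    "issuer": "https://dex.ingress.dex-server.example.com",
    "connectors": [{"type": "microsoft", "id": "microsoft",
                    "config": {"clientID": "AzureAD-ServerWebAppReg-id"}}],
    # no staticClients: nothing links Dex to the authenticator yet
}
# Constructed: the kube-apiserver flags and a trimmed discovery document
# (what <issuer>/.well-known/openid-configuration returns) from the issue.
APISERVER_FLAGS = ["--oidc-issuer-url=https://dex.ingress.dex-server.example.com",
                   "--oidc-client-id=AzureAD-ServerWebAppReg-id"]
DISCOVERY_JSON = '{"issuer": "https://dex.ingress.dex-server.example.com"}'
# Assumed values for the authenticator's staticClients entry.
AUTH_CLIENT_ID = "dex-k8s-authenticator"
AUTH_CALLBACK = "https://login.example.com/callback"

def check_oidc_wiring(dex_config, apiserver_flags, discovery_json, callback_url):
    """Return a list of problems; an empty list means the three sides agree."""
    flags = dict(f.lstrip("-").split("=", 1) for f in apiserver_flags)
    issuer = dex_config.get("issuer", "")
    problems = []
    # 1. Issuer must match byte for byte (trailing slash included): the API
    #    server compares the token's "iss" claim with --oidc-issuer-url.
    if flags.get("oidc-issuer-url") != issuer:
        problems.append("--oidc-issuer-url differs from Dex issuer")
    if json.loads(discovery_json).get("issuer") != issuer:
        problems.append("discovery document issuer differs from Dex issuer")
    # 2. --oidc-client-id is the expected "aud" claim, so it must be a Dex
    #    staticClients id. The connector's clientID is Dex's own registration
    #    at Microsoft and never appears as "aud" in tokens Dex issues.
    static = {c["id"]: c for c in dex_config.get("staticClients", [])}
    upstream = {c["config"].get("clientID") for c in dex_config.get("connectors", [])}
    cid = flags.get("oidc-client-id")
    if cid not in static:
        why = "upstream connector clientID" if cid in upstream else "unknown id"
        problems.append(f"--oidc-client-id {cid!r} is not a staticClients id ({why})")
    # 3. Dex only redirects to URIs registered on the client, so the
    #    authenticator's callback must be listed on that staticClient.
    elif callback_url not in static[cid].get("redirectURIs", []):
        problems.append(f"{callback_url} is not a redirectURI of client {cid!r}")
    return problems

def with_static_client(dex_config):
    """Copy of the config with the staticClients entry the comment above describes."""
    return {**dex_config, "staticClients": [{
        "id": AUTH_CLIENT_ID, "name": "dex-k8s-authenticator",
        "secret": "SHARED_SECRET_PLACEHOLDER", "redirectURIs": [AUTH_CALLBACK]}]}
```

Running the check against the issue's own values reports that the API server's client id is the connector's clientID rather than a staticClients id; with the entry added and --oidc-client-id pointed at it, the check comes back empty.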

praveendhac commented 6 years ago

Is it mandatory to deploy dex-k8s-authenticator?

The URL below returns 200; the Dex server is running fine. https://dex.ingress.dex-server.example.com/.well-known/openid-configuration

Is this expected, accessing https://dex.ingress.dex-server.example.com/callback in the browser throws error "Bad Request. User session error."?

Also, execution of kubectl prompts for https://microsoft.com/devicelogin instead of https://dex.ingress.dex-server.example.com

nabadger commented 6 years ago

It's worth reading this - https://github.com/coreos/dex/blob/master/Documentation/kubernetes.md

This repo simply provides a web-ui that mimics what the example-app described in the above url does, but also provides a web-interface for it and makes it easier to integrate with kubectl.

Just to clarify, this repo is not associated with the official Dex project.

The key task that this helper performs is to fetch an ID token from Dex. It then provides a helper web-page that lets you configure your kubernetes kubeconfig with the correct credentials for the selected cluster, using the ID token provided by Dex. It would also let you get a kubeconfig for different clusters, which could have different authentication backends.

Without such a tool, the flow is pretty painful to mimic by hand (think bash-scripts, and cURL).

So to clarify, if you want to use kubectl to authenticate via Dex, a tool like this (or similar as there are others) is usually needed.

Also, we provide the 'Dex' chart as a helper as we find people will deploy both Dex and dex-k8s-authenticator together. You certainly do not need to use our Dex chart - there is now a more recent official one, or you could roll your own (they generally tend to end up being very similar).

nabadger commented 6 years ago

I believe this is resolved now, if not, feel free to open (related to #47)