mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License

[Question] How to get Dex to reload config file into CRDs? #68

Closed (luispollo closed this 6 years ago)

luispollo commented 6 years ago

Hi @nabadger, sorry to open an issue to ask a question, but I was hoping you may have experience with this scenario and might be able to point me in the right direction...

We've been using your charts for dex and dex-k8s-authenticator (thanks again for those!), and everything was working fine until we had to add a new OAuth2 Client in dex's config. We can't seem to make dex pick up new values in the file, and so are getting a "Redirect URL not registered" error during the authentication flow, or at least that's my theory... I've recreated the dex pod to force it to re-read config, but no luck.

I'm not very experienced with Kubernetes Custom Resource Definitions (which is the dex storage implementation I'm using), or with dex's internals, but when I query the API for OAuth2Clients I get an empty list:

$ kubectl get --raw "/apis/dex.coreos.com/v1/oauth2clients/"
{"apiVersion":"dex.coreos.com/v1","items":[],"kind":"OAuth2ClientList","metadata":{"continue":"","resourceVersion":"3326407","selfLink":"/apis/dex.coreos.com/v1/oauth2clients/"}}

...which can't be true because I'm still able to complete the flow for another client I had previously configured in the file.

Maybe there's something else I'm missing or messed up in my config. Was just curious if you ever came across this and could help me debug.

Feel free to close this whenever you like.

nabadger commented 6 years ago

@luispollo We had the same issue. As far as I'm aware it's not recommended to work with the Dex CRDs in this way (I'll try to dig up some documentation on that).

There was some hope that Dex would implement wildcards for redirectURIs: https://github.com/coreos/dex/issues/991

but it's against the spec, so the issue got closed.

I ended up writing a client which interacts with Dex via gRPC to add static-clients dynamically.

https://github.com/mintel/dex-k8s-ingress-watcher

nabadger commented 6 years ago

My initial hope was that Dex would support SIGHUP, but sadly it doesn't, so there's no way to get the config reloaded (it might be worth raising an issue with the CoreOS guys to see if that can be supported?)

luispollo commented 6 years ago

Thanks a lot for the quick feedback @nabadger. We just figured out what it was. It was our fault, actually. 😄

I had the wrong client ID encoded in a secret on the starting end of the flow (we're using oauth2_proxy in front of the Kubernetes Dashboard with dex as the IdP).

Closing this. Thanks again!
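The two things that can break this flow are exactly the two checks Dex performs on an authorization request: the client_id the relying party sends must match a registered client, and the redirect_uri must be one of that client's registered URIs. Static clients from the Dex config file are held in memory and are never written to the storage backend, which is why the CRD list above is empty while the file-configured client still works; clients created through the gRPC API do land in OAuth2Client objects. The script below is an added diagnostic example, not code from this issue or from dex-k8s-authenticator: it merges both client sources, decodes the client-id an oauth2_proxy-style Secret carries, and reports which of the two checks would fail. All input data (the staticClients list, the OAuth2ClientList JSON, the Secret) is constructed here to mirror the situation in the thread, including a mistyped client ID in the Secret; the field layout of the OAuth2Client objects follows Dex's Kubernetes storage types, with the client fields at the top level next to metadata.

```python
"""Diagnose 'unknown client' vs 'unregistered redirect URI' against Dex.

Constructed example data throughout; in a cluster you would feed it
`kubectl get --raw /apis/dex.coreos.com/v1/oauth2clients/` (CRD clients),
the staticClients section of the Dex config, and the relying party's
Secret (`kubectl get secret ... -o json`).
"""
import base64
import difflib
import json

# Constructed: staticClients from a Dex config file, already parsed from YAML.
DEX_STATIC_CLIENTS = [
    {
        "id": "kubernetes-dashboard",
        "secret": "ZXhhbXBsZS1zZWNyZXQ",
        "name": "Kubernetes Dashboard",
        "redirectURIs": ["https://dashboard.example.com/oauth2/callback"],
    },
    {
        "id": "dex-k8s-authenticator",
        "secret": "YW5vdGhlci1zZWNyZXQ",
        "name": "dex-k8s-authenticator",
        "redirectURIs": ["https://login.example.com/callback/cluster-a"],
    },
]

# Constructed: an OAuth2ClientList as returned by the Dex CRD API after one
# client was added dynamically (e.g. over gRPC). Static clients never show up here.
DEX_CRD_LIST_JSON = json.dumps({
    "apiVersion": "dex.coreos.com/v1",
    "kind": "OAuth2ClientList",
    "items": [{
        "apiVersion": "dex.coreos.com/v1",
        "kind": "OAuth2Client",
        "metadata": {"name": "grafana", "namespace": "auth"},
        "id": "grafana",
        "secret": "Z3JhZmFuYQ",
        "name": "Grafana",
        "redirectURIs": ["https://grafana.example.com/login/generic_oauth"],
    }],
})

# Constructed: the .data of the Secret oauth2_proxy reads its credentials from.
# The client ID was typed with an underscore instead of a hyphen (the thread's root cause).
OAUTH2_PROXY_SECRET_DATA = {
    "client-id": base64.b64encode(b"kubernetes_dashboard").decode(),
    "client-secret": base64.b64encode(b"ZXhhbXBsZS1zZWNyZXQ").decode(),
}


def registered_clients(static_clients, crd_list_json):
    """Merge both client sources into {client_id: [registered redirect URIs]}."""
    clients = {c["id"]: list(c.get("redirectURIs", [])) for c in static_clients}
    for item in json.loads(crd_list_json).get("items", []):
        clients.setdefault(item["id"], []).extend(item.get("redirectURIs", []))
    return clients


def client_id_from_secret(secret_data, key="client-id"):
    """Secret .data values are base64; decode the one holding the client ID."""
    return base64.b64decode(secret_data[key]).decode()


def check_authorization(clients, client_id, redirect_uri):
    """Apply Dex's two checks in order: client lookup, then exact redirect URI match.

    Returns (ok, reason). Redirect URIs are compared exactly, as Dex does:
    no wildcards, no prefix matching (see the closed upstream wildcard request).
    """
    if client_id not in clients:
        hint = difflib.get_close_matches(client_id, clients, n=1, cutoff=0.8)
        return False, f"client_id {client_id!r} is not registered" + (
            f"; did you mean {hint[0]!r}?" if hint else "")
    if redirect_uri not in clients[client_id]:
        return False, (f"redirect_uri {redirect_uri!r} is not registered for "
                       f"{client_id!r}; registered: {clients[client_id]}")
    return True, "ok"


def diagnose(static_clients, crd_list_json, secret_data, redirect_uri):
    """End-to-end: what Dex would decide for the credentials this proxy is using."""
    clients = registered_clients(static_clients, crd_list_json)
    return check_authorization(clients, client_id_from_secret(secret_data), redirect_uri)


if __name__ == "__main__":
    ok, reason = diagnose(DEX_STATIC_CLIENTS, DEX_CRD_LIST_JSON,
                          OAUTH2_PROXY_SECRET_DATA,
                          "https://dashboard.example.com/oauth2/callback")
    print("OK" if ok else "FAIL", reason)
```

Run against real data, the useful property is that an empty OAuth2ClientList does not mean "no clients": it only means none were created through the storage backend. The merged view shows the file-configured clients alongside the CRD ones, so a failing flow can be pinned on the client ID or on the redirect URI without guessing.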

nabadger commented 6 years ago

:+1: