Headlamp OIDC with GKE #2643

Open
slitsevych opened this issue Dec 6, 2024 · 1 comment
Labels
bug Something isn't working GKE Related to Google Kubernetes Engine keycloak Keycloak the Identity and Access Management app

Comments

@slitsevych

slitsevych commented Dec 6, 2024

After numerous and various attempts it does not seem that Headlamp OIDC is working with GKE Identity Service, and the only way to log in is to use a service account token.

1. Enabled Identity Service with GKE (https://cloud.google.com/kubernetes-engine/docs/how-to/oidc)
2. Changed the default ClientConfig to the following:

```yaml
apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
  namespace: kube-public
spec:
  authentication:
  - name: oidc
    oidc:
      clientID: <<CLIENT_ID>>
      groupPrefix: 'oidc:'
      groupsClaim: groups
      issuerURI: https://<<KEYCLOAK_URL>>/realms/<<MY_REALM>>
      kubectlRedirectURI: http://localhost:8000/callback
      scopes: email,profile
      userClaim: email
      userPrefix: 'oidc:'
  certificateAuthorityData: <<certificateAuthorityData>>
  internalServer: ""
  name: <<CLUSTER_NAME>>
  server: https://<<IP_ADDRESS_OF_gke-oidc-envoy LB service>>:443
```

`server` is set to the IP address of the `gke-oidc-envoy` LB service in the `anthos-identity-service` namespace.

3. Default login through `kubectl oidc login --login-config=client-config.yaml --cluster=<<CLUSTER_NAME>>`, where client-config.yaml is the same client configuration as shown above plus clientSecret, works just fine.
   I'm able to log in with an email that's mapped to "oidc:<<MY_EMAIL/USERNAME>>", and with a ClusterRoleBinding in place I'm able to gain access.

4. In Headlamp though, using the following config:

```yaml
clientID: <<CLIENT_ID>>
clientSecret: <<CLIENT_SECRET>>
issuerURL: https://<<KEYCLOAK_URL>>/realms/<<MY_REALM>>
scopes: email,profile
```

I cannot get any permissions/access. Moreover, I don't see any relevant logs in Headlamp at all, only messages like `events is forbidden: User "system:anonymous" cannot list resource "events" in API group "" at the cluster scope` appearing in the browser console.


As such I have a couple of questions:

  1. Is there any working example of Headlamp OIDC with GKE (if any) or is it broken at this point and awaiting a fix?
  2. Is it possible to see/enable some debug logs of Headlamp OIDC flow with API server or at least any hints on that matter in logs?

And on a somewhat unrelated note, is there a way to suppress the error message

```json
{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":757,"error":"expiry time not found or invalid","time":"2024-12-06T07:41:50Z","message":"failed to get expiry time"}
```

when using a service token without expiry (set as a secret)?

@slitsevych slitsevych added the bug Something isn't working label Dec 6, 2024
@dosubot dosubot bot added GKE Related to Google Kubernetes Engine keycloak Keycloak the Identity and Access Management app labels Dec 6, 2024
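As an added example (not part of this issue, and not Headlamp's or GKE's own code), the script below applies the claim-to-identity mapping expressed by the ClientConfig above to a constructed ID token, reproduces the "expiry time not found or invalid" rejection, and checks whether an RBAC subject would match the prefixed identity. The client ID, issuer URL, email, group and token are assumptions constructed for the demo.

```python
import base64
import json
import time

# Mapping fields taken from the ClientConfig in the issue; values are constructed placeholders.
CLIENT_CONFIG = {
    "clientID": "headlamp-client",                            # stands in for <<CLIENT_ID>>
    "issuerURI": "https://keycloak.example.com/realms/myrealm",  # stands in for issuerURI
    "userClaim": "email", "userPrefix": "oidc:",
    "groupsClaim": "groups", "groupPrefix": "oidc:",
}

def sample_token(claims: dict) -> str:
    """Constructed sample token for the demo; the signature segment is a dummy."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"

def jwt_payload(token: str) -> dict:
    """Base64url-decode only the payload segment. No signature check: this is a
    diagnostic view of the claims, not a substitute for the API server's validation."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def derive_identity(claims: dict, cfg: dict, now=None):
    """Apply the ClientConfig mapping the way the API server would: return
    (username, groups) or raise ValueError with the reason the token is rejected."""
    now = time.time() if now is None else now
    if claims.get("iss") != cfg["issuerURI"]:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud", [])
    if cfg["clientID"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("clientID not present in aud")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expiry time not found or invalid")
    if cfg["userClaim"] not in claims:
        raise ValueError(f"userClaim {cfg['userClaim']!r} missing; check requested scopes")
    username = cfg["userPrefix"] + claims[cfg["userClaim"]]
    groups = [cfg["groupPrefix"] + g for g in claims.get(cfg["groupsClaim"], [])]
    return username, groups

def binding_matches(username: str, groups: list, subjects: list) -> bool:
    """True if a (Cluster)RoleBinding subjects list names this prefixed identity.
    A subject written without the 'oidc:' prefix never matches, a common RBAC slip."""
    for s in subjects:
        if s["kind"] == "User" and s["name"] == username:
            return True
        if s["kind"] == "Group" and s["name"] in groups:
            return True
    return False
```

If the token decodes and maps cleanly here but the API server still reports `system:anonymous`, no accepted bearer token reached it, so the problem sits in how Headlamp sends the token to the `gke-oidc-envoy` endpoint rather than in the claim mapping.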
@joaquimrocha
Collaborator

cc/ @ashu8912
