trouble setting up dex with a custom Kubernetes cluster


Chris Jones
Nov 10, 2016, 12:53:17 PM
to dex-dev
First, thanks for making this product. It's just what I want to connect my Kubernetes cluster to corporate LDAP for authentication. I'm having some trouble setting it up, though. Following are some notes:
  • Examples/k8s/deployment.yaml needed some tweaks.
    • image: quay.io/coreos/dex:v2.0.0-beta.1
    • command: [ "/usr/local/bin/dex", ... ] (was /dex)
    • Looks like it could support a /healthz livenessProbe or readinessProbe, but I didn't try to add that.
  • Examples/k8s/client.yaml doesn't match what I saw in the code. It looks like the OAuth2Client needs an id field when it's stored in Kubernetes. There's no id in the example client.yaml file, though. It looks like storage/kubernetes/client.go computes a hash of the name. So is there no way to manually add a valid client entry using kubectl? Is it only possible to add a client using the gRPC API?
  • I'm not able to get it to recognize a client.
    • I tried loading the client.yaml, both as-is and with an id field; but dex returns a 500 with "Invalid client_id ("myapp")."
    • I also tried configuring a static client in the configmap. I ultimately get almost the same error (Invalid client_id ("").) But in this case, it has an extra redirect. It first goes to dex/auth?client_id=myapp... and gets a 302, which sends it to dex/auth?req=... That page returns a 500 and the Invalid client_id (""). This makes me think loading the client.yaml didn't work at all, but the static client is almost working.
  • Dex itself isn't logging much. I get the initial startup messages about the third party resources, and then the listening message. There isn't any further logging happening; is there a way to turn up the debug level so it can give me a hint as to what I'm doing wrong?

Chris

Eric Chiang
Nov 10, 2016, 1:05:02 PM
to Chris Jones, dex-dev
Chris,

Apologies, yes you're right that that document is outdated. I have a PR in the works with the deployment I demo'd at kubecon. Do you have a GitHub handle so I can cc you on that?


> Looks like it could support a /healthz livenessProbe or readinessProbe, but I didn't try to add that.

Yep, it's just `/healthz`, though this is an issue if dex is using HTTPS. We may split it out into its own port.


> I'm not able to get it to recognize a client.

You can define clients statically in the configmap. See https://github.com/coreos/dex/blob/v2.0.0-beta.1/examples/config-dev.yaml#L36-L44


> Dex itself isn't logging much.

Dex doesn't have leveled logging yet, only error logging. I've opened an issue to add that https://github.com/coreos/dex/issues/677

Eric


--
You received this message because you are subscribed to the Google Groups "dex-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dex-dev+unsubscribe@googlegroups.com.
To post to this group, send email to dex...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dex-dev/3080c5ff-c0ae-4c6c-ba3d-f200b90f0949%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris Jones
Nov 10, 2016, 1:17:21 PM
to dex-dev
On Thursday, November 10, 2016 at 11:05:02 AM UTC-7, Eric Chiang wrote:
> Apologies, yes you're right that that document is outdated. I have a PR in the works with the deployment I demo'd at kubecon. Do you have a GitHub handle so I can cc you on that?

Sure, it's cjyar.

>> Looks like it could support a /healthz livenessProbe or readinessProbe, but I didn't try to add that.
>
> Yep, it's just `/healthz`, though this is an issue if dex is using HTTPS. We may split it out into its own port.

Great; would that be liveness, readiness, or both?

>> I'm not able to get it to recognize a client.
>
> You can define clients statically in the configmap. See https://github.com/coreos/dex/blob/v2.0.0-beta.1/examples/config-dev.yaml#L36-L44

Yep, I did that but something's still not right. As I said, it's hitting dex/auth?client_id=..., which redirects to dex/auth?req=..., which returns a 500 Invalid client_id (""). Any suggestions on debugging that? Or ideas on what I might have misconfigured?

Chris

Eric Chiang
Nov 10, 2016, 1:36:45 PM
to Chris Jones, dex-dev
> Great; would that be liveness, readiness, or both?

both

> Any suggestions on debugging that? Or ideas on what I might have misconfigured?

My guess is that your yaml file might be slightly broken and missing a
field or something. But it's odd that you're triggering the initial
redirect from the dex page to the one with `?req=...`. Might be a bug
on our end, will look into this.

Would it be okay for you to provide your config (removing any
sensitive or organization specific fields)?

Eric

Eric Chiang
Nov 10, 2016, 1:54:32 PM
to Chris Jones, dex-dev
> Yep, it's just `/healthz`, though this is an issue if dex is using HTTPS. We may split it out into its own port.

Correction, it's /dex/healthz if you're listening at a non root path.

Eric
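Collecting the thread's corrections into one probe configuration, as an added illustration and not the project's own examples/k8s/deployment.yaml: the image and command come from Chris's notes, and both probes use `/dex/healthz` as Eric settled on. The container port 5556, the config file path, and the `scheme: HTTPS` line (the Kubernetes way to probe a TLS listener, which is the HTTPS caveat Eric raised) are assumptions.

```yaml
# Added example; assumes dex serves its issuer under /dex on port 5556 over TLS
# and reads its config from a ConfigMap mounted at /etc/dex/cfg. Adjust to fit.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: dex
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: dex
    spec:
      containers:
      - name: dex
        image: quay.io/coreos/dex:v2.0.0-beta.1
        # Binary lives at /usr/local/bin/dex in this image, not /dex.
        command: ["/usr/local/bin/dex", "serve", "/etc/dex/cfg/config.yaml"]
        ports:
        - name: https
          containerPort: 5556
        # Both probes hit the health endpoint ("both" per Eric). Because dex is
        # listening under a non-root path, the endpoint is /dex/healthz, not
        # /healthz. scheme: HTTPS makes the kubelet speak TLS to the pod; a plain
        # HTTP probe against a TLS-only listener never gets a 200 and the pod
        # would be restarted or never marked ready.
        livenessProbe:
          httpGet:
            path: /dex/healthz
            port: https
            scheme: HTTPS
          initialDelaySeconds: 10
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /dex/healthz
            port: https
            scheme: HTTPS
          periodSeconds: 5
        volumeMounts:
        - name: config
          mountPath: /etc/dex/cfg
      volumes:
      - name: config
        configMap:
          name: dex
```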