Dex fails to parse oidc relation's client_id when container is replanned #63

Open
natalian98 opened this issue Jun 24, 2022 · 0 comments
Labels
bug Something isn't working Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release


Concerns PR #62
When using container.replan() in a sidecar charm, the oidc relation gets broken without being explicitly noted in juju logs.
Bundle deployed on microk8s 1.21/stable with dns storage rbac ingress metallb:10.64.140.43-10.64.140.49 enabled:

bundle: kubernetes
name: kubeflow
applications:
  dex-auth:
    charm: "/home/ubuntu/dex-auth-operator/dex-auth_ubuntu-20.04-amd64.charm"
    resources:
      oci-image: "dexidp/dex:v2.31.2"
    scale: 1
    trust: true
  istio-ingressgateway:          { charm: istio-gateway,           channel: 1.5/stable, scale: 1, trust: true}
  istio-pilot:                   { charm: istio-pilot,             channel: 1.5/stable, scale: 1, options: { default-gateway: "kubeflow-gateway" } }
  kubeflow-dashboard:            { charm: kubeflow-dashboard,      channel: latest/edge, scale: 1 }
  kubeflow-profiles:             { charm: kubeflow-profiles,       channel: latest/edge, scale: 1 }
  oidc-gatekeeper:               { charm: oidc-gatekeeper,         channel: latest/stable, scale: 1 }
relations:
- [dex-auth:oidc-client, oidc-gatekeeper:oidc-client]
- [istio-pilot:ingress, dex-auth:ingress]
- [istio-pilot:ingress, kubeflow-dashboard:ingress]
- [istio-pilot:ingress, oidc-gatekeeper:ingress]
- [istio-pilot:ingress-auth, oidc-gatekeeper:ingress-auth]
- [istio-pilot:istio-pilot, istio-ingressgateway:istio-pilot]
- [kubeflow-profiles, kubeflow-dashboard]

Charms get active, but the logon page shows info about an invalid oidc client.
The following can be observed in dex container logs:

$ kubectl logs dex-auth-0 -c dex -n kubeflow
[...]
2022-06-24T13:50:14.025Z [dex] time="2022-06-24T13:50:14Z" level=error msg="Failed to parse authorization request: Invalid client_id (\"authservice-oidc\")."

However, when you inspect the config file to which that relation data is sent, the client id seems to be correct:

$ kubectl exec -it dex-auth-0 -c dex -n kubeflow -- cat /etc/dex/config.docker.yaml
connectors: null
enablePasswordDB: true
issuer: http://10.64.140.43.nip.io/dex
logger:
  format: text
  level: debug
oauth2:
  skipApprovalScreen: true
staticClients:
- id: authservice-oidc
  name: Ambassador Auth OIDC
  redirectURIs:
  - /authservice/oidc/callback
  secret: VAVFN2LPMVAUY577DULT42HXYR2SNL
staticPasswords:
- email: admin
  hash: $2b$12$vXZg1qLLMAqIXiXSYKSN5.ohyeQTbuLhCWvB.8wo9aML3CuR6zPi6
  userID: fdef551a-7377-4445-b070-5f2fdaa0b48b
  username: admin
storage:
  config:
    inCluster: true
  type: kubernetes
web:
  http: 0.0.0.0:5556

This is similar to issue #31.
This issue is not observed when container.restart() is used instead.
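
An added triage check, not part of the original issue or the dex-auth charm's code: it cross-references the client ids Dex rejects in its log with the `staticClients` ids in the config file on disk. The function names and both sample inputs are constructed for illustration; reading a "rejected but on disk" id as a sign that the running Dex process is not using the file's current contents is an assumption consistent with the restart() observation above, not something the issue confirms.

```python
import re

# Constructed sample log, modelled on the error line quoted in the issue.
SAMPLE_LOG = r'''
2022-06-24T13:50:14.025Z [dex] time="2022-06-24T13:50:14Z" level=error msg="Failed to parse authorization request: Invalid client_id (\"authservice-oidc\")."
2022-06-24T13:50:20.000Z [dex] time="2022-06-24T13:50:20Z" level=error msg="Failed to parse authorization request: Invalid client_id (\"unknown-app\")."
'''

# Constructed sample config with placeholder secret and user id.
SAMPLE_CONFIG = """\
issuer: http://dex.example/dex
staticClients:
- id: authservice-oidc
  name: Ambassador Auth OIDC
  redirectURIs:
  - /authservice/oidc/callback
  secret: PLACEHOLDER
staticPasswords:
- email: admin
  userID: 00000000-0000-0000-0000-000000000000
"""

# Matches the rejected id whether or not the quotes are backslash-escaped.
REJECTED = re.compile(r'Invalid client_id \(\\?"([^"\\]+)\\?"\)')

def static_client_ids(config_text):
    """Collect `id` values found under the top-level staticClients key."""
    ids, in_section = [], False
    for line in config_text.splitlines():
        if line and not line[0].isspace() and not line.startswith("-"):
            in_section = line.split(":", 1)[0] == "staticClients"  # new top-level key
            continue
        m = re.match(r"\s*(?:-\s+)?id:\s*(\S+)", line)
        if in_section and m:
            ids.append(m.group(1).strip("'\""))
    return ids

def triage(log_text, config_text):
    """Split rejected client ids by whether the on-disk config defines them."""
    on_disk = set(static_client_ids(config_text))
    rejected = sorted(set(REJECTED.findall(log_text)))
    return {
        "rejected_but_on_disk": [c for c in rejected if c in on_disk],
        "rejected_and_absent": [c for c in rejected if c not in on_disk],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_CONFIG))
```

In a live deployment the two inputs would be the outputs of the `kubectl logs` and `kubectl exec ... cat /etc/dex/config.docker.yaml` commands shown in the issue.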

@ca-scribner ca-scribner added the bug Something isn't working label Jul 7, 2022
@DnPlas DnPlas added the Kubeflow 1.7 This issue affects the Charmed Kubeflow 1.7 release label Mar 13, 2023
@DnPlas DnPlas closed this as completed Mar 13, 2023
@DnPlas DnPlas reopened this Mar 13, 2023