[caasp-beta] Antw: kubeconfig download error with DEX internal server error , Login error
rushi.ns at sap.com
Tue Nov 21 09:07:08 MST 2017
Thank you. I have also filed this new bug below since I wasn’t able to access the bug you guys filed as I was getting “authorization error”.
Bug 1069251 has been added to the database
I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE
On 11/21/17, 7:44 AM, "Rafael Fernández López" <rfernandezlopez at suse.de> wrote:
On Tue, Nov 21, 2017 at 03:29:36PM +0000, Ns, Rushi wrote:
> Hi Martin
> Thank you. Yes I did, I used load balancer IP (lvsusekub8.pal.sap.corp) which is out of the cluster node address. The host I’ve specified is not velum ip, not master ip and not any of worker ip’s.
We are studying the problem at the moment. From what I could see this is what's happening:
- When the admin node starts it generates several certificates, based on the information of
the machine at the moment of boot (transient and static hostnames, machine attached
ip addresses...). These hostnames get added to some initial certificates in their SAN
extensions, as well as the attached IP addresses of the admin node.
- When you enter the internal dashboard fqdn (first field on first page of the Velum setup),
if you enter an external name not detected by this very first step (e.g. with cloud-init
you chose as hostname `admin`, and in this field you write `admin.my.company`), the certificate
used by LDAP won't contain `admin.my.company`, whereas Dex will try to connect to
the LDAP instance in the admin node using `admin.my.company:389`.
This effectively makes the TLS handshake fail, and Dex is unable to authenticate the user.
More information will be added to the bug report, and we'll keep you updated.
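
The SAN mismatch described in the message above can be reproduced offline. This is an added example, not part of the original thread and not CaaSP or Dex code: it builds a certificate carrying only boot-time names and runs Go's standard hostname verification against the name entered in Velum. The address `10.0.0.10` and the helper names `bootCert` and `missingSANs` are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// bootCert self-signs a certificate whose SANs hold only the boot-time names (constructed values).
func bootCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// missingSANs lists dialed names the SANs do not cover, using the check Go's TLS client applies.
func missingSANs(cert *x509.Certificate, dialed []string) []string {
	var missing []string
	for _, name := range dialed {
		if err := cert.VerifyHostname(name); err != nil {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	cert, err := bootCert([]string{"admin"}, []net.IP{net.ParseIP("10.0.0.10")})
	if err != nil {
		panic(err)
	}
	fmt.Println("not covered:", missingSANs(cert, []string{"admin", "10.0.0.10", "admin.my.company"}))
}
```

Running the same check against the real LDAP certificate before completing the Velum setup shows whether the FQDN entered in the first field is covered.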