[caasp-beta] Antw: kubeconfig download error with DEX internal server error , Login error
Rafael Fernández López
rfernandezlopez at suse.de
Tue Nov 21 08:44:27 MST 2017
On Tue, Nov 21, 2017 at 03:29:36PM +0000, Ns, Rushi wrote:
> Hi Martin
> Thank you. Yes I did, I used load balancer IP (lvsusekub8.pal.sap.corp) which is out of the cluster node address. The host I’ve specified is not velum ip, not master ip and not any of worker ip’s.

We are studying the problem at the moment. From what I could see this is what's happening:
- When the admin node starts it generates several certificates, based on the information of
the machine in the moment of the boot (transient and static hostnames, machine attached
ip addresses...). These hostnames get added to some initial certificates in their SAN
extensions, as well as the attached IP addresses of the admin node.
- When you enter the internal dashboard fqdn (first field on first page of the Velum setup),
if you enter an external name not detected by this very first step (e.g. with cloud-init
you chose as hostname `admin`, and in this field you write `admin.my.company`), the certificate
used by LDAP won't contain `admin.my.company`, whereas Dex will try to connect to
the LDAP instance in the admin node using `admin.my.company:389`.
This effectively makes the TLS handshake fail, and Dex is unable to authenticate the user.
More information will be added to the bug report, and we'll keep you updated.
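
The mismatch described in the message above can be checked by comparing every name a client dials with the SAN entries of the certificate the server presents. The Python below is an added example, not part of the original e-mail or of CaaSP or Dex; the certificate dict (in the shape returned by Python's `ssl.SSLSocket.getpeercert()`), the IP address `10.0.0.5` and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a certificate generated at boot that only knows the
# short hostname and one attached IP address (values are assumptions).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "admin"), ("IP Address", "10.0.0.5")),
}

def _dns_match(pattern, host):
    """Compare one dNSName SAN entry with the dialed host, case-insensitively.
    A '*' is honoured only as the whole left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def san_covers(cert, dialed):
    """True if the name or IP the client connects to appears in the SAN list."""
    try:
        ip = ipaddress.ip_address(dialed)
    except ValueError:
        ip = None  # not an IP literal, treat it as a DNS name
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP literals are only compared with iPAddress entries.
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, dialed):
            return True
    return False

def missing_names(cert, dialed_names):
    """Names that clients use but that the certificate does not cover."""
    return [n for n in dialed_names if not san_covers(cert, n)]

if __name__ == "__main__":
    # The short hostname and the IP are covered; the external FQDN entered
    # later in the setup form is not.
    for name in missing_names(SAMPLE_CERT, ["admin", "admin.my.company", "10.0.0.5"]):
        print(f"{name}: not in SAN, TLS verification for this name fails")
```
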