[caasp-beta] dex - failure to rotate keys

Donaldson, Ian Ian.Donaldson at NGIC.COM
Wed Aug 7 23:53:04 MDT 2019


Got it. Thank you!

We have teams starting to use the v4 cluster, even though Beta, so I’ve been trying not to disrupt them too much and didn’t get these updates as a result.

Thanks,

Ian

From: JenTing Hsiao <jenting.hsiao at suse.com>
Sent: Thursday, August 8, 2019 1:49 AM
To: Donaldson, Ian <Ian.Donaldson at NGIC.COM>
Cc: caasp-beta at lists.suse.com
Subject: Re: [caasp-beta] dex - failure to rotate keys

Hi Ian,
    The dex manifest is generated on `skuba cluster init`.
    Or you could edit the ClusterRole with `kubectl edit ClusterRole oidc-dex --namespace kube-system` and add the update verb to the signingkeies resource.

JenTing

Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Thursday, August 8, 2019 at 1:23 PM:
I upgraded to Beta 5 from Beta 4, but perhaps it didn’t install correctly?

How do I correct this?


Thanks,

Ian

From: JenTing Hsiao <jenting.hsiao at suse.com>
Sent: Thursday, August 8, 2019 1:07 AM
To: Donaldson, Ian <Ian.Donaldson at NGIC.COM>
Cc: caasp-beta at lists.suse.com
Subject: Re: [caasp-beta] dex - failure to rotate keys

Hi Ian,
    Thanks for reporting this. This issue was fixed in Beta 5.

JenTing
Donaldson, Ian <Ian.Donaldson at ngic.com> wrote on Wednesday, August 7, 2019 at 10:55 PM:
Seeing a lot of these failures to rotate keys, due to forbidden status.

2019-08-07T14:52:25.529575+00:00 caasp-test-worker-02 k8s.pod/kube-system/oidc-dex-55fc689dc-vtvnh/oidc-dex 2019-08-07T10:52:25.529490058-04:00 stderr F time="2019-08-07T14:52:25Z" level=error msg="failed to rotate keys: PUT https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/signingkeies/openid-connect-keys Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"signingkeies.dex.coreos.com \\"openid-connect-keys\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" cannot update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" in the namespace \\"kube-system\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"openid-connect-keys\",\"group\":\"dex.coreos.com\",\"kind\":\"signingkeies\"},\"code\":403}\""


Thanks,

Ian
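
Added example (not part of the original thread and not dex or CaaSP code): a small Python parser that pulls the denied subject, verb and resource out of dex log lines like the one quoted above, then derives the RBAC rule entry that is missing and a `kubectl auth can-i` check to confirm the fix. The function names and the shortened sample lines are constructed for illustration.

```python
import re
from collections import Counter

# API server "forbidden" wording, as seen in the dex error quoted in this thread.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_denial(line):
    """Return the denied user/verb/resource/group/namespace as a dict, or None."""
    # The message sits in escaped JSON inside a msg="..." field; dropping the
    # backslashes makes the match independent of how deeply it was escaped.
    m = DENIAL.search(line.replace("\\", ""))
    return m.groupdict() if m else None

def summarize(lines):
    """Count each distinct RBAC denial across many log lines."""
    hits = Counter()
    for d in filter(None, map(parse_denial, lines)):
        hits[(d["user"], d["verb"], d["resource"], d["group"], d["namespace"])] += 1
    return hits

def missing_rule(d):
    """The one RBAC rule entry that would allow the denied request."""
    return {"apiGroups": [d["group"]], "resources": [d["resource"]], "verbs": [d["verb"]]}

def can_i_command(d):
    """kubectl argv that re-checks the permission while impersonating the subject."""
    resource = d["resource"] + ("." + d["group"] if d["group"] else "")
    cmd = ["kubectl", "auth", "can-i", d["verb"], resource, "--as=" + d["user"]]
    if d["namespace"]:
        cmd += ["--namespace", d["namespace"]]
    return cmd

# Constructed sample: the denial text from this thread (shortened) plus an unrelated line.
SAMPLE = [
    r'level=error msg="failed to rotate keys: ... \"message\":\"signingkeies.dex.coreos.com '
    r'\\"openid-connect-keys\\" is forbidden: User \\"system:serviceaccount:kube-system:oidc-dex\\" '
    r'cannot update resource \\"signingkeies\\" in API group \\"dex.coreos.com\\" '
    r'in the namespace \\"kube-system\\"\",\"code\":403}\""',
    'level=info msg="constructed unrelated line"',
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        d = dict(zip(("user", "verb", "resource", "group", "namespace"), key))
        print(count, missing_rule(d), " ".join(can_i_command(d)))
```

Running the printed `kubectl auth can-i` command requires impersonation rights on the cluster; it should answer yes once the ClusterRole carries the update verb.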