<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div dir="ltr">Hi Ian,
<div>    The dex manifest is generated on `skuba cluster init`.</div>
<div>    Or you could edit the ClusterRole by `kubectl edit ClusterRole oidc-dex --namespace kube-system` and add update verb to resources signingkeies.</div>
<div><br>
</div>
<div>JenTing</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">Donaldson, Ian <<a href="mailto:Ian.Donaldson@ngic.com">Ian.Donaldson@ngic.com</a>> 於 2019年8月8日 週四 下午1:23寫道：<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_8014071156623287703WordSection1">
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">I upgraded to Beta 5 from Beta 4, but perhaps it didn’t install correctly?
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">How do I correct this?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br>
Thanks,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><br>
Ian<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"> JenTing Hsiao <<a href="mailto:jenting.hsiao@suse.com" target="_blank">jenting.hsiao@suse.com</a>>
<br>
<b>Sent:</b> Thursday, August 8, 2019 1:07 AM<br>
<b>To:</b> Donaldson, Ian <<a href="mailto:Ian.Donaldson@NGIC.COM" target="_blank">Ian.Donaldson@NGIC.COM</a>><br>
<b>Cc:</b> <a href="mailto:caasp-beta@lists.suse.com" target="_blank">caasp-beta@lists.suse.com</a><br>
<b>Subject:</b> Re: [caasp-beta] dex - failure to rotate keys<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<table class="gmail-m_8014071156623287703MsoNormalTable" border="0" cellspacing="4" cellpadding="0">
<tbody>
<tr>
<td style="padding:0.75pt">
<p class="MsoNormal"><span style="color:red">WARNING:</span><u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
<table class="gmail-m_8014071156623287703MsoNormalTable" border="0" cellspacing="4" cellpadding="0">
<tbody>
<tr>
<td style="padding:0.75pt">
<p class="MsoNormal"><span style="color:black">This Message came from an external source. Please exercise caution when opening any attachments or clicking on links.
</span><u></u><u></u></p>
</td>
</tr>
</tbody>
</table>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="4" width="100%" align="center">
</div>
<div>
<div>
<p class="MsoNormal">Hi Ian,<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">    Thanks for your reporting. This issue was fixed at Beta 5.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">JenTing<u></u><u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">Donaldson, Ian <<a href="mailto:Ian.Donaldson@ngic.com" target="_blank">Ian.Donaldson@ngic.com</a>>
<span style="font-family:"MS Gothic"">於</span> 2019<span style="font-family:"MS Gothic"">年</span>8<span style="font-family:"MS Gothic"">月</span>7<span style="font-family:"MS Gothic"">日</span>
<span style="font-family:"MS Gothic"">週三</span> <span style="font-family:"MS Gothic"">
下午</span>10:55<span style="font-family:"MS Gothic"">寫道：</span><u></u><u></u></p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Seeing a lot of these failure to rotate keys, due to forbidden status.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">2019-08-07T14:52:25.529575+00:00 caasp-test-worker-02 k8s.pod/kube-system/oidc-dex-55fc689dc-vtvnh/oidc-dex 2019-08-07T10:52:25.529490058-04:00 stderr F time="2019-08-07T14:52:25Z" level=error msg="failed to rotate keys: PUT
<a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__10.96.0.1-3A443_apis_dex.coreos.com_v1_namespaces_kube-2Dsystem_signingkeies_openid-2Dconnect-2Dkeys&d=DwMGaQ&c=eX9KRkvDm-KpLMQpCehyR8jZgBp9CE2JNMo9X4BhLFU&r=XL_zjqroomktb1qzCDuhym3JVbyITBCYnbJ2SbM3PwA&m=hM818mBHjLMwq7bicPrgy7C7VlNNLIlBbeqiUFZB9_Y&s=rCBq66phRtYCeV2MXR3ag0c1SBlNZaBxd-PxgkSSJ0E&e=" target="_blank">
https://10.96.0.1:443/apis/dex.coreos.com/v1/namespaces/kube-system/signingkeies/openid-connect-keys</a> Forbidden: response from server \"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__signingkeies.dex.coreos.com&d=DwMGaQ&c=eX9KRkvDm-KpLMQpCehyR8jZgBp9CE2JNMo9X4BhLFU&r=XL_zjqroomktb1qzCDuhym3JVbyITBCYnbJ2SbM3PwA&m=hM818mBHjLMwq7bicPrgy7C7VlNNLIlBbeqiUFZB9_Y&s=K49ELr0f6xSSXkBPLHdpeFVUSQq47TXGnIgcrZ1Nobs&e=" target="_blank">signingkeies.dex.coreos.com</a>
<a>\\"openid-connect-keys\\</a>" is forbidden: User <a>\\"system:serviceaccount:kube-system:oidc-dex\\</a>" cannot update resource
<a>\\"signingkeies\\</a>" in API group \\"<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__dex.coreos.com&d=DwMGaQ&c=eX9KRkvDm-KpLMQpCehyR8jZgBp9CE2JNMo9X4BhLFU&r=XL_zjqroomktb1qzCDuhym3JVbyITBCYnbJ2SbM3PwA&m=hM818mBHjLMwq7bicPrgy7C7VlNNLIlBbeqiUFZB9_Y&s=Zz5Z67NrLqJtWgJPml8YioDoLG_4Pw4faf7swqIRgM8&e=" target="_blank">dex.coreos.com</a>\\"
 in the namespace <a>\\"kube-system\\"\",\"reason\":\"Forbidden\",\"details\":{\"name\":\"openid-connect-keys\",\"group\":\"dex.coreos.com\",\"kind\":\"signingkeies\"},\"code\":403}\</a>""<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal"><br>
Ian<u></u><u></u></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="4" width="100%" align="center">
</div>
<p class="MsoNormal">Note: Please be aware that unencrypted electronic mail is not secure. For this reason, please do not send any sensitive personal information such
<br>
as your address, driver license, policy number, Social Security Number, or claims information by unencrypted electronic mail. The information
<br>
contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient,
<br>
or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution
<br>
or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying
<br>
to the message and deleting it from your computer. Thank you.<u></u><u></u></p>
</div>
<p class="MsoNormal">_______________________________________________<br>
caasp-beta mailing list<br>
<a href="mailto:caasp-beta@lists.suse.com" target="_blank">caasp-beta@lists.suse.com</a><br>
Check the mailing list archives or Unsubscribe at <a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.suse.com_mailman_listinfo_caasp-2Dbeta&d=DwMGaQ&c=eX9KRkvDm-KpLMQpCehyR8jZgBp9CE2JNMo9X4BhLFU&r=XL_zjqroomktb1qzCDuhym3JVbyITBCYnbJ2SbM3PwA&m=hM818mBHjLMwq7bicPrgy7C7VlNNLIlBbeqiUFZB9_Y&s=0jSf0qZJQyWFTZTxIBiMz3ZKD_gnrXI200BxzeM2zR8&e=" target="_blank">
http://lists.suse.com/mailman/listinfo/caasp-beta</a><u></u><u></u></p>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</body>
</html>