[caasp-beta] Antw: kubeconfig download error with DEX internal server error , Login error

Ns, Rushi rushi.ns at sap.com
Tue Nov 21 09:07:08 MST 2017


Hi Rafael/Martin

Thank you. I have also filed this new bug below since I wasn’t able to access the bug you guys filed, as I was getting “authorization error”.

Bug 1069251 has been added to the database



Best Regards,
 
Rushi.
I MAY BE ONLY ONE PERSON, BUT I CAN BE ONE PERSON WHO MAKES A DIFFERENCE
 

On 11/21/17, 7:44 AM, "Rafael Fernández López" <rfernandezlopez at suse.de> wrote:

    Hello Rushi,
    
    On Tue, Nov 21, 2017 at 03:29:36PM +0000,  Ns, Rushi  wrote:
    > Hi Martin
    > 
    > Thank you. Yes I did, I used load balancer IP (lvsusekub8.pal.sap.corp) which is out of the cluster node address. The host I’ve specified is not velum ip, not master ip and not any of worker ip’s.
    
    We are studying the problem at the moment. From what I could see this is what's happening:
    
    - When the admin node starts it generates several certificates, based on the information of
      the machine at the moment of boot (transient and static hostnames, machine attached
      ip addresses...). These hostnames get added to some initial certificates in their SAN
      extensions, as well as the attached IP addresses of the admin node.
    
    - When you enter the internal dashboard fqdn (first field on first page of the Velum setup),
      if you enter an external name not detected by this very first step (e.g. with cloud-init
      you chose as hostname `admin`, and in this field you write `admin.my.company`), the certificate
      used by LDAP won't contain `admin.my.company`, whereas Dex will try to connect to
      the LDAP instance in the admin node using `admin.my.company:389`.
    
    This effectively makes the TLS handshake fail, and Dex is unable to authenticate the user
    against LDAP.
    
    More information will be added to the bug report, and we'll keep you updated.
    
    
    Thank you.
    
    
    -- 
    Cheers,
    Rafa.
    


