Headlamp OIDC with GKE #2643

@slitsevych

Description

After numerous and varied attempts, it does not seem that Headlamp OIDC works with GKE Identity Service; the only way to log in is to use a service account token.

  1. Enabled Identity Service with GKE (https://cloud.google.com/kubernetes-engine/docs/how-to/oidc)
  2. Changed the default ClientConfig to the following:

```yaml
apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
  namespace: kube-public
spec:
  authentication:
  - name: oidc
    oidc:
      clientID: <<CLIENT_ID>>
      groupPrefix: 'oidc:'
      groupsClaim: groups
      issuerURI: https://<<KEYCLOAK_URL>>/realms/<<MY_REALM>>
      kubectlRedirectURI: http://localhost:8000/callback
      scopes: email,profile
      userClaim: email
      userPrefix: 'oidc:'
  certificateAuthorityData: <<certificateAuthorityData>>
  internalServer: ""
  name: <<CLUSTER_NAME>>
  server: https://<<IP_ADDRESS_OF_gke-oidc-envoy LB service>>:443
```

`server` is set to the IP address of the `gke-oidc-envoy` LB service in the `anthos-identity-service` namespace.

  3. The default login through `kubectl oidc login --login-config=client-config.yaml --cluster=<<CLUSTER_NAME>>`,
     where `client-config.yaml` is the same client configuration as shown above plus `clientSecret`, works just fine.
     I'm able to log in with an email that is mapped to `oidc:<<MY_EMAIL/USERNAME>>`, and with a ClusterRoleBinding in place I'm able to gain access.

  4. In Headlamp, though, using the following config:

```yaml
clientID: <<CLIENT_ID>>
clientSecret: <<CLIENT_SECRET>>
issuerURL: https://<<KEYCLOAK_URL>>/realms/<<MY_REALM>>
scopes: email,profile
```

I cannot get any permissions/access. Moreover, I don't see any relevant logs in Headlamp at all, only messages like

```
events is forbidden: User "system:anonymous" cannot list resource "events" in API group "" at the cluster scope
```

appearing in the browser console.


As such I have a couple of questions:

  1. Is there any working example of Headlamp OIDC with GKE, or is it broken at this point and awaiting a fix?
  2. Is it possible to see/enable some debug logs of the Headlamp OIDC flow with the API server, or at least get any hints on that matter in the logs?

And on a somewhat unrelated note, is there a way to suppress the error message

```json
{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":757,"error":"expiry time not found or invalid","time":"2024-12-06T07:41:50Z","message":"failed to get expiry time"}
```

when using a service account token without expiry (set as a secret)?
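Added example, not part of the issue and not Headlamp's or GKE's code: a small offline script that decodes an ID token's claims and applies the exact `userClaim`/`userPrefix` and `groupsClaim`/`groupPrefix` mapping from the ClientConfig above, so you can check that the subject names in your ClusterRoleBinding (`oidc:<email>`, `oidc:<group>`) match what the API server will derive, and that the token actually carries the `email` and `groups` claims the requested scopes are supposed to include. It also reports whether an `exp` claim is present, which is the condition behind the "expiry time not found" log line for a non-expiring service account token. The issuer URL, email, group and token contents are constructed placeholders; the token is unsigned and only shaped like a JWT, so it is for inspection, never for authentication. A `system:anonymous` denial in the browser console means the request reached the API server with no credential it accepted, so the RBAC binding is not the first thing to check.

```python
import base64
import json
from typing import Optional

# Mapping values copied from the ClientConfig posted in the issue.
USER_CLAIM = "email"
USER_PREFIX = "oidc:"
GROUPS_CLAIM = "groups"
GROUP_PREFIX = "oidc:"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_token(claims: dict) -> str:
    """Constructed sample only: a JWT-shaped string with a dummy signature.

    Real Keycloak ID tokens are RS256-signed; this exists so the inspection
    below runs offline. Never present such a token to a cluster.
    """
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-example"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Use it to see which claim names the token carries (what the API server
    will look at), not to make any authorization decision.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def k8s_identity(claims: dict) -> dict:
    """Apply userClaim/userPrefix and groupsClaim/groupPrefix like the ClientConfig.

    Raises if the user claim is absent, which is what happens when the
    requested scopes do not include the one that carries it.
    """
    if USER_CLAIM not in claims:
        raise KeyError(f"ID token has no {USER_CLAIM!r} claim; check scopes")
    groups = claims.get(GROUPS_CLAIM, [])
    if isinstance(groups, str):  # some IdPs emit a single group as a string
        groups = [groups]
    return {
        "username": USER_PREFIX + claims[USER_CLAIM],
        "groups": [GROUP_PREFIX + g for g in groups],
    }


def token_expiry(claims: dict) -> Optional[int]:
    """'exp' as an int, or None when missing (e.g. a non-expiring SA token)."""
    exp = claims.get("exp")
    return int(exp) if isinstance(exp, (int, float)) else None


def cluster_role_binding(identity: dict, role: str, name: str) -> dict:
    """ClusterRoleBinding whose subjects use exactly the prefixed names above."""
    api_group = "rbac.authorization.k8s.io"
    subjects = [{"kind": "User", "name": identity["username"], "apiGroup": api_group}]
    subjects += [{"kind": "Group", "name": g, "apiGroup": api_group} for g in identity["groups"]]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": name},
        "subjects": subjects,
        "roleRef": {"apiGroup": api_group, "kind": "ClusterRole", "name": role},
    }


# Constructed sample claims; issuer, user and group are placeholders.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.com/realms/example-realm",
    "aud": "headlamp",
    "sub": "constructed-subject-id",
    "email": "alice@example.com",
    "groups": ["platform-admins"],
    "iat": 1733468510,
    "exp": 1733472110,
}
SAMPLE_TOKEN = build_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    identity = k8s_identity(claims)
    print(identity)
    print(json.dumps(cluster_role_binding(identity, "cluster-admin", "headlamp-oidc-admins"), indent=2))
    print("exp:", token_expiry(claims))
```

To inspect a real token, replace `SAMPLE_TOKEN` with the `id_token` that `kubectl oidc login` stored in your kubeconfig; if `k8s_identity` raises, the scopes granted to the client do not yield the claim the ClientConfig's `userClaim` names, and no binding will match.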

Labels

  - GKE: Related to Google Kubernetes Engine
  - backend: Issues related to the backend
  - keycloak: Keycloak the Identity and Access Management app
  - kind/bug: Categorizes issue or PR as related to a bug.
  - kind/regression: Categorizes issue or PR as related to a regression from a prior release.
  - oidc: Issue related to OIDC

Status

Queued
