
OIDC configuration not working on fresh install or update/upgrade #11990

Open
Zuzuske opened this issue Feb 23, 2025 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@Zuzuske

Zuzuske commented Feb 23, 2025

What happened?

OIDC configuration is not applied to /etc/kubernetes/manifests/kube-apiserver.yaml on fresh install or second run/upgrade.

What did you expect to happen?

this:

    - --oidc-issuer-url=[REDACTED]
    - --oidc-client-id=kubernetes
    - --oidc-username-claim=email
    - '--oidc-username-prefix=oidc:'
    - --oidc-groups-claim=groups
    - '--oidc-groups-prefix=oidc:'

appear in /etc/kubernetes/manifests/kube-apiserver.yaml

when ~/kubespray/[env]/group_vars/k8s_cluster/k8s-cluster.yml is:

kube_oidc_url: "[REDACTED]"
kube_oidc_client_id: kubernetes
## Optional settings for OIDC
# kube_oidc_ca_file: "{{ kube_cert_dir }}/ca.pem"
kube_oidc_username_claim: email
kube_oidc_username_prefix: 'oidc:'
kube_oidc_groups_claim: groups
kube_oidc_groups_prefix: 'oidc:'

How can we reproduce it (as minimally and precisely as possible)?

install cluster with OIDC settings

OS

HOST: Darwin 24.3.0 x86_64

TARGET:

root@master1:~# printf "$(uname -srm)\n$(cat /etc/os-release)\n"
Linux 6.8.0-52-generic aarch64
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Version of Ansible

ansible [core 2.16.10]

Version of Python

Python 3.12.2

Version of Kubespray (commit)

release 2.27.0

Network plugin used

calico

Full inventory with variables

[all]
master1 ansible_host=live_master_1 etcd_member_name=etcd1
master2 ansible_host=live_master_2 etcd_member_name=etcd2
worker1 ansible_host=live_worker_1 etcd_member_name=etcd3

[kube_control_plane]
master1
master2

[kube_node]
master1
master2
worker1

[etcd]
master1
master2
worker1

[calico_rr]

[k8s_cluster:children]
kube_control_plane
kube_node
calico_rr

Command used to invoke ansible

ansible-playbook -i inventory/live/hosts.yaml --user root --become --become-user=root cluster.yml

Output of ansible run

sorry, no, only in private conversations.

Anything else we need to know

It's just a regular install on a fresh system. OIDC settings are not appearing in /etc/kubernetes/manifests/kube-apiserver.yaml

manually adding these:

    - --oidc-issuer-url=[REDACTED]
    - --oidc-client-id=kubernetes
    - --oidc-username-claim=email
    - '--oidc-username-prefix=oidc:'
    - --oidc-groups-claim=groups
    - '--oidc-groups-prefix=oidc:'

OIDC then starts to work

@Zuzuske Zuzuske added the kind/bug Categorizes issue or PR as related to a bug. label Feb 23, 2025
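A defender-side check for the situation this issue describes, added here as an example and not Kubespray's own code: it parses the kube-apiserver static pod manifest and reports which kube_oidc_* settings never reached the API server, so a silently dropped OIDC configuration is caught before anyone relies on it. The variable-to-flag mapping, the sample manifests and the issuer URL are assumptions constructed for the example.

```python
import re
# Kubespray variable -> kube-apiserver flag it should render (mapping assumed for this example).
OIDC_VAR_TO_FLAG = {
    "kube_oidc_url": "--oidc-issuer-url",
    "kube_oidc_client_id": "--oidc-client-id",
    "kube_oidc_ca_file": "--oidc-ca-file",
    "kube_oidc_username_claim": "--oidc-username-claim",
    "kube_oidc_username_prefix": "--oidc-username-prefix",
    "kube_oidc_groups_claim": "--oidc-groups-claim",
    "kube_oidc_groups_prefix": "--oidc-groups-prefix",
}
# One '- --flag=value' command item; tolerates the quotes YAML needs around values ending in ':'.
ARG_RE = re.compile(r"""^\s*-\s*['"]?(--[A-Za-z0-9-]+)=(.*?)['"]?\s*$""")

def parse_apiserver_args(manifest_text):
    """Return {flag: value} for every command-list item in the static pod manifest."""
    return {m.group(1): m.group(2)
            for m in map(ARG_RE.match, manifest_text.splitlines()) if m}

def missing_oidc_flags(manifest_text, kubespray_vars):
    """(flag, expected, actual) for each set kube_oidc_* var the manifest lacks or mismatches."""
    actual = parse_apiserver_args(manifest_text)
    return [(flag, str(val), actual.get(flag))
            for var, flag in OIDC_VAR_TO_FLAG.items()
            for val in [kubespray_vars.get(var)]
            if val is not None and actual.get(flag) != str(val)]

# Constructed stand-in for the issue's k8s-cluster.yml (kube_oidc_ca_file is commented out there).
KUBESPRAY_VARS = {
    "kube_oidc_url": "https://idp.example.invalid",  # placeholder for the redacted issuer
    "kube_oidc_client_id": "kubernetes",
    "kube_oidc_username_claim": "email",
    "kube_oidc_username_prefix": "oidc:",
    "kube_oidc_groups_claim": "groups",
    "kube_oidc_groups_prefix": "oidc:",
}
# Constructed manifest fragments: as the issue reports it, and after the flags were added by hand.
MANIFEST_WITHOUT_OIDC = """\
    - kube-apiserver
    - --authorization-mode=Node,RBAC
"""
MANIFEST_WITH_OIDC = MANIFEST_WITHOUT_OIDC + """\
    - --oidc-issuer-url=https://idp.example.invalid
    - --oidc-client-id=kubernetes
    - --oidc-username-claim=email
    - '--oidc-username-prefix=oidc:'
    - --oidc-groups-claim=groups
    - '--oidc-groups-prefix=oidc:'
"""
```

Against a live control plane node, pass the contents of /etc/kubernetes/manifests/kube-apiserver.yaml and the real group_vars values to missing_oidc_flags; an empty list means every configured OIDC setting is actually enforced by the API server.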
@Zuzuske
Author

Zuzuske commented Mar 1, 2025

?
