Hi. I’m still looking at this and am curious: can you post an example JWT token that you receive from your Keycloak server so I can compare the fields you have with what I’m producing? @tdockendorf
If it’s a matter of just making something up to make Rancher happy, I’m willing to give it a try. I’m just not sure what needs to be in the ‘spec’ object.
Looking at that Go code, it shows that the two parts of the token it’s looking for are the accesskey and secretkey, which I don’t even see in the JWT output.
We configure Keycloak and Kubernetes on the Kubernetes side by passing flags to the Kubernetes API server. We use a kubeadm-set-up cluster, so this is our cluster config section for the API server:
Thanks, that was good info. I was able to duplicate what you have here for my environment and confirmed I’m getting the same data back from Keycloak… and I’m getting the same error back on the Kubernetes cluster that I’ve been getting (with the “found 1 parts of token”). I’m going to try a different Kubernetes install and see if I get different results.
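The two previous posts are comparing the token Keycloak hands back against what the kube-apiserver OIDC flags expect, and the error above complains about the number of parts in the token. The following is an added example (not code from this thread, from Open OnDemand, or from Kubernetes) that does that comparison offline: it splits the bearer token the way a JWS must split (header.payload.signature), reports a non-JWT token as having the wrong number of parts, decodes the claims, and checks them against the same flag names kube-apiserver takes (--oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-groups-claim). The issuer URL, client ID, claim names and the sample tokens are all assumed/constructed values for the demonstration; the script does not verify the signature, so it is a debugging aid for field names, not an authenticator.

```python
import base64
import json
import time

# Hypothetical kube-apiserver OIDC flag values (assumed; substitute your own).
APISERVER_OIDC_FLAGS = {
    "oidc-issuer-url": "https://keycloak.example.org/auth/realms/ood",
    "oidc-client-id": "kubernetes",
    "oidc-username-claim": "email",
    "oidc-groups-claim": "groups",
}


def b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_jws(token: str) -> list:
    # A compact JWS is exactly three dot-separated parts; an opaque access
    # token has one part and can never be accepted by the OIDC authenticator.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"found {len(parts)} parts of token, expected 3 (header.payload.signature)")
    return parts


def decode_claims(token: str) -> dict:
    """Decode the payload only. The signature is NOT verified here."""
    _header, payload, _signature = split_jws(token)
    return json.loads(b64url_decode(payload))


def check_claims(claims: dict, flags: dict, now=None) -> list:
    """Return the list of mismatches between the claims and the apiserver flags."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != flags["oidc-issuer-url"]:
        problems.append(f"iss {claims.get('iss')!r} != --oidc-issuer-url {flags['oidc-issuer-url']!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud may be a single string or a list
        aud = [aud]
    if flags["oidc-client-id"] not in aud:
        problems.append(f"--oidc-client-id {flags['oidc-client-id']!r} not in aud {aud!r}")
    username_claim = flags["oidc-username-claim"]
    if not claims.get(username_claim):
        problems.append(f"username claim {username_claim!r} missing or empty")
    groups_claim = flags["oidc-groups-claim"]
    if groups_claim not in claims:
        problems.append(f"groups claim {groups_claim!r} missing (group-based RBAC will not apply)")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp claim missing")
    elif exp <= now:
        problems.append(f"token expired at {exp} (now {now})")
    return problems


def inspect_token(token: str, flags=APISERVER_OIDC_FLAGS, now=None) -> dict:
    """Decode and check a bearer token; a non-JWS token is reported, not raised."""
    try:
        claims = decode_claims(token)
    except ValueError as err:
        return {"claims": None, "problems": [str(err)]}
    return {"claims": claims, "problems": check_claims(claims, flags, now)}


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample token with a placeholder signature, for offline demonstration only."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'not-a-real-signature')}"


# Constructed sample inputs (not real Keycloak output).
SAMPLE_NOW = 1_700_000_000
GOOD_CLAIMS = {
    "iss": APISERVER_OIDC_FLAGS["oidc-issuer-url"],
    "aud": ["kubernetes", "account"],
    "sub": "0d6c8f32-example-subject",
    "email": "user@example.org",
    "groups": ["ood-users"],
    "exp": SAMPLE_NOW + 300,
}
GOOD_TOKEN = make_unsigned_token(GOOD_CLAIMS)
OPAQUE_TOKEN = "opaque-access-token"  # one part: what a non-JWT access token looks like

if __name__ == "__main__":
    for label, tok in (("good", GOOD_TOKEN), ("opaque", OPAQUE_TOKEN)):
        print(label, inspect_token(tok, now=SAMPLE_NOW))
```

Run it against a real ID token by passing the token string to inspect_token; if the report is "found 1 parts of token", what you are sending is not a JWT at all (for example an opaque access token instead of the ID token), and no amount of claim adjustment will help. Once the part count is right, the remaining entries tell you which flag value and which claim disagree.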
Getting close now. I decided to blow away the RKE1 installation and went with k3s (I’m still looking for something that can ultimately be managed by Rancher, as it gives us good insight into the multiple clusters we run). Setting up k3s manually, I was able to get the OIDC settings in there and get a test user and a domain user to use kubectl to get info, so that’s a start.
This is just for information (in case anyone else looks at this).
I was also using ‘kubelogin’ to test with, to verify that it would pop up a browser and use my domain credentials properly. I then verified in the audit log that RBAC was acting on behalf of my email address.
The next step is to go back to my OnDemand system and try to get those pieces working, since now I’m confident the back end will work.
There are a couple of typos and other things on the Kubernetes documentation page; fixing them might make things a little clearer:
Boot strapping the “Kuberenetes” cluster: typo in the word Kubernetes (not a big deal).
In the deploy hooks section, you mention needing an /etc/ood/config/hooks.env file (with an ‘s’), but the name of the file is hook.env (without the s); I’m assuming it’d be without?
You mention needing PUN pre-hooks, but don’t really get into what that should be set to based on your example, where it should go, etc.
Another typo further down in OIDC Authentication: the type is listed as ‘odic’ (not a big deal, just pointing it out).
I think I might be about 92% of the way there now. I have a generated $HOME/.kube/config file that has a token in it, which is good, but I notice that there are no clusters or contexts defined in it. I’ve got the OIDC stuff in there, so I must have missed something. I don’t see anything in set-k8s-creds that adds the cluster info to the kubeconfig. Is that done anywhere else?
I’ve confirmed that the namespace gets created and the permissions are set on it. I authenticated externally to the Kubernetes API and tried to create a new namespace as my username and got a permission denied; but if I created something like a secret in the namespace that OOD created, that worked. So I think it’s just about there, if I can get the cluster/cert info into $HOME/.kube/config.
The ood_core package that handles interfacing with Kubernetes is what deploys the majority of the kubeconfig for each user. set-k8s-creds only does the OIDC part, since it has to access the token from the OnDemand session startup.
The config is pulled from the Kubernetes cluster YAML on the OnDemand host. Here is an example of what OSC uses:
Nice, now I’m at 99% done… I just don’t have anything to run yet, but I confirmed that the cluster data is populated, the cert is OK, and if I run on the CLI:
kubectl --context=ondemand create secret generic stuff -n ood-username, it creates something, so I think this is the end of the road here. I’ll have to work through the sample of getting a simple job running and see what happens. I’ll post the entire instruction list once I get it all sorted.