k8s-keystone-auth pod is failing with domain-scoped token
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Kubernetes Control Plane Charm | Fix Released | High | Felipe Reyes | |
Bug Description
I am following
https:/
After relating keystone and kubernetes-master, the kube-keystone.sh file generated on master unit is based on
https:/
and the generated token is domain scoped, for my admin user looks like this:
export OS_PROJECT_
export OS_DOMAIN_
export OS_USERNAME=admin
export OS_PASSWORD=
If I use this TOKEN with k8s-keystone-auth pod
(Image ID: rocks.canonical
this way
$ cat <<EOF | curl -ks -XPOST -d @- https:/
> {
> "apiVersion": "authentication
> "kind": "TokenReview",
> "metadata": {
> "creationTimest
> },
> "spec": {
> "token": "TOKEN"
> }
> }
> EOF
Response
--------
No JSON object could be decoded
--------
and the pod fails with the following error in the log:
$ kubectl -n kube-system logs pod/k8s-
I0827 10:23:20.066076 1 keystone.go:186] Authorization policy updated.
I0827 10:24:37.540965 1 log.go:181] http2: panic serving 10.1.50.0:45430: runtime error: invalid memory address or nil pointer dereference
goroutine 13 [running]:
net/http.
/usr/local/
panic(0x148b7a0, 0x2083ce0)
/usr/local/
k8s.io/
/home/
I0827 10:30:12.156739 1 log.go:181] http2: panic serving 10.1.50.0:45566: runtime error: invalid memory address or nil pointer dereference
-------
I believe the issue is that the Go client just returns nil instead of a project in case the token is domain scoped
https:/
After I generate the token with project scope the following way, instead of using the generated kube-keystone.sh,
the pod works OK and has a response from Keystone; nothing is failing in the logs:
curl -si -d @token-request.json -H "Content-type: application/json" http://<keystone-
cat token-request.json
{
"auth": {
"identity": {
],
}
}
},
"scope": {
},
}
}
}
}
Some logs: https:/
Expected result: the charm generates a kube-keystone.sh which generates usable tokens for k8s-keystone-auth
(and possibly k8s-keystone-auth not failing with invalid memory address or nil pointer dereference, but that's another topic)
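
A Keystone v3 token body carries a `project` object only when the token is project scoped; a domain-scoped token carries `domain` instead. The following Go sketch is an added example, not code from k8s-keystone-auth or its Keystone client, showing a webhook-side check that turns a missing project into an error rather than a nil dereference. The type names, `projectFromToken` and the sample token bodies are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ref is the id/name pair Keystone uses for projects and domains.
type ref struct {
	ID   string `json:"id"`
	Name string `json:"name"`
}

// tokenBody is a subset of a Keystone v3 token. Project and Domain are
// pointers because a token carries at most one of them, per its scope.
type tokenBody struct {
	Token struct {
		Project *ref `json:"project"`
		Domain  *ref `json:"domain"`
	} `json:"token"`
}

var ErrNotProjectScoped = errors.New("token is not project scoped")

// projectFromToken returns the project a token is scoped to, or
// ErrNotProjectScoped for domain-scoped and unscoped tokens, so the
// caller can deny the TokenReview instead of dereferencing nil.
func projectFromToken(raw []byte) (ref, error) {
	var tb tokenBody
	if err := json.Unmarshal(raw, &tb); err != nil {
		return ref{}, fmt.Errorf("decoding token body: %w", err)
	}
	if tb.Token.Project == nil {
		return ref{}, ErrNotProjectScoped
	}
	return *tb.Token.Project, nil
}

// Constructed sample bodies (assumed values, not captured from a real Keystone).
const projectScoped = `{"token":{"user":{"id":"u1","name":"admin"},"project":{"id":"p1","name":"admin"}}}`
const domainScoped = `{"token":{"user":{"id":"u1","name":"admin"},"domain":{"id":"d1","name":"admin_domain"}}}`

func main() {
	for _, body := range []string{projectScoped, domainScoped} {
		p, err := projectFromToken([]byte(body))
		fmt.Printf("project=%q err=%v\n", p.Name, err)
	}
}
```
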
description: | updated |
description: | updated |
Changed in cdk-addons: | |
importance: | Undecided → High |
Changed in charm-kubernetes-master: | |
importance: | Undecided → High |
Changed in cdk-addons: | |
status: | New → Triaged |
Changed in charm-kubernetes-master: | |
status: | New → Triaged |
tags: | added: sts |
no longer affects: | cdk-addons |
Changed in charm-kubernetes-master: | |
assignee: | nobody → George Kraft (cynerva) |
Changed in charm-kubernetes-master: | |
status: | In Progress → Fix Committed |
milestone: | none → 1.19+ck1 |
tags: | added: backport-needed |
tags: | removed: backport-needed |
Changed in charm-kubernetes-master: | |
status: | Fix Committed → Fix Released |
subscribed ~field-high