#epinio

busy-teacher-96897

10/06/2022, 5:37 PM
Hi @cuddly-holiday-9089 @broad-dream-81849 Not sure if this is really a bug on dex, but here u go: https://github.com/epinio/epinio/issues/1781
👍 1

broad-dream-81849

10/06/2022, 7:44 PM
Hi Fred, thanks for testing and reporting this. I'm just guessing but I'm pretty sure that is a DNS issue, with the Epinio pod not able to correctly resolve the local IP address. I didn't hit it in my tests because k3d uses a different IP. I'll try tomorrow with Rancher Desktop, I'm pretty sure it will occur.

busy-teacher-96897

10/06/2022, 8:18 PM
no problem... glad i can help to improve the product

cuddly-holiday-9089

10/07/2022, 6:35 AM
I replied on the ticket. I had the same problem yesterday

broad-dream-81849

10/07/2022, 6:37 AM
Yes, I was actually thinking the same. It doesn't make sense to reach Dex from the outside world. We should fix it by going through the Dex k8s service directly.

cuddly-holiday-9089

10/07/2022, 6:38 AM
I have a feeling that there is some validation that requires the provider url to match the one that was used when the token was issued. I may be wrong though

busy-teacher-96897

10/07/2022, 3:48 PM
Just one additional clarification. If we are using the host IP address, would this work? Sounds like it would. If so, I believe this is an invalid test. If so, we should not need to fix it... and I can change my way of testing it.
Let me verify later if I can run it using a real DNS with SSL. We have a script for that too. Just that I need to do the manual step of creating entries in Route53 (cannot run on local). Or, do you mean... the sslip.io would also work if we use the non-localhost IP address?
I just verified... if I use a proper domain... it worked!

cuddly-holiday-9089

10/10/2022, 5:54 AM
yes, the problem is that dex needs to be accessible on that domain both from the cli and from the epinio server side, so localhost "resolves" to a different thing in these 2 cases. Still, localhost is useful in some cases so we will still try to find a workaround if possible

busy-teacher-96897

10/10/2022, 5:22 PM
hmm, i am not sure if auth or epinio.127.0.0.1.sslip.io would ever work in this case since it will resolve to localhost especially if this is a call from inside a pod...
not sure what u can do... I can try if i use the dockerip to see if it works

broad-dream-81849

10/10/2022, 6:04 PM
We need to have a look and play a bit with it. The unfortunate thing is that the verification of the JWT is done by checking the same address, so we probably cannot easily use the internal k8s DNS

busy-teacher-96897

10/11/2022, 4:27 PM
I saw the PR! Thanks

broad-dream-81849

10/11/2022, 4:29 PM
Aha, you're welcome. I hope to merge it tomorrow

busy-teacher-96897

10/25/2022, 4:41 AM
Just tested the latest 1.4 using the default settings, and OIDC with sslip.io now works well. However, if I install Epinio and change the password, I was not able to log in. Below is the code; I was not able to log in via epinio login (with -oidc flag)
helm install epinio -n epinio --create-namespace --version ${EPINIO_SERVER_VERSION} epinio/epinio \
		--set global.domain=${DOMAIN} \
		--set global.tlsIssuer=${TLS_ISSUER} \
		--set api.users[0].role=admin \
		--set api.users[0].username=${ADM_USR} \
		--set api.users[0].passwordBcrypt="$(echo ${ADM_PWD_ENCRYPT})" \
		--set api.users[1].role=user \
		--set api.users[1].username=${DEV_USR} \
		--set api.users[1].passwordBcrypt="$(echo ${DEV_PWD_ENCRYPT})"
		
	kubectl rollout status deployment epinio-server -n epinio --timeout=480s
Did something change? Do I need to add new parameters?

broad-dream-81849

10/25/2022, 6:47 AM
No, nothing new. Could you write down exactly the steps to reproduce the issue, and what the error is? I guess that the problem is about some "dirty" credentials, you should try to delete your Epinio settings file
Just to add one more insight: if you log in with the --oidc flag you will have the JWT token in your settings file, and it has priority over the user/pass in it (if any) 🙂

busy-teacher-96897

10/26/2022, 4:30 AM
I think you could be right... I just redid it again... and now it works fine.
We figured out the issue on the user creation side. It used to work when we passed 'HASHPASSWORD' (with single quotes) but now it does not. We need to remove the single quotes

broad-dream-81849

10/27/2022, 8:35 PM
🤦‍♂️ and now that you tell me I know what this is about. There was a bugfix in the helm chart, that added the quoting to the username/passwords that were failing when they were numbers.. I'm sorry but I really haven't linked the two..

busy-teacher-96897

10/28/2022, 6:10 AM
No worries... I remember I read that issue... so that makes sense. It should have been apparent to me when I was transferring code for the Makefile (for u to test)... it is one of the things that I changed... it was not apparent to me as well! So that makes both of us ;-)