Following tutorial, cannot hit openid-configuration endpoint from outside kubernetes cluster, results in 401/Unauthorized

Using kOps to deploy a kubernetes cluster to AWS, I’m trying to configure an external Hashicorp Vault to use JWT/OIDC auth. Following the tutorial at OIDC Provider Setup - Auth Methods | Vault by HashiCorp, from the vault, I try to issue:

vault write auth/jwt/config oidc_discovery_url="${ISSUER}" oidc_discovery_ca_pem=@ca.crt

But it comes back with a 401/Unauthorized. Prior to this on the kubernetes cluster I did:

kubectl create clusterrolebinding oidc-reviewer --clusterrole=system:service-account-issuer-discovery --group=system:unauthenticated

To supposedly ensure that the OIDC discovery URLs do not require authentication.

From the external vault machine, I simply try to:

curl --cacert ca.crt $ISSUER/.well-known/openid-configuration

And I also get a 401/Unauthorized. It is reaching the server OK so it’s not a cert issue or anything, just something to do with the kubernetes/API configuration.

Additionally I changed the kOps deployment to supposedly AlwaysAllow API calls with:

apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
spec:
  api:
    dns: { }
  authorization:
    alwaysAllow: { }

But this didn’t make any difference.

Does anyone have an idea of what I could be missing?

I can otherwise create a kubectl proxy and hit the endpoint from there just fine.

Sounds like your token is not set or it doesn’t have the right policy. You do need to have a vault-admin or proper token (your root token if you have one available) set to use this, but it makes it easier to see what’s wrong with a new token/policy:

Check your token and its capabilities:

$ vault token capabilities s.29384839293 auth/jwt/config
create, delete, list, read, sudo, update

But shouldn’t the /.well-known/openid-configuration endpoint be completely open without using any token? The tutorial says I should just be able to issue this without a token:

vault write auth/jwt/config oidc_discovery_url="${ISSUER}" oidc_discovery_ca_pem=@ca.crt

Is it wrong? What command line arguments can be used to supply a token?

Update: It started working. Not exactly sure how but I can retrace my steps and see what’s what.

Thanks!

Hi @djarvis!

Any idea what caused the problem? Unfortunately, I'm experiencing the same issue :confused: