Re: oc cluster up and oauth-proxy

2017-12-11 Thread Simon Pasquier
On Mon, Dec 11, 2017 at 3:19 PM, Simon Pasquier wrote:

> Ah thanks! oc cluster up picked it up for me. I guess I need to use the
> --public-hostname option to override it?
>

Indeed this fixed my problem.


>
> On Mon, Dec 11, 2017 at 3:10 PM, Clayton Coleman wrote:
>
>> When you ran oc cluster up, did you explicitly set the master to run on
>> 127.0.0.1, or did it select that address for you?
>>
>> OAuth won’t work when the master is set to 127.0.0.1 (nor will a number
>> of other functions)
>>
>> On Dec 11, 2017, at 6:38 AM, Simon Pasquier wrote:
>>
>> Hi,
>>
>> I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc
>> cluster up). The first thing I've tried was the sidecar example [2] in the
>> contrib directory but to make it work, I had to tweak the CLI arguments of
>> the proxy. In practice, I've added the following options:
>>
>> --redeem-url=https://openshift.default.svc/oauth/token
>> --validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
>> --openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews
>>
>> (the last one is only required to use openshift-sar)
>>
>> Without these changes, the oauth proxy couldn't authenticate clients
>> because there is a discrepancy between the OAuth endpoints exposed by the
>> OpenShift API and the public certificate (see oauth logs at [3]).
>>
>> Is that expected? Did I miss some documentation?
>>
>> Thanks!
>> Simon
>>
>> [1] https://github.com/openshift/oauth-proxy
>> [2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
>> [3] https://pastebin.com/Fk1h1a7v
>>
>> ___
>> users mailing list
>> users@lists.openshift.redhat.com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>
>>
>


Re: oc cluster up and oauth-proxy

2017-12-11 Thread Simon Pasquier
Ah thanks! oc cluster up picked it up for me. I guess I need to use the
--public-hostname option to override it?

On Mon, Dec 11, 2017 at 3:10 PM, Clayton Coleman wrote:

> When you ran oc cluster up, did you explicitly set the master to run on
> 127.0.0.1, or did it select that address for you?
>
> OAuth won’t work when the master is set to 127.0.0.1 (nor will a number of
> other functions)
>
> On Dec 11, 2017, at 6:38 AM, Simon Pasquier wrote:
>
> Hi,
>
> I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc
> cluster up). The first thing I've tried was the sidecar example [2] in the
> contrib directory but to make it work, I had to tweak the CLI arguments of
> the proxy. In practice, I've added the following options:
>
> --redeem-url=https://openshift.default.svc/oauth/token
> --validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
> --openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews
>
> (the last one is only required to use openshift-sar)
>
> Without these changes, the oauth proxy couldn't authenticate clients
> because there is a discrepancy between the OAuth endpoints exposed by the
> OpenShift API and the public certificate (see oauth logs at [3]).
>
> Is that expected? Did I miss some documentation?
>
> Thanks!
> Simon
>
> [1] https://github.com/openshift/oauth-proxy
> [2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
> [3] https://pastebin.com/Fk1h1a7v
>


Re: oc cluster up and oauth-proxy

2017-12-11 Thread Clayton Coleman
When you ran oc cluster up, did you explicitly set the master to run on
127.0.0.1, or did it select that address for you?

OAuth won’t work when the master is set to 127.0.0.1 (nor will a number of
other functions)

On Dec 11, 2017, at 6:38 AM, Simon Pasquier wrote:

Hi,

I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc
cluster up). The first thing I've tried was the sidecar example [2] in the
contrib directory but to make it work, I had to tweak the CLI arguments of
the proxy. In practice, I've added the following options:

--redeem-url=https://openshift.default.svc/oauth/token
--validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
--openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews

(the last one is only required to use openshift-sar)

Without these changes, the oauth proxy couldn't authenticate clients
because there is a discrepancy between the OAuth endpoints exposed by the
OpenShift API and the public certificate (see oauth logs at [3]).


Is that expected? Did I miss some documentation?

Thanks!
Simon

[1] https://github.com/openshift/oauth-proxy
[2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
[3] https://pastebin.com/Fk1h1a7v



oc cluster up and oauth-proxy

2017-12-11 Thread Simon Pasquier
Hi,

I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc
cluster up). The first thing I've tried was the sidecar example [2] in the
contrib directory but to make it work, I had to tweak the CLI arguments of
the proxy. In practice, I've added the following options:

--redeem-url=https://openshift.default.svc/oauth/token
--validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
--openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews

(the last one is only required to use openshift-sar)

Without these changes, the oauth proxy couldn't authenticate clients
because there is a discrepancy between the OAuth endpoints exposed by the
OpenShift API and the public certificate (see oauth logs at [3]).


Is that expected? Did I miss some documentation?

Thanks!
Simon

[1] https://github.com/openshift/oauth-proxy
[2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
[3] https://pastebin.com/Fk1h1a7v
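
Added example, not part of the thread and not oauth-proxy code: a Python check for the kind of mismatch discussed above, flagging advertised OAuth endpoints whose host is loopback or is not covered by the serving certificate's SANs. The metadata document and SAN list are constructed samples (not taken from the logs at [3]), and the function names are hypothetical.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample (assumption): OAuth metadata as a master bound to
# 127.0.0.1 could advertise it, and a made-up SAN list for its serving cert.
DISCOVERY = json.dumps({
    "issuer": "https://127.0.0.1:8443",
    "authorization_endpoint": "https://127.0.0.1:8443/oauth/authorize",
    "token_endpoint": "https://127.0.0.1:8443/oauth/token",
})
CERT_SANS = ["openshift", "openshift.default", "openshift.default.svc",
             "kubernetes.default.svc", "172.30.0.1"]


def san_matches(host, san):
    """True if host equals the SAN (IP or DNS) or fits a left-most wildcard."""
    host, san = host.lower(), san.lower()
    try:
        return ipaddress.ip_address(host) == ipaddress.ip_address(san)
    except ValueError:
        pass  # at least one side is a DNS name, compare as names
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san


def is_loopback(host):
    """Loopback hosts resolve to the pod itself when used from inside a pod."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def check_endpoints(metadata_json, cert_sans):
    """Map each advertised URL field to the problems found for its host."""
    findings = {}
    for field, url in json.loads(metadata_json).items():
        host = urlsplit(url).hostname if isinstance(url, str) else None
        if not host:
            continue  # skip lists and other non-URL values
        problems = ["loopback"] if is_loopback(host) else []
        if not any(san_matches(host, san) for san in cert_sans):
            problems.append("not-in-cert")
        findings[field] = problems
    return findings
```

Running the same check on the override URLs from the thread (host openshift.default.svc) against the sample SAN list returns no problems, which is the effect the --redeem-url and --validate-url overrides aim for.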