When you ran oc cluster up, did you explicitly set the master to run on 127.0.0.1, or did it select that address for you?
OAuth won’t work when the master is set to 127.0.0.1 (nor will a number of other functions).

On Dec 11, 2017, at 6:38 AM, Simon Pasquier <[email protected]> wrote:

Hi,

I've played with oauth-proxy [1] on my local OpenShift cluster (e.g. oc cluster up). The first thing I've tried was the sidecar example [2] in the contrib directory but to make it work, I had to tweak the CLI arguments of the proxy. In practice, I've added the following options:

--redeem-url=https://openshift.default.svc/oauth/token
--validate-url=https://openshift.default.svc/apis/user.openshift.io/v1/users/~
--openshift-review-url=https://openshift.default.svc/apis/authorization.openshift.io/v1/subjectaccessreviews
(the last one is only required to use openshift-sar)

Without these changes, the oauth proxy couldn't authenticate clients because there is a discrepancy between the OAuth endpoints exposed by the OpenShift API and the public certificate (see oauth logs at [3]).

Is that expected? Did I miss some documentation?

Thanks!
Simon

[1] https://github.com/openshift/oauth-proxy
[2] https://github.com/openshift/oauth-proxy/blob/master/contrib/sidecar.yaml
[3] https://pastebin.com/Fk1h1a7v

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
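Added example, not part of the thread and not oauth-proxy code: a small offline check of whether the host in each endpoint URL is covered by the API certificate's subject alternative names, which is the kind of discrepancy the message describes. The advertised token endpoint and the SAN list are constructed sample values (assumptions, not taken from the logs at [3]); the override URLs are the ones quoted in the message.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: token endpoint a master bound to 127.0.0.1 might advertise.
DISCOVERED = {"token_endpoint": "https://127.0.0.1:8443/oauth/token"}
# The three override URLs quoted in the message above.
OVERRIDES = {
    "redeem-url": "https://openshift.default.svc/oauth/token",
    "validate-url": "https://openshift.default.svc/apis/user.openshift.io/v1/users/~",
    "openshift-review-url": "https://openshift.default.svc/apis/"
                            "authorization.openshift.io/v1/subjectaccessreviews",
}
# Constructed sample: SAN entries of the API serving certificate (assumption).
CERT_SANS = ["kubernetes.default.svc", "openshift.default.svc",
             "172.30.0.1", "*.apps.example.test"]


def _as_ip(value):
    """Parse an IP literal, or return None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def host_matches_san(host, sans):
    """IP hosts need an exact IP SAN; DNS hosts match exactly or via a one-label wildcard."""
    host_ip = _as_ip(host)
    for san in sans:
        if host_ip is not None:
            if _as_ip(san) == host_ip:
                return True
            continue
        san, name = san.lower(), host.lower()
        if san == name:
            return True
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False


def check_endpoints(urls, sans):
    """Return {name: (host, covered)} for each endpoint URL."""
    return {n: (urlsplit(u).hostname, host_matches_san(urlsplit(u).hostname, sans))
            for n, u in urls.items()}


if __name__ == "__main__":
    for label, urls in (("discovered", DISCOVERED), ("overrides", OVERRIDES)):
        for name, (host, ok) in check_endpoints(urls, CERT_SANS).items():
            print(f"{label:10} {name:22} {host:24} {'ok' if ok else 'NOT in certificate SANs'}")
```

On a real cluster, replace CERT_SANS with the SAN entries read from the API server's serving certificate and DISCOVERED with the endpoints the master actually advertises.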
