Tanzu

 View Only
  • 1.  TMC Self-Managed Client authentication failed

    Posted Jan 24, 2024 07:06 PM

    Hello,

     

    I have installed TMC Self-Managed 1.1.0 on my demo cluster which is based on k8s v1.26 to test the features.

    I am using Microsoft Active Directory as IDP.

    The installation is successfull and all TMC Packages are Succeed.

    When I try to login I see the TMC main page. then  I click to login and I see the following error message:

    ```

    Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist.

    ```

    I have checked the logs of the pinniped supervisor pods, I see following logs:

    ```
    {"level":"error","timestamp":"2024-01-24T18:53:48.184329Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.189928Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.200000Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.220409Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.260888Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.283297Z","caller":"/root/go/pkg/mod/k8s.io/client-go@v0.26.3/tools/cache/shared_informer.go:280$cache.WaitForNamedCacheSync","message":"Caches are synced for RequestHeaderAuthRequestController\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.284663Z","caller":"/root/go/pkg/mod/k8s.io/client-go@v0.26.3/tools/cache/shared_informer.go:280$cache.WaitForNamedCacheSync","message":"Caches are synced for client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.284737Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/util/flowcontrol/apf_controller.go:366$flowcontrol.(*configController).Run","message":"Running API Priority and Fairness config worker\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.284788Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/util/flowcontrol/apf_controller.go:369$flowcontrol.(*configController).Run","message":"Running API Priority and Fairness periodic rebalancing process\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.284943Z","caller":"/root/go/pkg/mod/k8s.io/client-go@v0.26.3/tools/cache/shared_informer.go:280$cache.WaitForNamedCacheSync","message":"Caches are synced for client-ca::kube-system::extension-apiserver-authentication::client-ca-file\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.285071Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.286560Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"error","timestamp":"2024-01-24T18:53:48.342434Z","caller":"/root/go/pkg/mod/k8s.io/apiserver@v0.26.3/pkg/server/dynamiccertificates/tlsconfig.go:275$dynamiccertificates.(*DynamicServingCertificateController).processNextWorkItem","message":"key failed with : not loading an empty serving certificate from \"supervisor-serving-cert\"\n"}
    {"level":"info","timestamp":"2024-01-24T18:53:48.385788Z","caller":"/root/go/pkg/mod/k8s.io/client-go@v0.26.3/tools/leaderelection/leaderelection.go:248$leaderelection.(*LeaderElector).acquire","message":"attempting to acquire leader lease tmc-local/pinniped-supervisor...\n"}
    {"level":"info","timestamp":"2024-01-24T18:57:12.857732Z","caller":"/root/go/pkg/mod/k8s.io/client-go@v0.26.3/tools/leaderelection/leaderelection.go:258$leaderelection.(*LeaderElector).acquire.func1","message":"successfully acquired lease tmc-local/pinniped-supervisor\n"}
    ```

    There are some error messages but I don't think that cause the client not found issue.

    I have checked auth-manager-server pod logs, found following:

    ```

    time="2024-01-24T14:03:25Z" level=info msg="Getting Provider Metadata: https://pinniped-supervisor.tmc.domain.co/provider/pinniped/.well-known/openid-configuration" idp=oidc-pinniped
    2024/01/24 14:03:25 Serving olympus authentication manager at http://[::]:36015
    time="2024-01-24T14:03:25Z" level=info msg="loaded 1 session key(s)"
    time="2024-01-24T14:03:25Z" level=info msg="Session key loaded: Zhy..."
    time="2024-01-24T14:03:25Z" level=info msg="Getting Provider Metadata: https://pinniped-supervisor.tmc.domain.co/provider/pinniped/.well-known/openid-configuration" idp=oidc-pinniped
    2024/01/24 14:03:25 Serving olympus authentication manager at https://[::]:8443
    time="2024-01-24T18:37:10Z" level=info msg="finished HTTP call with code 307 Temporary Redirect" X-Request-ID=56c18dcd-c8bf-4d9d-bd1e-e4bc75646d31 http.host=auth.tmc.domain.co http.proto_major=2 http.request.length_bytes=0 http.request.method=GET http.request.referer= http.request.user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0" http.response.length_bytes=0 http.response.status=307 http.time_ms=0.47 http.url.path=/api/v1/login peer.address=192.0.3.210 peer.port=41030 span.kind=server system=http
    time="2024-01-24T18:56:14Z" level=info msg="finished HTTP call with code 307 Temporary Redirect" X-Request-ID=24372986-381f-4f76-b9f4-d24949c8a27e http.host=auth.tmc.domain.co http.proto_major=2 http.request.length_bytes=0 http.request.method=GET http.request.referer= http.request.user_agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0" http.response.length_bytes=0 http.response.status=307 http.time_ms=0.34 http.url.path=/api/v1/login peer.address=192.0.1.242 peer.port=34918 span.kind=server system=http

    ```

     

    I am wondering what can cause this issue? and how to troubleshoot.



  • 2.  RE: TMC Self-Managed Client authentication failed

    Broadcom Employee
    Posted Mar 01, 2024 07:53 PM

    In case you have not figured this out already, I suspect that you might have a typo or mismatch in the values file and a certificate is not being found. In my testing most of the errors I encountered have been cascading as a result of a cert issue.

     

    Here is a link to the troubleshooting docs for self-managed that explain common issues and a few places to check for problems.

     

     

    Regards,