When configuring a Dex LDAP connector in the Kommander UI, the dex pod keeps crashing because the CA certificate is incorrectly formatted.
To confirm that this is the issue, first check that the dex pod is crash-looping:
> k get pods -lapp=dex -n kubeaddons
NAME                              READY   STATUS             RESTARTS   AGE
dex-kubeaddons-85d58ccbb8-qfd5m   0/1     CrashLoopBackOff   3          70s
Then check the logs for a message stating that no certificate can be found in the CA file, as seen below:
> k logs -lapp=dex -n kubeaddons
time="2021-03-10T22:40:07Z" level=info msg="checking if custom resource connectors.dex.coreos.com has been created already..."
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
time="2021-03-10T22:40:07Z" level=info msg="config skipping approval screen"
failed to initialize server: server: Failed to open connector dex-controller-ldap-identity-provider-p7ggh: failed to open connector: failed to create connector dex-controller-ldap-identity-provider-p7ggh: ldap: no certs found in ca file
To fix the issue, follow these steps:
1. Determine the connector name:
> kubectl get connector.dex.mesosphere.io -n kubeaddons
NAME                           ENABLED   DISPLAYNAME            TYPE
ldap-identity-provider-p7ggh   true      LDAP Sadielo Network   ldap
2. Locate the secret storing the certificate:
> kubectl get connector.dex.mesosphere.io -n kubeaddons ldap-identity-provider-p7ggh -ojsonpath='{.spec.ldap.rootCASecretRef.name}'
connector-ldap-rootcasecret-pkkw2
3. Inspect the certificate to confirm that it is malformed. Specifically, there is a bug that removes all line breaks from the certificate, so the PEM markers and the base64 body end up on a single line:
> kubectl get secret $(kubectl get connector.dex.mesosphere.io -n kubeaddons ldap-identity-provider-p7ggh -ojsonpath='{.spec.ldap.rootCASecretRef.name}') -ojsonpath="{.data.tls\.crt}" -n kubeaddons | base64 --decode
4. To fix the malformed certificate, create a local file called tls.crt containing the correctly formatted CA certificate, then use it to update the secret with the following command:
> kubectl create secret generic \
    $(kubectl get connector.dex.mesosphere.io -n kubeaddons ldap-identity-provider-k55pv \
      -ojsonpath='{.spec.ldap.rootCASecretRef.name}') \
    -n kubeaddons \
    --save-config --dry-run=client \
    --from-file=./tls.crt -o yaml | kubectl apply -f -
5. Use the following command to confirm that the certificate in the secret is now valid:
> kubectl get secret $(kubectl get connector.dex.mesosphere.io -n kubeaddons ldap-identity-provider-k55pv -ojsonpath='{.spec.ldap.rootCASecretRef.name}') -n kubeaddons -ojsonpath="{.data.tls\.crt}" | base64 --decode | openssl x509 -text -noout
6. To ensure dex picks up the new CA cert, restart it:
> kubectl delete po -n kubeaddons -lapp=dex && sleep 30
7. Finally, restart the Ops-portal and Kommander UI. This may take ~2-3 minutes:
> kubectl delete pod -n kommander -lapp=kommander-kubeaddons-kommander-ui
> kubectl delete pod -n kubeaddons -lapp=opsportal-kubeaddons-kommander-ui
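As an added example (not Kommander's or Dex's own code), the following Python helper produces the tls.crt needed in step 4 from the flattened output of step 3: it re-inserts the line breaks the bug stripped and checks that the body is valid base64 before writing it back. The DER check is only a shallow sanity test; the openssl command in step 5 remains the real validation, and the sample certificate body in the block is constructed, not a real CA.

```python
import base64
import re

# Matches one PEM certificate block; whitespace inside the markers is tolerated so
# that both intact and flattened (line breaks removed) input are recognised.
PEM_BLOCK = re.compile(
    r"-----BEGIN\s+CERTIFICATE-----(.*?)-----END\s+CERTIFICATE-----", re.S
)
LINE_WIDTH = 64  # RFC 7468: base64 body lines are at most 64 characters
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def reflow_pem(text: str) -> str:
    """Rebuild the line structure of every certificate in text, whether it is
    already wrapped or had its line breaks stripped (the symptom above)."""
    blocks = []
    for body in PEM_BLOCK.findall(text):
        b64 = re.sub(r"\s+", "", body)
        # Reject bodies that are not valid base64 before writing them back.
        der = base64.b64decode(b64, validate=True)
        # Shallow sanity check only: a DER certificate starts with a SEQUENCE tag.
        if not der.startswith(b"\x30"):
            raise ValueError("certificate body does not decode to DER")
        lines = [b64[i:i + LINE_WIDTH] for i in range(0, len(b64), LINE_WIDTH)]
        blocks.append("\n".join([BEGIN, *lines, END]))
    if not blocks:
        raise ValueError("no certs found in ca file")
    return "\n".join(blocks) + "\n"

def pem_is_well_formed(text: str) -> bool:
    """True if each marker sits on its own line and no body line exceeds 64 chars."""
    in_body, seen = False, False
    for line in text.splitlines():
        if line == BEGIN:
            in_body, seen = True, True
        elif line == END:
            in_body = False
        elif in_body and (not line.strip() or len(line) > LINE_WIDTH):
            return False
        elif not in_body and line.strip():
            return False  # text outside the markers, e.g. a flattened cert
    return seen and not in_body

# Constructed sample, not a real CA: fake DER bytes flattened onto one line.
FAKE_DER_B64 = base64.b64encode(b"\x30" + b"\xaa" * 99).decode()
FLATTENED_SAMPLE = BEGIN + FAKE_DER_B64 + END

if __name__ == "__main__":
    import sys  # usage: python3 reflow_pem.py < broken.crt > tls.crt
    sys.stdout.write(reflow_pem(sys.stdin.read()))
```

In practice the input is the decoded secret from step 3, piped through the script and redirected to ./tls.crt for step 4.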