kubesphere 3.0 配置 OAuth2 失败

kiki

参考官方文档 OAuth2 Identity Provider，配置试用 GitHubIdentityProvider，
通过 kubectl -n kubesphere-system edit cm kubesphere-config 编辑的配置文件如下：

apiVersion: v1
data:
  kubesphere.yaml: |
    authentication:
      authenticateRateLimiterMaxTries: 10
      authenticateRateLimiterDuration: 10m0s
      loginHistoryRetentionPeriod: 168h
      maximumClockSkew: 10s
      multipleLogin: True
      kubectlImage: kubesphere/kubectl:v1.0.0
      jwtSecret: "*********"
      oauthOptions:
        accessTokenMaxAge: 1h
        accessTokenInactivityTimeout: 30m
        identityProviders:
        - name: github
          type: GitHubIdentityProvider
          mappingMethod: mixed
          provider:
            clientID: '147***bc6'
            clientSecret: '55d***c4d'
            endpoint:
              authURL: 'https://github.com/login/oauth/authorize'
              tokenURL: 'https://github.com/login/oauth/access_token'
            redirectURL: 'http://***:30880/oauth/redirect'
            scopes:
            - user

重启 ks-apiserver 更新配置，ks-apiserver 镜像版本为kubespheredev/ks-apiserver:latest

通过 Github 账户登录 KubeSphere，输入github 账号密码，验证完成后，界面提示：

Unauthorized: user.iam.kubesphere.io "fukiki" not found

查看 ks-apiserver 的日志如下：

E1218 17:19:12.879576       1 utils.go:75] /home/runner/work/kubesphere/kubesphere/pkg/kapis/oauth/handler.go:186 Unauthorized: user.iam.kubesphere.io "fukiki" not found
I1218 17:19:12.879638       1 apiserver.go:568] 10.233.70.99 - "GET /oauth/callback/github?code=27b53b89280c7b255956 HTTP/1.1" 401 56 3000ms

github 的认证已经成功，为什么还会提示用户找不到？kubesphere还需要创建对应用户吗？

hongming

kiki 正在更新文档，需要把 mappingMethod 改为 auto

kiki

@hongming 感谢您的回复
尝试过修改 mappingMethod 改为 auto，但是依旧会报错，界面提示Not Found，查看ks-apiserver
ks-apiserver 的日志，具体错误如下：

E1221 09:20:38.660326       1 login_recoder.go:71] LoginRecord.iam.kubesphere.io "system:pre-registration-hf8jt" is invalid: [metadata.generateName: Invalid value: "system:pre-registration-": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.name: Invalid value: "system:pre-registration-hf8jt": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.labels: Invalid value: "system:pre-registration": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')]
E1221 09:20:38.660360       1 handler.go:198] Failed to record successful login for user system:pre-registration, error: LoginRecord.iam.kubesphere.io "system:pre-registration-hf8jt" is invalid: [metadata.generateName: Invalid value: "system:pre-registration-": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.name: Invalid value: "system:pre-registration-hf8jt": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), metadata.labels: Invalid value: "system:pre-registration": a valid label must be an empty string or consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric character (e.g. 'MyValue',  or 'my_value',  or '12345', regex used for validation is '(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?')]
2020/12/21 09:20:39 http: panic serving 10.233.70.99:42678: assignment to entry in nil map
goroutine 2342 [running]:
net/http.(*conn).serve.func1(0xc000e66c80)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:1795 +0x139
panic(0x2d6b7e0, 0x38941e0)
	/opt/hostedtoolcache/go/1.13.15/x64/src/runtime/panic.go:679 +0x1b2
kubesphere.io/kubesphere/pkg/apiserver/auditing.(*auditing).LogRequestObject(0xc000b92d20, 0xc000c6d000, 0xc000da8930, 0x2b15c20)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/auditing/types.go:187 +0x89a
kubesphere.io/kubesphere/pkg/apiserver/filters.WithAuditing.func1(0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/filters/auditing.go:51 +0x100
net/http.HandlerFunc.ServeHTTP(0xc000b92d50, 0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2036 +0x44
kubesphere.io/kubesphere/pkg/apiserver/filters.WithAuthorization.func1(0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/filters/authorization.go:50 +0x37c
net/http.HandlerFunc.ServeHTTP(0xc000d2ea00, 0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2036 +0x44
kubesphere.io/kubesphere/pkg/apiserver/filters.WithMultipleClusterDispatcher.func1(0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/filters/dispatch.go:43 +0xd9
net/http.HandlerFunc.ServeHTTP(0xc000b93620, 0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2036 +0x44
kubesphere.io/kubesphere/pkg/apiserver/filters.WithAuthentication.func1(0x393b1a0, 0xc002be7880, 0xc000c6d000)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/filters/authentication.go:68 +0x5ce
net/http.HandlerFunc.ServeHTTP(0xc000d2eb40, 0x393b1a0, 0xc002be7880, 0xc000c6cf00)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2036 +0x44
kubesphere.io/kubesphere/pkg/apiserver/filters.WithRequestInfo.func1(0x393b1a0, 0xc002be7880, 0xc000c6ce00)
	/home/runner/work/kubesphere/kubesphere/pkg/apiserver/filters/requestinfo.go:67 +0x3c5
net/http.HandlerFunc.ServeHTTP(0xc000b93dd0, 0x393b1a0, 0xc002be7880, 0xc000c6ce00)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2036 +0x44
net/http.serverHandler.ServeHTTP(0xc0001aa540, 0x393b1a0, 0xc002be7880, 0xc000c6ce00)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2831 +0xa4
net/http.(*conn).serve(0xc000e66c80, 0x394da20, 0xc001a67280)
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:1919 +0x875
created by net/http.(*Server).Serve
	/opt/hostedtoolcache/go/1.13.15/x64/src/net/http/server.go:2957 +0x384

看错误提示，应该是创建用户时 system:pre-registration 出错，GitHubIdentityProvider 是默认支持插件，应该是已经适配好的，不用再有其他额外的设置吧？！

hongming

kiki 不好意思没有注意到镜像的问题，kubespheredev/ks-apiserver:latest 这个tag一直在更新有些新的特性merge 到master分支，3.0 中不能直接用了，可以用 kubespheredev/ks-apiserver:enable-oauth2 这个 image 试试。

GitHubIdentityProvider 是一个插件示例，在3.0 中默认没有启用，通常情况下 userInfo API 需要适配一下用户名字段，根据实际情况转换一下用户名（kubesphere 中对 username 有一些要求），3.1 中已经简化了这个流程。

kiki

@hongming 感谢您的回复！
确实是 ks-apiserver 镜像问题，替换为kubespheredev/ks-apiserver:enable-oauth2，使用 github 账号登录正常。

后续我们会定制自己的认证插件，目前master分支上ks-apiserver编译出来会有上述的问题，请问 ks-apiserver:enable-oauth2版本的源码哪里能下载？master分支何时能修复该问题？