[DEX] - On OS X cluster authentication flow does not work #49

Open
zimny opened this issue Jan 31, 2023 · 0 comments · Fixed by #101
zimny commented Jan 31, 2023

Issue Type

Bug

Description

When testing instructions for Dex configuration, there's an issue with authenticating. As a user, after running `kubectl --user=oidc get pods` as per the instructions, the call times out with the following error:

```
error: get-token: authentication error: oidc error: oidc discovery error: Get "https://dex.kube.local/.well-known/openid-configuration": dial tcp 172.18.255.200:443: connect: operation timed out
I0130 13:29:58.519861   69629 helpers.go:240] Connection error: Get https://127.0.0.1:60024/api/v1/pods?limit=500: getting credentials: exec: executable kubectl failed with exit code 1
```

In the logs of istio-ingress pod (with debug level) we can see:

```
--
2023-01-30T12:47:09.061046Z	debug	envoy pool	[C18] destroying stream: 0 remaining
2023-01-30T12:47:09.061272Z	debug	envoy connection	[C933] write flush complete
2023-01-30T12:47:09.061288Z	debug	envoy connection	[C933] closing socket: 1
2023-01-30T12:47:09.061333Z	debug	envoy conn_handler	[C933] adding to cleanup list
2023-01-30T12:47:09.469591Z	debug	envoy filter	tls inspector: new connection accepted
2023-01-30T12:47:09.469924Z	debug	envoy filter	tls:onServerName(), requestedServerName: dex.kube.local
2023-01-30T12:47:09.470012Z	debug	envoy conn_handler	[C934] new connection from 10.244.0.1:52739
2023-01-30T12:47:09.472347Z	debug	envoy connection	[C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
2023-01-30T12:47:09.473267Z	debug	envoy connection	[C934] closing socket: 0
2023-01-30T12:47:09.473491Z	debug	envoy connection	[C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
2023-01-30T12:47:09.473535Z	debug	envoy conn_handler	[C934] adding to cleanup list
```

Detailed steps

OSX Monterey
Rancher Desktop or Colima with 4 cores and 8 GB of RAM

Follow instructions from `docs/DEX_GITHUB_INTEGRATION.md`. The error occurs when trying to get the pods with the new `oidc` user.

Screenshots

n/a

Logs

```
kubectl --user=oidc get pods -A

error: get-token: authentication error: oidc error: oidc discovery error: Get "https://dex.kube.local/.well-known/openid-configuration": dial tcp 172.18.255.200:443: connect: operation timed out
I0130 13:29:58.519861   69629 helpers.go:240] Connection error: Get https://127.0.0.1:60024/api/v1/pods?limit=500: getting credentials: exec: executable kubectl failed with exit code 1
```

istio-ingress logs

```
--
2023-01-30T12:47:09.061046Z	debug	envoy pool	[C18] destroying stream: 0 remaining
2023-01-30T12:47:09.061272Z	debug	envoy connection	[C933] write flush complete
2023-01-30T12:47:09.061288Z	debug	envoy connection	[C933] closing socket: 1
2023-01-30T12:47:09.061333Z	debug	envoy conn_handler	[C933] adding to cleanup list
2023-01-30T12:47:09.469591Z	debug	envoy filter	tls inspector: new connection accepted
2023-01-30T12:47:09.469924Z	debug	envoy filter	tls:onServerName(), requestedServerName: dex.kube.local
2023-01-30T12:47:09.470012Z	debug	envoy conn_handler	[C934] new connection from 10.244.0.1:52739
2023-01-30T12:47:09.472347Z	debug	envoy connection	[C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
2023-01-30T12:47:09.473267Z	debug	envoy connection	[C934] closing socket: 0
2023-01-30T12:47:09.473491Z	debug	envoy connection	[C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
2023-01-30T12:47:09.473535Z	debug	envoy conn_handler	[C934] adding to cleanup list
```

zimny added the bug label Jan 31, 2023
zimny reopened this Mar 13, 2023
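
The TLS error in the istio-ingress excerpt can be read mechanically. As an added example (not part of the original issue or the project's code), this Python sketch groups Envoy debug lines by connection id and decodes the packed error number. It assumes the proxy is built on BoringSSL, as the `OPENSSL_internal` string suggests, and that an `onServerName` line immediately precedes its `new connection` line; the function names are hypothetical.

```python
import re

# Lines copied from the istio-ingress excerpt in the issue (tabs shown as spaces).
SAMPLE = """\
2023-01-30T12:47:09.469924Z debug envoy filter tls:onServerName(), requestedServerName: dex.kube.local
2023-01-30T12:47:09.470012Z debug envoy conn_handler [C934] new connection from 10.244.0.1:52739
2023-01-30T12:47:09.472347Z debug envoy connection [C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
2023-01-30T12:47:09.473267Z debug envoy connection [C934] closing socket: 0
2023-01-30T12:47:09.473491Z debug envoy connection [C934] remote address:10.244.0.1:52739,TLS error: 268436498:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
"""

SNI_RE = re.compile(r"requestedServerName: (\S+)")
NEW_RE = re.compile(r"\[C(\d+)\] new connection from (\S+)")
TLS_RE = re.compile(r"\[C(\d+)\] remote address:([^,]+),TLS error: (\d+):[^:]*:[^:]*:(\w+)")
# Certificate-related TLS alert numbers (RFC 5246 / RFC 8446).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}


def decode_error(code):
    """Split a BoringSSL packed error: library in the top byte, reason in the low 12 bits."""
    lib, reason = (code >> 24) & 0xFF, code & 0xFFF
    # Reasons of 1000 and above are TLS alerts received from the peer (1000 + alert number).
    alert = ALERTS.get(reason - 1000, f"alert_{reason - 1000}") if reason >= 1000 else None
    return {"lib": lib, "reason": reason, "peer_alert": alert}


def tls_failures(log_text):
    """Return one record per connection that logged a TLS error (repeated lines collapse)."""
    sni_by_conn, failures = {}, {}
    pending_sni = None  # the tls inspector logs SNI before a connection id is assigned
    for line in log_text.splitlines():
        if m := SNI_RE.search(line):
            pending_sni = m.group(1)
        elif m := NEW_RE.search(line):
            # Assumption: the SNI line just before "new connection" belongs to this connection.
            sni_by_conn[m.group(1)], pending_sni = pending_sni, None
        elif m := TLS_RE.search(line):
            cid, remote, code, name = m.groups()
            failures.setdefault(cid, {"conn": "C" + cid, "remote": remote, "error": name,
                                      "sni": sni_by_conn.get(cid), **decode_error(int(code))})
    return list(failures.values())


if __name__ == "__main__":
    for record in tls_failures(SAMPLE):
        print(record)
```

For the excerpt this yields a single record for C934: library 16 (SSL), reason 1042, which is a `bad_certificate` alert sent by the connecting peer, so the side rejecting the certificate is the client at 10.244.0.1, not the ingress.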