Attempt to download kubeconfig using dex fails with {"error":"invalid_client","error_description":"Invalid client credentials."} in Tanzu Kubernetes Grid (TKG)

Article ID: 297287


Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

In a TKG environment that is configured with Dex and Gangway, backed by LDAP as the identity provider, users might run into this error:
{"error":"invalid_client","error_description":"Invalid client credentials."}

One cause of this error is that the clientSecret in the secret used by gangway does not match the secret specified in the staticClients section of the dex configmap:
staticClients:
    - id: workload
      redirectURIs:
      - 'https://<someIP>:30166/callback'
      name: 'workload'
      secret: VMware1!


Environment

Product Version: 1.0

Resolution

Obtain the secret used by gangway:
kubectl get secrets gangway -n tanzu-system-auth -o 'go-template={{ index .data "clientSecret" }}'
Vk13Yxxxxxx

Decode the secret (base64 -D is the macOS flag; GNU coreutils on Linux uses base64 -d):
kubectl get secrets gangway -n tanzu-system-auth -o 'go-template={{ index .data "clientSecret" }}' | base64 -D
VMware1!

After switching the kubectl context back to the management cluster, confirm that the decoded secret is the same as the one specified in the staticClients section of the configmap used by dex. If it is not, change it to match the decoded value.
kubectl get cm dex -n tanzu-system-auth -o 'go-template={{ index .data "config.yaml"}}' | grep -C5 secret

staticClients:
- id: workload
  redirectURIs:
  - 'https://<someIP>:30166/callback'
  name: 'workload'
  secret: VMware1!
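
The comparison above can be scripted so that neither secret is printed to the terminal. This is an added example, not part of the original article: the function names, the sample config and the secret values are constructed, and it uses GNU base64 -d rather than the macOS -D flag shown above.

```shell
#!/usr/bin/env bash
# Added example: check Gangway's clientSecret against Dex's staticClients
# entry without echoing either value. Function names are hypothetical.

# Print the secret of the staticClients entry whose id is $1.
# Reads Dex config.yaml on stdin. Handles the block layout shown in the
# article ("- id:" opens a client, "secret:" belongs to it); this is not
# a general YAML parser.
dex_client_secret() {
  awk -v id="$1" '
    /^[ \t]*-[ \t]*id:/ { cur = $NF; gsub(/["\047]/, "", cur) }
    /^[ \t]*secret:/ && cur == id {
      sub(/^[ \t]*secret:[ \t]*/, "")
      gsub(/^["\047]|["\047]$/, "")
      print; exit
    }'
}

# $1 = base64 clientSecret as returned by kubectl, $2 = Dex client id,
# stdin = Dex config.yaml. Returns 0 on match, 1 on mismatch, 2 on error.
secrets_match() {
  sm_gangway=$(printf '%s' "$1" | base64 -d) || return 2
  sm_dex=$(dex_client_secret "$2")
  [ -n "$sm_dex" ] || { echo "no secret found for client id $2"; return 2; }
  if [ "$sm_gangway" = "$sm_dex" ]; then echo "match"; return 0; fi
  echo "MISMATCH: update the dex configmap"; return 1
}

# Constructed sample input (not real credentials).
SAMPLE_DEX_CONFIG='staticClients:
- id: other
  name: "other"
  secret: constructed-secret-0
- id: workload
  redirectURIs:
  - "https://<someIP>:30166/callback"
  name: "workload"
  secret: constructed-secret-1'

current=$(printf '%s' 'constructed-secret-1' | base64)
stale=$(printf '%s' 'constructed-secret-0' | base64)
printf '%s\n' "$SAMPLE_DEX_CONFIG" | secrets_match "$current" workload
printf '%s\n' "$SAMPLE_DEX_CONFIG" | secrets_match "$stale" workload || true
```

In real use, pass the output of the article's first kubectl command as the first argument and pipe the dex config.yaml from the article's last kubectl command into secrets_match.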