illegal base64 data at input byte 483 #2637

Open
deshifcodes opened this issue Dec 5, 2024 · 4 comments
Labels: bug, helm, keycloak

@deshifcodes

Error description

The headlamp has configured OIDC authentication with Keycloak. Errors are constantly appearing in the logs of the headlamp pod:

[Screenshot: 2024-12-05 16 04 48]

The headlamp itself works when it does. Are these errors critical, and how can I get rid of them?

  • Headlamp Version: 0.26.0
  • K8S: 1.31 (bare metal)

HELM Chart Values:

fullnameOverride: headlamp
replicaCount: 1
service:
  type: ClusterIP
  port: 80

volumeMounts:
- mountPath: /etc/ssl/certs/ca-certificates.crt
  subPath: ca-certificates.crt
  name: ca-certs
  readOnly: true

volumes: 
- hostPath:
    path: /etc/ssl/certs
    type: Directory
  name: ca-certs

config:
  oidc:
    clientID: "headlamp"
    clientSecret: <SECRET>
    issuerURL: "https://iam.example.org/realms/<REALM>"
    scopes: "email,profile,groups"
    secret:
      create: true
      name: headlamp-oidc

ingress:
  enabled: true
  ingressClassName: internal
  hosts:
    - host: headlamp.example.org
      paths:
        - path: /
          type: Prefix
  tls:
    - secretName: eso.default-wildcard-tls-assets
      hosts:
        - headlamp.example.org

serviceAccount:
  create: true
  name: headlamp

clusterRoleBinding:
  create: true
@zivcex

zivcex commented Dec 5, 2024

Hi @deshifcodes, one question: did you set up the Kubernetes API server configs as well? I mean, have you done these configs as well: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server ?
We failed to set it up with just the configs in values.yaml (getting constant re-logins and 403s).

@zivcex

zivcex commented Dec 5, 2024

getting these issues: #2614

@deshifcodes

> Hi @deshifcodes, one question: did you set up the Kubernetes API server configs as well? I mean, have you done these configs as well: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server ? We failed to set it up with just the configs in values.yaml (getting constant re-logins and 403s).

I added this line to the kube-apiserver manifest

- --authentication-config=/etc/kubernetes/pki/auth-oidc.conf

and created the file /etc/kubernetes/pki/auth-oidc.conf

auth-oidc.conf

apiVersion: apiserver.config.k8s.io/v1beta1
kind: AuthenticationConfiguration
jwt:
- issuer:
    # Same as --oidc-issuer-url
    url: https://iam.example.org/realms/k8s

    # Same as --oidc-client-id
    audiences:
    - kubernetes
    - headlamp
    - kiali
    audienceMatchPolicy: MatchAny

  claimMappings:
    # Same as --oidc-username-claim
    username:
      claim: "email"
      prefix: ""

    # Same as --oidc-groups-claim
    groups:
      claim: "groups"
      prefix: ""

ClusterRoleBinding

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: /kubernetes-admin
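
An added example (not part of the thread, and not Headlamp or Kubernetes code): a simplified Python model of how the auth-oidc.conf posted above maps ID-token claims to a username and groups, to check whether a token's `groups` claim would match the ClusterRoleBinding subject. It does not verify the signature or expiry as the API server does, and the sample token, its claims, and all function names are constructed for illustration.

```python
import base64
import json

# Values copied from the auth-oidc.conf and ClusterRoleBinding posted above.
ISSUER = "https://iam.example.org/realms/k8s"
AUDIENCES = {"kubernetes", "headlamp", "kiali"}   # audienceMatchPolicy: MatchAny
USERNAME_CLAIM, GROUPS_CLAIM = "email", "groups"  # both prefixes are ""
BOUND_GROUP = "/kubernetes-admin"                 # ClusterRoleBinding subject

def as_list(value):
    """A claim may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def decode_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    seg = parts[1]
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def map_identity(claims):
    """Simplified model of the configured checks; returns (username, groups)."""
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    if not AUDIENCES & set(as_list(claims.get("aud"))):
        raise ValueError(f"no configured audience in aud={claims.get('aud')!r}")
    if not claims.get(USERNAME_CLAIM):
        raise ValueError(f"claim {USERNAME_CLAIM!r} missing")
    # With the "email" username claim, email_verified must be true if present.
    if claims.get("email_verified", True) is not True:
        raise ValueError("email not verified")
    return claims[USERNAME_CLAIM], as_list(claims.get(GROUPS_CLAIM))

def make_token(claims):
    """Build a constructed, unsigned sample token (not a real Keycloak token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

SAMPLE = make_token({"iss": ISSUER, "aud": "headlamp", "email": "alice@example.org",
                     "email_verified": True, "groups": [BOUND_GROUP, "/dev"]})

if __name__ == "__main__":
    user, groups = map_identity(decode_payload(SAMPLE))
    print(user, groups, "bound to cluster-admin:", BOUND_GROUP in groups)
```

Because `audienceMatchPolicy: MatchAny` accepts tokens issued for any of the three listed clients, a token minted for `kiali` that carries the `/kubernetes-admin` group maps to cluster-admin under this configuration as well.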

@zivcex

zivcex commented Dec 6, 2024

Cool, yeah, we had this ClusterRoleBinding already; it's just that this oidc.conf was missing...
