External OIDC on GKE

Dear community,

I am trying to implement external OIDC on GKE with this document and faced an issue with the certificate setting.

[Documentation Link]: Use external identity providers to authenticate to GKE

I was wondering, for OIDC_PROVIDER_CERTIFICATE, what should I be filling in? I think I am facing:

1. Format Error
2. Giving the wrong key (Root CA, Intermediate CA or even Private key? Don't think so)

For format error:

I tried every way of inserting different certificates, with or without (Begin Certificate), but both spit out different errors.

With ----Begin Certificate: unable to load root certificates: unable to parse bytes as PEM block

Without ----Begin Certificate: illegal base64 data at input byte X

And for giving the wrong key, could anyone with experience help to identify what certificate it is looking for?

Thank you for your response in advance!

2 REPLIES

You need to base64 encode your PEM string data.
You can use something like https://www.base64encode.org/ if you don't feel like writing code.  Just paste the PEM contents and encode!
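
The encoding step from the reply above, done locally so the certificate never leaves the workstation. This is an added example, not part of the original thread: the function names are hypothetical, the sample PEM is constructed placeholder data rather than a real certificate, and it assumes the field takes single-line base64 of the complete PEM text including the BEGIN/END lines.

```python
import base64
import binascii
import re

# Constructed sample: PEM armor around placeholder bytes, NOT a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"\x30\x82" + bytes(range(200))).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----"
)


def encode_pem_for_field(pem_text: str) -> str:
    """Base64-encode the whole PEM text, armor lines included, onto one line."""
    if not PEM_BLOCK.search(pem_text):
        raise ValueError("input does not contain a PEM certificate block")
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def classify_field_value(value: str) -> str:
    """Say which of the attempts described in the thread a value corresponds to."""
    if value.lstrip().startswith("-----BEGIN"):
        return "raw-pem"  # PEM pasted as-is, never base64-encoded
    compact = "".join(value.split())  # ignore line wrapping
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return "base64-without-pem-armor"  # decodes to binary, not PEM text
    return "ok" if PEM_BLOCK.search(text) else "base64-without-pem-armor"


if __name__ == "__main__":
    field = encode_pem_for_field(SAMPLE_PEM)
    body_only = "".join(SAMPLE_PEM.splitlines()[1:-1])
    for label, candidate in [("encoded PEM", field), ("raw PEM", SAMPLE_PEM),
                             ("body only", body_only)]:
        print(f"{label}: {classify_field_value(candidate)}")
```

Running `classify_field_value` on the value before pasting it into the configuration shows whether it is the raw PEM, only the inner body, or the encoded PEM the reply describes.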

Hi garisingh,

Thank you so much for the response. That did help a lot, I am no longer getting format errors. However, now I am experiencing an error "error: You must be logged in to the server (Unauthorized)". I used my Base64 encoded root CA as the OIDC_PROVIDER_CERTIFICATE. Am I making a mistake here? Also, I was wondering if you know where I will be able to find a more detailed log for this error. Thank you very much!

Addition:

I found this in my log in cloud logging, the query is:

resource.type="k8s_control_plane_component"
severity>=ERROR
 
jasonwang090311_1-1680834626915.png