no such authenticator

[lknite]

Troubleshooting an initial concierge-only pinniped setup.

Everything looks good yet a browser is not being launched to gather credentials. If I add --skip-browser the error message remains the same without providing a url for me to access to login to. I see this in the concierge log:

[pinniped-concierge-75989848d4-4h7bv] I0623 18:03:48.158746       1 trace.go:205] Trace[1433546369]: "create" kind:TokenCredentialRequest (23-Jun-2022 18:03:48.158) (total time: 0ms):
[pinniped-concierge-75989848d4-4h7bv] Trace[1433546369]: ---"failure" failureType:token authentication,msg:no such authenticator 0ms (18:03:48.158)
[pinniped-concierge-75989848d4-4h7bv] Trace[1433546369]: [22.003µs] [22.003µs] END

There is an authenticator though, or I believe I've done this right:

$ k get jwtauthenticators.authentication.concierge.pinniped.dev 
NAME          ISSUER                                                   AUDIENCE     AGE
oidc-config   https://keycloak.k.home.net/auth/realms/home.net         kubernetes   5d20h

I'm using this script to test with (same error when using this setup via .kube/config):

#!/bin/bash

/usr/local/bin/pinniped login oidc \
      --enable-concierge \
      --concierge-api-group-suffix=pinniped.dev \
      --concierge-authenticator-name=oidc-config \
      --concierge-authenticator-type=jwt \
      --concierge-endpoint=https://<kubernetes_kubeapi_ip>:6443 \
      --concierge-ca-bundle-data=LS0t<snip> \
      --issuer=https://keycloak.k.home.net/auth/realms/home.net \
      --client-id=kubernetes \
      --scopes=openid,email,offline_access \
      --listen-port=8000 \
      --request-audience=kubernetes \
      --ca-bundle /home/lknite/ca-bundle.crt \
      --skip-browser

In what environment did you see this bug?

• lastest install as of last week
• kubernetes version:
  Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0+vmware.wcp.2", GitCommit:"d5bb17833505d15ce5f40815bb14fede978fe8c1", GitTreeState:"clean", BuildDate:"2021-08-14T16:46:51Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"linux/amd64"}
  Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.12+vmware.1", GitCommit:"768a3bbd17406f20f51df36cbd12695c8293392d", GitTreeState:"clean", BuildDate:"2021-11-01T22:45:04Z", GoVersion:"go1.15.15", Compiler:"gc", Platform:"linux/amd64"}

Additional
jwt oidc config:

apiVersion: authentication.concierge.pinniped.dev/v1alpha1
kind: JWTAuthenticator
metadata:
  name: oidc-config
spec:
  issuer: https://keycloak.k.home.net/auth/realms/home.net
  audience: kubernetes
  claims:
    username: preferred_username
    groups: groups

[lknite]

The answer was I needed to add certificateAuthorityData to the JWTAuthenticator. Perhaps a debug message could be added to the log file to make this easier to figure out?

kind: JWTAuthenticator
metadata:
  name: oidc-config
spec:
  issuer: https://keycloak.k.home.net/auth/realms/home
  audience: kubernetes
  claims:
    username: preferred_username
    groups: groups
  tls:
    certificateAuthorityData: |
      .....base64encoded_ca-bundle_goes-here