OAuth problems and Ansible

When deploying the Bitnami Helm chart for oauth2-proxy using Ansible:

- name: install oauth2 in each namespace
  kubernetes.core.helm:
    kubeconfig: /etc/rancher/k3s/k3s.yaml
    name: oauth2
    chart_ref: "oci://registry-1.docker.io/bitnamicharts/oauth2-proxy"
    release_namespace: "{{ item }}"
    values: "{{ lookup('template', '../files/oauth2-values.yaml') | from_yaml }}"
  loop: "{{ oauth_namespaces }}"

The secrets deployment looks like this:

- include_vars: ../secrets/oauth.yml
- name: define secrets for oauth2
  k8s:
    kubeconfig: /etc/rancher/k3s/k3s.yaml
    namespace: "{{ item }}"
    definition: "{{ lookup('template', '../files/oauth2-secret.yaml.j2') | from_yaml }}"
  loop: "{{ oauth_namespaces }}"

And the secrets file contains secrets that are dynamically converted to base64:

apiVersion: v1
data:
  client-id: {{ secrets_google_oauth_client_id | b64encode }}
  client-secret: {{ secrets_google_oauth_client_secret | b64encode }}
  cookie-secret: {{ secrets_google_oauth_cookie_secret | b64encode }}
kind: Secret
metadata:
  name: oauth2-secret
type: Opaque

DO NOT echo "secret" | base64 --encode on your machine again: echo appends a trailing newline, and that newline gets encoded into the secret. This leads to hard-to-debug errors like:

Error redeeming code during OAuth2 callback: unexpected status "401": 
{ 
    "error": "invalid_client", 
    "error_description": "Unauthorized" 
}

A pointer towards such a problem is when you look at your secret and see a value rendered as a multi-line block (|), which means it contains a newline:

client_id: XXXXXXXXXXXXXXXXXXXXXXXXXXX
client_secret: |
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  
cookie_secret: XXXXXXXXXXXXXXXXXXXXX
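
The trailing-newline problem described above can be checked mechanically. The following shell functions are an added example, not part of the original post: they encode a constructed value both ways and flag any secret key whose decoded value ends in whitespace. The function names and the sample value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All values are constructed, not real credentials.

# Encode the way `echo "secret" | base64` does: echo appends "\n" first.
encode_with_echo() { echo "$1" | base64 | tr -d '\n'; }

# Encode exactly the bytes given, as b64encode does for the variable's string.
encode_exact() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Return 0 if the decoded value ends in newline, CR, space or tab.
has_trailing_whitespace() {
    last=$(printf '%s' "$1" | base64 --decode | tail -c 1 | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a|0d|20|09) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "key base64value" lines on stdin; return 1 if any key is polluted.
check_secret_data() {
    bad=0
    while read -r key value; do
        [ -n "$key" ] || continue
        if has_trailing_whitespace "$value"; then
            echo "BAD  $key: decoded value ends in whitespace"
            bad=1
        else
            echo "OK   $key"
        fi
    done
    return "$bad"
}

# Constructed sample: the same made-up value encoded both ways.
sample="constructed-client-secret"
printf 'client-secret %s\n' "$(encode_with_echo "$sample")" | check_secret_data || true
printf 'client-secret %s\n' "$(encode_exact "$sample")" | check_secret_data
```

Against a cluster, the same check can read the live secret, for example with `kubectl get secret oauth2-secret -n <namespace> -o json | jq -r '.data | to_entries[] | "\(.key) \(.value)"' | check_secret_data`.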