Troubleshooting registration and connection

This document gives troubleshooting guidance for issues you might encounter during registration and connection.

Invalid configuration

If Google Cloud console cannot read the OIDC configuration from your cluster, the LOGIN button is disabled.

Login URL not found

The following issue occurs when the Google Cloud console is not able to reach the identity provider.

An attempt to log in gets redirected to a page with "URL not found" error.

To resolve this issue:

  1. If the identity provider is not reachable over the public internet, then you need to enable the OIDC HTTP proxy to log in via Google Cloud console. In the authentication.oidc section of your cluster configuration file, set deployCloudConsoleProxyto true. If you have already created a cluster and want to turn on the proxy, you can edit the ClientConfig custom resource directly and set useHTTPProxy to true:

    kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public
    
  2. If the HTTP proxy is enabled and you are still seeing this error, there might have been an issue with the proxy starting up. To get the logs of the proxy:

    kubectl --kubeconfig USER_CLUSTER_KUBECONFIG logs deployment/clientconfig-operator -n kube-system

    Note that even if your identity provider has a well-known CA, for the HTTP proxy to start, you must provide a value for authentication.oidc.caPath in your cluster configuration file.

  3. If the authorization server prompts for consent, and you have not included the extraparam prompt=consent, then you might see this error. Edit the ClientConfig object, and add prompt=consent to extraparams:

    kubectl --kubeconfig USER_CLUSTER_KUBECONFIG edit clientconfig default -n kube-public
    

    Then try logging in again.

  4. If you have not done so already, try authenticating using the Authentication Plugin for Anthos. If you are seeing an authorization error logging in with the plugin as well, then follow the troubleshooting steps to resolve the issue with the plugin. Then try logging in via the Google Cloud console again.

  5. In some cases, if settings are changed on storage service, you might need to log out explicitly. In the Google Cloud console, go to the cluster details page, and click Log out. Then try logging in again.