[OCPBUGS-31498] Separate oidc certificate authority and cluster certificate authority

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.16.0
Affects Version/s: 4.15.z, 4.16.0
Component/s: oc
Labels:
- pre-merge-tested

Severity:
Moderate
Regression:
No
Epic Link:
oc login without oauth
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Type:
Release Note Not Required
Release Note Status:
Done
Target Version:

4.16.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

Separate oidc certificate authority and cluster certificate authority.

Version-Release number of selected component (if applicable):

oc 4.16 / 4.15

How reproducible:

Always

Steps to Reproduce:

1. Launch HCP external OIDC cluster. The external OIDC uses keycloak. The keycloak server is created outside of the cluster and its serving certificate is not trusted, its CA is separate than cluster's any CA.

2. Test oc login
$ curl -sSI --cacert $ISSUER_CA_FILE $ISSUER_URL/.well-known/openid-configuration | head -n 1
HTTP/1.1 200 OK

$ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority $ISSUER_CA_FILE
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): n

error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

Actual results:

2. oc login with --certificate-authority pointing to $ISSUER_CA_FILE fails.

The reason is, oc login not only communicates with the oidc server, but also communicates the test cluster's kube-apiserver which is also self signed. Need more action for the --certificate-authority flag, i.e. need combine test cluster's kube-apiserver's CA and $ISSUER_CA_FILE:
$ grep certificate-authority-data $KUBECONFIG | grep -Eo "[^ ]+$" | base64 -d > hostedcluster_kubeconfig_ca.crt

$ cat $ISSUER_CA_FILE hostedcluster_kubeconfig_ca.crt > combined-ca.crt
$ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority combined-ca.crt
Please visit the following URL in your browser: http://localhost:8080

Expected results:

For step 2, per https://redhat-internal.slack.com/archives/C060D1W96LB/p1711624413149659?thread_ts=1710836566.326359&cid=C060D1W96LB discussion, separate trust like:

$ oc login api-server --oidc-certificate-auhority=$ISSUER_CA_FILE [--certificate-authority=hostedcluster_kubeconfig_ca.crt]

The [--certificate-authority=hostedcluster_kubeconfig_ca.crt] should be optional if it is included in $KUBECONFIG's certificate-authority-data already.

blocks

OCPBUGS-31879 Separate oidc certificate authority and cluster certificate authority

Closed

is cloned by

OCPBUGS-31879 Separate oidc certificate authority and cluster certificate authority

Closed

is documented by

OCPBUGS-27859 [Doc] Document BYO oc login needs to explicitly set --oidc-certificate-authority flag if external OIDC certificate is not publicly trusted

Closed

links to

openshift/oc#1720: OCPBUGS-31498: Add OIDC specific certificate authority bundle flag

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

Errata Tool added a comment - 2024/06/27 11:44 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Critical: OpenShift Container Platform 4.16.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:0041

Errata Tool added a comment - 2024/06/27 11:44 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Critical: OpenShift Container Platform 4.16.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:0041

OpenShift Jira Bot added a comment - 2024/04/08 7:58 PM

Hi aguclu@redhat.com,

Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

OpenShift Jira Bot added a comment - 2024/04/08 7:58 PM Hi aguclu@redhat.com , Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

Xingxing Xia added a comment - 2024/04/02 6:30 AM

Pre-merge tested PR as below. Works well.

$ cd /data/src/github.com/openshift/oc
Fetch PR branch. Then compile:
$ make cross-build-linux-amd64
$ mv _output/bin/linux_amd64/oc ~/bin # ~/bin is in $PATH

Login to the HCP external OIDC cluster which sets issuerCertificateAuthority using keycloak as OIDC that is exposed as a secure route in any other cluster different than the HCP cluster as below.

$ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email --callback-port=8080 --oidc-certificate-authority router-ca/ca-bundle.crt
Please visit the following URL in your browser: http://localhost:8080
Logged into "https://a72e8c73xxxxxxxx.elb.ap-northeast-2.amazonaws.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.

You don't have any projects. Contact your system administrator to request a project.

Login succeeds. The new separate flag --oidc-certificate-authority works well.

Xingxing Xia added a comment - 2024/04/02 6:30 AM Pre-merge tested PR as below. Works well. $ cd /data/src/github.com/openshift/oc Fetch PR branch. Then compile: $ make cross-build-linux-amd64 $ mv _output/bin/linux_amd64/oc ~/bin # ~/bin is in $PATH Login to the HCP external OIDC cluster which sets issuerCertificateAuthority using keycloak as OIDC that is exposed as a secure route in any other cluster different than the HCP cluster as below. $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email --callback-port=8080 --oidc-certificate-authority router-ca/ca-bundle.crt Please visit the following URL in your browser: http: //localhost:8080 Logged into "https: //a72e8c73xxxxxxxx.elb.ap-northeast-2.amazonaws.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer. You don't have any projects. Contact your system administrator to request a project. Login succeeds. The new separate flag --oidc-certificate-authority works well.

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2024/06/27 11:44 AM

Expand comment: Errata Tool added a comment - 2024/06/27 11:44 AM

Collapse comment: OpenShift Jira Bot added a comment - 2024/04/08 7:58 PM

Expand comment: OpenShift Jira Bot added a comment - 2024/04/08 7:58 PM

Collapse comment: Xingxing Xia added a comment - 2024/04/02 6:30 AM

Expand comment: Xingxing Xia added a comment - 2024/04/02 6:30 AM

People

Dates