Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31498

Separate oidc certificate authority and cluster certificate authority


    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Undefined Undefined
    • 4.16.0
    • 4.15.z, 4.16.0
    • oc
    • Moderate
    • No
    • False
    • Hide


    • Release Note Not Required
    • Done

      Description of problem:

      Separate oidc certificate authority and cluster certificate authority.

      Version-Release number of selected component (if applicable):

      oc 4.16 / 4.15

      How reproducible:


      Steps to Reproduce:

      1. Launch HCP external OIDC cluster. The external OIDC uses keycloak. The keycloak server is created outside of the cluster and its serving certificate is not trusted, its CA is separate than cluster's any CA.
      2. Test oc login
      $ curl -sSI --cacert $ISSUER_CA_FILE $ISSUER_URL/.well-known/openid-configuration | head -n 1
      HTTP/1.1 200 OK
      $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority $ISSUER_CA_FILE
      The server uses a certificate signed by an unknown authority.
      You can bypass the certificate check, but any data you send to the server could be intercepted by others.
      Use insecure connections? (y/n): n
      error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

      Actual results:

      2. oc login with --certificate-authority pointing to $ISSUER_CA_FILE fails.
      The reason is, oc login not only communicates with the oidc server, but also communicates the test cluster's kube-apiserver which is also self signed. Need more action for the --certificate-authority flag, i.e. need combine test cluster's kube-apiserver's CA and $ISSUER_CA_FILE:
      $ grep certificate-authority-data $KUBECONFIG | grep -Eo "[^ ]+$" | base64 -d > hostedcluster_kubeconfig_ca.crt
      $ cat $ISSUER_CA_FILE hostedcluster_kubeconfig_ca.crt > combined-ca.crt
      $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority combined-ca.crt
      Please visit the following URL in your browser: http://localhost:8080

      Expected results:

      For step 2, per https://redhat-internal.slack.com/archives/C060D1W96LB/p1711624413149659?thread_ts=1710836566.326359&cid=C060D1W96LB discussion, separate trust like:

      $ oc login api-server --oidc-certificate-auhority=$ISSUER_CA_FILE [--certificate-authority=hostedcluster_kubeconfig_ca.crt]

      The [--certificate-authority=hostedcluster_kubeconfig_ca.crt] should be optional if it is included in $KUBECONFIG's certificate-authority-data already.

            aguclu@redhat.com Arda Guclu
            xxia-1 Xingxing Xia
            Xingxing Xia Xingxing Xia
            0 Vote for this issue
            6 Start watching this issue