
Separate oidc certificate authority and cluster certificate authority

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • Affects Version: 4.16.0
    • Target Version: 4.15.z, 4.16.0
    • Component: oc
    • Severity: Moderate
    • Release Note Type: Release Note Not Required
    • Status: Done

      Description of problem:

      Separate oidc certificate authority and cluster certificate authority.

      Version-Release number of selected component (if applicable):

      oc 4.16 / 4.15

      How reproducible:

      Always

      Steps to Reproduce:

      1. Launch an HCP external OIDC cluster. The external OIDC provider is keycloak. The keycloak server is created outside the cluster, its serving certificate is not trusted, and its CA is separate from any of the cluster's CAs.
      
      2. Test oc login
      $ curl -sSI --cacert $ISSUER_CA_FILE $ISSUER_URL/.well-known/openid-configuration | head -n 1
      HTTP/1.1 200 OK
      
      $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority $ISSUER_CA_FILE
      The server uses a certificate signed by an unknown authority.
      You can bypass the certificate check, but any data you send to the server could be intercepted by others.
      Use insecure connections? (y/n): n
      
      error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.
      

      Actual results:

      2. oc login with --certificate-authority pointing to $ISSUER_CA_FILE fails.
      
      The reason is that oc login communicates not only with the OIDC server but also with the test cluster's kube-apiserver, whose certificate is also self-signed. The --certificate-authority flag therefore needs extra work: the test cluster's kube-apiserver CA must be combined with $ISSUER_CA_FILE:
      $ grep certificate-authority-data $KUBECONFIG | grep -Eo "[^ ]+$" | base64 -d > hostedcluster_kubeconfig_ca.crt
      
      $ cat $ISSUER_CA_FILE hostedcluster_kubeconfig_ca.crt > combined-ca.crt
      $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email,profile --callback-port=8080 --certificate-authority combined-ca.crt
      Please visit the following URL in your browser: http://localhost:8080
      

      Expected results:

      For step 2, per https://redhat-internal.slack.com/archives/C060D1W96LB/p1711624413149659?thread_ts=1710836566.326359&cid=C060D1W96LB discussion, separate trust like:

      $ oc login api-server --oidc-certificate-authority=$ISSUER_CA_FILE [--certificate-authority=hostedcluster_kubeconfig_ca.crt]
      

      The [--certificate-authority=hostedcluster_kubeconfig_ca.crt] should be optional if it is included in $KUBECONFIG's certificate-authority-data already.
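The split between issuer trust and cluster trust that the expected result asks for, written out as a small model. This is an added example, not code from the bug report or from the oc project: it assumes the kubeconfig has already been parsed into a dict (the shape `yaml.safe_load` would return), uses constructed placeholder PEM blocks and hostnames, and only models which CA bundle each TLS peer gets; it does not open TLS connections. It also shows why the `grep certificate-authority-data | base64 -d` workaround is fragile: with more than one cluster in the kubeconfig it returns the first CA in file order, not the CA of the current context.

```python
"""Per-peer trust anchors for an OIDC-backed oc login, as a worked model.

Before the fix, one --certificate-authority bundle was applied to both TLS
peers oc login talks to: the external OIDC issuer and the cluster's
kube-apiserver. The workaround was to concatenate the two CAs into one bundle,
which makes each CA valid for the other peer as well. This model keeps the two
anchors separate and reads the cluster CA from the kubeconfig's current
context rather than from the first certificate-authority-data line in the file.
"""
import base64
from urllib.parse import urlparse

# Constructed placeholder PEM blocks; they are not real certificates.
ISSUER_CA_PEM = "-----BEGIN CERTIFICATE-----\nISSUER-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
HOSTED_CA_PEM = "-----BEGIN CERTIFICATE-----\nHOSTED-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
MGMT_CA_PEM = "-----BEGIN CERTIFICATE-----\nMGMT-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"

ISSUER_URL = "https://keycloak.example.invalid/realms/ocp"  # constructed hostname
HOSTED_API = "https://api.hosted.example.invalid:6443"      # constructed hostname


def _b64(pem: str) -> str:
    return base64.b64encode(pem.encode()).decode()


# Constructed kubeconfig in the shape yaml.safe_load() would produce. It holds
# two clusters and current-context points at the second one, so a "first
# match" search for certificate-authority-data returns the wrong CA.
KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "current-context": "hosted",
    "contexts": [
        {"name": "mgmt", "context": {"cluster": "mgmt-cluster", "user": "admin"}},
        {"name": "hosted", "context": {"cluster": "hosted-cluster", "user": "oidc-user"}},
    ],
    "clusters": [
        {"name": "mgmt-cluster",
         "cluster": {"server": "https://api.mgmt.example.invalid:6443",
                     "certificate-authority-data": _b64(MGMT_CA_PEM)}},
        {"name": "hosted-cluster",
         "cluster": {"server": HOSTED_API,
                     "certificate-authority-data": _b64(HOSTED_CA_PEM)}},
    ],
}


def current_cluster(kubeconfig: dict) -> dict:
    """Return the cluster entry that the current context refers to."""
    ctx_name = kubeconfig["current-context"]
    ctx = next(c["context"] for c in kubeconfig["contexts"] if c["name"] == ctx_name)
    return next(c["cluster"] for c in kubeconfig["clusters"] if c["name"] == ctx["cluster"])


def cluster_ca_pem(kubeconfig: dict):
    """Decode certificate-authority-data of the current context's cluster (None if unset)."""
    data = current_cluster(kubeconfig).get("certificate-authority-data")
    return base64.b64decode(data).decode() if data else None


def first_match_ca_pem(kubeconfig: dict):
    """What 'grep certificate-authority-data $KUBECONFIG | ... | base64 -d' yields:
    the first cluster's CA in file order, regardless of current-context."""
    for c in kubeconfig["clusters"]:
        data = c["cluster"].get("certificate-authority-data")
        if data:
            return base64.b64decode(data).decode()
    return None


class TrustStore:
    """One CA bundle per TLS peer host. A peer without an anchor is an error,
    never a fallback to some other peer's CA."""

    def __init__(self):
        self._anchors = {}

    def pin(self, url: str, ca_pem: str) -> None:
        self._anchors[urlparse(url).hostname] = ca_pem

    def has_anchor(self, url: str) -> bool:
        return urlparse(url).hostname in self._anchors

    def ca_for(self, url: str) -> str:
        host = urlparse(url).hostname
        if host not in self._anchors:
            raise LookupError(f"no CA configured for {host}")
        return self._anchors[host]


def build_trust(kubeconfig: dict, issuer_url: str, issuer_ca_pem: str,
                cluster_ca_pem_override=None) -> TrustStore:
    """Separate trust, as --oidc-certificate-authority provides: the issuer CA is
    pinned to the issuer host only, and the cluster CA (an explicit
    --certificate-authority if given, else the kubeconfig's) to the API server only."""
    cluster = current_cluster(kubeconfig)
    cluster_ca = cluster_ca_pem_override or cluster_ca_pem(kubeconfig)
    if cluster_ca is None:
        raise ValueError("no cluster CA: pass one explicitly or set certificate-authority-data")
    store = TrustStore()
    store.pin(issuer_url, issuer_ca_pem)
    store.pin(cluster["server"], cluster_ca)
    return store


def combined_bundle(*pems: str) -> str:
    """The pre-fix workaround: one concatenated bundle trusted for every peer."""
    return "".join(pems)


def pem_block_count(bundle: str) -> int:
    return bundle.count("-----BEGIN CERTIFICATE-----")
```

With the separate store, the issuer host never sees the cluster CA and the API server never sees the issuer CA, whereas `combined_bundle` (the workaround in the actual results) hands both CAs to both peers. `first_match_ca_pem` versus `cluster_ca_pem` shows the difference between the grep one-liner and a lookup that honours `current-context`.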


            Errata Tool added a comment:

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Critical: OpenShift Container Platform 4.16.0 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:0041

            OpenShift Jira Bot added a comment:

            Hi aguclu@redhat.com,

            Bugs should not be moved to Verified without first providing a Release Note Type ("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

            Xingxing Xia added a comment:

            Pre-merge tested PR as below. Works well.

            $ cd /data/src/github.com/openshift/oc
            Fetch PR branch. Then compile:
            $ make cross-build-linux-amd64
            $ mv _output/bin/linux_amd64/oc ~/bin # ~/bin is in $PATH
            

            Log in to the HCP external OIDC cluster which sets issuerCertificateAuthority, using keycloak as OIDC that is exposed as a secure route in any other cluster different from the HCP cluster, as below.

            $ oc login --exec-plugin=oc-oidc --issuer-url=$ISSUER_URL --client-id=$CLI_CLIENT_ID --extra-scopes=email --callback-port=8080 --oidc-certificate-authority router-ca/ca-bundle.crt
            Please visit the following URL in your browser: http://localhost:8080
            Logged into "https://a72e8c73xxxxxxxx.elb.ap-northeast-2.amazonaws.com:6443" as "oidc-user-test:xxia@redhat.com" from an external oidc issuer.
            
            You don't have any projects. Contact your system administrator to request a project.
            

            Login succeeds. The new separate flag --oidc-certificate-authority works well.

              Assignee: Arda Guclu (aguclu@redhat.com)
              Reporter: Xingxing Xia (xxia-1)
              QA Contact: Xingxing Xia