Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-43469

Azure Session for Client Certificate Credential Should Set Options to Send Certificate Chain

XMLWordPrintable

    • None
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      With the newer azure-sdk-for-go replacing go-autorest, there was a change to use ClientCertificateCredential that did not include the `SendCertificateChain` option by default that used to be there.  The ARO team requires this be set otherwise the 1p integration for SNI will not work.  
      
      Old version: https://github.com/Azure/go-autorest/blob/f7ea664c9cff3a5257b6dbc4402acadfd8be79f1/autorest/adal/token.go#L262-L264
      
      New version: https://github.com/openshift/installer-aro/pull/37/files#diff-da950a4ddabbede621d9d3b1058bb34f8931c89179306ee88a0e4d76a4cf0b13R294
      
          

      Version-Release number of selected component (if applicable):

      This was introduced in the OpenShift installer PR: https://github.com/openshift/installer/pull/6003    

      How reproducible:

      Every time we authenticate using SNI in Azure.  
      

      Steps to Reproduce:

          1.  Configure a service principal in the Microsoft tenant using SNI
          2.  Attempt to run the installer using client-certificate credentials to install a cluster with credentials mode in manual
          

      Actual results:

      Installation fails as we're unable to authenticate using SNI.  
          

      Expected results:

      We're able to authenticate using SNI.  
          

      Additional info:

      This should not have any affect on existing non-SNI based authentication methods using client certificate credentials.  It was previously set in autorest for golang, but is not defaulted to in the newer azure-sdk-for-go.  
      
      
      Note that only first party Microsoft services will be able to leverage SNI in Microsoft tenants.  The test case for this on the installer side would be to ensure it doesn't break manual credential mode installs using a certificate pinned to a service principal.  

       

       

      All we would need changed is to this  pass the ` SendCertificateChain: true,` option only on client certificate credentials.  Ideally we could back-port this as well to all openshift versions which received the migration from AAD to Microsoft Graph changes. 

              jhixson_redhat John Hixson
              bvesel@redhat.com Benjamin Vesel
              Jinyun Ma Jinyun Ma
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: