Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: 4.17.z
Component/s: kube-apiserver
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

When a custom serviceAccountIssuer is set on the Authentication CR, the service-account-jwks-uri argument in the KubeAPIServer CR will no longer be set to https://<API_URL>/openid/v1/jwks. 

This means that the jwks_uri field from the /.well-known/openid-configurations endpoint will now be set to https://<MASTER_NODE_IP>:6443/openid/v1/jwks. The problem is that even if the client machine is configured to trust the master node's certificate CA, there will still be an error because the certificate's SAN does not include the master node's IP.

Version-Release number of selected component (if applicable):

4.17.6

How reproducible:

This is a reproducible issue

Steps to Reproduce:

1. Patch the authentication CR with a custom serviceAccountIssuer.
~~~
oc patch authentication cluster --type merge --patch '{"spec": {"serviceAccountIssuer": "https://test.com"}}'
~~~

2. Wait for any rollouts to complete as seen with oc get co. If any pods go into CrashLoopBackOff then delete them with this command:
~~~
oc get pods --all-namespaces | grep CrashLoopBackOff | awk '{print "--namespace " $1 " " $2}' | xargs -L 1 oc delete pod
~~~

3. Check the value of jwks_uri from the well-known endpoint:
~~~
oc get --raw /.well-known/openid-configuration | jq -r '.jwks_uri'
https://<MASTER_NODE_IP>:6443/openid/v1/jwks
~~~     

4. Trust the master node certificate CA which appears to be kube-apiserver-service-network-signer by default.
~~~
oc extract secret/service-network-serving-signer -n openshift-kube-apiserver-operator

sudo cp tls.crt /etc/pki/ca-trust/source/anchors/tls.crt
sudo update-ca-trust
~~~

5. Curl the master node IP.
~~~
curl https://<MASTER_NODE_IP>:6443
curl: (60) SSL: no alternative certificate subject name matches target host name '<MASTER_NODE_IP>'
~~~

6. Check the SAN of the master node's certificate.
~~~
openssl s_client -connect <MASTER_NODE_IP>:6443 -showcerts 2>&1 | openssl x509 -text | grep 'Subject Alternative Name' -A 1
            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:openshift, DNS:openshift.default, DNS:openshift.default.svc, DNS:openshift.default.svc.cluster.local, DNS:172.30.0.1, IP Address:172.30.0.1
~~~

Actual results:

The value of jwks_uri is not accessible with TLS.

Expected results:

The value of jwks_uri is accessible with TLS.

Additional info:

 The customer is not looking for a specific solution so for example, they will be ok with any of the following solutions:
   - Allow for jwks_uri to be configured to a custom value.
   - Add the master node IP to the SAN of its certificate.
   - Set jwks_uri to https://<API_URL>/openid/v1/jwks even if the issuer is changed

links to

openshift/cluster-kube-apiserver-operator#1919: OCPBUGS-46086: Always set service-account-jwks-uri to LB URL even with custom issuer

Assignee:: Shaza Aldawamneh

Reporter:: Clark Uthayakumar

Need Info From:: None

Contributors:: None

QA Contact:: Ke Wang

Doc Contact:: None

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/12/12 5:02 AM

Updated:: 2025/09/24 8:35 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide