OIDC auth does not handle custom CA certs #360
Comments
|
We'd be happy to take a PR to add this support. Thanks! |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle-stale |
|
fwiw, I looked into the oidc client library here: And I don't think that the library supports custom Certificate Authorities. |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
/lifecycle frozen |
k8s-ci-robot
added
lifecycle/frozen
It does. Any valid |
|
@panva can you give a code sample of how to pass that through? The last time I looked at the code path I didn't see a way to pass that through from the OIDC client interface in the library. |
|
@brendandburns i'm not sure what you're asking. How to pipe those options through kubernetes-client? I have no idea, i just maintain |
Looking at the Go client implementation, one is able to use trusted IDP certs with
idp-certificate-authorityoridp-certificate-authority-dataattributes. See: https://github.com/kubernetes/kubernetes/blob/a3ccea9d8743f2ff82e41b6c2af6dc2c41dc7b10/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go#L41-L42Currently the OIDC auth implementation does not handle those attributes at all which means the oidc auth will fail when the idp uses custom CA. (custom == something not bundled in node itself).
For pure node clients one could use
NODE_EXTRA_CA_CERTSto point to local CA bundle file with the idp CA in it. For us this does not work as we're building an Electron based app that does no allow one to extend the CA bundles at all. :(The text was updated successfully, but these errors were encountered: