OIDC auth does not handle custom CA certs #360
Comments
We'd be happy to take a PR to add this support. Thanks!
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/remove-lifecycle-stale
FWIW, I looked into the OIDC client library here: And I don't think that the library supports custom Certificate Authorities.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle frozen
It does. Any valid
@panva can you give a code sample of how to pass that through? The last time I looked at the code path I didn't see a way to pass that through from the OIDC client interface in the library.
@brendandburns I'm not sure what you're asking. How to pipe those options through kubernetes-client? I have no idea, I just maintain
Looking at the Go client implementation, one is able to use trusted IdP certs with the idp-certificate-authority or idp-certificate-authority-data attributes. See: https://github.com/kubernetes/kubernetes/blob/a3ccea9d8743f2ff82e41b6c2af6dc2c41dc7b10/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go#L41-L42

Currently the OIDC auth implementation does not handle those attributes at all, which means the OIDC auth will fail when the IdP uses a custom CA (custom == something not bundled in Node itself).

For pure Node clients one could use NODE_EXTRA_CA_CERTS to point to a local CA bundle file with the IdP CA in it. For us this does not work as we're building an Electron-based app that does not allow one to extend the CA bundles at all. :(