Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake #21

Merged
merged 1 commit into from Nov 11, 2019
Merged

[release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake #21

merged 1 commit into from Nov 11, 2019

Conversation

openshift-cherrypick-robot
Copy link

This is an automated cherry-pick of #19

/assign stlaz

@stlaz
RequestHeaders IdP: fix TLS handshake
df2ceb1 
OAuth server uses the APIServer wrapping for its endpoints. This
wrapping has its own RequestHeader IdP for the cluster admin login
with client cert. As a part of that, before the RequestHeader is
set, DelegatingAuthenticationOptions() adds its own ClientCA to
the serving info config.

The result of the above behavior is that during TLS handshake, when
the names for acceptable client certificate CAs are announced, the
CAs of the above mentioned apiserver RequestHeader IdP are announced.

When users configure their own RequestHeader IdP to be used in
OpenShift for the oauth-server to try to retrieve the users from,
oauth-server was not adding this RequestHeader's client CA name
among the acceptable client certificate CA names mentioned above.

This commit adds the client CA data from the user specified
RequestHeader IdP to 'GenericConfig.SecureServing.ClientCA',
which is later converted to tlsConfig object which defines the
data to be used in TLS handshakes.
@openshift-ci-robot openshift-ci-robot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Nov 5, 2019
@openshift-cherrypick-robot openshift-cherrypick-robot mentioned this pull request Nov 5, 2019
Merged
@openshift-ci-robot
Copy link
Contributor

@openshift-cherrypick-robot: This pull request references Bugzilla bug 1764558, which is invalid:

  • expected the bug to target the "4.2.z" release, but it targets "4.3.0" instead
  • expected the bug to be in one of the following states: NEW, ASSIGNED, ON_DEV, POST, POST, but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

[release-4.2] Bug 1764558: RequestHeaders IdP: fix TLS handshake

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Nov 5, 2019
@stlaz
Copy link
Member

stlaz commented Nov 5, 2019

/retitle [release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake

@openshift-ci-robot openshift-ci-robot changed the title [release-4.2] Bug 1764558: RequestHeaders IdP: fix TLS handshake [release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake Nov 5, 2019
@openshift-ci-robot
Copy link
Contributor

@openshift-cherrypick-robot: This pull request references Bugzilla bug 1768785, which is invalid:

  • expected dependent Bugzilla bug 1764558 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

[release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@stlaz
Copy link
Member

stlaz commented Nov 7, 2019

/bugzilla refresh

@openshift-ci-robot openshift-ci-robot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Nov 7, 2019
@openshift-ci-robot
Copy link
Contributor

@stlaz: This pull request references Bugzilla bug 1768785, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Nov 7, 2019
@deads2k
Copy link
Contributor

deads2k commented Nov 7, 2019

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Nov 7, 2019
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, openshift-cherrypick-robot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 7, 2019
@derekwaynecarr
Copy link
Member

/bugzilla refresh

@openshift-ci-robot
Copy link
Contributor

@derekwaynecarr: This pull request references Bugzilla bug 1768785, which is valid.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@derekwaynecarr derekwaynecarr added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Nov 11, 2019
@openshift-merge-robot openshift-merge-robot merged commit 3ac077f into openshift:release-4.2 Nov 11, 2019
@openshift-ci-robot
Copy link
Contributor

@openshift-cherrypick-robot: All pull requests linked via external trackers have merged. Bugzilla bug 1768785 has been moved to the MODIFIED state.

In response to this:

[release-4.2] Bug 1768785: RequestHeaders IdP: fix TLS handshake

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@mrogers950 mrogers950 Awaiting requested review from mrogers950

Assignees

@stlaz stlaz

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@openshift-cherrypick-robot @openshift-ci-robot @stlaz @deads2k @derekwaynecarr @openshift-merge-robot