
[BUG] Additional trusted CAs doesn't apply to keycloak oidc #43217

Closed
HoustonDad opened this issue Oct 19, 2023 · 4 comments
Assignees
Labels
area/certificate internal kind/bug Issues that are defects reported by users or that we know have reached a real release QA/M release-note Note this issue in the milestone's release notes status/release-note-added status/to-test team/collie the team that is responsible for auth and rbac within rancher [zube]: Done
Milestone

Comments

@HoustonDad

HoustonDad commented Oct 19, 2023

Rancher Server Setup

  • Rancher version: 2.7.5

Information about the Cluster

  • Kubernetes version: 1.25.x
  • Cluster Type (Local/Downstream): Local

User Information

  • What is the role of the user logged in: Admin

Describe the bug
Customers following the following: https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc#configuration-reference

Will run into an issue where a self-signed keycloak server will fail unless the full CA bundle is used. Meaning either the additional trusted CAs aren't passed properly, or the documentation needs to be updated to include the need for it with self-signed certificates.

To Reproduce

  • Create a cluster using a private signed CA
  • Add the CA to additional trusted CAs
  • Configure a keycloak server that uses certificates signed by the same CA
  • Add just the client certificate, as the CA is in additional trusted certs, and the documentation doesn't explicitly state that the full chain should be needed.

Workaround:
Is a workaround available and implemented? yes
What is the workaround: above

Result
Needs full chain to function

Expected Result
Either respects additional trusted CAs or documentation reflects that it doesn't.

SURE-6675

@HoustonDad HoustonDad added the kind/bug Issues that are defects reported by users or that we know have reached a real release label Oct 19, 2023
@HoustonDad
Author

This may be related to #42371

@tomleb
Contributor

tomleb commented Dec 5, 2023

Validation Template

Root Cause

The OS certificate bundle isn't used when a cert/key is provided to the keycloak auth provider configuration. This bundle contains the custom certs that the user can specify during install.

What was fixed, or what changes have occurred

We're now using the OS bundle when the cert/key is provided. So now the OS bundle is used whether or not the cert/key are provided.

Areas or cases that should be tested

  • P0 functionality for keycloak provider
  • Rancher can connect to a keycloak behind certs/keys from a trusted custom CA WITH certs/keys provided in the authconfig.

What areas could experience regressions

There might be regressions with the following properties when using the keycloak auth provider:

  • HTTP proxy
    • The HTTP proxy setting should be respected when no certs and keys are provided.
    • The HTTP proxy setting should NOT be respected when certs and keys are provided. (Will need another GH issue to fix this)
  • Custom CA certs
    • A keycloak instance should be trusted if the CA cert is part of the custom CAs when certs and keys are provided in auth config.
    • A keycloak instance should be trusted if the CA cert is part of the custom CAs when certs and keys are NOT provided in auth config.

Are the repro steps accurate/minimal?

N/A
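The root cause described in the validation template, reduced to trust-pool construction in Go. This is an added illustration, not Rancher's own code: it assumes a constructed private CA standing in for the OS bundle with additional trusted CAs, a Keycloak server certificate and a Rancher client certificate issued by that CA, and a hypothetical rootPool helper whose flag selects the pre-fix and post-fix behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue: P-256 key and certificate for cn, signed by parent/parentKey (self-signed when parent is nil). Fixture only, not Rancher code.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // fixture generation only; not expected to fail
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// rootPool mirrors the thread: before the fix, a cert/key in the Keycloak auth config made that cert
// the only trust root; after it, the OS bundle (carrying the additional trusted CAs) is the base.
func rootPool(osBundle *x509.CertPool, authConfigCert *x509.Certificate, useOSBundle bool) *x509.CertPool {
	pool := x509.NewCertPool()
	if useOSBundle {
		pool = osBundle.Clone()
	}
	pool.AddCert(authConfigCert)
	return pool
}
// scenario reproduces the report with one private CA in the OS bundle; returns (trusted before fix, trusted after fix).
func scenario() (before, after bool) {
	ca, caKey := issue("Private CA", true, nil, nil)
	server, _ := issue("keycloak.example", false, ca, caKey)
	client, _ := issue("rancher", false, ca, caKey) // the client cert the reporter put in the auth config
	osBundle := x509.NewCertPool()                  // stands in for the OS bundle plus additional trusted CAs
	osBundle.AddCert(ca)
	_, errBefore := server.Verify(x509.VerifyOptions{Roots: rootPool(osBundle, client, false), DNSName: "keycloak.example"})
	_, errAfter := server.Verify(x509.VerifyOptions{Roots: rootPool(osBundle, client, true), DNSName: "keycloak.example"})
	return errBefore == nil, errAfter == nil
}
```

With only the auth-config client certificate as root the Keycloak server certificate does not chain, which is why the reporter needed the full chain; starting from the OS bundle makes the additional trusted CA apply.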

@MKlimuszka MKlimuszka modified the milestones: v2.8-Next1, v2.8.2 Dec 14, 2023
@MKlimuszka MKlimuszka modified the milestones: v2.8.3, v2.9.0 Jan 8, 2024
@MKlimuszka MKlimuszka modified the milestones: v2.8.3, v2.8-Next1 Jan 22, 2024
@samjustus samjustus added team/collie the team that is responsible for auth and rbac within rancher and removed squad/auth-providers team/area3 labels Feb 1, 2024
@tomleb tomleb added the release-note Note this issue in the milestone's release notes label Mar 21, 2024
@tomleb
Contributor

tomleb commented Mar 21, 2024

Release notes

Authentication

Behavior Changes

Rancher uses additional trusted CAs when establishing a secure connection to the keycloak OIDC authentication provider.

@dasarinaidu
Contributor

Validated this issue on v2.8.3-rc3, looks good and closing this issue.
