Bug 1402251

Summary: GitLabIdentityProvider doesn't take care of "ca:" field
Product: OpenShift Container Platform
Reporter: Kenjiro Nakayama <knakayam>
Component: apiserver-auth
Assignee: Jordan Liggitt <jliggitt>
Status: CLOSED CURRENTRELEASE
QA Contact: Chuan Yu <chuyu>
Severity: medium
Priority: medium
Version: 3.3.0
CC: agoldste, aos-bugs, chuyu, tdawson, wsun
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2017-02-16 21:04:18 UTC
Type: Bug

Description Kenjiro Nakayama 2016-12-07 06:49:34 UTC
Description of problem:
===
GitLabIdentityProvider doesn't take care of "ca:" field.

Version-Release number of selected component (if applicable):
===
OCP 3.3.1.5-1

How reproducible (Steps to Reproduce):
===
step-1. Configure GitLabIdentityProvider as below:

  ---
  oauthConfig:
    assetPublicURL: https://foo.example.com:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - challenge: false
      login: true
      mappingMethod: claim
      name: gitlab_auth
      provider:
        apiVersion: v1
        ca: /path/to/ca-bundle.crt
        clientID: xxxx
        clientSecret: xxxx
        kind: GitLabIdentityProvider
        url: https://gitlab.foo.example.com
  ---

step-2. Login

Actual results:
===
Failed to login with following error:

  Dec  5 04:34:44 ip-172-31-193-103 atomic-openshift-master-api: E1205 04:34:44.549405  121009 errorpage.go:30] AuthenticationError: Get https://git.foo.example.com/api/v3/user: x509: certificate signed by unknown authority

Expected results:
===
Login successfully

Additional info:
===
We confirmed that the ca.crt and ca-bundle.crt worked:

   $ curl --cacert /path/to/ca-bundle.crt https://git.foo.example.com
   $ curl --cacert /path/to/ca.crt https://git.foo.example.com

Also, after removing "ca: /path/to/ca-bundle.crt" from GitLabIdentityProvider, if we include ca.crt in the root CAs, the login works well.

  # update-ca-trust enable
  # cp /path/to/ca.crt /etc/pki/ca-trust/source/anchors/
  # update-ca-trust extract

From this, most probably GitLabIdentityProvider doesn't take care of ca: field.
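Reproducing the behaviour the report describes, as an added example that is not part of the bug report or of OpenShift's own code: the identity provider's request to `/api/v3/user` is made once with an empty trust store (standing in for a system store that lacks the private CA, which is what ignoring the `ca:` field amounts to) and once with the PEM bundle the `ca:` field would point at. The first attempt fails with `x509: certificate signed by unknown authority`, the second succeeds. The private CA, the server certificate for 127.0.0.1, the stub GitLab endpoint and the returned JSON are all constructed in memory for the example; the helper names (`newTestPKI`, `startGitLabStub`, `fetchUser`, `isUnknownAuthority`) are hypothetical and do not correspond to the provider's real code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error; used only while building the throwaway test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestPKI builds a throwaway private CA and a server certificate for the
// loopback address signed by it, constructed in memory so the example runs
// offline. The CA is returned as PEM, standing in for the file named by "ca:".
func newTestPKI() (caPEM []byte, serverCert tls.Certificate) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	caCert := must(x509.ParseCertificate(caDER))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "gitlab.foo.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
	}
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey))
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	serverCert = tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	return caPEM, serverCert
}

// startGitLabStub serves a minimal /api/v3/user endpoint over TLS with the
// given certificate, playing the role of the private GitLab instance.
func startGitLabStub(serverCert tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/api/v3/user" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"id":1,"username":"example-user"}`) // constructed response
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}}
	srv.StartTLS()
	return srv
}

// fetchUser performs the same GET the identity provider makes. caPEM is the
// content of the file the "ca:" field points at; nil means no private CA was
// loaded, so verification runs against an empty trust store (the situation in
// the report, where the configured CA was never used).
func fetchUser(baseURL string, caPEM []byte) (string, error) {
	roots := x509.NewCertPool()
	if caPEM != nil && !roots.AppendCertsFromPEM(caPEM) {
		return "", errors.New("ca: no PEM certificates found in bundle")
	}
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
	resp, err := client.Get(baseURL + "/api/v3/user")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// isUnknownAuthority reports whether err is the verification failure quoted in
// the report ("x509: certificate signed by unknown authority").
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	caPEM, serverCert := newTestPKI()
	srv := startGitLabStub(serverCert)
	defer srv.Close()
	_, err := fetchUser(srv.URL, nil)
	fmt.Println("ca: ignored ->", err, "| unknown authority:", isUnknownAuthority(err))
	body, err := fetchUser(srv.URL, caPEM)
	fmt.Println("ca: honoured ->", body, err)
}
```

The check worth keeping from this is `isUnknownAuthority`: when an OAuth login fails with this error in the master-api log, the question is whether the provider's HTTP client was built with a `RootCAs` pool that actually contains the file from `ca:`, not whether the file itself is valid (the `curl --cacert` runs above already prove that).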

Comment 12 Chuan Yu 2016-12-08 05:53:25 UTC
Checked with OSE v3.4.0.33 and got the correct ca-bundle.crt file; the issue was fixed.
# openshift version
openshift v3.4.0.33+71c05b2
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

Comment 14 Troy Dawson 2017-02-16 21:04:18 UTC
This bug was fixed with the latest OCP 3.4.0 that is already released.