Bug 1493276

Summary: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console
Product: OpenShift Container Platform Reporter: Ryan Howe <rhowe>
Component: InstallerAssignee: Andrew Butcher <abutcher>
Status: CLOSED ERRATA QA Contact: Gaoyun Pei <gpei>
Severity: medium Docs Contact:
Priority: high    
Version: 3.6.0CC: aos-bugs, jiajliu, jliggitt, jokerman, mmccomas, sdodson
Target Milestone: ---   
Target Release: 3.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-28 22:11:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ryan Howe 2017-09-19 19:27:00 UTC 
Description of problem:

If a Company CA is added to namedcertificates, the CA is added to ca-bundle.crt as well. This can cause client cert popups when using IE,Safari or Chrome if the user has client certs configured via the browser. 

OpenShift is making a request for client certificates but will ignore if there is none are presented.

3.4-5
https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/genericapiserver/serve.go#L80
3.6
https://github.com/kubernetes/apiserver/blob/release-1.6/pkg/server/serve.go#L71-L77


We only need the clientCA to be set to the Internal OpenShift CA used "ca.crt" not the bundle. 

https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L106


Version-Release number of the following components:
Latest 


How reproducible:
100% 

Steps to reproduce: 

Add client certs that are signed by a ca referenced in the ca-bundle.crt to chrome. Then access OpenShift console.
Comment 1 Ryan Howe 2017-09-19 19:30:31 UTC 
*** Bug 1259029 has been marked as a duplicate of this bug. ***
Comment 2 Scott Dodson 2017-09-19 19:54:20 UTC 
Jordan can you validate that not using the ca-bundle.crt which includes the nameCertificates CA is the correct thing to do here?
Comment 3 Jordan Liggitt 2017-09-19 20:18:42 UTC 
Yes, just the internal CA should be set for client cert CA, not the full bundle populated for named certificates
Comment 4 openshift-github-bot 2017-10-09 21:28:19 UTC 
Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/60c770af09aaf5572b61d6d71ddda88db2dd7de2
Merge pull request #5698 from abutcher/servinginfo-client-ca

Automatic merge from submit-queue.

Bug 1493276: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console

https://bugzilla.redhat.com/show_bug.cgi?id=1493276
Comment 6 Gaoyun Pei 2017-10-12 08:04:27 UTC 
Verify this bug with openshift-ansible-3.7.0-0.148.0.git.0.b35eb14.el7.noarch

For fresh install ocp-3.7 cluster, servingInfo.clientCA was set to ca.crt by default now.

For old env which was using ca-bundle.crt as servingInfo.clientCA, after running /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml playbook, it could be changed to ca.crt.
Comment 10 errata-xmlrpc 2017-11-28 22:11:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188