Bug 1614414

Summary: OpenShift 3.10 Missing CA for LDAP Config
Product: OpenShift Container Platform Reporter: Matthew Robson <mrobson>
Component: InstallerAssignee: Vadim Rutkovsky <vrutkovs>
Status: CLOSED CURRENTRELEASE QA Contact: Gaoyun Pei <gpei>
Severity: high Docs Contact:
Priority: high    
Version: 3.10.0CC: aos-bugs, dmoessne, erich, jokerman, jtudelag, mmccomas, mrobson, scuppett, vhernand, vlaad
Target Milestone: ---   
Target Release: 3.10.z   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1639589 (view as bug list) Environment:
Last Closed: 2018-10-08 11:55:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1639589    

Description Matthew Robson 2018-08-09 14:26:12 UTC 
Description of problem:

The same ldap config from 3.9 no longer works correctly in 3.10 without adding ca: instead of using openshift_master_ldap_ca_file.

openshift_master_identity_providers=[{'name':'my_ldap_provider','challenge':'true','login':'true','kind':'LDAPPasswordIdentityProvider','attributes':{'id':['dn'],'email':['mail'],'name':['displayName'],'preferredUsername':['sAMAccountName']},'insecure':'false','bindDN':'CN=my_auth,OU=MyAccounts,OU=Generic,OU=My_Integration,DC=my,DC=com','bindPassword':'password','url':'ldaps://myldap.my.com:636/DC=my,DC=com?sAMAccountName?sub?(&(objectClass=person)(objectClass=user))'}]
# Configuring the ldap ca certificate 
openshift_master_ldap_ca_file=/etc/pki/ca-trust/source/anchors/my-ca.pem


This results in a LDAP config like:

oauthConfig:
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: my_ldap_provider
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - displayName
        preferredUsername:
        - sAMAccountName
      bindDN: CN=my_auth,OU=MyAccounts,OU=Generic,OU=My_Integration,DC=my,DC=com
      bindPassword: password
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://myldap.my.com:636/DC=my,DC=com?sAMAccountName?sub?(&(objectClass=person)(objectClass=user))
      ca:

Which results in:

E0809 13:00:57.977574       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:00:59.750261       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:01:01.384381       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority
E0809 13:01:03.144610       1 login.go:187] Error authenticating "user" with provider "my_ldap_provider": LDAP Result Code 200 "Network Error": x509: certificate signed by unknown authority


Needed to manually edit the config to add if you do not use it during the install:

ca: ldap_ca.crt


Version-Release number of the following components:

3.10 

How reproducible:

Always

Steps to Reproduce:
1. Use above ldap config 

Actual results:
LDAP does not work with the same config as 3.9


Expected results:

Should still work correctly
Comment 1 Matthew Robson 2018-08-09 15:03:56 UTC 
Reported here as well:

https://github.com/openshift/openshift-ansible/issues/9397
Comment 2 Scott Dodson 2018-08-14 12:54:49 UTC 
I think this is happening because ldap_ca gets set via openshift_master_facts by a file lookup on openshift_master_ldap_ca_file but I don't think that openshift_master_facts role has been called.
Comment 3 Vadim Rutkovsky 2018-08-15 10:30:30 UTC 
>The same ldap config from 3.9 no longer works correctly in 3.10 without adding ca: instead of using openshift_master_ldap_ca_file.

This is expected - previously API server ran as a systemd service thus it was sharing CA store with the host. Setting 'openshift_master_ldap_ca_file=/etc/pki/ca-trust/..' copied the file to the host and added this CA to the store automatically. As a result there is no need to set 'ca:' there

In 3.10 several changes were introduced:
* API servers now run in static pods, so they don't share CA store with the host anymore
* Mounts to API server container are limited to /etc/origin/master

So in 3.10 the user can't replace container CA store entirely. openshift_master_ldap_ca_file would be copied to the host and mounted in /etc/origin/master/<basename>. As a result 'ca:' is required to be set if openshift_master_ldap_ca_file is used.

Matthew, could you verify openshift_master_ldap_ca_file is being copied correctly on host and works with 'ca:' set?
Comment 4 Matthew Robson 2018-08-15 17:22:10 UTC 
Thanks for the info. I guess we should document it because it's a change in behaviour customers may not expect.

I confirmed that when setting openshift_master_ldap_ca_file it is correctly copied into the master directory and all that was necessary was to set the ca: value.
Comment 5 Eric Rich 2018-08-20 17:46:28 UTC 
Will doing so put us into a situation where we hit https://bugzilla.redhat.com/show_bug.cgi?id=1614425 ?
Comment 6 jtudelag 2018-08-23 08:08:45 UTC 
If Im not wrong, the 'ca' value has to be exactly this, right? 
'ca': '/etc/origin/master/ldap_ca.crt'.

This is the path where openshift-ansible copies the file set in the var "openshift_master_ldap_ca_file", otherwise It wont work.

At least this is how I made it work, here:
https://access.redhat.com/support/cases/#/case/02166420
Comment 7 Vadim Rutkovsky 2018-08-29 07:40:57 UTC 
PR to ignore `ca:` field in 3.10.z - https://github.com/openshift/openshift-ansible/pull/9803
Comment 8 Vadim Rutkovsky 2018-09-05 08:22:08 UTC 
Fix is available in openshift-ansible-3.10.43-1
Comment 10 Gaoyun Pei 2018-09-07 06:15:21 UTC 
Verify this bug with openshift-ansible-3.10.44-1.git.0.8c64e8d.el7.noarch

Specify LDAP CA certificate in openshift_master_ldap_ca_file

openshift_master_identity_providers=[{'name': 'testldap', 'login': 'true', 'challenge': 'true', 'kind': 'LDAPPasswordIdentityProvider', 'attributes': {'id': ['dn'], 'email': ['mail'], 'name': ['cn'], 'preferredUsername': ['uid']}, 'bindDN': '', 'bindPassword': '', 'insecure': 'false', 'url': 'ldaps://x.x.x.x/ou=users,dc=redhat,dc=com?uid'}]
openshift_master_ldap_ca_file=/root/ldap.ca.crt


After installation, LDAP CA certificate was copied to master as /etc/origin/master/testldap_ldap_ca.crt , master config was like: 

oauthConfig:
  assetPublicURL: https://xxx.xxx.xxx:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: testldap
    provider:
      apiVersion: v1
      attributes:
        email:
        - mail
        id:
        - dn
        name:
        - cn
        preferredUsername:
        - uid
      bindDN: ''
      bindPassword: ''
      ca: /etc/origin/master/testldap_ldap_ca.crt
      insecure: false
      kind: LDAPPasswordIdentityProvider
      url: ldaps://x.x.x.x/ou=users,dc=redhat,dc=com?uid