Bug 1402251 - GitLabIdentityProvider doesn't take care of "ca:" field
Summary: GitLabIdentityProvider doesn't take care of "ca:" field
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jordan Liggitt
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-07 06:49 UTC by Kenjiro Nakayama
Modified: 2020-01-17 16:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-16 21:04:18 UTC
Target Upstream Version:



Description Kenjiro Nakayama 2016-12-07 06:49:34 UTC
Description of problem:
===
GitLabIdentityProvider doesn't take care of "ca:" field.

Version-Release number of selected component (if applicable):
===
OCP 3.3.1.5-1

How reproducible (Steps to Reproduce):
===
step-1. Configure GitLabIdentityProvider as below:

  ---
  oauthConfig:
    assetPublicURL: https://foo.example.com:8443/console/
    grantConfig:
      method: auto
    identityProviders:
    - challenge: false
      login: true
      mappingMethod: claim
      name: gitlab_auth
      provider:
        apiVersion: v1
        ca: /path/to/ca-bundle.crt
        clientID: xxxx
        clientSecret: xxxx
        kind: GitLabIdentityProvider
        url: https://gitlab.foo.example.com
  ---

step-2. Login

Actual results:
===
Failed to log in with the following error:

  Dec  5 04:34:44 ip-172-31-193-103 atomic-openshift-master-api: E1205 04:34:44.549405  121009 errorpage.go:30] AuthenticationError: Get https://git.foo.example.com/api/v3/user: x509: certificate signed by unknown authority

Expected results:
===
Login successful

Additional info:
===
We confirmed that the ca.crt and ca-bundle.crt worked:

   $ curl --cacert /path/to/ca-bundle.crt https://git.foo.example.com
   $ curl --cacert /path/to/ca.crt https://git.foo.example.com

Also, after removing "ca: /path/to/ca-bundle.crt" from GitLabIdentityProvider, if we include the ca.crt in the root CAs, the login worked well.

  # update-ca-trust enable
  # cp /path/to/ca.crt /etc/pki/ca-trust/source/anchors/
  # update-ca-trust extract

From this, most probably GitLabIdentityProvider doesn't take care of the ca: field.
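The failure mode described in this report, as an added Go example that is not code from the bug report or from OpenShift: the identity provider's HTTP client has to load the `ca:` bundle into its `RootCAs`, and a client that never receives it (nil `RootCAs`, system trust store only) rejects a certificate from a private CA with the same "certificate signed by unknown authority" error quoted above. The private CA, the GitLab server leaf and the function names are constructed for the demonstration; `checkServerCert` takes the bundle's contents, i.e. what reading the configured `ca:` path would return.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// checkServerCert does what the identity provider's HTTP client must do with the
// "ca:" bundle: load it into RootCAs, then verify the server certificate the way
// crypto/tls does in the handshake. Empty caPEM leaves RootCAs nil (system trust
// store only), which is effectively what the client used when ca: was ignored.
func checkServerCert(caPEM []byte, leaf *x509.Certificate, host string) error {
	cfg := &tls.Config{}
	if len(caPEM) > 0 {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return fmt.Errorf("ca: bundle contains no PEM certificates")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}
// constructedCA is a stand-in for the private CA behind the GitLab host (assumed names).
func constructedCA(host string) ([]byte, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key for CA and leaf, for brevity
	now := time.Now()
	mint := func(tmpl, parent *x509.Certificate) ([]byte, *x509.Certificate) {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return der, c
	}
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, ca := mint(caT, caT) // self-signed root, i.e. the contents of ca-bundle.crt
	_, leaf := mint(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: now, NotAfter: now.Add(time.Hour)}, ca)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf
}
func main() {
	caPEM, leaf := constructedCA("gitlab.foo.example.com")
	fmt.Println("ca honoured:", checkServerCert(caPEM, leaf, "gitlab.foo.example.com"), "/ ca ignored:", checkServerCert(nil, leaf, "gitlab.foo.example.com"))
}
```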

Comment 12 Chuan Yu 2016-12-08 05:53:25 UTC
Checked with OSE v3.4.0.33 and got the correct ca-bundle.crt file; the issue was fixed.
# openshift version
openshift v3.4.0.33+71c05b2
kubernetes v1.4.0+776c994
etcd 3.1.0-rc.0

Comment 14 Troy Dawson 2017-02-16 21:04:18 UTC
This bug was fixed with the latest OCP 3.4.0 that is already released.

