Comments (11)
You have to mount in your CA root certificate and then add an entry for -openshift-ca=/certs/your-ca.pem
. If I remember correctly by editing the prometheus statefulset.
When the proxy tries to hit the API as in:
018/07/11 05:28:22 provider.go:522: 201 POST https://nonprod1.test.evil.corp.us:8443/apis/authorization.openshift.io/v1/subjectaccessreviews {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"dummy-uat","allowed":true,"reason":"allowed by openshift authorizer"}
2018/07/11 05:28:22 oauthproxy.go:612: 10.2.2.1:36804 authentication complete Session{[email protected] token:true}
It throws the x509: certificate signed by unknown authority
error because the CA that signed nonprod1.test.evil.corp.us is not trusted.
Adding the CA Root from /opt/certs/RootCA04.crt
(from nonprod1
) solved this.
from oauth-proxy.
If you are troubleshooting and/or don't have the certs, you can use the - -skip-auth-regex= arg and add the endpoints you need.
example:
- -skip-auth-regex=^/graph.*
- -skip-auth-regex=^/targets
- -skip-auth-regex=^/status
- -skip-auth-regex=^/config
- -skip-auth-regex=^/
Obviously not for prod :)
btw, - -ssl-insecure-skip-verify
doesn't work.
from oauth-proxy.
Fixed the client side x509 issue.
2018/02/21 15:43:46 oauthproxy.go:582: error redeeming code (client:10.1.2.1:53068): Post https://a.example.domain:8443/oauth/token: x509: certificate signed by unknown authority
2018/02/21 15:43:46 oauthproxy.go:399: ErrorPage 500 Internal Error Internal Error
Problem was that the cert chain in the browser was incomplete.
Now I keeping getting:
oauthproxy.go:657 x.x.x.x:5xxxx Cookie "_oauth_proxy" not present
Any thoughts? bearer token / sa related?
Maybe it's best to open a new issue and close this one.
from oauth-proxy.
@rflorenc that is just logged whenever you authenticate without a cookie. It's caused some confusion so we should probably change or remove it.
from oauth-proxy.
@mrogers950 thanks.
from oauth-proxy.
@rflorenc Could you please give more detailed information about how you did solve the issue? I'm facing the same problem.
from oauth-proxy.
Did you also find out how to solve this from an openshift-ansible point of view?
Is openshift_additional_ca a working option?
from oauth-proxy.
@sspreitzer I didn't try it out.
from oauth-proxy.
I am trying that at the moment, to solve prometheus, kibana and maybe others from a central spot. Will keep you posted.
from oauth-proxy.
@rflorenc openshift_additional_ca solved the problem as well!
Define openshift_additional_ca in your openshift-ansible inventory file with your CA or intermediate CA and it will work!
from oauth-proxy.
from oauth-proxy.
Related Issues (20)
- delegated authorization doesn't works as expected for multiple path prefixes HOT 4
- Need the username/info from application HOT 9
- Feature request: Provide metrics HOT 11
- Only token with "Bearer" prefix is passed HOT 4
- Need user authorization token for proper RBAC settings on custom backend APIs HOT 6
- refresh OpenShift token HOT 13
- oauth-proxy fails with perms error after OpenShift upgrade. HOT 9
- has anyone successfully using this with tekton dashboard? HOT 5
- Is there an updated location for the published image of this project? HOT 12
- The page isnβt redirecting properly HOT 11
- --ssl-insecure-skip-verify=true not work as expected HOT 4
- Cookie signature includes the hostname when the --cokie-domain flag is set HOT 4
- Is it possible to match URL path with request parameters in openshift-delegate-urls HOT 4
- Error when using single quote with options HOT 4
- Group/Role Access Restriction support in auth endpoint HOT 4
- can we encrypt username stored in oauth_proxy cookie ? HOT 19
- Inject custom headers HOT 4
- pass X-Forwarded-Groups header HOT 7
- 404 Not Found for oauth/start HOT 5
- `HTTP 301` redirection responses mangle `Location` header HOT 13
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth-proxy.