Comments (8)
I think I just figured out the theory (why it didn't work).
Recently, our system administrator replaced the self-signed cert with a commercial one. However, I don't think that the right CA cert has been re-deployed to OpenShift. That's why the container still gets the original self-signed CA cert. Of course, it cannot verify the commercial server certificate.
Regarding the openssl test I posted earlier, I also need to add the -servername parameter (for SNI) to the test. It should look like:
openssl s_client -servername openshift.k8s.OURDOMAIN.com -connect openshift.k8s.OURDOMAIN.com:8443 -CAfile ca.crt
I will check with our system administrator soon.
from oauth-proxy.
Can you post your fix? I have the same issue. Where did you add the CA file? To named certificates?
from oauth-proxy.
I found the fix: append the intermediate CA certificate to the custom cert file.
Here:
namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master_cert.pem
from oauth-proxy.
We found this issue could occur in the Tekton Dashboard on OpenShift after changing the cluster's default ingress certificate, which was used by the OpenShift oauth server. The issue seems to be that the oauth-proxy will use the service account certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt by default, which works when the oauth server is using the original certificate from installation, but is not updated with the new certificate authority information after making that change.
I think the problem can be worked around by an adjusted configuration of the oauth-proxy container, using a configmap with an updated certificate bundle populated by OpenShift. After mounting the bundle from the configmap into the container, I found that adding two --openshift-ca arguments works well: one pointing to the (default) certificate at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and another pointing to the new certificate bundle.
There is a more detailed patch example in tektoncd/dashboard#1603.
from oauth-proxy.
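The three situations the comments above describe (the container still trusting only the installer's self-signed CA, the commercial certificate served without its intermediate appended to the cert file, and the workaround of trusting both CA files at once via two --openshift-ca arguments) can be reproduced offline with Go's standard crypto/x509 package, which is also what oauth-proxy's TLS client relies on. The following is an added example written for this page, not code from oauth-proxy or from any commenter. The CA names, the serial counter and the hostname openshift.k8s.example.com are constructed placeholders; each check stands in for what a TLS client does with the trust file(s) it is given and the chain the server actually sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1000 // constructed serial counter; fine for an in-memory demo

// mkCert issues a certificate for cn. With parent == nil it is self-signed (a root CA);
// otherwise it is signed by parentKey. CAs get CertSign, leaves get a DNS SAN for cn.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario mirrors the thread: the installer's self-signed CA (what ends up in the
// service-account ca.crt) and a new commercial chain root -> intermediate -> server leaf.
type Scenario struct {
	OldCA, NewRoot, NewIntermediate, NewLeaf, OldLeaf *x509.Certificate
}

func BuildScenario(host string) Scenario {
	oldCA, oldKey := mkCert("installer self-signed CA", true, nil, nil)
	oldLeaf, _ := mkCert(host, false, oldCA, oldKey)
	newRoot, rootKey := mkCert("Commercial Root CA", true, nil, nil)
	inter, interKey := mkCert("Commercial Intermediate CA", true, newRoot, rootKey)
	newLeaf, _ := mkCert(host, false, inter, interKey)
	return Scenario{oldCA, newRoot, inter, newLeaf, oldLeaf}
}

// verify plays the TLS client: trusted is what --openshift-ca / -CAfile supplies, served is
// what the server sends beyond its leaf (nil when the intermediate was never appended).
func verify(leaf *x509.Certificate, trusted, served []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range served {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

type Results struct {
	StaleSACA     error // only the old self-signed CA trusted (unchanged container): fails
	MissingInter  error // new root trusted, intermediate not appended to the cert file: fails
	InterAppended error // intermediate appended (comment 3's fix): succeeds
	TwoCAFilesNew error // both CAs trusted (two --openshift-ca flags), new chain: succeeds
	TwoCAFilesOld error // both CAs trusted, a server still on the old CA: succeeds
}

func RunChecks(s Scenario, host string) Results {
	both := []*x509.Certificate{s.OldCA, s.NewRoot}
	newOnly, oldOnly := []*x509.Certificate{s.NewRoot}, []*x509.Certificate{s.OldCA}
	chain := []*x509.Certificate{s.NewIntermediate}
	return Results{
		StaleSACA:     verify(s.NewLeaf, oldOnly, chain, host),
		MissingInter:  verify(s.NewLeaf, newOnly, nil, host),
		InterAppended: verify(s.NewLeaf, newOnly, chain, host),
		TwoCAFilesNew: verify(s.NewLeaf, both, chain, host),
		TwoCAFilesOld: verify(s.OldLeaf, both, nil, host),
	}
}

func main() {
	host := "openshift.k8s.example.com" // constructed placeholder hostname
	r := RunChecks(BuildScenario(host), host)
	fmt.Printf("stale SA ca.crt only:      %v\n", r.StaleSACA)
	fmt.Printf("intermediate not served:   %v\n", r.MissingInter)
	fmt.Printf("intermediate appended:     %v\n", r.InterAppended)
	fmt.Printf("both CAs, new chain:       %v\n", r.TwoCAFilesNew)
	fmt.Printf("both CAs, old-CA server:   %v\n", r.TwoCAFilesOld)
}
```

The first two checks print an "unknown authority" error, the last three print <nil>. Note that the first case cannot be cured by any change on the server side: until the container's trust file is refreshed (or a second --openshift-ca pointing at the new bundle is added), the proxy will keep rejecting the commercial certificate, exactly as the thread describes.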
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
from oauth-proxy.
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale
from oauth-proxy.
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
from oauth-proxy.
@openshift-bot: Closing this issue.
In response to this:
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
from oauth-proxy.
Related Issues (20)
- Feature request: Provide metrics HOT 11
- Only token with "Bearer" prefix is passed HOT 4
- Need user authorization token for proper RBAC settings on custom backend APIs HOT 6
- refresh OpenShift token HOT 13
- oauth-proxy fails with perms error after OpenShift upgrade. HOT 9
- has anyone successfully using this with tekton dashboard? HOT 5
- Is there an updated location for the published image of this project? HOT 12
- The page isn't redirecting properly HOT 11
- --ssl-insecure-skip-verify=true not work as expected HOT 4
- Cookie signature includes the hostname when the --cokie-domain flag is set HOT 4
- Is it possible to match URL path with request parameters in openshift-delegate-urls HOT 4
- Error when using single quote with options HOT 4
- Group/Role Access Restriction support in auth endpoint HOT 4
- can we encrypt username stored in oauth_proxy cookie ? HOT 19
- Inject custom headers HOT 4
- pass X-Forwarded-Groups header HOT 7
- 404 Not Found for oauth/start HOT 5
- `HTTP 301` redirection responses mangle `Location` header HOT 12
- Where are the images of this project currently published? HOT 1
- Logout Url HOT 1