
[EKS] [OIDC]: Support idp with self signed certificate

Open mlbiam opened this issue 4 years ago • 2 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request

The new OIDC for EKS requires a commercially signed certificate on the IdP. There's no way to specify a certificate for the authority. Many enterprises have an internal CA that they use for web applications. A self hosted identity provider in an enterprise is likely to have a self-signed CA.

Which service(s) is this request for? EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

Use EKS OIDC with a self-hosted IdP using an internal CA.

Are you currently working around this issue? Using impersonation with a reverse proxy in front of the API server

Additional context Anything else we should know?

Attachments If you think you might have additional information that you'd like to include via an attachment, please do - we'll take a look. (Remember to remove any personally-identifiable information.)

mlbiam avatar Feb 15 '21 17:02 mlbiam

Would this also cover the scenario where the self-hosted IDP issuer URL is not publicly accessible? I see this in the AWS docs... "The issuer URL of the OIDC identity provider must be publicly accessible, so that Amazon EKS can discover the signing keys. Amazon EKS does not support OIDC identity providers with self-signed certificates."

maximmold avatar Jan 27 '22 17:01 maximmold

So just to give a quick (really stupid) workaround for this particular issue. You can have a proxy in your VPC that points to your internal IDP and then create an external DNS entry that resolves to your proxy IP. This way the control plane knows where to look.

So basically you need:
1. Create a proxy machine (let's say NGINX) in EC2 within your EKS cluster VPC with a static IP (so that you can point your DNS A record here). This can/should be an internal IP; this machine doesn't need to be exposed to the internet.
2. Configure your proxy so that it redirects to the internal IDP.
3. Create a DNS entry that resolves to the IP created in step 1.

So by doing this your control plane will get the proxy IP address from the DNS server, and since it has access to your VPC it will resolve to your proxy, and your proxy will send it to your internal network.

Again, this is an idiotic workaround, but it's the only way to make it work for now as far as I know. Also it might cost you some money to set up the DNS record (or you could try to use free DNS resolvers and nameserver options; off the top of my head, freenom and cloudflare, won't vouch for their security though).

Really hope that this gets fixed soon.

filipetavares avatar Aug 09 '22 13:08 filipetavares
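The proxy from the workaround above, written out as an added example (this is not code from the issue, from AWS, or from any IdP vendor). It is an NGINX server block that terminates TLS on the public hostname with a publicly trusted certificate, forwards only the OIDC discovery document and the JWKS request to the internal IdP, and verifies the IdP's certificate against the internal CA rather than accepting it blindly. The hostnames oidc-proxy.example.com and idp.internal.example, the certificate paths under /etc/nginx/tls/, and the JWKS path /keys are assumptions for illustration; substitute your own.

```nginx
# Added example, not code from the issue, AWS or any IdP vendor.
# Assumed names: oidc-proxy.example.com (public DNS A record pointing at the
# proxy's VPC-internal IP), idp.internal.example (the IdP whose certificate
# is issued by the internal CA), /etc/nginx/tls/* (certificate locations)
# and /keys (the IdP's JWKS path; this differs per IdP).

server {
    listen 443 ssl;
    server_name oidc-proxy.example.com;

    # Publicly trusted certificate for the proxy hostname. This is the chain
    # the EKS control plane validates, since it will not trust the internal CA.
    ssl_certificate     /etc/nginx/tls/oidc-proxy.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/oidc-proxy.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Upstream TLS to the IdP. proxy_ssl_verify defaults to off, which would
    # turn the proxy into a silent interception point; verify against the
    # internal CA bundle and pin the expected upstream name for SNI/verification.
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_server_name         on;
    proxy_ssl_name                idp.internal.example;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

    # Present the public hostname to the IdP so an IdP that derives its
    # issuer and jwks_uri from the request Host header advertises the public
    # URLs (assumption: whether this is needed depends on the IdP's config).
    proxy_set_header Host oidc-proxy.example.com;

    # EKS only needs discovery and the signing keys. Expose exactly those two
    # paths; token, authorization and admin endpoints stay internal.
    location = /.well-known/openid-configuration {
        proxy_pass https://idp.internal.example/.well-known/openid-configuration;
    }

    location = /keys {
        proxy_pass https://idp.internal.example/keys;
    }

    location / {
        return 404;
    }
}
```

Two checks before pointing EKS at the proxy: the chain served on oidc-proxy.example.com must build to a public root with no internal CA anywhere in it (for example `openssl s_client -connect oidc-proxy.example.com:443 -servername oidc-proxy.example.com`), and the `issuer` field in the discovery document fetched through the proxy must be exactly the issuer URL you configure in EKS and the `iss` claim the IdP puts in its tokens. If the IdP keeps advertising its internal URL as issuer, fix that on the IdP side rather than rewriting the JSON on the proxy, because the token claim would still not match. The `jwks_uri` in that document must also resolve to the proxy, since the control plane fetches it next; the `/keys` location above assumes that path, so adjust it to whatever your IdP uses.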


Nice workaround! But honestly, it would be easier if EKS enables setting oidc-ca-file used by API Server to validate the authenticity of the private certificates (like kubeadm, Tanzu, and many others do).

davivcgarcia avatar Oct 07 '22 19:10 davivcgarcia