
[BUG] Additional trusted CAs doesn't apply to keycloak oidc

Open HoustonDad opened this issue 1 year ago • 2 comments

Rancher Server Setup

  • Rancher version: 2.7.5

Information about the Cluster

  • Kubernetes version: 1.25.x
  • Cluster Type (Local/Downstream): Local

User Information

  • What is the role of the user logged in: Admin

Describe the bug

Customers following the documentation at https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/configure-keycloak-oidc#configuration-reference will run into an issue where a self-signed keycloak server will fail unless the full CA bundle is used. Meaning either the additional trusted CAs aren't passed properly, or the documentation needs to be updated to include the need for it with self-signed certificates.

To Reproduce

  • Create cluster using a private signed CA
  • Add CA to additional trusted CAs
  • Configure keycloak server that uses certificates signed by the same CA
  • Add just the client certificate, as the CA is in additional trusted certs, and the documentation doesn't explicitly state that the full chain should be needed.

Workaround

  • Is workaround available and implemented? Yes
  • What is the workaround: above

Result

Needs full chain to function

Expected Result

Either respects additional trusted CAs or documentation reflects that it doesn't.

SURE-6675

HoustonDad, Oct 19 '23 16:10

This may be related to https://github.com/rancher/rancher/issues/42371

HoustonDad, Oct 19 '23 16:10

Validation Template

Root Cause

The OS certificate bundle isn't used when a cert/key is provided to the keycloak auth provider configuration. This bundle contains the custom certs that the user can specify during install.

What was fixed, or what changes have occurred

We're now using the OS bundle when the cert/key is provided. So now the OS bundle is used whether or not the cert/key are provided.

Areas or cases that should be tested

  • P0 functionality for keycloak provider
  • Rancher can connect to a keycloak behind certs/keys from a trusted custom CA WITH certs/keys provided in the authconfig.

What areas could experience regressions

There might be regressions with the following properties when using the keycloak auth provider:

  • HTTP proxy
    • The HTTP proxy setting should be respected when no certs and keys are provided.
    • The HTTP proxy setting should NOT be respected when certs and keys are provided. (Will need another GH issue to fix this)
  • Custom CA certs
    • A keycloak instance should be trusted if the CA cert is part of the custom CAs when certs and keys are provided in auth config.
    • A keycloak instance should be trusted if the CA cert is part of the custom CAs when certs and keys are NOT provided in auth config.

Are the repro steps accurate/minimal?

N/A

tomleb, Dec 05 '23 18:12
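The root cause and fix described in the comment above, as an added example that is not Rancher's code: a Go reconstruction of the two ways the provider's `tls.Config` can be built when a cert/key pair is supplied. The function names (`buggyTLSConfig`, `fixedTLSConfig`, `runScenario`), the in-memory private CA, the Keycloak and client certificates, and the exact shape of the buggy code are assumptions; the page only states that the OS bundle was skipped once a cert/key was provided. The trust check at the end is the same chain verification `crypto/tls` performs during the handshake, run offline against the server certificate.

```go
// Added example (not Rancher code): a client cert/key pair must go into
// tls.Config.Certificates without replacing RootCAs, otherwise the OS bundle
// (and the additional trusted CAs installed into it) is silently dropped.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate template for a constructed CA or leaf.
func template(cn string, isCA bool) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// newCert generates an ECDSA key and a certificate for tmpl. With parent == nil
// the certificate is self-signed; otherwise it is issued by parent/parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buggyTLSConfig is an assumed reconstruction of the defect: as soon as a
// cert/key pair is present, RootCAs is built from that pair alone, so the
// bundle passed in is never consulted.
func buggyTLSConfig(clientCert tls.Certificate, _ *x509.CertPool) *tls.Config {
	pool := x509.NewCertPool()
	if leaf, err := x509.ParseCertificate(clientCert.Certificate[0]); err == nil {
		pool.AddCert(leaf)
	}
	return &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// fixedTLSConfig keeps client identity and server trust separate: the pair
// only populates Certificates, and RootCAs stays the bundle in every case.
func fixedTLSConfig(clientCert tls.Certificate, bundle *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: bundle, MinVersion: tls.VersionTLS12}
}

// verifyServer does the check the TLS handshake would do: chain the server
// leaf to a root in cfg.RootCAs and match the hostname.
func verifyServer(cfg *tls.Config, serverCert *x509.Certificate, host string) error {
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err
}

// runScenario reproduces the report: a Keycloak cert issued by a private CA
// that sits in the bundle, plus a cert/key pair in the auth config.
func runScenario() (buggyTrusted, fixedTrusted bool, err error) {
	ca, caKey, err := newCert(template("corp-private-ca", true), nil, nil) // the "additional trusted CA"
	if err != nil {
		return false, false, err
	}
	host := "keycloak.corp.example"
	kc, _, err := newCert(template(host, false), ca, caKey) // Keycloak server cert
	if err != nil {
		return false, false, err
	}
	clientLeaf, clientKey, err := newCert(template("rancher-oidc-client", false), nil, nil)
	if err != nil {
		return false, false, err
	}
	clientCert := tls.Certificate{Certificate: [][]byte{clientLeaf.Raw}, PrivateKey: clientKey}

	// Stand-in for the OS bundle: system roots when available, plus the custom CA.
	bundle, sysErr := x509.SystemCertPool()
	if sysErr != nil || bundle == nil {
		bundle = x509.NewCertPool()
	}
	bundle.AddCert(ca)

	buggyTrusted = verifyServer(buggyTLSConfig(clientCert, bundle), kc, host) == nil
	fixedTrusted = verifyServer(fixedTLSConfig(clientCert, bundle), kc, host) == nil
	return buggyTrusted, fixedTrusted, nil
}

func main() {
	buggy, fixed, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("Keycloak trusted with cert/key in auth config: buggy=%v fixed=%v\n", buggy, fixed)
}
```

The regression cases listed in the comment map onto the two calls at the end of `runScenario`: with the fixed config the private CA is found whether or not a cert/key pair is present, because the pair never touches `RootCAs`.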

Release notes

Authentication

Behavior Changes

Rancher uses additional trusted CAs when establishing a secure connection to the keycloak OIDC authentication provider.

tomleb, Mar 21 '24 15:03

Validated this issue on v2.8.3-rc3, looks good and closing this issue.

dasarinaidu, Mar 22 '24 00:03