OpenUnison / openunison-k8s-login-oidc

Kubernetes login portal for both kubectl and the dashboard using OpenID Connect. Use groups from your assertion in RBAC policies to control access to your cluster. Supports impersonation and OpenID Connect integration with your API server.
https://www.tremolosecurity.com/kubernetes/
Apache License 2.0

Openunison/Kubernetes Cert Issues #43

Closed icf-schubes closed 2 years ago

icf-schubes commented 3 years ago

Running Kubernetes on bare metal, using F5 to point to an nginx ingress controller, then to OpenUnison. Okta redirect works and login is successful, with the OpenUnison page displaying the option for the dashboard or tokens. Clicking the dashboard icon attempts to redirect to the dashboard_host from the values file but displays a Tremolo Security splash screen error. The pod logs show the following at that time:

2021-05-04T18:17:30.802977238Z [2021-05-04 18:17:30,802][XNIO-1 task-1] INFO AccessLog - [Error] - k8s - https://tsb-kube-dashboard.yosemite.local/auth/oidc - uid=Anonymous,o=Tremolo - NONE [10.233.115.0] - [fd21af76ed512a9e9a3fb71171c33191b7086bfd1]
2021-05-04T18:17:30.804676918Z [2021-05-04 18:17:30,802][XNIO-1 task-1] ERROR ConfigSys - Could not process request
2021-05-04T18:17:30.804696725Z javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2021-05-04T18:17:30.804700883Z at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
....

Clicking the token icon redirects to the page with all of the token info but copying the kubectl command and then trying a kubectl command returns the following:

Cluster "tsb-kube" set.
Context "tsb-kube" modified.
User "00ukygpumukorZ0UQ0x7@tsb-kube" set.
Switched to context "tsb-kube".
 …/kubespray-local /main $kubectl get nodes
Unable to connect to the server: Get "https://tsb-kube-auth.yosemite.local/auth/idp/k8sIdp/.well-known/openid-configuration": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Seems like there is an issue with my certs? Any help is appreciated.

mlbiam commented 3 years ago

using f5 to point to an nginx ingress controller

Is your F5 hosting your certificate or is it just passing through the packets? If it's hosting the certificate, did you take a look at https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#how-do-i-change-openunisons-certificates ?

2021-05-04T18:17:30.804696725Z javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I suspect this answers my question that your F5 is a TLS termination point so the dashboard can't "federate" with the openunison host because your F5 cert isn't trusted by openunison. If your F5 certificate is from an internal CA, use the instructions above. If it's signed by a commercial CA - https://github.com/TremoloSecurity/OpenUnison/wiki/troubleshooting#using-a-commercially-signed-ingress-certificate

Unable to connect to the server: Get "https://tsb-kube-auth.yosemite.local/auth/idp/k8sIdp/.well-known/openid-configuration": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

My guess is if you look at your F5's certificate you'll see that it doesn't have a subject alternative name. You might need to create GODEBUG=x509ignoreCN=0 as an environment variable before running kubectl.

icf-schubes commented 2 years ago

I was able to get this resolved using the first link specified. Thanks for the help.