ajmyyra / ambassador-auth-oidc

OpenID Connect AuthService for Ambassador API Gateway
MIT License
88 stars 35 forks

Unknown x509 certificate #12

Open llegolas opened 5 years ago

llegolas commented 5 years ago

Starting it against https keycloak I get this error:

2019/01/17 11:26:54 OIDC provider setup failed: Get https://sso-keycloak-sso.cloudapps02.euan-hume-02-ocp.svcs.dxc.com/auth/realms/kubeflow/.well-known/openid-configuration: x509: certificate signed by unknown authority

llegolas commented 5 years ago

Adding at least the default k8s/openshift CA.crt to the trust is a nice feature to have. Will the below work?

    import (
        "crypto/tls"
        "crypto/x509"
        "io/ioutil"
        "log"
    )

    // Start from the system trust store; fall back to an empty pool if it is unavailable.
    rootCAs, _ := x509.SystemCertPool()
    if rootCAs == nil {
        rootCAs = x509.NewCertPool()
    }

    // Append the in-cluster service account CA so issuers signed by it are trusted.
    certs, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
    if err != nil {
        log.Fatalf("Failed to append /var/run/secrets/kubernetes.io/serviceaccount/ca.crt to RootCAs: %v", err)
    }

    if ok := rootCAs.AppendCertsFromPEM(certs); !ok {
        log.Println("No certs appended, using system certs only")
    }

    // Hand the combined pool to the TLS client configuration.
    config := &tls.Config{
        RootCAs: rootCAs,
    }

ajmyyra commented 5 years ago

Hi! Might be good to add support for both the service account as well as a 'disregard certificate validity' option, through Golang's InsecureSkipVerify: true. I'll look into this soon.

llegolas commented 5 years ago

You can also add support for custom certificates provided with volume mounts (backed by secrets). For example, if the file /tmp/custom-ca.crt exists, append it too.

templarfelix commented 4 years ago

I don't use a self-signed cert, and errors occurred.


Workaround: https://www.getambassador.io/reference/filter-reference/#installing-self-signed-certificates