jetstack / kube-oidc-proxy

Reverse proxy to authenticate to managed Kubernetes API servers via OIDC.
https://jetstack.io
Apache License 2.0

"x509: certificate signed by unknown authority" when using Ingress #149

Closed robertgates55 closed 4 years ago

robertgates55 commented 4 years ago

I've set up kube-oidc-proxy and enabled ingress with cert-manager generating letsencrypt certs for the endpoint. I used the helm chart to deploy.

However, when I try & connect with my generated kubeconfig, the CA obviously doesn't match up - I'm providing the root CA from my EKS cluster (sourced from /var/run/secrets...etc) to an endpoint that's got letsencrypt certs:

```
>>> kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority
```

What's the correct way to set this up? Is it actually possible to use ingress with ACME certs or is that my issue?

JoshVanL commented 4 years ago

Hi @robertgates55,

I guess it's a question of where TLS is getting terminated. Are you serving your kube-oidc-proxy without TLS and having it terminated at your ingress controller?

It looks like you'll want to set the certificate authority in your kubeconfig to that of Let's Encrypt's CA.
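
Added example, not part of this issue or of kube-oidc-proxy: kubectl is a Go program, and the error quoted above is Go's own x509 chain-building failure. The program below reproduces it offline with constructed stand-in CAs (the CA names and the ingress hostname are assumptions) and shows the same ingress certificate verifying once the kubeconfig's CA bundle holds the CA that actually signed it, which is the fix Josh describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed fixture cert for cn: a self-signed CA when parent is nil, else a server cert signed by parent (fixed inputs, so errors are ignored).
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // fixture-only serial
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root that is allowed to sign other certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caPEM is the CA as kubeconfig's certificate-authority-data carries it (before base64).
func caPEM(ca *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw}) }

// unknownAuthority does what kubectl's TLS client does: chain the proxy's leaf to a root in the kubeconfig CA bundle. True means Go's "x509: certificate signed by unknown authority".
func unknownAuthority(bundle []byte, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return errors.As(err, new(x509.UnknownAuthorityError))
}

func main() {
	host := "kube-oidc-proxy.example.com"            // assumed ingress hostname
	eksCA, _ := issue("eks-cluster-ca", nil, nil)    // stand-in for the EKS cluster CA
	leCA, leKey := issue("letsencrypt-ca", nil, nil) // stand-in for the CA behind the ingress cert
	proxy, _ := issue(host, leCA, leKey)
	fmt.Println(unknownAuthority(caPEM(eksCA), proxy, host), unknownAuthority(caPEM(leCA), proxy, host)) // true false
}
```

To run the same check against a real setup, replace the constructed bundle with the decoded certificate-authority-data from the kubeconfig and the leaf with the certificate the ingress actually serves.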

robertgates55 commented 4 years ago

Thanks Josh - dug a little further & now have it working with a service of type:LB & certs generated with cert-manager (then using the letsencrypt CA to log in as you suggested)

robertgates55 commented 4 years ago

Suggests maybe the docs could do with a little more detail - but happy to close in the meantime.