openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License

The `--ssl-insecure-skip-verify` option does not seem to work #110

Closed InfoSec812 closed 4 years ago

InfoSec812 commented 5 years ago

I have configured:

```yaml
args:
  - '--skip-provider-button'
  - '--ssl-insecure-skip-verify'
  - '--request-logging=true'
  - "--https-address="
  - "--http-address=:${PROXY_PORT}"
  - "--provider=openshift"
  - "--openshift-service-account=proxy"
  - "--upstream=https://openshift.default.svc:443/oapi/"
  - "--upstream=https://openshift.default.svc:443/api/"
  - "--upstream=http://localhost:${APP_PORT}/"
  - '--cookie-name=OCP_TOKEN'
  - '--cookie-expire=1h0m0s'
  - '--cookie-refresh=0h10m0s'
  - "--cookie-domain=.rht-labs.com"
  - "--cookie-secret=${COOKIE_SECRET}"
  - "--pass-user-bearer-token=true"
```

When I make a request to either of the SSL upstreams I get the following error:

```
2019/03/27 12:35:43 reverseproxy.go:321: http: proxy error: x509: certificate signed by unknown authority
```

I would have expected the `--ssl-insecure-skip-verify` to allow the application to ignore the self-signed certificates.

InfoSec812 commented 5 years ago

So, even when I was pointing at an upstream with a valid CA (LetsEncrypt) it was not working. But, digging through the code I found an undocumented `--upstream-ca` parameter which I pointed at `/run/secrets/kubernetes.io/serviceaccount/ca.crt` and that resolved the issue. I will submit a PR to update the docs.
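
The failure reported in this thread, reproduced in Go as an added example; it is not oauth-proxy code and not part of the original comments. It assumes a constructed `httptest` upstream and the hypothetical helpers `newUpstream`, `caPool` and `proxyStatus`, and shows that giving the proxy's upstream transport the upstream's CA clears the x509 error while certificate verification stays on.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newUpstream starts a constructed HTTPS upstream whose CA is not in the system roots.
func newUpstream() *httptest.Server {
	ok := func(http.ResponseWriter, *http.Request) {} // empty handler answers 200
	return httptest.NewTLSServer(http.HandlerFunc(ok))
}

// caPool stands in for a CA bundle file: it trusts only the upstream's issuer.
func caPool(up *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(up.Certificate())
	return pool
}

// proxyStatus proxies one request to up, checking its cert against pool (nil: system roots).
func proxyStatus(up *httptest.Server, pool *x509.CertPool) (int, error) {
	target, err := url.Parse(up.URL)
	if err != nil {
		return 0, err
	}
	var upErr error // set by the proxy when the upstream round trip fails
	rp := httputil.NewSingleHostReverseProxy(target)
	rp.Transport = &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	rp.ErrorHandler = func(w http.ResponseWriter, _ *http.Request, e error) {
		upErr = e
		w.WriteHeader(http.StatusBadGateway)
	}
	rec := httptest.NewRecorder()
	rp.ServeHTTP(rec, httptest.NewRequest("GET", "http://proxy.example/", nil))
	return rec.Code, upErr
}

func main() {
	up := newUpstream()
	defer up.Close()
	fmt.Println(proxyStatus(up, nil))        // system roots only
	fmt.Println(proxyStatus(up, caPool(up))) // upstream CA trusted
}
```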

openshift-bot commented 4 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 4 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

openshift-bot commented 4 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci-robot commented 4 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/oauth-proxy/issues/110#issuecomment-721338774):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.