vmware-archive / gangway

An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster.
Apache License 2.0

GoDaddy wildcard with Rancher = "certificate signed by unknown authority" #157

Closed RomanGz closed 4 years ago

RomanGz commented 4 years ago

All works well as far as generating the config goes, however, kubectl fails with:

I0325 14:44:44.000579    8584 loader.go:359] Config loaded from file /home/username/.kube/config
I0325 14:44:44.001918    8584 loader.go:359] Config loaded from file /home/username/.kube/config
I0325 14:44:44.008193    8584 loader.go:359] Config loaded from file /home/username/.kube/config
I0325 14:44:44.015380    8584 loader.go:359] Config loaded from file /home/username/.kube/config
I0325 14:44:44.016176    8584 round_trippers.go:416] GET https://kubestage.mycodomain.com/k8s/clusters/c-kcmtz/api/v1/namespaces/default/pods?limit=500
I0325 14:44:44.016397    8584 round_trippers.go:423] Request Headers:
I0325 14:44:44.016607    8584 round_trippers.go:426]     Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json
I0325 14:44:44.016828    8584 round_trippers.go:426]     User-Agent: kubectl/v1.13.1 (linux/amd64) kubernetes/eec55b9
I0325 14:44:44.025062    8584 round_trippers.go:441] Response Status:  in 8 milliseconds
I0325 14:44:44.025115    8584 round_trippers.go:444] Response Headers:
I0325 14:44:44.025195    8584 helpers.go:216] Connection error: Get https://kubestage.mycodomain.com/k8s/clusters/c-kcmtz/api/v1/namespaces/default/pods?limit=500: x509: certificate signed by unknown authority
F0325 14:44:44.025246    8584 helpers.go:116] Unable to connect to the server: x509: certificate signed by unknown authority

Generated config:

# CA that kubectl will trust when it verifies the server's TLS certificate
echo "-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
" > ca-Staging.pem
kubectl config set-cluster Staging --server=https://kubestage.mycodomain.com/k8s/clusters/c-kcmtz --certificate-authority=ca-Staging.pem --embed-certs
# OIDC credentials issued by dex via gangway
kubectl config set-credentials username@Staging  \
    --auth-provider=oidc  \
    --auth-provider-arg='idp-issuer-url=https://oauth-stage.mycodomain.com'  \
    --auth-provider-arg='client-id=kubeapps'  \
    --auth-provider-arg='client-secret=<client secret>' \
    --auth-provider-arg='refresh-token=<refresh token>' \
    --auth-provider-arg='id-token=<token>'
kubectl config set-context Staging --cluster=Staging --user=username@Staging
kubectl config use-context Staging
# the CA is now embedded in the kubeconfig, so the temporary file can go
rm ca-Staging.pem

^ That CA looks like the internal cert. Should it be something else? Replacing it with the GoDaddy CA results in 401 Unauthorized on kubectl calls.

SSL on the API server passes all other SSL checks. Not sure where the chain is broken, as this issue only seems common with self-signed certs.

RomanGz commented 4 years ago

I should add that we have other apps like kubernetes dash working fine, authenticating against the same dex OIDC.

RomanGz commented 4 years ago

Figured it out. Didn't realize Rancher's "api" wasn't a direct path to the kube API, and had its own auth proxy in front of it. Once I exposed and connected directly to the kube API, all worked well.
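The trust mismatch behind the x509 error, as an added Go example that is not part of gangway or of this issue: the generated kubeconfig embeds the cluster's internal CA, but the Rancher endpoint at kubestage.mycodomain.com presents a certificate issued by a different (public) CA, so kubectl cannot build a chain and reports "certificate signed by unknown authority"; against an endpoint whose certificate really chains to the embedded CA, the same check passes. The CA names and all certificates are constructed stand-ins generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert is a throwaway fixture: a self-signed CA when parent is nil, else a server cert for cn signed by parent.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}
// verifyAgainst does what kubectl does with certificate-authority-data: chain the server leaf to the one trusted CA and match its SAN to the API host.
func verifyAgainst(leaf, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}
func main() {
	// Constructed stand-ins: the cluster CA Rancher embeds in the kubeconfig vs the public CA (GoDaddy in the issue) that really signs the ingress cert.
	internalCA, _ := makeCert("rancher-internal-ca.invalid", true, nil, nil)
	publicCA, publicKey := makeCert("public-ca.invalid", true, nil, nil)
	leaf, _ := makeCert("kubestage.mycodomain.com", false, publicCA, publicKey)
	fmt.Println("internal CA:", verifyAgainst(leaf, internalCA, "kubestage.mycodomain.com"))
	fmt.Println("public CA:  ", verifyAgainst(leaf, publicCA, "kubestage.mycodomain.com"))
}
```

Pointing the same check at the CA that actually issued the endpoint's certificate is exactly what exposing the kube API directly achieved in the thread; swapping only the CA while still talking to the Rancher proxy trades the TLS error for the proxy's own 401.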