OIDC auth does not handle custom CA certs

[jnummelin]

Looking at the Go client implementation, one is able to use trusted IDP certs with idp-certificate-authority or idp-certificate-authority-data attributes. See: https://github.com/kubernetes/kubernetes/blob/a3ccea9d8743f2ff82e41b6c2af6dc2c41dc7b10/staging/src/k8s.io/client-go/plugin/pkg/client/auth/oidc/oidc.go#L41-L42

Currently the OIDC auth implementation does not handle those attributes at all which means the oidc auth will fail when the idp uses custom CA. (custom == something not bundled in node itself).

For pure node clients one could use NODE_EXTRA_CA_CERTS to point to local CA bundle file with the idp CA in it. For us this does not work as we're building an Electron based app that does no allow one to extend the CA bundles at all. :(

[brendandburns]

We'd be happy to take a PR to add this support.

Thanks!

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[brendandburns]

/remove-lifecycle-stale

[brendandburns]

fwiw, I looked into the oidc client library here:

https://github.com/panva/node-openid-client/blob/2dfa313f24bab351344932b7b1c67c9cab6031f8/lib/helpers/client.js

And I don't think that the library supports custom Certificate Authorities.

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[brendandburns]

/lifecycle frozen

[panva]

fwiw, I looked into the oidc client library here:

panva/node-openid-client:lib/helpers/client.js@2dfa313

And I don't think that the library supports custom Certificate Authorities.

It does. Any valid got or stdlib http option such as ca can be added per request or by default to all requests. The thing is this package requires version 2.5.0 which is by all means and purposes legacy. I'd recommend using ^3.14.1 and in doing so setting this package's engines.node to >= 10.13.0 to be in line with openid-client@3 requirements.

[brendandburns]

@panva can you give a code sample of how to pass that through? The last time I looked at the code path I didn't see a way to pass that through from the OIDC client interface in the library.

[panva]

@brendandburns i'm not sure what you're asking. How to pipe those options through kubernetes-client? I have no idea, i just maintain openid-client and noticed kubernetes-client still uses an outdated version. I noticed this issue and your comment about something not being possible on the client's level, that particular customization is 100% possible on the latest release.