Skip to content
This repository has been archived by the owner on Apr 19, 2023. It is now read-only.

SSO Identity provider for openshift not configured properly when you do not set eval_self_signed_certs=true #1028

Open
rafaeltuelho opened this issue Sep 24, 2019 · 0 comments
Open

SSO Identity provider for openshift not configured properly when you do not set eval_self_signed_certs=true #1028

rafaeltuelho opened this issue Sep 24, 2019 · 0 comments

Comments

@rafaeltuelho
Copy link

rafaeltuelho commented Sep 24, 2019
edited
Loading

Description

the default value for the var eval_self_signed_certs is false. It causes the SSO provisioning to not set the ca: ca.crt property when it adds the OpenID connect IdentityProvider in the /etc/origin/master/master-config.yaml file.

look at roles/rhsso/tasks/indetityprovider.yml

- set_fact:
    rhsso_identity_provider_ca_cert_path: ""
  when: not (eval_self_signed_certs | bool)

Expected Behavior

Authentication through SSO to be working.

Actual Behavior

The following authentication error appears on Master API logs:

E0924 12:22:51.686524       1 errorpage.go:26] AuthenticationError: Post https://sso-integr8tly-sso.apps.tjpe-fef2.open.redhat.com/auth/realms/openshift/protocol/openid-connect/token: x509: certificate signed by unknown authority

Environment

  • Operating system: RHEL 7.6
  • OpenShift version: 3.11.104
oc v3.11.104
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server 
openshift v3.11.104
kubernetes v1.11.0+d4cacc0
  • Ansible version:
ansible 2.6.18
  config file = /root/integr8tly/installation/ansible.cfg
  configured module search path = [u'/root/integr8tly/installation/library']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Jun 11 2019, 12:19:05) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
  • Project Version/Tag: release-1.5.0

Steps to reproduce

  1. run the install playbook with eval_self_signed_certs default value which is false
  2. after installation is completed try to authenticate through SSO using some of the provided integr8tly users.
  3. You should see authentication error on master api logs like this:
E0924 12:22:51.686524       1 errorpage.go:26] AuthenticationError: Post https://sso-integr8tly-sso.apps.tjpe-fef2.open.redhat.com/auth/realms/openshift/protocol/openid-connect/token: x509: certificate signed by unknown authority
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@rafaeltuelho