
Support for private Certificate Authority pubkey for certificate of OIDC-based IdP #2716

Open
vojtechmares opened this issue Dec 20, 2024 · 2 comments
Labels
enhancement New feature or request security

Comments


vojtechmares commented Dec 20, 2024

Is your feature request related to a problem? Please describe the impact that the lack of the feature requested is creating.

I am unable to configure Headlamp with a private Certificate Authority for the OIDC IdP to allow signing in when the certificate is issued by the private CA. Or at least provide a config option for disabling the certificate verification. Preferably both, because the latter is insecure.

Describe the solution you'd like

Background:
We are trying out Headlamp in-cluster at Notino. We are using internal PKI for Dex, which acts as an interim IdP between Azure Entra (formerly Azure AD) and the application.

And we run a Private Key Infrastructure (PKI) with our own Certificate Authority to issue certificates for internal services.

Solution:
We are looking for a configuration option in Headlamp to provide the CA pubkey so that the Headlamp UI can validate the IdP's certificate issued by the private CA. And with that, also add an option to skip verification of the certificate. This option is insecure and should not be used in production, but it can help in development or in an early prototyping phase where a certificate is not a priority.

What users will benefit from this feature?

In-Cluster users with Headlamp connected to private IdP

Are you able to implement this feature?

No.

Additional context

List of abbreviations

  • CA - Certificate Authority
  • PKI - Public Key Infrastructure
  • IdP - Identity Provider
  • OIDC - OpenID Connect

Related:

Discussion #2704

@vojtechmares vojtechmares added the enhancement New feature or request label Dec 20, 2024
@dosubot dosubot bot added the security label Dec 20, 2024

dal13002 commented Dec 21, 2024

You can do this today if you get creative. Not sure if this is the "official" solution, but it does work well. The backend of Headlamp is written in Go, which uses the operating system's CAs. So you can make a ConfigMap in the namespace that Headlamp is running in with your private CA cert in it, and then mount that ConfigMap at /etc/ssl/certs/ca-certificates.crt inside the Headlamp pod. Headlamp will read and trust that CA.

This can all be done today with the official helm chart


vojtechmares commented Jan 15, 2025

Thanks @dal13002 for the idea. I've done exactly that and it works well.

For reference, I am adding a snippet of Helm chart values for anyone interested.

volumeMounts:
  - mountPath: /etc/ssl/certs/notino-ca.crt
    name: notino-ca
    subPath: notino-ca.crt
volumes:
  - name: notino-ca
    configMap:
      name: notino-ca

And the certificate is stored inside a ConfigMap under the key notino-ca.crt in a PEM format.

I'd say it's up for a debate if folks want to continue implementing this or just add this to the documentation and close this feature request. For now, I am leaving it open.
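To make concrete what the mounted CA file does inside the Go backend described by dal13002 and mounted via the Helm values above, here is an added Go example. It is not Headlamp code; it uses only crypto/x509 and crypto/tls from the standard library. It generates a throwaway private CA and an IdP server certificate signed by it, then verifies that certificate first against an empty trust store (what the backend has before the mount) and then against a store built from the CA's PEM text, which is exactly what the ConfigMap key carries. The hostname dex.internal.example and every certificate are constructed fixtures, and ClientTLSConfig shows how the two options requested in this issue (a CA pubkey versus skipping verification) map onto tls.Config. On Linux the Go standard library fills its system pool from /etc/ssl/certs/ca-certificates.crt and from every file in /etc/ssl/certs (overridable with SSL_CERT_FILE and SSL_CERT_DIR), so the separate-file mount in the snippet above is picked up without touching the distribution bundle, whereas a subPath mount over /etc/ssl/certs/ca-certificates.crt replaces the bundle file itself; in that case check that the public roots you still need remain trusted through other files in that directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// issueCert creates a certificate from tmpl. With parent == nil it is self-signed
// (a CA); otherwise it is signed by parent using parentKey.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPrivateCA builds a throwaway self-signed CA (constructed fixture standing in for the internal PKI).
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	now := time.Now()
	return issueCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewIdPCert issues a server certificate for the IdP hostname, signed by the private CA.
func NewIdPCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	now := time.Now()
	cert, _, err := issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// CAPEM is the PEM text that goes into the ConfigMap key (e.g. notino-ca.crt).
func CAPEM(ca *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
}

// PoolFromPEM parses the mounted PEM file into a trust store, the same way the
// standard library parses the files under /etc/ssl/certs into its system pool.
func PoolFromPEM(pemBytes []byte) (*x509.CertPool, bool) {
	pool := x509.NewCertPool()
	return pool, pool.AppendCertsFromPEM(pemBytes)
}

// VerifyIdP runs the chain and hostname check crypto/tls performs during the handshake.
func VerifyIdP(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ClientTLSConfig maps the issue's two options onto crypto/tls: a CA pool (nil means
// the system pool) or InsecureSkipVerify, which accepts any certificate at all.
func ClientTLSConfig(roots *x509.CertPool, skipVerify bool) *tls.Config {
	return &tls.Config{RootCAs: roots, InsecureSkipVerify: skipVerify, MinVersion: tls.VersionTLS12}
}

func main() {
	ca, caKey, err := NewPrivateCA()
	if err != nil {
		panic(err)
	}
	idp, err := NewIdPCert(ca, caKey, "dex.internal.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("empty trust store:", VerifyIdP(idp, x509.NewCertPool(), "dex.internal.example"))
	pool, _ := PoolFromPEM(CAPEM(ca))
	fmt.Println("with private CA:", VerifyIdP(idp, pool, "dex.internal.example"))
}
```

Run with `go run .`: the first line reports an unknown-authority error and the second prints `<nil>`, which is the difference the ConfigMap mount makes. A hostname that does not match the certificate's SAN still fails even with the private CA trusted, so the CA-pool option keeps full verification, while InsecureSkipVerify removes both the chain and the hostname check.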
