Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

_refresh_oidc is broken if using a publicly signed cert #2341

Open
linuxfreakus opened this issue Jan 30, 2025 · 1 comment
Open

_refresh_oidc is broken if using a publicly signed cert #2341

linuxfreakus opened this issue Jan 30, 2025 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@linuxfreakus
Copy link

linuxfreakus commented Jan 30, 2025
edited
Loading

What happened (please include outputs or screenshots):

When I call config.load_kube_config() it bombs out loading the config when i have an OIDC auth method that talks to a host using a publicly signed cert

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='my.hostname.com', port=443): Max retries exceeded with url: /auth/idp/k8sIdp/.well-known/openid-configuration (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4149)')))

What you expected to happen:

No error should occur, the config works with every other client that I use it with, including kubectl.

How to reproduce it (as minimally and precisely as possible):

- name: username
  user:
    auth-provider:
      config:
        client-id: kubernetes
        client-secret: ''
        id-token: <redacted>
        idp-certificate-authority-data: ""
        idp-issuer-url: https://my.hostname.com/auth/idp/k8sIdp
        refresh-token: <redacted>
      name: oidc

Anything else we need to know?:

The problem is in this method:

python/kubernetes/base/config/kube_config.py

Line 422 in 9775a12

def _refresh_oidc(self, provider):

The code finds that the idp-certificate-authority-data key exists, and tries to use it even though it is empty.... but furthermore, even if you were to remove that line, that would cause it to fall down to disable the ssl check!! This should not happen. It should fall back to using the system default public CA bundle.

If I set idp-certificate-authority: /etc/ssl/certs/ca-certificates.crt then it works, but that is brittle since not every system will have the same setup and it should just fall back to system defaults anyway.

Environment:

  • Kubernetes version (kubectl version):
    Client Version: v1.32.1
    Kustomize Version: v5.5.0
    Server Version: v1.31.3

  • OS (e.g., MacOS 10.13.6): Docker image python:3.11

  • Python version (python --version): Python 3.11.11

  • Python client version (pip list | grep kubernetes): 32.0.0
@linuxfreakus linuxfreakus added the kind/bug Categorizes issue or PR as related to a bug. label Jan 30, 2025
@linuxfreakus linuxfreakus changed the title _oidc_refresh is broken if using a publicly signed cert _refresh_oidc is broken if using a publicly signed cert Jan 30, 2025
@roycaihw
Copy link
Member

roycaihw commented Feb 12, 2025
edited
Loading

@linuxfreakus Would you like to send a fix for this method?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@linuxfreakus @roycaihw