Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature request: an option to disable provider's TLS certificate validation (or option to provide trusted cert) #54

Closed
astappiev opened this issue Jan 18, 2025 · 8 comments · Fixed by #66
Closed

Feature request: an option to disable provider's TLS certificate validation (or option to provide trusted cert) #54

astappiev opened this issue Jan 18, 2025 · 8 comments · Fixed by #66
Labels
enhancement New feature or request

Comments

@astappiev
Copy link
Contributor

In Docker setup (for home lab), where I use kanidm as one container and traefik as another, the kanidm uses a self-signed certificate. And then Traefik is responsible for the final certificate.

Whenever I try to supply my public idm origin as the provider URL, it says Docker can't find the host. I assigned a label to my container, so Docker could find the correct path to it, but it still failed with a TLS error, saying that the origin of my certificate was unknown.

I solved that by copying Traefik's certificate to Kanidm, however, after it expires I will need to do that again manually. Because all this happens inside Docker networks, I would prefer to have one of the simpler options:

  1. Skip verification, similarly to traefik's serversTransport.insecureSkipVerify: true
  2. Option to specify the location (mount) of my self-signed certificate
@sevensolutions sevensolutions added the enhancement New feature or request label Jan 19, 2025
@sevensolutions sevensolutions mentioned this issue Jan 22, 2025
Open
@cowegner
Copy link

I would vote for 2. because security should be the default today.

@cdanis
Copy link
Contributor

cdanis commented Jan 22, 2025
edited
Loading

As a temporary hack/workaround you could do something like the following:

  • Create a new endpoint on Traefik, let's say on port 12345
  • Attach a router to that entrypoint that receives plain HTTP and forwards it to kanidm over HTTPS, but using a serversTransport that either has insecureSkipVerify: true or has a .crt file from your internal CA in the rootCAs list
  • Point the plugin at http://localhost:12345/... for the IDP URL.

I agree that the plugin should support both insecureSkipVerify and also rootCAs for the transport to the IDP, but you could try this out right now.

sevensolutions added a commit that referenced this issue Jan 24, 2025
@sevensolutions
#54: First draft for custom root CAs. Untested WIP.
47ce99b
sevensolutions added a commit that referenced this issue Jan 25, 2025
@sevensolutions
#54: Add e2e tests
c2c58f9
sevensolutions added a commit that referenced this issue Jan 25, 2025
@sevensolutions
#54: Rename CACertificateFilePath to CABundleFile. Add option for env…
d2a1a03 
…ironment variable.
sevensolutions added a commit that referenced this issue Jan 25, 2025
@sevensolutions
#54: Add documentation
7d03823
@sevensolutions sevensolutions mentioned this issue Jan 25, 2025
Merged
@sevensolutions
Copy link
Owner

At first, thx @cdanis for providing a workaround.
And yes, I'am implementing both options. InsecureSkipVerify and custom CAs.

Second:
@astappiev #66 will add support for self-signed certificates by allowing you to provide a custom CA file. In case you're using intermediates you need to provide a file containing the full chain (bundle).
It's not merged yet but if you want to try it out, feel free to check out the "feature/custom-ca" branch.
You can then configure your CA file like this:

Provider:
  Url: "https://your-provider"
  CABundleFile: "/certificates/bundle/ca_bundle.pem"
  # InsecureSkipVerify: true # If you don't want to use a CA file, but not suggested

I will release it this weekend hopefully.

@cdanis
Copy link
Contributor

cdanis commented Jan 25, 2025
edited
Loading

It might be interesting to also allow the plugin to receive the CA bundle as a raw string. This would allow k8s installations to use the urn:k8s:secret: feature of Traefik to read ca.crts that had been generated by cert-manager and/or distributed by trust-manager, without modifying the Traefik deployment itself.

I can experiment with this in a followup, since I don't think @sevensolutions has much k8s expertise.

@sevensolutions
Copy link
Owner

Good point @cdanis 👍. I'll add this tomorrow.

No sorry, I'am more the Nomad-guy 😀 but it would be great if you can do some testing on k8s.
But i can still test it using a plain string. Should be no difference to the file.

@sevensolutions
Copy link
Owner

@cdanis An inline certificate bundle has to preserve all the newlines.
This is not a problem with YAML. I can do:

Provider:
  UrlEnv: "PROVIDER_URL_HTTPS"
  CABundle: |
    -----BEGIN CERTIFICATE-----
    MIIF+DCCA+CgAwIBAgIUZRLUFUYKckhgTHaOoqgg61UiMOkwDQYJKoZIhvcNAQEL
    -----END CERTIFICATE-----

But would this work with k8s secrets?
Otherwise i can think of an option, that, if the string starts with base64:, i'll base64 decode it. Eg:

Provider:
  UrlEnv: "PROVIDER_URL_HTTPS"
  CABundle: base64:LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...

sevensolutions added a commit that referenced this issue Jan 25, 2025
@sevensolutions
#54: Add option to provide an inline CA bundle as a raw string.
5c1d409
@cdanis
Copy link
Contributor

cdanis commented Jan 25, 2025

@cdanis An inline certificate bundle has to preserve all the newlines. This is not a problem with YAML. I can do:

Provider:
UrlEnv: "PROVIDER_URL_HTTPS"
CABundle: |
-----BEGIN CERTIFICATE-----
MIIF+DCCA+CgAwIBAgIUZRLUFUYKckhgTHaOoqgg61UiMOkwDQYJKoZIhvcNAQEL
-----END CERTIFICATE-----
But would this work with k8s secrets?

Certainly k8s secrets can contain multiline values with no problem. And commonly contain TLS cert/key material.

The thing I do need to check is how exactly Traefik's substitution of the secret values works, but I would guess it's probably fine.

Otherwise i can think of an option, that, if the string starts with base64:, i'll base64 decode it. Eg:

Provider:
UrlEnv: "PROVIDER_URL_HTTPS"
CABundle: base64:LS0tLS1CRUdJTiBDRVJUSUZJQ0FU...

I don't think this is necessary for k8s, nor am I sure offhand that you could use it with Traefik's urn:k8s:secret:... interpolation, but it seems like a useful feature anyway :D

sevensolutions added a commit that referenced this issue Jan 26, 2025
@sevensolutions
#54: Add e2e test for inline CA bundle
4a036da
sevensolutions added a commit that referenced this issue Jan 26, 2025
@sevensolutions
#54: Support for custom provider CAs (#66)
05b0130 
* #54: First draft for custom root CAs. Untested WIP.

* #54: Add e2e tests

* #54: Rename CACertificateFilePath to CABundleFile. Add option for environment variable.

* #54: Add documentation

* #54: Add option to provide an inline CA bundle as a raw string.

* #54: Add e2e test for inline CA bundle
@astappiev
Copy link
Contributor Author

Thanks @sevensolutions, you saved me from manual certificate renewal 🙃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

#54: Support for custom provider CAs sevensolutions/traefik-oidc-auth
4 participants
@cdanis @astappiev @cowegner @sevensolutions